-
Notifications
You must be signed in to change notification settings - Fork 388
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security and privacy questionnaire on WebXR Device API #1379
Comments
Thanks for putting together this initial draft! I've got a few comments:
This seems to be asking more about what information the API surfaces, while your draft response is more about pulling data from external servers. I think something along the following would be more accurate: "Initially, the WebXR Device API exposes a boolean indicating whether or not the user's device is capable of displaying VR or AR content. To query any further information from the API an XRSession must be started, which requires user consent. For the duration of the session, continuous position, orientation, and optical information for the user's XR device (such as a headset) and any associated controllers are reported on an ongoing basis.
I'd add a bullet point to this stating: "The values reported during a session are required in order to allow the page to render appropriately tracked imagery. If the data is not present or inaccurate then the resulting rendering may make the user sick." We can also mention: "XRSessions are typically presented full screen on the device, and upon exiting the full screen mode the session ends and the data is no longer reported."
We may want to clarify that we don't expose any "typical" PII (like serial numbers or user names).
For clarity, we should mention that the reported position and orientation data is derived from device sensors such as gyroscopes or cameras, but the sensor values themselves are not reported outside of the module that you mentioned.
While we are discussing the model element under the Immersive Web banner I don't see it becoming a WebXR API module, so we probably don't need to discuss it as part of this questionnaire. |
Thank you so much for review.
ah, from
replaced with this.
added both
added one bullet for clarification.
added one bullet.
added clarification. (I suppose we should, at least, mention since it's within IWWG/CG space) |
Looks good, thank you! One more comment:
I feel like this sentence was intended to go under the previous section about PII rather than the section about "sensitive information"? |
@toji Ah! yes, thank you for pointing. |
This is still draft version.
Detail analyses are also at privacy and security explainer.
The text was updated successfully, but these errors were encountered: