Starting with Firefox 60 —expected to be released in May 2018— websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information.
Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs.
But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default.
This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors.
A total of five new flags added
The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.
device.sensors.ambientLight.enabled
The Firefox code commit in which these two flags were added also includes three other flags: one to enable or disable all sensor APIs, one to enable/disable the Device Orientation Sensor API, and one to enable/disable the Motion Sensor API.
device.sensors.orientation.enabled
device.sensors.motion.enabled
These three flags will ship enabled by default, as access to these two APIs is needed by a wide range of mobile websites.
Privacy concerns over the Proximity and Ambient Light APIs
The Proximity and Ambient Light sensors are both new and highly controversial. A key factor in the decision to ship these two APIs disabled by default is the work of privacy expert Lukasz Olejnik.
Olejnik published two research reports on the possible ways attackers and advertisers could abuse these two APIs.
For example, Olejnik argued that the W3C Proximity Sensor API could allow websites and advertisers to query the position of nearby objects in relation to a user's smartphone or tablet. He also argued that malicious sites could use the W3C Ambient Light Sensor API to steal browser data.
Shipping these two APIs off by default takes care of some of Olejnik's concerns, although it does not mitigate the risk altogether.
"More user control is always good," Olejnik said regarding Mozilla's decision.
Comments
GT500 - 6 years ago
In the current stable Firefox mobile build, "device.sensors.enabled" is present in "about:config", and is set to "true" by default.
It's now set to "false" on my phone. :P
Thanks for the info.
forum11 - 6 years ago
I am relieved that these flags are finally being added! It's icing on the cake to have them disabled by default, although if I had it my way pretty much everything would be opt-in vs. opt-out. I feel that Firefox has been on a tear lately, adding every new thing that comes out of the W3C, a lot of it questionable, and not giving users control over it.
garbagefonking - 6 years ago
How the fuck does garbage like this get added to a browser in the first place.
If people knew this kind of shit existed they would try to avoid it. Fucking morons developing software are completely out of touch, do they even use the garbage they make?
Nobody wants a browser that stuffs you with notifications and adds bloated useless realtime communicating, depth pressure sensing, ambient light/sound/radio/positioning, app installing unsafe/slow/battery wasting garbage.
People want a browser that's just a browser. If I tell you to render a webpage just do it as fast as possible. Nothing less, nothing more. It isn't that fucking hard. If any of the browser developers stopped wasting time on this useless garbage they'd find that they wouldn't have to constantly strip things back out of the browser and people might actually enjoy using it.
forum11 - 6 years ago
"How... does garbage like this get added to a browser in the first place."
I primarily blame the W3C (see my previous post). They've severely lost their way and Mozilla/Firefox is happily following along, although maybe Mozilla is starting to come to its senses at least to some degree. It's no wonder that the Electronic Frontier Foundation resigned from the W3C last year.