A new feature that gives users granular control over permissions that allow websites to access motion and light sensors could soon make its way over to Chrome, after being spotted by Reddit user “Leopeva64-2” in the browser’s Canary Channel. That’s coupled with a change to the browser’s UI that showcases a new icon in the Omnibox, indicating that a given site is accessing the sensors.
Clicking on the icon, currently shaped like a dot with audio bars, brings forward options to block the site’s use of the sensors and manage associated permissions. As with other permissions, the change appears to indicate that the permissions can be controlled on a site-by-site basis or via a toggle switch that shuts off access altogether.
What harm could access to these sensors do?
Websites having access to the sensors in question is not new, with the APIs allowing that access having been added to web standards by the World Wide Web Consortium (W3C) back in 2017. The addition was made as part of the consortium's wider push to standardize web application and progressive web application performance in a more 'local' direction -- allowing them to perform more similarly to native apps and software.
Specifically, the W3C noted the additions as being made in support of use cases such as home automation, accessibility, personal weather forecast, and sports and fitness monitoring as well as more mundane features such as automatic dimming. The change was, however, immediately followed by reports from various security blogs remarking on how access to the new APIs could allow bad actors to steal personal data from users.
Some of those reports went so far as to showcase how an attack could successfully be implemented. For instance, the data associated with ambient light sensors can clue an attacker in to the colors that are being presented on the user's screen, giving away what site is being accessed and other information.
The shift from Google to address possible privacy concerns stemming from the sensors follows several other directional changes from the company on that front and therefore shouldn't be too surprising. Prior to this, Google began putting a much tighter set of controls over web extensions, made changes to how Chrome does or does not sign users in, and most recently even added support for an alternative privacy-focused search engine.
The when and the where
No indication is provided regarding exactly which version or variant of Chrome the change was spotted in. The UI shown in the images for the change appears to be the same as that found in desktop versions of the software rather than the mobile version. Chrome 74 is the most recent beta version of the browser and that's scheduled to remain the case until at least March 28 -- with that version heading to the Stable Channel in mid-April.
If the new permission settings follow trends in previous adjustments, they should eventually make their way across every platform from Chrome OS to Android. The change won't necessarily appear in Chrome 74 and doesn't appear in the currently scheduled changes for that update number. So it will most likely be pushed back until at least Chrome 75.