Hello P5 folks,
I’m working on a WEBGL project that uses phone accelerometers. I’m finding that sketches hosted by the p5 servers work great. But when I host a project on my own server the site no longer responds to the rotation data. Is there a security issue that the P5 servers bypass somehow?
For example, this Jiashan Wu / Daniel Shiffman sketch works great on my phone.
https://editor.p5js.org/shiffman/full/BJxoCbdxx
but when I host the same project on my greenGeeks server
http://www.joemckaystudio.com/Accelerometerdata/
it no longer works.
Any insight much appreciated.
Hello @JoeMcKay,
Web APIs that potentially reveal personal information, like sensor data, are only available in a secure context, that is, when served over SSL/TLS. Once you make your website available over HTTPS the sketch will probably start working.
4.2.1. Secure Context
Sensor readings are explicitly flagged by the Secure Contexts specification [POWERFUL-FEATURES] as a high-value target for network attackers. Thus all interfaces defined by this specification or extension specifications are only available within a secure context.
That makes sense. I’ll work on getting the ‘s’ added to my page. (Although what a hacker would do with someone’s phone rotation data is beyond me.)
Thanks for the quick reply.
Your phone’s movement can potentially tell things about you. Are you sitting still, walking, running, sitting in a moving vehicle? Other information could probably be inferred, like figuring out what a person is typing on a smartphone keyboard. Perhaps the phone’s movement when you touch m on the soft keyboard differs a bit from when you touch q. (Just a contrived example. There are more straightforward ways to snoop on what a person is typing.)
Is it probable that an attacker would exploit this on your website? No, I don’t think so. But is it possible? Absolutely! And that’s why those APIs are only allowed within a secure context. It’s a good thing.
Yeah, it is a good thing and it makes sense in combination with other sensors.
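The secure-context rule discussed in this thread, as an added example (not code from the thread or from p5.js): a simplified version of the "potentially trustworthy origin" test, plus a guard around the motion listener. The function names are hypothetical, and the browser's own `window.isSecureContext` remains the authoritative check.

```javascript
// Simplified approximation of the Secure Contexts "potentially trustworthy
// origin" rules. Assumption: only the common cases are covered here.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable URL: treat as not trustworthy
  }
  const scheme = url.protocol.replace(/:$/, "");
  if (scheme === "https" || scheme === "wss") return true; // authenticated transport
  if (scheme === "file") return true; // browsers commonly treat local files as trustworthy
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // IPv6 loopback
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true; // IPv4 loopback, 127.0.0.0/8
  return false; // plain http:// to a public host lands here
}

// Subscribe to motion data only when the page runs in a secure context.
// `win` is a window-like object; pass the real `window` in a browser.
function startMotion(win, onReading) {
  if (!win.isSecureContext) {
    return { ok: false, reason: "insecure context: serve the page over HTTPS" };
  }
  if (typeof win.DeviceMotionEvent === "undefined") {
    return { ok: false, reason: "DeviceMotionEvent is not supported here" };
  }
  win.addEventListener("devicemotion", (e) =>
    onReading(e.accelerationIncludingGravity)
  );
  return { ok: true, reason: "listening for devicemotion" };
}
```

Returning the reason instead of failing silently makes the cause visible on the page when a sketch stops responding after being moved to a plain-HTTP host.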