Rate limits to prevent excessive use #48

@anssiko

From w3c/security-request#71:

Limit API Usage
Global: A global rate limit should be implemented to restrict the number of vibration requests made within a certain period (e.g., per minute or hour), preventing excessive use.

Session-Based: To prevent prolonged abuse, set session-based limits on the total vibration duration or number of vibrations that can occur during a single-user session.

Site-based: per site and subdomains

Threats and Attacks:

Draining Battery/User’s Resources DoS.

This proposal was discussed at TPAC 2024, conclusion:

We're proposing to collect data from real-world users to understand what specific values to use for global rate limit that'd restrict the number of vibration requests made within a certain period. We will propose this in a future update to the specification when we have a large number of samples available to make an informed decision.

This issue is to gather data that'll help make an informed decision on the limits, including feedback from web developers and users to understand use cases that may be affected by the limits.
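
The three limit scopes quoted above (global, session-based, site-based) combined in one admission check, as an added example that is not part of the issue or the specification. The limit values, the `siteKey` simplification, the `sessionId` parameter and the `VibrationLimiter` name are all assumptions, since the issue states that real values are still to be determined from collected data.

```javascript
// Added illustration. All limit values are placeholders, not values from the spec.
const WINDOW_MS = 60_000;
const LIMITS = { globalPerWindow: 30, sitePerWindow: 10, sessionTotalMs: 60_000 };

// Assumption: a site is the last two host labels, so subdomains share a budget.
// A real user agent would derive the registrable domain from the Public Suffix List.
function siteKey(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Total vibrating time of a navigator.vibrate() pattern: even indices vibrate,
// odd indices are pauses and do not count toward the duration budget.
function vibrationMs(pattern) {
  const p = Array.isArray(pattern) ? pattern : [pattern];
  return p.reduce((sum, ms, i) => (i % 2 === 0 ? sum + ms : sum), 0);
}

class VibrationLimiter {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.globalHits = [];        // timestamps of accepted requests, all sites
    this.siteHits = new Map();   // site -> timestamps of accepted requests
    this.sessionMs = new Map();  // hypothetical session id -> vibration ms used
  }

  // Decide whether one vibration request is admitted at time `now` (ms).
  request(host, sessionId, pattern, now) {
    const ms = vibrationMs(pattern);
    // vibrate(0) / vibrate([]) cancels vibration; throttling it would prolong abuse.
    if (ms === 0) return { allowed: true, reason: 'cancel' };

    const fresh = (stamps) => stamps.filter((t) => now - t < WINDOW_MS);
    const site = siteKey(host);
    this.globalHits = fresh(this.globalHits);
    const siteStamps = fresh(this.siteHits.get(site) || []);
    this.siteHits.set(site, siteStamps);
    const used = this.sessionMs.get(sessionId) || 0;

    const deny = (reason) => ({ allowed: false, reason });
    if (this.globalHits.length >= this.limits.globalPerWindow) return deny('global');
    if (siteStamps.length >= this.limits.sitePerWindow) return deny('site');
    if (used + ms > this.limits.sessionTotalMs) return deny('session');

    // Only admitted requests consume budget, so denied calls cannot extend a block.
    this.globalHits.push(now);
    siteStamps.push(now);
    this.sessionMs.set(sessionId, used + ms);
    return { allowed: true, reason: 'ok' };
  }
}
```
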
