@@ -228,7 +228,66 @@ <h4>
228228 </ h4 >
229229 < p >
230230 When the {{Navigator/share()}} method is called with argument
231- |data:ShareData|, run the following steps:
231+ |data:ShareData|, run the listed steps listed below while taking
232+ into consideration the following security implications.
233+ </ p >
234+ < p >
235+ Web Share enables data to be sent from websites to a [=share
236+ target=], which can be a native applications. While this ability is
237+ not unique to Web Share, it does come with a number of potential
238+ security risks that can vary in severity (depending on the
239+ underlying platform).
240+ </ p >
241+ < p >
242+ The data passed to {{Navigator/share()}} might be used to exploit
243+ buffer overflow or other remote code execution vulnerabilities in
244+ the [=share target=] that receive shares. There is no general way
245+ to guard against this, but implementors will want to be aware that
246+ it is a possibility (particularly when sharing files).
247+ </ p >
248+ < p >
249+ [=Share targets=] that dereference a shared URL and forward that
250+ information on might inadvertently forward information that might
251+ be otherwise confidential. This can lead to unexpected information
252+ leakage if shares reference content that is only accessible by that
253+ application, the host on which it runs, or its network location.
254+ </ p >
255+ < p >
256+ Malicious sites might exploit share targets that leak information
257+ by providing URLs that ultimately resolve to local resources,
258+ including, but not limited to, "file:" URLs or local services that
259+ might otherwise be inaccessible. Even though this API limits shared
260+ URLS to a restricted set of [=sharable schemes=], use of redirects
261+ to other URLs or tweaks to DNS records for hosts in those URLs
262+ might be used to cause applications to acquire content.
263+ </ p >
264+ < p >
265+ To avoid being used in these attacks, share targets can consume the
266+ URL, retrieve the content, and process that information without
267+ sharing it. For instance, a photo editing application might
268+ retrieve an image that is "shared" with it. A share target can also
269+ share the URL without fetching any of the referenced content.
270+ </ p >
271+ < p >
272+ Share targets that fetch content for the purposes of offering a
273+ preview or for sharing content risk information leakage. Content
274+ that is previewed and authorized by a user might be safe to
275+ forward, however it is not always possible for a person to identify
276+ when information should be confidential, so forwarding any content
277+ presents a risk. In particular, the {{ShareData/title}} might be
278+ used by an attacker to trick a user into misinterpreting the nature
279+ of the content. <!--
280+ , as demonstrated in the [[Wylecial]] <a data-cite=
281+ "Wylecial#">proof of concept attack</a>
282+ -->
283+ </ p >
284+ < p >
285+ As with any user of {{DOMException}}, implementors need to
286+ carefully consider what information is revealed in the error
287+ message when {{Navigator/share()}} is rejected. Even distinguishing
288+ between the case where no [=share targets=] are available and user
289+ cancellation could reveal information about which share targets are
290+ installed on the user's device.
232291 </ p >
233292 < ol class ="algorithm ">
234293 < li > Let |document:Document| be the [=current settings object=]'s
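Review bot: the new introductory sentence (line 231+) doubles the word "listed" ("run the listed steps listed below"), and the following paragraph has two agreement errors: "which can be a native applications" and "the [=share target=] that receive shares". Suggest "run the steps listed below", "which can be a native application", and "[=share targets=] that receive shares". Separately, inserting eight paragraphs of informative security discussion between "run the following steps" and the `<ol class="algorithm">` separates the step introduction from the steps it introduces; consider keeping a one-sentence pointer here and moving the discussion into its own section or a `<div class="note">`, and either dropping or resolving the still-commented-out [[Wylecial]] citation rather than carrying the HTML comment forward.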
@@ -295,13 +354,17 @@ <h4>
295354 </ li >
296355 </ ol >
297356 </ li >
298- < li > Present the user with a choice of one or more < a > share
299- targets</ a > , selected at the user agent's discretion. The user
300- agent MUST give the user the option to cancel rather than
301- choosing any of the [=share targets=]. Wait for the user's
302- choice.
357+ < li > Present the user with a choice of one more < a > share
358+ targets</ a > and the ability abort the operation. This UI
359+ surface serves as a security confirmation, ensuring that
360+ websites cannot silently send data to native applications. The
361+ user agent SHOULD show intermediary UI through which the user
362+ can verify the shared content (if the OS-level UI does not
363+ provide this functionality).
303364 </ li >
304- < li > If the user chose to cancel the share operation, [=queue a
365+ < li > Wait for the user's choice.
366+ </ li >
367+ < li > If the user chose to abort the share operation, [=queue a
305368 global task=] on the [=user interaction task source=] using
306369 |global| to:
307370 < ol >
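Review bot: the rewritten chooser step drops the normative "MUST give the user the option to cancel" from the removed lines and replaces it with the non-normative "and the ability abort the operation", so the cancel option is no longer a conformance requirement; suggest "and MUST give the user the ability to abort the operation". The same line also reads "a choice of one more" (missing "or") and "the ability abort" (missing "to"). The new "SHOULD show intermediary UI ... (if the OS-level UI does not provide this functionality)" is a new requirement whose condition is left entirely to the implementer; it would help to state which {{ShareData}} members the user is expected to be able to verify, since {{ShareData/title}} is the one the security text later singles out as a vector for misleading the user.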
@@ -580,6 +643,11 @@ <h2>
580643 the string < code > < dfn class ="permission "> "web-share"</ dfn > </ code > . Its
581644 < a > default allowlist</ a > is '`self`'.
582645 </ p >
646+ < p >
647+ Developers can use the means afforded by the [[[permissions-policy]]]
648+ specification to control if and when a third-party context is [=allowed
649+ to use=] this API.
650+ </ p >
583651 < div class ="note ">
584652 < p >
585653 A < a > document</ a > ’s permission policy determines whether a
@@ -598,102 +666,24 @@ <h2>
598666 guidelines for the platform.
599667 </ p >
600668 </ section >
601- < section class =" informative " data-cite =" secure-contexts " >
669+ < section >
602670 < h2 >
603- Security and privacy considerations
671+ Privacy considerations
604672 </ h2 >
605- < p >
606- Web Share enables data to be sent from websites to a [=share target=],
607- which can be a native applications. While this ability is not unique to
608- Web Share, it does come with a number of potential security risks that
609- can vary in severity (depending on the underlying platform).
610- </ p >
611- < p >
612- The following points are worth considering:
613- </ p >
614673 < ul >
615- < li > The API does not expose to the website which [=share targets=] are
616- available, or which share target was chosen by the user from
617- {{Navigator/share()}}. Doing so could be used for fingerprinting by
618- leaking details about the user's device.
619- </ li >
620- < li > User agents are discouraged from showing any kind of "always use
621- this target in the future" option, or bypassing the UI if there is only
622- a single share target. Further, calls to {{Navigator.share()}} require
623- [=transient activation=] (i.e., some kind of user activation) before
624- any UI is presented to the user.
625- </ li >
626- < li > Implementors will want to carefully consider what information is
627- revealed in the error message when {{Navigator/share()}} is rejected.
628- Even distinguishing between the case where no targets are available and
629- user cancellation could reveal information about which apps are
630- installed on the user's device.
631- </ li >
632- < li > There is a requirement that {{Navigator/share()}} presents the user
633- with a dialog asking them to select a target application (even if there
634- is only one possible target). This surface serves as a security
635- confirmation, ensuring that websites cannot silently send data to
636- native applications.
637- </ li >
638- < li > Due to the capabilities of the API surface, {{Navigator/share()}}
639- is only [=exposed=] in [=secure contexts=] (such as `https://`
640- schemes).
641- </ li >
642- < li > Developers can use the means afforded by the
643- [[[permissions-policy]]] specification to control if and when a
644- third-party context is [=allowed to use=] this API.
674+ < li > By design, the API cannot be used by a website to learn which
675+ [=share targets=] are available, or which share target the user chose
676+ from {{Navigator/share()}}. This is to prevent leaking information that
677+ could be used for fingerprinting, as well as leaking details about the
678+ user's device or user's preferred share targets.
645679 </ li >
646680 < li > Use of {{Navigator/share()}} from a < a href =
647681 "https://en.wikipedia.org/wiki/Privacy_mode "> private browsing mode</ a >
648682 might leak private data to a third-party application that does not
649683 respect the user's privacy setting. User agents could present
650- additional warnings or disable the feature entirely when in a private
651- browsing mode, but this is not mandated as the chooser UI could be
652- considered sufficient warning.
653- </ li >
654- < li > The data passed to {{Navigator/share()}} might be used to exploit
655- buffer overflow or other remote code execution vulnerabilities in
656- native applications that receive shares. There is no general way to
657- guard against this, but implementors will want to be aware that it is a
658- possibility (particularly when sharing files).
659- </ li >
660- < li >
661- < p >
662- [=Share targets=] that dereference a shared URL and forward that
663- information on might inadvertently forward information that might
664- be otherwise confidential. This can lead to unexpected information
665- leakage if shares reference content that is only accessible by that
666- application, the host on which it runs, or its network location.
667- </ p >
668- < p >
669- Malicious sites might exploit share targets that leak information
670- by providing URLs that ultimately resolve to local resources,
671- including, but not limited to, "file:" URLs or local services that
672- might otherwise be inaccessible. Even though this API limits shared
673- URLS to a restricted set of [=sharable schemes=], use of redirects
674- to other URLs or tweaks to DNS records for hosts in those URLs
675- might be used to cause applications to acquire content.
676- </ p >
677- < p >
678- To avoid being used in these attacks, share targets can consume the
679- URL, retrieve the content, and process that information without
680- sharing it. For instance, a photo editing application might
681- retrieve an image that is "shared" with it. A share target can also
682- share the URL without fetching any of the referenced content.
683- </ p >
684- < p >
685- Share targets that fetch content for the purposes of offering a
686- preview or for sharing content risk information leakage. Content
687- that is previewed and authorized by a user might be safe to
688- forward, however it is not always possible for a person to identify
689- when information should be confidential, so forwarding any content
690- presents a risk. In particular, the {{ShareData/title}} might be
691- used by an attacker to trick a user into misinterpreting the nature
692- of the content. <!--
693- , as demonstrated in the [[Wylecial]] <a data-cite=
694- "Wylecial#">proof of concept attack</a>
695- -->
696- </ p >
684+ additional warnings or MAY disable the feature entirely when in a
685+ private browsing mode, but this is not mandated as the chooser UI could
686+ be considered sufficient warning.
697687 </ li >
698688 </ ul >
699689 </ section >
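Review bot: three of the removed bullets are not re-homed anywhere in this patch: the discouragement of "always use this target in the future" options and of bypassing the chooser UI when there is only a single share target, the note that calls to {{Navigator.share()}} require [=transient activation=] before any UI is shown, and the statement that {{Navigator/share()}} is only [=exposed=] in [=secure contexts=]. The rest of the old section reappears in the algorithm prose, the chooser step and the permissions-policy section, but these three are simply lost, and dropping `data-cite="secure-contexts"` from the section element also removes the reference the last one relied on; suggest restoring them, either as bullets here or next to the new chooser step. Also, removing `class="informative"` makes this section normative, so the new "MAY disable the feature entirely" becomes an RFC 2119 statement sitting beside the non-normative "could present additional warnings" in the same sentence; either keep the section informative and use lowercase "may", or make the whole sentence consistently normative.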