There is a minor privacy issue in distinguishing between "no apps are available" and "the user cancelled the share"; if only a handful of popular targets exist for a particular payload (especially if we add new share types that might have specialized handlers, e.g., for rare MIME types) then a malicious site could use navigator.share to check whether those apps are installed, based on the response string.
Also, in our current Android implementation, we are totally unable to distinguish between "no apps are available" and "the user cancelled the share". Therefore, let's just remove this provision. I won't go as far as to explicitly bar the user agent from distinguishing these, but add a note under security considerations.
mgiuca added a commit to mgiuca/web-share that referenced this issue Jun 2, 2017
Added a security consideration that implementations should be careful
about exposing this information.
This isn't a technical change, but changes a weak recommendation *to*
differentiate error cases to a weak recommendation *against* it.
Closes w3c#29.
Raised by @dbaron on the TAG review.
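The recommendation this issue settles on, sketched as an added example that is not part of the issue, the spec text or any browser's code: a model of the user-agent side that maps internal share outcomes to the rejection page script sees, with a check that "no apps are available" and "the user cancelled the share" are indistinguishable. The outcome names, the error name and the message strings are assumptions made for this model.

```javascript
// Added illustration: a model of a user agent's share() rejection path.
// Outcome names, the error name and the message strings are assumptions.
const Outcome = Object.freeze({
  SHARED: 'shared',
  USER_CANCELLED: 'user-cancelled',
  NO_TARGETS: 'no-targets',
});

function shareError(message) {
  const err = new Error(message);
  err.name = 'AbortError'; // assumed error name for a share that did not complete
  return err;
}

// Leaky mapping: the message reveals why the share failed.
function leakyRejection(outcome) {
  return outcome === Outcome.NO_TARGETS
    ? shareError('No apps are available for this share')
    : shareError('The user cancelled the share');
}

// Uniform mapping: every failure cause produces the same observable error.
function uniformRejection(_outcome) {
  return shareError('Share was not completed');
}

// Model of navigator.share(): platformOutcome stands in for what the OS share sheet reported.
function makeShare(platformOutcome, rejectionFor) {
  return function share(_data) {
    return platformOutcome === Outcome.SHARED
      ? Promise.resolve(undefined)
      : Promise.reject(rejectionFor(platformOutcome));
  };
}

// Everything page script can read from a rejection in this model.
function observable(err) {
  return JSON.stringify({ name: err.name, message: err.message });
}

// True when a page could tell "no targets" apart from "user cancelled".
function leaksTargetAvailability(rejectionFor) {
  return observable(rejectionFor(Outcome.NO_TARGETS)) !==
         observable(rejectionFor(Outcome.USER_CANCELLED));
}

console.log('leaky mapping leaks:  ', leaksTargetAvailability(leakyRejection));
console.log('uniform mapping leaks:', leaksTargetAvailability(uniformRejection));
```

A check like `leaksTargetAvailability` can serve as a regression test on an implementation's error mapping, so that a later change to the messages does not reintroduce the distinction.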