From 062a18796d917eca9c0ec82aa6b1794412032c2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Fri, 1 Jul 2022 14:32:43 +1000 Subject: [PATCH] Move Priv/Sec into spec --- index.html | 170 ++++++++++++++++++++++++++--------------------------- 1 file changed, 85 insertions(+), 85 deletions(-) diff --git a/index.html b/index.html index bab77af..3960e8c 100644 --- a/index.html +++ b/index.html @@ -228,7 +228,66 @@

When the {{Navigator/share()}} method is called with argument - |data:ShareData|, run the following steps: + |data:ShareData|, run the listed steps listed below while taking + into consideration the following security implications. +

+

+ Web Share enables data to be sent from websites to a [=share + target=], which can be a native applications. While this ability is + not unique to Web Share, it does come with a number of potential + security risks that can vary in severity (depending on the + underlying platform). +

+

+ The data passed to {{Navigator/share()}} might be used to exploit + buffer overflow or other remote code execution vulnerabilities in + the [=share target=] that receive shares. There is no general way + to guard against this, but implementors will want to be aware that + it is a possibility (particularly when sharing files). +

+

+ [=Share targets=] that dereference a shared URL and forward that + information on might inadvertently forward information that might + be otherwise confidential. This can lead to unexpected information + leakage if shares reference content that is only accessible by that + application, the host on which it runs, or its network location. +

+

+ Malicious sites might exploit share targets that leak information + by providing URLs that ultimately resolve to local resources, + including, but not limited to, "file:" URLs or local services that + might otherwise be inaccessible. Even though this API limits shared + URLS to a restricted set of [=sharable schemes=], use of redirects + to other URLs or tweaks to DNS records for hosts in those URLs + might be used to cause applications to acquire content. +

+

+ To avoid being used in these attacks, share targets can consume the + URL, retrieve the content, and process that information without + sharing it. For instance, a photo editing application might + retrieve an image that is "shared" with it. A share target can also + share the URL without fetching any of the referenced content. +

+

+ Share targets that fetch content for the purposes of offering a + preview or for sharing content risk information leakage. Content + that is previewed and authorized by a user might be safe to + forward, however it is not always possible for a person to identify + when information should be confidential, so forwarding any content + presents a risk. In particular, the {{ShareData/title}} might be + used by an attacker to trick a user into misinterpreting the nature + of the content. +

+

+ As with any user of {{DOMException}}, implementors need to + carefully consider what information is revealed in the error + message when {{Navigator/share()}} is rejected. Even distinguishing + between the case where no [=share targets=] are available and user + cancellation could reveal information about which share targets are + installed on the user's device.

  1. Let |document:Document| be the [=current settings object=]'s @@ -295,12 +354,17 @@
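Review bot: in the first hunk (@@ -228,7 +228,66 @@) the security paragraphs are spliced into the {{Navigator/share()}} algorithm between its introductory sentence and step 1, so the normative steps are now separated from their lead-in by several paragraphs of non-normative discussion; consider keeping this text in a dedicated considerations section (the one this patch renames to "Privacy considerations") and referencing it from the algorithm, or wrapping the paragraphs in the spec's note styling so they cannot be read as steps. The introductory sentence also has a duplicated word: "run the listed steps listed below while taking into consideration" should read "run the steps listed below, taking into consideration". Further wording fixes in the same hunk: "which can be a native applications" to "which can be native applications", "the [=share target=] that receive shares" to "that receives shares", "shared URLS" to "shared URLs", and "As with any user of {{DOMException}}" to "As with any use of {{DOMException}}". Finally, "a restricted set of [=sharable schemes=]" replaces the explicit "http:" and "https:" list from the removed text; confirm that a [=sharable schemes=] definition exists so the cross-reference resolves.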

-
  • Present the user with a choice of one or more share - targets, selected at the user agent's discretion. The user - MUST be given the option to cancel rather than choosing any of - the share targets. Wait for the user's choice. +
  • Present the user with a choice of one more share + targets and the ability abort the operation. This UI + surface serves as a security confirmation, ensuring that + websites cannot silently send data to native applications. The + user agent SHOULD show intermediary UI through which the user + can verify the shared content (if the OS-level UI does not + provide this functionality). +
  • +
  • Wait for the user's choice.
  • -
  • If the user chose to cancel the share operation, [=queue a +
  • If the user chose to abort the share operation, [=queue a global task=] on the [=user interaction task source=] using |global| to:
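Review bot: the replacement bullet in this hunk (@@ -295,12 +354,17 @@) drops the normative requirement from the removed text that the user MUST be given the option to cancel rather than choosing any of the share targets; "the ability abort the operation" is descriptive, not a conformance requirement, and the removed considerations bullet's clause that the chooser is shown even if there is only one possible target is not carried over either. Suggest: "Present the user with a choice of one or more share targets, selected at the user agent's discretion, and the ability to abort the operation. The user MUST be given the option to abort rather than choosing any of the share targets, even if only one share target is available." That also fixes the two typos in the new text ("one more share targets", "the ability abort"). Since the later step was renamed from "cancel" to "abort", check that any other mention of cancelling the share elsewhere in the document is renamed to match.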
      @@ -580,6 +644,11 @@

      the string "web-share". Its default allowlist is '`self`'.

      +

      + Developers can use the means afforded by the [[[permissions-policy]]] + specification to control if and when a third-party context is [=allowed + to use=] this API. +

      A document’s permission policy determines whether a @@ -598,93 +667,24 @@
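Review bot: the sentence added in this hunk (@@ -580,6 +644,11 @@), "Developers can use the means afforded by the [[[permissions-policy]]] specification to control if and when a third-party context is [=allowed to use=] this API.", is inserted between the feature identifier and default allowlist definition and the existing paragraph that begins "A document's permission policy determines whether a", so the developer-facing remark interrupts the definition and its explanation; move it after that paragraph. Also "if and when" is loose for a policy that is either granted or not in a given context; "whether" reads better.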

      guidelines for the platform.

      -
      +

      - Security and privacy considerations + Privacy considerations

      -

      - Web Share enables data to be sent from websites to native applications. - While this ability is not unique to Web Share, it does come with a - number of potential security issues that can vary in severity - (depending on the underlying platform). -

        -
      • There is a requirement to not allow the website to learn which apps - are installed, or which app was chosen from {{Navigator/share()}}, - because this information could be used for fingerprinting, as well as - leaking details about the user's device. -
      • -
      • Implementors will want to carefully consider what information is - revealed in the error message when {{Navigator/share()}} is rejected. - Even distinguishing between the case where no targets are available and - user cancellation could reveal information about which apps are - installed on the user's device. -
      • -
      • There is a requirement that {{Navigator/share()}} presents the user - with a dialog asking them to select a target application (even if there - is only one possible target). This surface serves as a security - confirmation, ensuring that websites cannot silently send data to - native applications. -
      • -
      • Due to the capabilities of the API surface, {{Navigator/share()}} - is only [=exposed=] in [=secure contexts=] (such as `https://` - schemes). -
      • -
      • Developers can use the means afforded by the - [[[permissions-policy]]] specification to control if and when a - third-party context is [=allowed to use=] this API. +
      • By design, the API cannot be used by a website to learn which + [=share targets=] are available, or which share target the user chose + from {{Navigator/share()}}. This is to prevent leaking information that + could be used for fingerprinting, as well as leaking details about the + user's device or user's preferred share targets.
      • Use of {{Navigator/share()}} from a private browsing mode might leak private data to a third-party application that does not respect the user's privacy setting. User agents could present - additional warnings or disable the feature entirely when in a private - browsing mode, but this is not mandated as the chooser UI could be - considered sufficient warning. -
      • -
      • The data passed to {{Navigator/share()}} might be used to exploit - buffer overflow or other remote code execution vulnerabilities in - native applications that receive shares. There is no general way to - guard against this, but implementors will want to be aware that it is a - possibility. -
      • -
      • -

        - Share targets that dereference a shared URL and forward that - information on might inadvertently forward information that might - be otherwise confidential. This can lead to unexpected information - leakage if shares reference content that is only accessible by that - application, the host on which it runs, or its network location. -

        -

        - Malicious sites might exploit share targets that leak information - by providing URLs that ultimately resolve to local resources, - including, but not limited to, "file:" URLs or local services that - might otherwise be inaccessible. Even though this API limits shared - URLS to "http:" and "https:", use of redirects to other URLs or - tweaks to DNS records for hosts in those URLs might be used to - cause applications to acquire content. -

        -

        - To avoid being used in these attacks, share targets can consume the - URL, retrieve the content, and process that information without - sharing it. For instance, a photo editing application might - retrieve an image that is "shared" with it. A share target can also - share the URL without fetching any of the referenced content. -

        -

        - Share targets that fetch content for the purposes of offering a - preview or for sharing content risk information leakage. Content - that is previewed and authorized by a user might be safe to - forward, however it is not always possible for a person to identify - when information should be confidential, so forwarding any content - presents a risk. In particular, the {{ShareData/title}} might be - used by an attacker to trick a user into misinterpreting the nature - of the content. -

        + additional warnings or MAY disable the feature entirely when in a + private browsing mode, but this is not mandated as the chooser UI could + be considered sufficient warning.
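Review bot: in the last hunk (@@ -598,93 +667,24 @@) the bullet stating that {{Navigator/share()}} is only [=exposed=] in [=secure contexts=] is deleted and not re-added by any other hunk of this patch, unlike the other removed bullets, which are moved into the algorithm, the step describing the chooser, or the permissions-policy section; keep it in the renamed section or move it with the other security text, since it is the property that lets the rest of the considerations assume an authenticated origin. In the retained private-browsing bullet, "User agents could present additional warnings or MAY disable the feature entirely ... but this is not mandated" mixes an informal "could" with an RFC 2119 MAY and then restates the MAY in prose; pick one form, for example "User agents MAY present additional warnings or disable the feature entirely in a private browsing mode; the chooser UI could be considered sufficient warning."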