-
Notifications
You must be signed in to change notification settings - Fork 34
/
index.bs
1481 lines (1255 loc) · 59.1 KB
/
index.bs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<pre class="metadata">
Title: Self-Review Questionnaire: Security and Privacy
Status: ED
TR: https://www.w3.org/TR/security-privacy-questionnaire/
ED: https://w3ctag.github.io/security-questionnaire/
Shortname: security-privacy-questionnaire
Repository: w3ctag/security-questionnaire
Level: None
Editor: Theresa O’Connor, w3cid 40614, Apple Inc. https://apple.com, [email protected]
Editor: Peter Snyder, w3cid 109401, Brave Software https://brave.com, [email protected]
Former Editor: Jason Novak, Apple Inc., https://apple.com
Former Editor: Lukasz Olejnik, Independent researcher, https://lukaszolejnik.com
Former Editor: Mike West, Google Inc., [email protected]
Former Editor: Yan Zhu, Yahoo Inc., [email protected]
Group: tag
Markup Shorthands: css no, markdown yes
Local Boilerplate: status yes
Local Boilerplate: copyright yes
Abstract: This document contains a set of questions to be used when
evaluating the security and privacy implications of web platform
technologies.
</pre>
<h2 id="intro">Introduction</h2>
When designing new features for the Web platform,
we must always consider the security and privacy implications of our work.
New Web features should always
maintain or enhance
the overall security and privacy of the Web.
This document contains a set of questions
intended to help <abbr title="specification">spec</abbr> authors
as they think through
the security and privacy implications
of their work and write the narrative Security Considerations and Privacy
Considerations sections for inclusion in-line in their specifications,
as described below in [[#considerations]].
It also documents mitigation strategies
that spec authors can use to address
security and privacy concerns they encounter as they work on their spec.
This document is itself a work in progress,
and there may be security or privacy concerns
which this document does not (yet) cover.
Please [let us know](https://github.com/w3ctag/security-questionnaire/issues/new)
if you identify a security or privacy concern
this questionnaire should ask about.
<h3 id="howtouse">How To Use The Questionnaire</h3>
Work through these questions
early on in the design process,
when things are easier to change.
When privacy and security issues are only found later,
after a feature has shipped,
it's much harder to change the design.
If security or privacy issues are found late,
user agents may need to adopt breaking changes
to fix the issues.
Keep these questions in mind while working on specifications.
Periodically revisit this questionnaire and continue to consider the questions,
particularly as a design changes over time.
<h3 id=resources>Additional resources</h3>
The Mitigating Browser Fingerprinting in Web Specifications
[[FINGERPRINTING-GUIDANCE]] document published by PING goes into
further depth about browser fingerprinting and should be considered in
parallel with this document.
The IETF's RFC about privacy considerations, [[RFC6973]], is a
wonderful resource, particularly section 7.
<h3 id=reviews>TAG, PING, security reviews and this questionnaire</h3>
Before requesting
privacy and
security reviews from the [Privacy Interest Group
(PING)](https://www.w3.org/Privacy/IG/) and security reviewers,
write "Security Considerations" and
"Privacy Considerations" sections in your document, as described in
[[#considerations]]. Answering the questions in this
document will, we hope, inform your writing of those sections. It is not
appropriate, however, to merely copy this questionnaire into those sections.
Instructions for requesting security and privacy reviews can be
found in the document
<cite>[How to do Wide Review](https://www.w3.org/Guide/documentreview/#how_to_get_horizontal_review)</cite>.
When requesting
a [review](https://github.com/w3ctag/design-reviews)
from the [Technical Architecture Group (TAG)](https://www.w3.org/2001/tag/),
please provide the TAG with answers
to the questions in this document.
[This Markdown
template](https://raw.githubusercontent.com/w3ctag/security-questionnaire/main/questionnaire.markdown)
may be useful when doing so.
<h2 id="questions">Questions to Consider</h2>
<h3 class=question id="purpose">
What information does this feature expose,
and for what purposes?
</h3>
User agents should only expose information to the Web
when doing so is necessary to serve a clear user need.
Does your feature expose information to websites?
If so, how does exposing this information benefit the user?
Are the risks to the user outweighed by the benefits to the user?
If so, how?
See also
* [[DESIGN-PRINCIPLES#priority-of-constituencies]]
When answering this question, please consider each of these four possible
areas of information disclosure / sharing.
For the below sub-questions,
please take the term *potentially identifying information*
to mean information that describes the browser user,
distinct from others who use the same browser version.
Examples of such *potentially identifying information* include information
about the browser user's environment (e.g., operating system configuration,
browser configuration, hardware capabilities), and the user's prior activities
and interests (e.g., browsing history, purchasing preferences, personal
characteristics).
1. What information does your spec expose to the **first party** that
the **first party** cannot currently easily determine.
2. What information does your spec expose to **third parties** that
**third parties** cannot currently easily determine.
3. What *potentially identifying information* does your spec expose to the
**first party** that the **first party** can already access (i.e., what
identifying information does your spec duplicate or mirror).
4. What *potentially identifying information* does your spec expose to
**third parties** that **third parties** can already access.
<h3 class=question id="minimum-data">
Do features in your specification expose the minimum amount of information
necessary to implement the intended functionality?
</h3>
Features should only expose information
when it's absolutely necessary.
If a feature exposes more information than is necessary,
why does it do so, and can that the same functionality be achieved by
exposing less information?
See also
* [[#data-minimization]]
<p class=example>
Content Security Policy [[CSP]] unintentionally exposed redirect targets
cross-origin by allowing one origin to infer details about another origin
through violation reports (see [[HOMAKOV]]). The working group eventually
mitigated the risk by reducing a policy's granularity after a redirect.
</p>
<h3 class=question id="personal-data">
Do the features in your specification expose personal information,
personally-identifiable information (PII), or information derived from
either?
</h3>
Personal information is any data about a user
(for example, their home address),
or information that could be used to identify a user,
such as an alias, email address, or identification number.
Note: Personal information is
distinct from personally identifiable information
(<abbr title="personally identifiable information">PII</abbr>).
PII is a legal concept,
the definition of which varies from jurisdiction to jurisdiction.
When used in a non-legal context,
PII tends to refer generally
to information
that could be used to identify a user.
When exposing
personal information, PII, or derivative information,
specification authors must prevent or, when prevention is not possible, minimize
potential harm to users.
<p class=example>
A feature
which gathers biometric data
(such as fingerprints or retina scans)
for authentication
should not directly expose this biometric data to the web.
Instead,
it can use the biometric data
to look up or generate some temporary key which is not shared across origins
which can then be safely exposed to the origin. [[WEBAUTHN]]
</p>
Personal information, PII, or their derivatives
should not be exposed to origins
without [meaningful user consent](https://w3ctag.github.io/design-principles/#consent).
Many APIs
use the Permissions API to acquire meaningful user consent.
[[PERMISSIONS]]
Keep in mind
that each permission prompt
added to the web platform
increases the risk
that users will ignore
the contents of all permission prompts.
Before adding a permission prompt, consider your options for using
a less obtrusive way to gain meaningful user consent.
[[ADDING-PERMISSION]]
<p class=example>
`<input type=file>` can be used to upload
documents containing personal information
to websites.
It makes use of
the underlying native platform's file picker
to ensure the user understands
that the file and its contents
will be exposed to the website,
without a separate permissions prompt.
</p>
See also
* [[#user-mediation]]
* [[DESIGN-PRINCIPLES#consent]]
<h3 class=question id="sensitive-data">
How do the features in your specification deal with sensitive information?
</h3>
Personal information is not the only kind of sensitive information.
Many other kinds of information may also be sensitive.
What is or isn't sensitive information can vary
from person to person
or from place to place.
Information that would be harmless if known about
one person or group of people
could be dangerous if known about
another person or group.
Information about a person
that would be harmless in one country
might be used in another country
to detain, kidnap, or imprison them.
Examples of sensitive information include:
caste,
citizenship,
color,
credentials,
criminal record,
demographic information,
disability status,
employment status,
ethnicity,
financial information,
health information,
location data,
marital status,
political beliefs,
profession,
race,
religious beliefs or nonbeliefs,
sexual preferences,
and
trans status.
When a feature exposes sensitive information to the web,
its designers must take steps
to mitigate the risk of exposing the information.
<div class=example>
The Credential Management API allows sites
to request a user's credentials
from a password manager. [[CREDENTIAL-MANAGEMENT-1]]
If it exposed the user's credentials to JavaScript,
and if the page using the API were vulnerable to [=XSS=] attacks,
the user's credentials could be leaked to attackers.
The Credential Management API
mitigates this risk
by not exposing the credentials to JavaScript.
Instead, it exposes
an opaque {{FormData}} object
which cannot be read by JavaScript.
The spec also recommends
that sites configure Content Security Policy [[CSP]]
with reasonable [=connect-src=] and [=form-action=] values
to further mitigate the risk of exfiltration.
</div>
Many use cases
which require location information
can be adequately served
with very coarse location data.
For instance,
a site which recommends restaurants
could adequately serve its users
with city-level location information
instead of exposing the user's precise location.
See also
* [[DESIGN-PRINCIPLES#do-not-expose-use-of-assistive-tech]]
<h3 class=question id=hidden-data>
Does data exposed by your specification carry related but distinct
information that may not be obvious to users?
</h3>
Features which enable users
to share data with origins
should ensure that such data
does not carry embedded, possibly hidden, information
without the user's awareness, understanding, and consent.
Documents
such as image or video files
often contain metadata about
where and when the image, video, or audio was captured
and
what kind of device captured or produced the data.
When uploaded,
this kind of metadata
may reveal to origins
information the user did not intend to reveal,
such as the user's present or past location
and socioeconomic status.
User agents should enable users to choose
whether or not to share such data with sites,
and the default should be that such data
is not shared.
<h3 class=question id="persistent-origin-specific-state">
Do the features in your specification introduce state
that persists across browsing sessions?
</h3>
The Web platform already includes many mechanisms
origins can use to
store information.
Cookies,
`ETag`,
`Last Modified`,
{{localStorage}},
and
{{indexedDB}},
are just a few examples.
Allowing a website
to store data
on a user’s device
in a way that persists across browsing sessions
introduces the risk
that this state may be used
to track a user
without their knowledge or control,
either in [=first-party-site context|first-=] or [=third-party context|third-party=] contexts.
One way
user agents prevent origins from
abusing client-side storage mechanisms
is by providing users with the ability
to clear data stored by origins.
Specification authors should include similar
protections to make sure that new
client-side storage mechanisms
cannot be misused to track users across domains
without their control.
However, just giving users the ability
to delete origin-set state is usually
not sufficient since users rarely
manually clear browser state.
Spec authors should consider ways
to make new features more privacy-preserving without full storage clearing,
such as
reducing the uniqueness of values,
rotating values,
or otherwise making features no more identifying than is needed.
<!-- https://github.com/w3ctag/design-principles/issues/215 -->
Additionally, specification authors
should carefully consider and specify, when possible,
how their features should interact with browser caching
features. Additional mitigations may be necessary to
prevent origins from abusing caches to
identify and track users across sites or sessions without user consent.
<p class=example>
Platform-specific DRM implementations
(such as [=content decryption modules=] in [[ENCRYPTED-MEDIA]])
might expose origin-specific information
in order to help identify users
and determine whether they ought to be granted access
to a specific piece of media.
These kinds of identifiers
should be carefully evaluated
to determine how abuse can be mitigated;
identifiers which a user cannot easily change
are very valuable from a tracking perspective,
and protecting such identifiers
from an [=active network attacker=]
is vital.
</p>
<h3 class=question id="underlying-platform-data">
Do the features in your specification expose information about the
underlying platform to origins?
</h3>
(Underlying platform information includes
user configuration data,
the presence and attributes of hardware I/O devices such as sensors,
and the availability and behavior of various software features.)
If so, is the same information exposed across origins?
Do different origins see different data or the same data?
Does the data change frequently or rarely?
Rarely-changing data exposed to multiple origins
can be used to uniquely identify a user across those origins.
This may be direct
(when the piece of information is unique)
or indirect
(because the data may be combined with other data to form a fingerprint). [[FINGERPRINTING-GUIDANCE]]
When considering whether or not to expose such information,
specs and user agents
should not consider the information in isolation,
but should evaluate the risk of adding it
to the existing fingerprinting surface of the platform.
Keep in mind that
the fingerprinting risk of a particular piece of information
may vary between platforms.
The fingerprinting risk of some data
on the hardware and software platforms *you* use
may be different than
the fingerprinting risk on other platforms.
When you do decide to expose such information,
you should take steps to mitigate the harm of such exposure.
Sometimes the right answer is to not expose the data in the first place (see [[#drop-feature]]).
In other cases,
reducing fingerprintability may be as simple as
ensuring consistency—for instance,
by ordering a list of available resources—but sometimes,
more complex mitigations may be necessary.
See [[#mitigations]] for more.
If features in your spec expose such data
and does not define adequate mitigations,
you should ensure that such information
is not revealed to origins
without [[DESIGN-PRINCIPLES#consent|meaningful user consent]],
and
you should clearly describe this
in your specification's Security and Privacy Considerations sections.
<p class=example>
WebGL's `RENDERER` string
enables some applications to improve performance.
It's also valuable fingerprinting data.
This privacy risk must be carefully weighed
when considering exposing such data to origins.
</p>
<p class=example>
The [=PDF viewer plugin objects=] list almost never changes.
Some user agents have [disabled direct enumeration of the plugin list](https://bugzilla.mozilla.org/show_bug.cgi?id=757726)
to reduce the fingerprinting harm of this interface.
</p>
See also:
* [[DESIGN-PRINCIPLES#device-ids|Use care when exposing identifying information about devices]]
* [[DESIGN-PRINCIPLES#device-enumeration|Use care when exposing APIs for selecting or enumerating devices]]
<h3 class=question id=send-to-platform>
Does this specification allow an origin to send data to the underlying
platform?
</h3>
If so, what kind of data can be sent?
Platforms differ in how they process data passed into them,
which may present different risks to users.
Don't assume the underlying platform will safely handle the data that is passed.
Where possible, mitigate attacks by limiting or structuring the kind of data is passed to the platform.
<div class=example>
URLs may or may not be dereferenced by a platform API,
and if they are dereferenced,
redirects may or may not be followed.
If your specification sends URLs to underlying platform APIs,
the potential harm of *your* API
may vary depending on
the behavior of the various underlying platform APIs it's built upon.
What happens when `file:`, `data:`, or `blob:` URLs
are passed to the underlying platform API?
These can potentially read sensitive data
directly form the user's hard disk or from memory.
Even if your API only allows `http:` and `https:` URLs,
such URLs may be vulnerable to [=CSRF=] attacks,
or be redirected to `file:`, `data:`, or `blob:` URLs.
</div>
<h3 class=question id="sensor-data">
Do features in this specification enable access to device sensors?
</h3>
If so, what kinds of information from or about the sensors are exposed to origins?
Information from sensors may serve as a fingerprinting vector across origins.
Additionally,
sensors may reveal something sensitive about the device or its environment.
If sensor data is relatively stable
and consistent across origins,
it could be used as a cross-origin identifier.
If two User Agents expose such stable data from the same sensors,
the data could even be used as a cross-browser, or potentially even a cross-device, identifier.
<p class=example>
Researchers discovered that
it's possible to use
a sufficiently fine-grained gyroscope
as a microphone [[GYROSPEECHRECOGNITION]].
This can be mitigated by lowering the gyroscope's sample rates.
</p>
<p class=example>
Ambient light sensors could allow an attacker to learn whether or not a
user had visited given links [[OLEJNIK-ALS]].
</p>
<p class=example>
Even relatively short lived data, like the battery status, may be able to
serve as an identifier [[OLEJNIK-BATTERY]].
</p>
<h3 class=question id="string-to-script">
Do features in this specification enable new script execution/loading
mechanisms?
</h3>
New mechanisms for executing or loading scripts have a risk of enabling novel attack surfaces.
Generally, if a new feature needs this you should consult with a wider audience,
and think about whether or not an existing mechanism can be used
or the feature is really necessary.
<!-- NOTE: This is still experimental technology, and we might have to provide a different example if this experiment fails. -->
<p class=example>
<a href="https://github.com/whatwg/html/issues/4315">JSON modules</a> are expected to be treated only as data,
but the initial proposal allowed an adversary to swap it out with code without the user knowing.
<a href="https://github.com/tc39/proposal-import-assertions">Import assertions</a> were implemented
as a mitigation for this vulnerability.
</p>
<h3 class=question id="remote-device">
Do features in this specification allow an origin to access other devices?
</h3>
If so, what devices do the features in this specification allow an origin to
access?
Accessing other devices, both via network connections and via
direct connection to the user's machine (e.g. via Bluetooth,
NFC, or USB), could expose vulnerabilities - some of
these devices were not created with web connectivity in mind and may be inadequately
hardened against malicious input, or with the use on the web.
Exposing other devices on a user’s local network also has significant privacy
risk:
* If two user agents have the same devices on their local network, an
attacker may infer that the two user agents are running on the same host
or are being used by two separate users who are in the same physical
location.
* Enumerating the devices on a user’s local network provides significant
entropy that an attacker may use to fingerprint the user agent.
* If features in this spec expose persistent or long lived identifiers of
local network devices, that provides attackers with a way to track a user
over time even if a user takes steps to prevent such tracking (e.g.
clearing cookies and other stateful tracking mechanisms).
* Direct connections might be also be used to bypass security checks that
other APIs would provide. For example, attackers used the WebUSB API to
access others sites' credentials on a hardware security, bypassing
same-origin checks in an early U2F API. [[YUBIKEY-ATTACK]]
<p class=example>
The Network Service Discovery API [[DISCOVERY-API]] recommended CORS
preflights before granting access to a device, and requires user agents to
involve the user with a permission request of some kind.
</p>
<p class=example>
Likewise, the Web Bluetooth [[WEB-BLUETOOTH]] has an extensive discussion of
such issues in [[WEB-BLUETOOTH#privacy]], which is worth
reading as an example for similar work.
</p>
<p class=example>
[[WEBUSB]] addresses these risks through a combination of user mediation /
prompting, secure origins, and feature policy.
See [[WEBUSB#security-and-privacy]] for more.
</p>
<h3 class=question id="native-ui">
Do features in this specification allow an origin some measure of control over
a user agent's native UI?
</h3>
Features that allow for control over a user agent’s UI (e.g. full screen
mode) or changes to the underlying system (e.g. installing an ‘app’ on a
smartphone home screen) may surprise users or obscure security / privacy
controls. To the extent that your feature does allow for the changing of a
user agent’s UI, can it effect security / privacy controls? What analysis
confirmed this conclusion?
<h3 class=question id="temporary-id">
What temporary identifiers do the features in this specification create or
expose to the web?
</h3>
If a standard exposes a temporary identifier to the web, the identifier
should be short lived and should rotate on some regular duration to mitigate
the risk of this identifier being used to track a user over time. When a
user clears state in their user agent, these temporary identifiers should be
cleared to prevent re-correlation of state using a temporary identifier.
If features in this spec create or expose temporary identifiers to the
web, how are they exposed, when, to what entities, and, how frequently are
those temporary identifiers rotated?
Example temporary identifiers include TLS Channel ID, Session Tickets, and
IPv6 addresses.
<p class=example>
The index attribute in the Gamepad API [[GAMEPAD]] — an integer that starts
at zero, increments, and is reset — is a good example of a privacy friendly
temporary identifier.
</p>
<h3 class=question id="first-third-party">
How does this specification distinguish between behavior in first-party and
third-party contexts?
</h3>
The behavior of a feature should be considered not just in the context of its
being used by a first party origin that a user is visiting but also the
implications of its being used by an arbitrary third party that the first
party includes. When developing your specification, consider the implications
of its use by third party resources on a page and, consider if support for
use by third party resources should be optional to conform to the
specification. If supporting use by third party resources is mandatory for
conformance, please explain why and what privacy mitigations are in place.
This is particularly important as user agents may take steps to reduce the
availability or functionality of certain features to third parties if the
third parties are found to be abusing the functionality.
<h3 class=question id="private-browsing">
How do the features in this specification work in the context of a browser’s
Private Browsing or Incognito mode?
</h3>
Most browsers implement a private browsing or incognito mode,
though they vary significantly in what functionality they provide and
how that protection is described to users [[WU-PRIVATE-BROWSING]].
One commonality is that they provide a different set of state
than the browser's 'normal' state.
Do features in this spec provide information that would allow for the
correlation of a single user's activity across normal and private
browsing / incognito modes? Do features in the spec result in
information being written to a user’s host that would persist
following a private browsing / incognito mode session ending?
There has been research into both:
* Detecting whether a user agent is in private browsing mode [[RIVERA]]
using non-standardized methods such as <code>[window.requestFileSystem()](https://developer.mozilla.org/en-US/docs/Web/API/Window/requestFileSystem)</code>.
* Using features to fingerprint a browser and correlate private and
non-private mode sessions for a given user. [[OLEJNIK-PAYMENTS]]
Spec authors should avoid, as much as possible, making the presence of
private browsing mode detectable to sites. [[DESIGN-PRINCIPLES#do-not-expose-use-of-private-browsing-mode]]
<h3 class=question id="considerations">
Does this specification have both "Security Considerations" and "Privacy
Considerations" sections?
</h3>
Specifications should have both "Security Considerations" and "Privacy
Considerations" sections to help implementers and web developers
understand the risks that a feature presents and to ensure that
adequate mitigations are in place. While your answers to the
questions in this document will inform your writing of those sections,
do not merely copy this questionnaire into those sections. Instead,
craft language specific to your specification that will be helpful to
implementers and web developers.
[[RFC6973]] is an excellent resource to consult when considering
privacy impacts of your specification, particularly Section 7 of
RFC6973. [[RFC3552]] provides general advice as to writing Security
Consideration sections, and Section 5 of RFC3552 has specific requirements.
Generally, these sections should contain clear descriptions of the
privacy and security risks for the features your spec introduces. It is also
appropriate to document risks that are mitigated elsewhere in the
specification and to call out details that, if implemented
other-than-according-to-spec, are likely to lead to vulnerabilities.
If it seems like none of the features in your specification have security or
privacy impacts, say so in-line, e.g.:
> There are no known security impacts of the features in this specification.
Be aware, though, that most specifications include features that have at least some
impact on the fingerprinting surface of the browser. If you believe
your specification in an outlier, justifying that claim is in
order.
<h3 class=question id="relaxed-sop">
Do features in your specification enable origins to downgrade default
security protections?
</h3>
Do features in your spec
enable an origin to opt-out of security settings
in order to accomplish something?
If so,
in what situations do these features allow such downgrading, and why?
Can this be avoided in the first place?
If not, are mitigations in place
to make sure this downgrading doesn’t dramatically increase risk to users?
For instance,
[[PERMISSIONS-POLICY]] defines a mechanism
that can be used by sites to prevent untrusted <{iframe}>s from using such a feature.
<div class=example>
The {{Document/domain|document.domain}} setter can be used to relax the [=same-origin policy=].
The most effective mitigation
would be to remove it from the platform (see [[#drop-feature]]),
though that
[may be challenging](https://github.com/mikewest/deprecating-document-domain/)
for compatibility reasons.
</div>
<div class=example>
The Fullscreen API enables
a (portion of a) web page
to expand to fill the display. [[FULLSCREEN]]
This can hide
several User Agent user interface elements
which help users to understand
what web page they are visiting
and whether or not the User Agent believes they are [safe](https://w3ctag.github.io/design-principles/#safe-to-browse).
Several mitigations are defined in the specification
and are widely deployed in implementations.
For instance, the Fullscreen API is a [=policy-controlled feature=],
which enables sites to disable the API in <{iframe}>s.
[[FULLSCREEN#security-and-privacy-considerations]] encourages implementations
to display an overlay which informs the user that they have entered fullscreen,
and to advertise a simple mechanism to exit fullscreen (typically the `Esc` key).
</div>
<h3 class=question id="bfcache">
What happens when a document that uses your feature is kept alive in BFCache
(instead of getting destroyed) after navigation, and potentially gets reused
on future navigations back to the document?
</h3>
After a user navigates away from a document,
the document might stay around in a non-"[=Document/fully active=]" state
and kept in the "back/forward cache (BFCache)",
and might be reused when the user navigates back to the document.
From the user’s perspective,
the non-[=Document/fully active=] document is already discarded
and thus should not get updates/events that happen after they navigated away from it,
especially privacy-sensitive information (e.g. geolocation).
Also, as a document might be reused even after navigation,
be aware that tying something to a document’s lifetime
also means reusing it after navigations.
If this is not desirable,
consider listening to changes to the [=Document/fully active=] state
and doing cleanup as necessary.
For more detailed guidance on how to handle BFCached documents,
see [[DESIGN-PRINCIPLES#non-fully-active]] and the [Supporting BFCached Documents](https://w3ctag.github.io/bfcache-guide/) guide.
Note: It is possible for a document to become non-[=Document/fully active=] for other reasons not related to BFcaching,
such as when the iframe holding the document [=becomes disconnected=].
Our advice is that all non-[=Document/fully active=] documents should be treated the same way.
The only difference is that BFCached documents might become [=Document/fully active=] again,
whereas documents in detached iframes will stay inactive forever.
Thus, we suggest paying extra attention to the BFCache case.
<div class=example>
Screen WakeLock API [releases the wake lock](https://w3c.github.io/screen-wake-lock/#handling-document-loss-of-full-activity)
when a document becomes no longer fully active.
</div>
<div class=example>
[=Sticky activation=] is determined by the "last activation timestamp",
which is tied to a document.
This means after a user triggers activation once on a document,
the document will have sticky activation forever,
even after the user navigated away and back to it again.
</div>
<h3 class=question id="non-fully-active">
What happens when a document that uses your feature gets disconnected?
</h3>
If the iframe element containing a document [=becomes disconnected=],
the document will no longer be [=Document/fully active=].
The document will never become fully active again,
because if the iframe element [=becomes connected=] again, it will load a new document.
The document is gone from the user's perspective,
and should be treated as such by your feature as well.
You may follow the guidelines for <a href="bfcache">BFCache</a> mentioned above,
as we expect BFCached and detached documents to be treated the same way,
with the only difference being that BFCached documents can become [=Document/fully active=] again.
<h3 id="error-handling">
Does your spec define when and how new kinds of errors should be raised?
</h3>
Error handling,
and what conditions constitute error states,
can be the source of unintended information leaks and privacy vulnerabilities.
Triggering an error,
what information is included with (or learnable by) the error,
and which parties in an application can learn about the error can all
effect (or weaken) user privacy.
Proposal authors should carefully think
through each of these dimensions to ensure that user privacy and security are
not harmed through error handling.
A partial list of how error definitions and error handling can put
users at risk include:
- If your spec defines an error state based whether certain system resources
are available,
applications can use that error state as a probe to learn
about the availability of those system resources.
This can harm user privacy
when user agents do not intend for applications to learn about those system
resources.
- Specs often include information with error objects that are intended to help
authors identify and debug issues in applications.
Spec authors should
carefully think through what information such debugging information exposes,
and whether (and which) actors on a page are able to access that information.
<h3 class=question id="accessibility-devices">
Does your feature allow sites to learn about the users use of assistive technology?
</h3>
The Web is designed to work for everyone, and Web standards should be designed
for people using assistive technology (<abbr title="assistive technology">AT</abbr>) just as much as for users relying
on mice, keyboards, and touch screens. Accessibility and universal access
are core to the W3C's mission.
Specification authors though should keep in mind that Web users that rely on
assistive technology face some unique risks when using the Web.
The use of assistive technologies may cause those Web users to stand
out among other Web users, increasing the risk of unwanted reidentification
and privacy harm. Similarly, some Web site operators may try to
discriminate against Web users who rely on assistive technology.
Feature designers and <abbr title=specification>spec</abbr> authors should therefore be thoughtful and
careful to limit if, and what, websites can learn about the use of assistive
technologies. <abbr>Spec</abbr> authors must minimize both what information about
assistive technology use their features reveal, both explicitly
and implicitly. Examples of <em>explicit</em> information about assistive technology
include device identifiers or model names. Examples of <em>implicit</em>
information about the use of assistive technology might include
user interaction patterns that are unlikely to be generated by a
mouse, keyboard, or touch screen.
<p class=example>
The [[wai-aria-1.3]] defines additional markup authors can use to make
their pages easier to navigate with assistive technology. The <abbr>spec</abbr>
includes the [`aria-hidden`](https://w3c.github.io/aria/#aria-hidden)
attribute, that site authors can use to indicate that certain content
should be hidden from assistive technology.
A malicious site author might
abuse the `aria-hidden` attribute to learn if a user is using assistive
technology, possibly by revealing certain page content to assistive technology,
while showing very different page content to other users. A malicious
site author could then possibly infer from the user's behavior which
content the user was interacting with, and so whether assistive technology
was being used.
</p>
<h3 class=question id="missing-questions">
What should this questionnaire have asked?
</h3>
This questionnaire is not exhaustive.
After completing a privacy review,
it may be that
there are privacy aspects of your specification
that a strict reading, and response to, this questionnaire,
would not have revealed.
If this is the case,
please convey those privacy concerns,
and indicate if you can think of improved or new questions
that would have covered this aspect.
Please consider [filing an issue](https://github.com/w3ctag/security-questionnaire/issues/new)
to let us know what the questionnaire should have asked.
<h2 id="threats">Threat Models</h2>
To consider security and privacy it is convenient to think in terms of threat
models, a way to illuminate the possible risks.
There are some concrete privacy concerns that should be considered when
developing a feature for the web platform [[RFC6973]]:
* Surveillance: Surveillance is the observation or monitoring of an
individual's communications or activities.
* Stored Data Compromise: End systems that do not take adequate measures to
secure stored data from unauthorized or inappropriate access.
* Intrusion: Intrusion consists of invasive acts that disturb or interrupt
one's life or activities.
* Misattribution: Misattribution occurs when data or communications related
to one individual are attributed to another.
* Correlation: Correlation is the combination of various pieces of
information related to an individual or that obtain that characteristic
when combined.
* Identification: Identification is the linking of information to a
particular individual to infer an individual's identity or to allow the
inference of an individual's identity.
* Secondary Use: Secondary use is the use of collected information about an
individual without the individual's consent for a purpose different from
that for which the information was collected.
* Disclosure: Disclosure is the revelation of information about an
individual that affects the way others judge the individual.
* Exclusion: Exclusion is the failure to allow individuals to know about
the data that others have about them and to participate in its handling
and use.
In the mitigations section, this document outlines a number of techniques
that can be applied to mitigate these risks.
Enumerated below are some broad classes of threats that should be
considered when developing a web feature.
<h3 id="passive-network">
Passive Network Attackers
</h3>
A <dfn>passive network attacker</dfn> has read-access to the bits going over
the wire between users and the servers they're communicating with. She can't
*modify* the bytes, but she can collect and analyze them.
Due to the decentralized nature of the internet, and the general level of
interest in user activity, it's reasonable to assume that practically every
unencrypted bit that's bouncing around the network of proxies, routers, and
servers you're using right now is being read by someone. It's equally likely
that some of these attackers are doing their best to understand the encrypted
bits as well, including storing encrypted communications for later
cryptanalysis (though that requires significantly more effort).
* The IETF's "Pervasive Monitoring Is an Attack" document [[RFC7258]] is
useful reading, outlining some of the impacts on privacy that this
assumption entails.
* Governments aren't the only concern; your local coffee shop is likely to
be gathering information on its customers, your ISP at home is likely to
be doing the same.
<h3 id="active-network">
Active Network Attackers
</h3>
An <dfn>active network attacker</dfn> has both read- and write-access to the