From 10b153d41d30e2d90e9a08e978a40fc01fb96ecd Mon Sep 17 00:00:00 2001
From: Jeffrey Yasskin
+ Communication from websites can break the security model of some devices,
+ which assume they only receive messages from
+ the trusted operating system of a remote device.
+ Human Interface Devices are a prominent example,
+ where allowing a website to communicate would allow that site to log keystrokes.
+ This specification includes a blacklist of
+ such vulnerable services, characteristics, and descriptors
+ to prevent websites from taking advantage of them.
+
We expect that many devices are vulnerable to unexpected data delivered to their radio.
In the past, these devices had to be exploited one-by-one,
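Review bot: "to prevent websites from taking advantage of them" at the end of the added paragraph overstates what a list of known services can do, given that the very next paragraph expects many devices to be vulnerable to unexpected data. Suggest wording such as "to block website access to the known-vulnerable services, characteristics, and descriptors", and link "blacklist" to the section that defines it so a reader can see how entries are chosen and updated.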
@@ -587,6 +598,11 @@ Device access is powerful
Attacks on devices
+ Device Discovery
If any of the BluetoothUUID.getService calls threw an exception,
reject promise with that exception and abort these steps.
+ {services: services}
to uuidFilters.Device Discovery
If any of the BluetoothUUID.getService calls threw an exception,
reject promise with that exception and abort these steps.
+ BluetoothGATTRemoteServer
If BluetoothUUID.getService threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTRemoteServer
If BluetoothUUID.getService threw an exception,
return a promise rejected with that exception and abort these steps.
this@[[\representedDevice]]
@@ -1738,6 +1767,11 @@ BluetoothGATTService
If BluetoothUUID.getCharacteristic threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTService
If BluetoothUUID.getCharacteristic threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTService
If BluetoothUUID.getService threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTService
If BluetoothUUID.getService threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTCharacteristic
If BluetoothUUID.getDescriptor threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTCharacteristic
If BluetoothUUID.getDescriptor threw an exception,
return a promise rejected with that exception and abort these steps.
BluetoothGATTCharacteristic
and run the following steps in parallel:
this.uuid
is blacklisted for reads,
+ return a promise rejected with a SecurityError
+ and abort these steps.
+ this
represents.
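Review bot: The read check here uses "return a promise rejected with a SecurityError", but it appears after the context line "and run the following steps in parallel:". If the check really sits inside those parallel steps, nothing can be returned to the caller from there, and the step should read "reject promise with a SecurityError and abort these steps". If the check belongs before the promise is created, move it above the "in parallel" line so the ordering is unambiguous.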
@@ -2018,6 +2082,11 @@ this.uuid
is blacklisted for writes,
+ return a promise rejected with a SecurityError
+ and abort these steps.
+ this
represents.
@@ -2076,6 +2145,10 @@ this.uuid
is blacklisted for reads,
+ reject promise with a SecurityError and abort these steps.
+ this
represents.
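Review bot: This read check is worded "reject promise with a SecurityError and abort these steps", while the other read and write checks in this patch say "return a promise rejected with a SecurityError". Please confirm that this algorithm has already created promise at this point and that the others have not. Otherwise, align the wording so all five checks fail the same way.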
@@ -2311,6 +2384,11 @@ this.uuid
is blacklisted for reads,
+ return a promise rejected with a SecurityError
+ and abort these steps.
+ this
represents.
@@ -2344,6 +2422,11 @@ this.uuid
is blacklisted for writes,
+ return a promise rejected with a SecurityError
+ and abort these steps.
+ this
represents.
@@ -2935,6 +3018,77 @@ + This specification relies on a blacklist file in the + https://github.com/WebBluetoothCG/registries repository + to restrict the set of GATT attributes a website can access. +
+ ++ The result of parsing the blacklist at a URL url + is a map from valid UUIDs to tokens, or an error, + produced by the following algorithm: +
+'\n'
.'#'
,
+ continue to the next line.
+ exclude
" in result.
+ exclude-reads
" or "exclude-writes
",
+ add a mapping from that UUID, to the token.
+ + The GATT blacklist is the result of parsing the blacklist at + https://github.com/WebBluetoothCG/registries/blob/master/gatt_blacklist.txt. + The UA should re-fetch the blacklist periodically, but it's unspecified how often. +
+ +
+ A UUID is blacklisted if either
+ the GATT blacklist's value is an error,
+ or the UUID maps to "exclude
" in the GATT blacklist.
+
+ A UUID is blacklisted for reads if either
+ the GATT blacklist's value is an error,
+ or the UUID maps to either "exclude
" or "exclude-reads
"
+ in the GATT blacklist.
+
+ A UUID is blacklisted for writes if either
+ the GATT blacklist's value is an error,
+ or the UUID maps to either "exclude
" or "exclude-writes
"
+ in the GATT blacklist.
+
exclude
" in result.
+ let uuid be that UUID and
+ let token be "exclude
".
exclude-reads
" or "exclude-writes
",
- add a mapping from that UUID, to the token.
+ let uuid be that UUID and
+ let token be that token.
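Review bot: The definitions make a parse error blacklist every UUID, but "The UA should re-fetch the blacklist periodically, but it's unspecified how often" does not say what the UA uses before its first successful fetch, or whether a failed re-fetch keeps the last good list or switches to the error state. Suggest stating both and giving a maximum age for a cached list. The URL in that paragraph is a github.com /blob/ page, which serves an HTML view rather than the text file, so the line-based parser described here would be fed HTML; point at the raw file instead. In the final lines, "add a mapping from that UUID, to the token" is replaced by assignments to uuid and token, and the step that then adds uuid to result is not in the visible lines. Make sure it exists, and that it says what happens when the same UUID appears on two lines with different tokens (an error would be the safe choice).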