diff --git a/Overview.src.html b/Overview.src.html index 7311d94..20027ac 100755 --- a/Overview.src.html +++ b/Overview.src.html @@ -775,7 +775,7 @@

Queue a task to fire an event named - statechange at s.onstatechange. + statechange at s. @@ -1015,7 +1015,7 @@

ISSUE: Do we want to distinguish the permission-denied outcome from the no-screens-available outcome? Developers would be able to infer - it anyway from onavailablechange. + it anyway from availablechange.

@@ -1144,8 +1144,7 @@

Queue a task to fire an event - named statechange at - s.onstatechange. + named statechange at s. @@ -1216,14 +1215,14 @@

"https://github.com/w3c/presentation-api/blob/gh-pages/uc-req.md#req08-power-saving-friendly"> power saving non-functional requirement, the user agent must keep track of the number of EventHandlers registered - to the onavailablechange event. Using this - information, implementation specific discovery of availablechange event. Using this information, + implementation specific discovery of presentation displays can be resumed or suspended, in order to save power.

The user agent must keep a list of available presentation displays. According to the number of event handlers for - onavailablechange, the user agent must also keep the - list up to date by running the algorithm for availablechange, the user agent must also keep the list + up to date by running the algorithm for monitoring the list of available presentation displays.
@@ -1233,7 +1232,7 @@

When an event handler is added to the list of event handlers - registered for the onavailablechange event, the user + registered for the availablechange event, the user agent must run the algorithm to monitor the list of available presentation displays. @@ -1245,7 +1244,7 @@

When an event handler is removed from the list of event handlers - registered to the onavailablechange event, the user + registered to the availablechange event, the user agent must run the following steps:

    @@ -1288,7 +1287,8 @@
    Queue a task to fire an event named - availablechange at with the event's + availablechange at + NavigatorPresentation with the event's available property set to true. @@ -1301,7 +1301,8 @@
    Queue a task to fire an event named - availablechange with the event's + availablechange at + NavigatorPresentation with the event's available property set to false. @@ -1333,9 +1334,9 @@
    Queue a task to fire an event named - availablechange at E (and only - E) with the event's available property - set to false. + availablechange at + NavigatorPresentation with the event's + available property set to false.
@@ -1403,6 +1404,120 @@

ISSUE 45: Security and privacy considerations section

+

+ Personally identifiable information +

+

+ The availablechange event reveals one bit of information + about the presence (or non-presence) of a presentation + screen typically discovered through the local area network. This + could be used in conjunction with other information for fingerprinting + the user. However, this information is also dependent on the user's + local network context, so the risk is minimized. +

+

+ If we allow the page to filter the set of presentation screens based on + capabilities, then more bits of more information would be revealed. + This feature, if implemented, should take privacy into consideration. + See ISSUE 9: + How to filter available screens according to the content being + presented? +

+

+ We do not want to require user permission before disclosing the + presence of a presentation display, as it is counter to the initial + purpose of improving the user experience. See ISSUE 10: Is user + permission required to prompt for screen availability information? +

+

+ Cross-origin access +

+

+ A presentation session is allowed to be accessed across + origins; the presentation URL and presentation ID used to create the + presentation are the only information needed to join a session from any + origin in that user agent. In other words, a presentation is not tied + to a particular opening origin. +

+

+ This design allows controlling contexts from different domains to + connect to a shared presentation resource. The security of the + presentation ID prevents arbitrary pages from connecting to an existing + presentation. +

+

+ This specification does not prohibit a user agent from publishing + information about its set of presentations. The group + envisions a user agent on a another device (distinct from the + controller or presentation) becoming authorized to join the + presentation, either by user action or by discovering the + presentation's URL and id. +

+

+ This section should provide informative guidance as to what constitutes + a reasonable context for a Web page to become authorized to control a + presentation session. +

+

+ Device Access +

+

+ The presentation API abstracts away what "local" means for displays, + meaning that it exposes network-accessible displays as though they were + local displays. The Presentation API requires user permission for a + page to access any display to mitigate issues that could arise, such as + showing unwanted content on a display viewable by others. +

+

+ Temporary identifiers and browser state +

+

+ The presentation URL and presentation ID can be used to connect to a + presentation session from another browsing context. They can be + intercepted if an attacker can inject content into the controlling + page. +

+

+ Should we restrict the API to some extent in non secure contexts? +

+

+ Incognito mode and clearing of browsing data +

+

+ The content displayed on the presentation is different from the + controller. In particular, if the user is logged in in both contexts, + then logs out of the controlling browsing context, she will not be + automatically logged out from the presenting browsing context. + Applications that use authentication should pay extra care when + communicating between devices. +

+

+ The set of presentations known to the user agent should be cleared when + the user requests to "clear browsing data." +

+

+ The spec should specify any restrictions on the presenting browsing + context when the opening browsing context is in "incognito" mode. See + ISSUE 14: + Define user agent context for rendering the presentation +

+

+ The spec should clarify what is to happen to the set of known + presentations in "incognito" (private browsing context) mode. +

+

+ Messaging between presentation sessions +

+

+ This spec will not mandate communication protocols, but it should set + some guarantees of message confidentiality and authenticity. +

+

+ ISSUE 80: + Define security requirements for messaging channel between secure + origins +

diff --git a/index.html b/index.html index b86423c..a16f60b 100644 --- a/index.html +++ b/index.html @@ -77,8 +77,8 @@

Presentation API

-

- Editor's Draft 1 June 2015 +

+ Editor's Draft 3 June 2015

@@ -299,7 +299,26 @@

  • 7 Security and privacy considerations + +
      +
    1. 7.1 + Personally identifiable information +
      2. +
    2. 7.2 + Cross-origin access +
      3. +
    3. 7.3 + Device Access +
      4. +
    4. 7.4 + Temporary identifiers and browser state
      5. +
    5. 7.5 + Incognito mode and clearing of browsing data +
      6. +
    6. 7.6 + Messaging between presentation sessions +
  • 8 References
    • @@ -823,7 +842,7 @@

    6.2.3
  • Queue a task to fire an event named - statechange at s.onstatechange. + statechange at s.
    • @@ -1048,7 +1067,7 @@

    6.3.1

    ISSUE: Do we want to distinguish the permission-denied outcome from the no-screens-available outcome? Developers would be able to infer - it anyway from onavailablechange. + it anyway from availablechange.

    @@ -1170,8 +1189,7 @@

    6.3.3 Queue a task to fire an event - named statechange at - s.onstatechange. + named statechange at s. @@ -1241,13 +1259,13 @@

    6.3.4 In order to satisfy the power saving non-functional requirement, the user agent must keep track of the number of EventHandlers registered - to the onavailablechange event. Using this - information, implementation specific discovery of presentation displays can be resumed + to the availablechange event. Using this information, + implementation specific discovery of presentation displays can be resumed or suspended, in order to save power.

    The user agent must keep a list of available presentation displays. According to the number of event handlers for - onavailablechange, the user agent must also keep the - list up to date by running the algorithm for monitoring the list of available + availablechange, the user agent must also keep the list + up to date by running the algorithm for monitoring the list of available presentation displays.
    6.3.4.1 @@ -1256,7 +1274,7 @@
    6.3.4.1

    When an event handler is added to the list of event handlers - registered for the onavailablechange event, the user + registered for the availablechange event, the user agent must run the algorithm to monitor the list of available presentation displays.

    @@ -1267,7 +1285,7 @@
    6.3.4.2

    When an event handler is removed from the list of event handlers - registered to the onavailablechange event, the user + registered to the availablechange event, the user agent must run the following steps:

      @@ -1307,7 +1325,8 @@
      Queue a task to fire an event named - availablechange at with the event's + availablechange at + NavigatorPresentation with the event's available property set to true. @@ -1319,7 +1338,8 @@
      Queue a task to fire an event named - availablechange with the event's + availablechange at + NavigatorPresentation with the event's available property set to false. @@ -1349,9 +1369,9 @@
      Queue a task to fire an event named - availablechange at E (and only - E) with the event's available property - set to false. + availablechange at + NavigatorPresentation with the event's + available property set to false.
    @@ -1417,6 +1437,119 @@

    7 ISSUE 45: Security and privacy considerations section

    +

    7.1 + Personally identifiable information +

    +

    + The availablechange event reveals one bit of information + about the presence (or non-presence) of a presentation + screen typically discovered through the local area network. This + could be used in conjunction with other information for fingerprinting + the user. However, this information is also dependent on the user's + local network context, so the risk is minimized. +

    +

    + If we allow the page to filter the set of presentation screens based on + capabilities, then more bits of more information would be revealed. + This feature, if implemented, should take privacy into consideration. + See ISSUE 9: + How to filter available screens according to the content being + presented? +

    +

    + We do not want to require user permission before disclosing the + presence of a presentation display, as it is counter to the initial + purpose of improving the user experience. See ISSUE 10: Is user + permission required to prompt for screen availability information? +

    +

    7.2 + Cross-origin access +

    +

    + A presentation session is allowed to be accessed across + origins; the presentation URL and presentation ID used to create the + presentation are the only information needed to join a session from any + origin in that user agent. In other words, a presentation is not tied + to a particular opening origin. +

    +

    + This design allows controlling contexts from different domains to + connect to a shared presentation resource. The security of the + presentation ID prevents arbitrary pages from connecting to an existing + presentation. +

    +

    + This specification does not prohibit a user agent from publishing + information about its set of presentations. The group + envisions a user agent on a another device (distinct from the + controller or presentation) becoming authorized to join the + presentation, either by user action or by discovering the + presentation's URL and id. +

    +

    + This section should provide informative guidance as to what constitutes + a reasonable context for a Web page to become authorized to control a + presentation session. +

    +

    7.3 + Device Access +

    +

    + The presentation API abstracts away what "local" means for displays, + meaning that it exposes network-accessible displays as though they were + local displays. The Presentation API requires user permission for a + page to access any display to mitigate issues that could arise, such as + showing unwanted content on a display viewable by others. +

    +

    7.4 + Temporary identifiers and browser state +

    +

    + The presentation URL and presentation ID can be used to connect to a + presentation session from another browsing context. They can be + intercepted if an attacker can inject content into the controlling + page. +

    +

    + Should we restrict the API to some extent in non secure contexts? +

    +

    7.5 + Incognito mode and clearing of browsing data +

    +

    + The content displayed on the presentation is different from the + controller. In particular, if the user is logged in in both contexts, + then logs out of the controlling browsing context, she will not be + automatically logged out from the presenting browsing context. + Applications that use authentication should pay extra care when + communicating between devices. +

    +

    + The set of presentations known to the user agent should be cleared when + the user requests to "clear browsing data." +

    +

    + The spec should specify any restrictions on the presenting browsing + context when the opening browsing context is in "incognito" mode. See + ISSUE 14: + Define user agent context for rendering the presentation +

    +

    + The spec should clarify what is to happen to the set of known + presentations in "incognito" (private browsing context) mode. +

    +

    7.6 + Messaging between presentation sessions +

    +

    + This spec will not mandate communication protocols, but it should set + some guarantees of message confidentiality and authenticity. +

    +

    + ISSUE 80: + Define security requirements for messaging channel between secure + origins +

    8