diff --git a/README.md b/README.md index 0e5c90b..cac210a 100644 --- a/README.md +++ b/README.md @@ -207,7 +207,7 @@ The shared storage worklet invocation methods (`addModule`, `createWorklet`, and * Redirects are not allowed. * When the module script's URL's origin is cross-origin with the worklet's creator window's origin and when `dataOrigin` is "script-origin" (or when `dataOrigin` is a valid serialized HTTPS URL that is same-origin to the worklet's script's origin), the check for trusted origins at the [/.well-known/ path](#well-known) will be skipped, and a `Shared-Storage-Cross-Origin-Worklet-Allowed: ?1` response header is required instead. * The script server must carefully consider the security risks of allowing worklet creation by other origins (via `Shared-Storage-Cross-Origin-Worklet-Allowed: ?1` and CORS), because this will also allow the worklet creator to run subsequent operations, and a malicious actor could poison and use up the worklet origin's budget. - * Note that for the script server's infomation, the request header "Sec-Shared-Storage-Data-Origin" will be included with the value of the serialized data partition origin to be used if the data partition origin is cross-origin to the invoking context's origin. + * Note that for the script server's information, the request header "Sec-Shared-Storage-Data-Origin" will be included with the value of the serialized data partition origin to be used if the data partition origin is cross-origin to the invoking context's origin. diff --git a/select-url.md b/select-url.md index a825d36..3fa1a10 100644 --- a/select-url.md +++ b/select-url.md 
@@ -272,4 +272,4 @@ When `sharedStorage.selectURL()` doesn’t return a valid output (including thro ## Preventing timing attacks -Revealing the time an operation takes to run could also leak information. We avoid this by having `sharedStorage.selectURL()` immediately return the promise which later resolves into an [fenced frame config](https://github.com/WICG/fenced-frame/blob/master/explainer/fenced_frame_config.md) that contains the opaque URL that is mapped to the selected URL once the operation completes. A Fenced Frame can be created with the returned fenced frame config even before the selectURL operation has completed. The frame will wait for it to complete first. Similarly, outside a worklet, `set()`, `remove()`, etc. return promises that resolve after queueing the writes. Inside a worklet, these writes join the same queue but their promises only resolve after completion. +Revealing the time an operation takes to run could also leak information. We avoid this by having `sharedStorage.selectURL()` immediately return the promise which later resolves into an [fenced frame config](https://github.com/WICG/fenced-frame/blob/master/explainer/fenced_frame_config.md) that contains the opaque URL that is mapped to the selected URL once the operation completes. A Fenced Frame can be created with the returned fenced frame config even before the selectURL operation has completed. The frame will wait for it to complete first. Similarly, outside a worklet, `set()`, `remove()`, etc. return promises that resolve after queuing the writes. Inside a worklet, these writes join the same queue but their promises only resolve after completion. diff --git a/spec.bs b/spec.bs index 4189a24..58b582b 100644 --- a/spec.bs +++ b/spec.bs 
@@ -55,7 +55,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/ text: boolean attributes; url: common-microsyntaxes.html#boolean-attributes text: content attributes; url: dom.html#concept-element-attributes text: update the image data; url: images.html#update-the-image-data - text: create navigation params by fetching; url: browsing-the-web.html#create-navigation-params-by-fetchin + text: create navigation params by fetching; url: browsing-the-web.html#create-navigation-params-by-fetching text: serialization; for: origin; url: browsers.html#ascii-serialisation-of-an-origin text: initialize the navigable; url: document-sequences.html#initialize-the-navigable spec: url; urlPrefix: https://url.spec.whatwg.org/ 
@@ -220,7 +220,7 @@ Introduction {#intro} In order to prevent cross-site user tracking, browsers are partitioning all forms of storage by [=top-level traversable=] site; see [=Client-Side Storage Partitioning=]. But, there are many [=legitimate use cases=] currently relying on unpartitioned storage. -This document introduces a new storage API that is intentionally not partitioned by [=top-level traversable=] site (though still partitioned by context origin), in order to serve a number of the use cases needing unpartitioned storage. To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment, called a worklet, and any output from the worklet is in the form of a [=fenced frame=] or a [=Private Aggregation=] report. Over time, there may be additional ouput gates included in the standard. +This document introduces a new storage API that is intentionally not partitioned by [=top-level traversable=] site (though still partitioned by context origin), in order to serve a number of the use cases needing unpartitioned storage. To limit cross-site reidentification of users, data in Shared Storage may only be read in a restricted environment, called a worklet, and any output from the worklet is in the form of a [=fenced frame=] or a [=Private Aggregation=] report. Over time, there may be additional output gates included in the standard.
`a.example` randomly assigns users to groups in a way that is consistent cross-site. @@ -414,7 +414,7 @@ Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes= 1. If |shouldChargeTopLevelBudgets| is true: 1. Let |pageBudgetResult| be the result of running [=charge shared storage top-level traversable budgets=] with |navigable|, |site|, and |pendingBits|. 1. If |pageBudgetResult| is false, set |shouldUseDefaultIndex| to true. - 1. If |pendingBits| is greather than |remainingBudget|, set |shouldUseDefaultIndex| to true. + 1. If |pendingBits| is greater than |remainingBudget|, set |shouldUseDefaultIndex| to true. 1. If |shouldUseDefaultIndex| is true, set |resultIndex| to the [=default selectURL index=]. 1. Let |finalConfig| be a new [=fenced frame config=]. 1. Set |finalConfig|'s [=fenced frame config/mapped url=] to |urlList|[|resultIndex|]. @@ -586,7 +586,7 @@ Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes= To set up the Private Aggregation scopes given an [=/origin=] |workletDataOrigin|, a [=pre-specified report parameters=] or null |preSpecifiedParams| and an [=aggregation coordinator=] or null - |aggregationCoordinator|, peform the following steps. They return an + |aggregationCoordinator|, perform the following steps. They return an algorithm. Note: The returned algorithm should be run when the associated operation is @@ -797,14 +797,14 @@ Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes= A trusted origin type is a [=string=] or [=list=] of [=strings=].
- To check for script and context origin match, given [=trusted origin type=] |itemScriptOrigin|, [=url/origin=] |actualScriptOrigin|, [=trusted origin type=] |itemContextOrigin|, and [=environment settings object/origin=] |actualContextOrigin|, peform the following steps: + To check for script and context origin match, given [=trusted origin type=] |itemScriptOrigin|, [=url/origin=] |actualScriptOrigin|, [=trusted origin type=] |itemContextOrigin|, and [=environment settings object/origin=] |actualContextOrigin|, perform the following steps: 1. If the result of running [=check for trusted origin match=], given |itemScriptOrigin| and |actualScriptOrigin| is false, return false. 1. Return the result of running [=check for trusted origin match=], given |itemContextOrigin| and |actualContextOrigin|.
- To check for trusted origin match, given [=trusted origin type=] |itemOrigin| and [=url/origin=] |actualOrigin|, peform the following steps: + To check for trusted origin match, given [=trusted origin type=] |itemOrigin| and [=url/origin=] |actualOrigin|, perform the following steps: 1. If |itemOrigin| is a [=string=], return the result of running [=check for trusted origin match on a string=], given |itemOrigin| and |actualOrigin|. 1. Otherwise, for each |originString| in |itemOrigin|: @@ -814,7 +814,7 @@ Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes=
- To check for trusted origin match on a string, given [=string=] |itemOrigin| and [=url/origin=] |actualOrigin|, peform the following steps: + To check for trusted origin match on a string, given [=string=] |itemOrigin| and [=url/origin=] |actualOrigin|, perform the following steps: 1. If |itemOrigin| is `"*"`, return true. 1. Let |itemOriginUrl| be the result of running a [=URL parser=] on |itemOrigin|. @@ -1733,7 +1733,7 @@ The [=SharedStorageIterator/asynchronous iterator initialization steps=] and [=S 1. Create an object |doneObject|. 1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |doneObject|. 1. Abort these steps. - 1. Otherwise, let |entry| be the result of [=queue/dequeue|dequeueing=] from |iterator|'s [=SharedStorageIterator/pending entries=]. + 1. Otherwise, let |entry| be the result of [=queue/dequeue|dequeuing=] from |iterator|'s [=SharedStorageIterator/pending entries=]. 1. [=Queue a global task=] on the [=DOM manipulation task source=], given |realm|'s [=global object=], to [=resolve=] |promise| with |entry|. 1. Return |promise|.
@@ -2098,7 +2098,7 @@ Permissions Policy Integration {#permission} This specification defines a [=policy-controlled feature=] identified by the string "shared-storage," along with a second [=policy-controlled feature=] identified by "shared-storage-select-url". -"[=PermissionsPolicy/shared-storage=]" gates access to Shared Storage in general, whereas "[=shared-storage-select-url=]" adds an exra permission layer to {{SharedStorageWorklet/selectURL()}}. For each of these, the default allowlist is *. +"[=PermissionsPolicy/shared-storage=]" gates access to Shared Storage in general, whereas "[=shared-storage-select-url=]" adds an extra permission layer to {{SharedStorageWorklet/selectURL()}}. For each of these, the default allowlist is *. Clear Site Data Integration {#clear} ==================================== 
@@ -2109,6 +2109,6 @@ Privacy Considerations {#privacy} The Shared Storage API attempts to provide the ability to use cross-site data for a range of use cases in a way that better protects user privacy than the use of third-party cookies. Shared Storage's main privacy safeguard is that read access of the data stored in its storage may only occur within an embedder's {{SharedStorageWorklet}}. Well-defined limits restrict output of data from the {{SharedStorageWorklet}} to a minimum. - In particular, an embedder can select a [=/URL=] from a short list of [=/URL=]s based on data in their shared storage and then display the result in a [=fenced frame=]. The embedder will not be able to know which [=/URL=] was chosen except through specifc mechanisms that will be better-mitigated in the longer term. Currently, a few bits of entropy can leak each time that the user clicks on the [=fenced frame=] to initiate a [=top-level traversable=] [=navigate|navigation=] and/or the [=fenced frame=] calls the {{reportEvent()}} API. + In particular, an embedder can select a [=/URL=] from a short list of [=/URL=]s based on data in their shared storage and then display the result in a [=fenced frame=]. The embedder will not be able to know which [=/URL=] was chosen except through specific mechanisms that will be better-mitigated in the longer term. Currently, a few bits of entropy can leak each time that the user clicks on the [=fenced frame=] to initiate a [=top-level traversable=] [=navigate|navigation=] and/or the [=fenced frame=] calls the {{reportEvent()}} API. An embedder is also able to send aggregatable reports via the [=Private Aggregation=] API, which adds noise in order to achieve differential privacy, uses a time delay to send reports, imposes limits on the number of reports sent, and processes the reports into aggregate data so that individual privacy is protected.
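Review bot: the rewritten line in the select-url.md hunk still reads `an [fenced frame config](...)`; since this hunk already touches that line for `queueing` → `queuing`, fix the article to `a [fenced frame config]` in the same change rather than leaving a second grammar pass on the same sentence.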
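Review bot: the `#create-navigation-params-by-fetchin` → `#create-navigation-params-by-fetching` change in the spec.bs `@@ -55` anchor block is a broken cross-reference fix, not a spelling fix, and the commit message should say so: a wrong fragment in a Bikeshed `url:` anchor entry yields a link to a non-existent fragment of the HTML spec wherever `[=create navigation params by fetching=]` is referenced. Confirm the corrected fragment resolves against the current HTML spec before merging.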
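Review bot: in the spec.bs `@@ -2098` hunk the unchanged context line reads `identified by the string "shared-storage," along with`; the comma inside the quotes can be read as part of the feature identifier, so consider moving it outside the quotes (`"shared-storage", along with`) while this paragraph is being edited for `exra` → `extra`.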