Updates to persistent storage security

[mattgarrish]

This pull request removes the recommendation about limiting access to persistent storage from "unrelated documents" since the unique origin requirement already prevents other epub publications from accessing this data. (Note that this deletes a test id. Not sure if the test would be useful to keep for the unique origin requirement?)

Although I think this is sufficient for reading systems, I've also added a new paragraph to the security section in the core specification to make epub creators aware that older reading systems are susceptible to exploits. It recommends not storing sensitive user data in persistent storage, but if there is no other option then the data should be encrypted to prevent trivial access to the information. Feedback welcome on whether this is sufficient, or if we should be saying something more or something else.

Fixes #2264

---

💥 Error: 500 Internal Server Error 💥

PR Preview failed to build. (Last tried on May 22, 2022, 10:14 AM UTC).

More

PR Preview relies on a number of web services to run. There seems to be an issue with the following one:

🚨 Spec Generator - Spec Generator is the web service used to build specs that rely on ReSpec.

🔗 Related URL

😭  Sorry, there was an error generating the HTML. Please report this issue!
Specification: http://labs.w3.org/spec-generator/uploads/fPU5fW?isPreview=true&publishDate=2022-05-22
ReSpec version: 32.1.6
File a bug: https://github.com/w3c/respec/
Error: Error: Evaluation failed: Timeout: document.respec.ready didn't resolve in 27624ms.
    at ExecutionContext._evaluateInternal (/u/spec-generator/node_modules/puppeteer/lib/cjs/puppeteer/common/ExecutionContext.js:221:19)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async ExecutionContext.evaluate (/u/spec-generator/node_modules/puppeteer/lib/cjs/puppeteer/common/ExecutionContext.js:110:16)
    at async generateHTML (/u/spec-generator/node_modules/respec/tools/respecDocWriter.js:221:12)
    at async toHTML (/u/spec-generator/node_modules/respec/tools/respecDocWriter.js:92:18)
    at async Object.generate [as respec] (file:///u/spec-generator/generators/respec.js:15:44)
    at async file:///u/spec-generator/server.js:244:48

If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.

[mattgarrish]

• EPUB 3.3:
  • Preview
  • Diff
• EPUB Reading Systems 3.3:
  • Preview
  • Diff

[dlazin]

I have removed the deleted MUST from tinyurl.com/epub-tests in anticipation of this being committed.

[iherman]

The issue was discussed in a meeting on 2022-05-26

List of resolutions:

• Resolution No. 3: Approve PR 2301, close issue 2264.

View the transcript

1.5. Persistent storage security.

See github pull request epub-specs#2301.

See github issue epub-specs#2264.

Dave Cramer: about unrelated documents.

Matt Garrish: this is about two requirements that were still in the spec, but which are no longer applicable.
… i.e., language around each document being treated as its own domain.
… if you absolutely need to use persistent storage, then we recommend you encrypt instead of storing as plaintext.

Dave Cramer: a lot of people have done proofs of concept of drafting epubs that can read data from local storage created by a different epub.

Matt Garrish: not sure if javascript encrypting is trivial to break or not, but at least we are saying to pay attention to this.
… we also recommend just not storing sensitive data in the first place, if you don't have to.

Proposed resolution: Approve PR 2301, close issue 2264. (Wendy Reid)

Dave Cramer: +1.

Matt Garrish: +1.

Brady Duga: +1.

Shinya Takami (高見真也): +1.

Wendy Reid: +1.

Dan Lazin: +1.

Toshiaki Koike: +1.

Matthew Chan: +1.

Masakazu Kitahara: +1.

Resolution #3: Approve PR 2301, close issue 2264.