Updates to persistent storage security

epub33/core/index.html

@@ -9423,10 +9423,21 @@ <h3>Recommendations</h3>
 					creators should also allow users to opt out of tracking, when feasible, and provide users the
 					ability to manage and delete any data that is collected about them.</p>
 
-				<p>Content authors also need to consider the inadvertent collection of information about users. Linking
-					to content on a publisher's web site, or remotely hosting resources on their servers, can lead to
+				<p>EPUB creators also need to consider the inadvertent collection of information about users. Linking to
+					content on a publisher's web site, or remotely hosting resources on their servers, can lead to
 					profiling users, especially if unique tracking identifiers are added to the URLs.</p>
 
+				<p>When collecting and storing user information within an EPUB publication (e.g., through the use of <a
+						data-cite="html#dom-document-cookie">cookies</a> and <a data-cite="html#webstorage">web
+						storage</a> [[?html]]), EPUB creators need to consider to potential for data theft by other EPUB
+					publications on a reading system. Although [[epub-rs-33]] introduces a <a
+						data-cite="epub-rs-33#sec-container-iri">unique origin requirement</a> for EPUB publications,
+					which limits the potential for attacks, there is still a risk that reading systems will allow EPUB
+					publications access to shared persistent storage (e.g., older reading systems that have not been
+					updated and non-conforming newer reading systems). Consequently, EPUB creators SHOULD NOT store
+					sensitive user data in persistent storage. If EPUB creators must store sensitive data, they SHOULD
+					encrypt the data to prevent trivial access to it in the case of an exploit.</p>
+
 				<p>When publishers and vendors must use digital rights management schemes, they should prefer schemes
 					that do not utilize or transmit information about the user or their content to external parties to
 					perform encryption or decryption.</p>
@@ -11503,6 +11514,9 @@ <h2>Change log</h2>
 					>Working Group's issue tracker</a>.</p>
 
 			<ul>
+				<li>20-May-2022: Add recommendation not to store sensitive user data in persistent storage, and to
+					encrypt it if there is no other choice. See <a href="https://github.com/w3c/epub-specs/issues/2264"
+						>issue 2264</a>.</li>
 				<li>17-May-2022: Added an index of terms. See <a href="https://github.com/w3c/epub-specs/issues/2260"
 						>issue 2260</a>.</li>
 				<li>12-Apr-2022: Added note about complexities of escaping from nested escapable structures and updated

epub33/rs/index.html

@@ -1152,8 +1152,8 @@ <h3>Cascading Style Sheets (CSS)</h3>
 					</li>
 					<li>
 						<p id="confreq-css-rs-fonts" data-tests="#cnt-css-fonts">MUST support [[truetype]],
-							[[opentype]], [[woff]], and [[woff2]] font resources referenced from
-							<a data-cite="css-fonts-4#font-face-rule"><code>@font-face</code> rules</a>
+							[[opentype]], [[woff]], and [[woff2]] font resources referenced from <a
+								data-cite="css-fonts-4#font-face-rule"><code>@font-face</code> rules</a>
 							[[css-fonts-4]].</p>
 					</li>
 					<li>
@@ -1278,15 +1278,9 @@ <h3>Scripting</h3>
 				<section id="sec-local-storage">
 					<h4>Local storage</h4>
 
-					<p>
-						<span id="confreq-rs-scripted-storage-block">Scripts may save persistent data through <a
-								data-cite="html#dom-document-cookie">cookies</a> and <a data-cite="html#webstorage">web
-								storage</a> [[html]], but reading systems MAY block such attempts. </span>
-						<span id="confreq-rs-scripted-storage-protection">Reading systems that allow users to store data
-							MUST ensure they do not make that data available to other unrelated documents (e.g., ones
-							that could be spoofed). In particular, checking for a matching document identifier (or
-							similar metadata) is not a valid method to control access to persistent data. </span>
-					</p>
+					<p id="confreq-rs-scripted-storage-block">Reading systems MAY block scripts from saving persistent
+						data through <a data-cite="html#dom-document-cookie">cookies</a> and <a
+							data-cite="html#webstorage">web storage</a> [[html]].</p>
 
 					<p>Reading systems that allow <a data-cite="html#dom-localstorage">local storage</a> [[html]] SHOULD
 						provide methods for users to inspect or delete that data.</p>
@@ -2544,6 +2538,10 @@ <h2>Change log</h2>
 					>Working Group's issue tracker</a>.</p>
 
 			<ul>
+				<li>20-May-2022: Removed the recommendation to prevent access to persistent storage from "unrelated
+					documents". This recommendation conflicts with, and is made redundant by, the unique origin
+					requirement introduced in this revision. See <a href="https://github.com/w3c/epub-specs/issues/2264"
+						>issue 2264</a>.</li>
 				<li>17-May-2022: Added an index of terms. See <a href="https://github.com/w3c/epub-specs/issues/2260"
 						>issue 2260</a>.</li>
 				<li>31-Mar-2022: Moved custom attribute authoring requirements to the authoring specification. Added