Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CR Request for Device Posture API - device-posture #667

Open
himorin opened this issue Nov 13, 2024 · 13 comments
Open

CR Request for Device Posture API - device-posture #667

himorin opened this issue Nov 13, 2024 · 13 comments
Assignees
Labels
Awaiting Publication Approved by the Director, waiting on publication Entering CR First Candidate Recommendation wg:das

Comments

@himorin
Copy link

himorin commented Nov 13, 2024

Document title, URLs, estimated publication date

Device Posture API
https://www.w3.org/TR/2024/WD-device-posture-20241115/
2024-11-26

NOTE: this issue will be marked as transition review after PR for changes section merged merged

Abstract

https://www.w3.org/TR/2024/WD-device-posture-20241115/#abstract

Status

https://www.w3.org/TR/2024/WD-device-posture-20241115/#sotd

Link to group's decision to request transition

CfC: https://lists.w3.org/Archives/Public/public-device-apis/2024Nov/0000.html
resolution: https://lists.w3.org/Archives/Public/public-device-apis/2024Nov/0002.html

Changes

https://www.w3.org/TR/2024/WD-device-posture-20241115/#substantive-changes-summary-fpwd

Requirements satisfied

yes

Dependencies met (or not)

dependencies unlikely to change

Wide Review

Issues addressed

https://github.com/w3c/device-posture/issues?q=is%3Aissue+is%3Aclosed

Formal Objections

no

Implementation

will be prepared from https://wpt.fyi/results/device-posture

Patent disclosures

https://www.w3.org/groups/wg/das/ipr/

/cc @diekus @kenchris @darktears @anssiko @reillyeon

@himorin himorin added Entering CR First Candidate Recommendation Awaiting Team Verification Awaiting the verification of the W3C Team labels Nov 15, 2024
@himorin
Copy link
Author

himorin commented Nov 15, 2024

updated URL following PR (on changes section) merged.
would take some time (on r?) for html tidyup for actual publication.

@w3cbot w3cbot added the wg:das label Nov 15, 2024
@plehegar
Copy link
Member

plehegar commented Nov 15, 2024

@simoneonofri , we're wondering if the cross-origin section in this specification was looked at from a security perspective.

(this wasn't flagged as problematic by the privacy folks)

@darktears
Copy link

darktears commented Nov 15, 2024

@plehegar yes it was. We went through PING review. I don't want to discuss again what was discussed before (see PING minutes) but long story short, there isn't a mechanism existing in the web platform to guard CSS API (specifically CSS MQs) behind a permission policy so adding permission policy would only apply to the JS surface (and thus defeating the purpose). PING and CSS WGs have started a discussion around that (which has been silent so far). At the end it was deemed that the fingerprinting is very low risk provided it doesn't expose much information useful to bad actors and is getting less and less relevant as more devices hit the market.

@plehegar
Copy link
Member

@darktears , yes, we did note that it was reviewed by PING. But we also noticed that the TAG wasn't asked for the changes and we're wondering if that particular section is of interest to the security folks.

@darktears
Copy link

I did not request another TAG look on this specific section. When TAG reviewed this specification there were never plans to add a permission policy in the first place. This specific section was documented to be concise about the problem space that's really it.

FWIW this API just shipped in Chromium.

@plehegar
Copy link
Member

we're double-checking with @simoneonofri and did not see anything otherwise.

@simoneonofri
Copy link

simoneonofri commented Nov 15, 2024

hi @plehegar, thank you for the pointer.

@darktears i am reading the spec (from a security point of view)

@simoneonofri
Copy link

Since the API only provides information, the security part is assimilated to privacy concerns (it should also be nice to reference fingerprinting here).

I am specifically reasoning about this message concerning possible abuse cases (e.g., how this can be abused by aggressive advertising? or for XS-leaks).

No further issues for now.

@darktears
Copy link

darktears commented Nov 15, 2024

Thanks @simoneonofri for taking a look.

We do cover fingerprinting over here.

There isn't much value in the API for abuse by advertisers. If the intention is to detect a foldable device there are many other ways to detect them without that API. If it's to track them across contexts again it's only possible to potentially track a user which is using the 'folded' posture (any other devices will return continuous and non folded foldable devices as well) but it will all fall apart if the posture changes while changing context (posture change is a user triggered action). Also many many devices are shipping now so folded devices are getting more and more common. It does add a bit of entropy for sure but I don't think it's very sensitive.

We do want to expose the API to iframes because there are legit use cases for it (as some developers commented).

@simoneonofri
Copy link

@darktears, you're welcome.

Could you put in the Security Considerations Section the reference to that point already mentioned in the privacy considerations?

Another Threat Actor we can consider is someone who places in the iframe something like BeEF - back in the day, I tended to put it inside an iframe :).

@darktears
Copy link

I could add the reference but I'm not sure it provides any value provided that the Security Considerations Section is right above the Privacy section and the first paragraph is what we're talking about, no-scrolling required pretty much.

@plehegar
Copy link
Member

Approved.

Thank you @simoneonofri and @darktears .

@plehegar plehegar added Awaiting Publication Approved by the Director, waiting on publication and removed Awaiting Team Verification Awaiting the verification of the W3C Team labels Nov 18, 2024
@plehegar plehegar assigned himorin and unassigned plehegar Nov 18, 2024
@darktears
Copy link

Thanks @plehegar for the approval.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Awaiting Publication Approved by the Director, waiting on publication Entering CR First Candidate Recommendation wg:das
Projects
None yet
Development

No branches or pull requests

5 participants