[EME] Added text about secure origins (bug 26332) to prompts/consent text; added consent text to Security Considerations.
authorDavid Dorwin <ddorwin@google.com>
Fri, 18 Jul 2014 18:19:39 -0700
changeset 374 7595e9457f23
parent 373 e68902b0f30d
child 375 3368787fe08e
[EME] Added text about secure origins (bug 26332) to prompts/consent text; added consent text to Security Considerations.
encrypted-media/encrypted-media.html
encrypted-media/encrypted-media.xml
--- a/encrypted-media/encrypted-media.html	Fri Jul 18 17:43:15 2014 -0700
+++ b/encrypted-media/encrypted-media.html	Fri Jul 18 18:19:39 2014 -0700
@@ -1506,6 +1506,10 @@
     Such user agents should also properly handle <a href="https://w3c.github.io/webappsec/specs/mixedcontent/">Mixed Content</a> to avoid potential exposure to insecure content.
     See also <a href="#privacy-secureorigin">Use Secure Origin and Transport</a>.
     </p>
+    
+    <p>If a user agent chooses to support a Key System implementation that cannot be sufficiently sandboxed or otherwise secured, the user agent should ensure that users are fully informed and/or give explicit consent before loading or invoking it.
+    See also <a href="#privacy-prompts">User Alerts / Prompts</a>.
+    </p>
 
     </div>
 
@@ -1578,11 +1582,15 @@
       <dt>Shared blacklists</dt>
       <dd>User agents may allow users to share their Key System domain blacklists. This would allow communities to act together to protect their privacy.</dd>
 
-      <dt>User alerts / prompts</dt>
-      <dd>User Agents could ensure that users are fully informed and / or give explicit consent before identifiers are exposed in messages from Key Systems.</dd>
+      <dt id="privacy-prompts">User Alerts / Prompts</dt>
+      <dd>User Agents should ensure that users are fully informed and/or give explicit consent before identifiers are exposed in messages from Key Systems.
+        Such alerts and consent should be per origin to avoid valid uses enabling subsequent malicious access.
+        User agents that consider such alerts or consent appropriate should only support such Key Systems on secure origins (see <a href="#privacy-secureorigin">Use Secure Origin and Transport</a>), especially if they allow such consent to be persisted.
+        (Granting permissions to unauthenticated origins is equivalent to granting the permissions to any origin in the presence of a network attacker.)
+      </dd>
 
       <dt>User controls to disable Key Systems or Key System use of identifiers</dt>
-      <dd>User Agents could provide users with a global control of whether a Key System is enabled / disabled and / or whether Key System use of user / device identifiers is enabled or disabled (if supported by the Key System).</dd>
+      <dd>User Agents could provide users with a global control of whether a Key System is enabled / disabled and/or whether Key System use of user / device identifiers is enabled or disabled (if supported by the Key System).</dd>
     </dl>
 
     <p>While these suggestions prevent trivial use of this feature for user tracking, they do not block it altogether. Within a single domain, a site can continue to track the user during a session, and can then pass all this information to a third party along with any identifying information (names, credit card numbers, addresses) obtained by the site. If a third party cooperates with multiple sites to obtain such information, and if identifiers are not per-origin, then a profile can still be created.</p>
--- a/encrypted-media/encrypted-media.xml	Fri Jul 18 17:43:15 2014 -0700
+++ b/encrypted-media/encrypted-media.xml	Fri Jul 18 18:19:39 2014 -0700
@@ -1426,6 +1426,10 @@
     Such user agents should also properly handle <a href="https://w3c.github.io/webappsec/specs/mixedcontent/">Mixed Content</a> to avoid potential exposure to insecure content.
     See also <a href="#privacy-secureorigin">Use Secure Origin and Transport</a>.
     </p>
+    
+    <p>If a user agent chooses to support a Key System implementation that cannot be sufficiently sandboxed or otherwise secured, the user agent should ensure that users are fully informed and/or give explicit consent before loading or invoking it.
+    See also <a href="#privacy-prompts">User Alerts / Prompts</a>.
+    </p>
 
     </div>
 
@@ -1497,11 +1501,15 @@
       <dt>Shared blacklists</dt>
       <dd>User agents may allow users to share their Key System domain blacklists. This would allow communities to act together to protect their privacy.</dd>
 
-      <dt>User alerts / prompts</dt>
-      <dd>User Agents could ensure that users are fully informed and / or give explicit consent before identifiers are exposed in messages from Key Systems.</dd>
+      <dt id="privacy-prompts">User Alerts / Prompts</dt>
+      <dd>User Agents should ensure that users are fully informed and/or give explicit consent before identifiers are exposed in messages from Key Systems.
+        Such alerts and consent should be per origin to avoid valid uses enabling subsequent malicious access.
+        User agents that consider such alerts or consent appropriate should only support such Key Systems on secure origins (see <a href="#privacy-secureorigin">Use Secure Origin and Transport</a>), especially if they allow such consent to be persisted.
+        (Granting permissions to unauthenticated origins is equivalent to granting the permissions to any origin in the presence of a network attacker.)
+      </dd>
 
       <dt>User controls to disable Key Systems or Key System use of identifiers</dt>
-      <dd>User Agents could provide users with a global control of whether a Key System is enabled / disabled and / or whether Key System use of user / device identifiers is enabled or disabled (if supported by the Key System).</dd>
+      <dd>User Agents could provide users with a global control of whether a Key System is enabled / disabled and/or whether Key System use of user / device identifiers is enabled or disabled (if supported by the Key System).</dd>
     </dl>
 
     <p>While these suggestions prevent trivial use of this feature for user tracking, they do not block it altogether. Within a single domain, a site can continue to track the user during a session, and can then pass all this information to a third party along with any identifying information (names, credit card numbers, addresses) obtained by the site. If a third party cooperates with multiple sites to obtain such information, and if identifiers are not per-origin, then a profile can still be created.</p>