index.html

<!doctype html>
<html lang="en">
 <head>
  
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  
  
  <title>Self-Review Questionnaire: Security and Privacy</title>
  
  
  <style>
@media print {
  html { margin: 0 !important; }
  body { font-family: serif; }
  th, td { font-family: inherit; }
  a { color: inherit !important; }
  .example:before { font-family: serif !important; }
  a:link, a:visited { text-decoration: none !important; }
  a:link:after, a:visited:after { /* create a cross-ref "see..." */; }
}
@page {
  margin: 1.5cm 1.1cm;
}
h1, h2, h3, h4, h5, h6 { page-break-after: avoid; }
figure, div.figure, div.sidefigure, pre, table.propdef, table.propdef-extra,
.example { page-break-inside: avoid; }
dt { page-break-after: avoid; }

body {
  background: white;
  /* background-image: floating-margin-image-goes-here; */
  background-position: top left;
  background-attachment: fixed;
  background-repeat: no-repeat;
  color: black;
  counter-reset: exampleno figure issue;
  font-family: sans-serif;
  line-height: 1.5;
  margin: 0 auto;
  max-width: 50em;
  padding: 2em 1em 2em 70px;
}

/* General structural markup */

h1, h2, h3, h4, h5, h6 { text-align: left; }
h1, h2, h3 { color: #005A9C; }
h1 { font: 170% sans-serif; }
h2 { font: 140% sans-serif; }
h3 { font: 120% sans-serif; }
h4 { font: bold 100% sans-serif; }
h5 { font: italic 100% sans-serif; }
h6 { font: small-caps 100% sans-serif; }
h2, h3, h4, h5, h6 { margin-top: 3em; }
h1 + h2 { margin-top: 0em; }
h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 1.2em; }

.head { margin-bottom: 1em; }
.head h1 { margin-top: 2em; clear: both; }
.head table { margin-left: 2em; margin-top: 2em; }
.head dd { margin-bottom: 0; }

p.copyright { font-size: small; }
p.copyright small { font-size: small; }

pre { margin: 1em 0 1em 2em; overflow: auto; }
pre, code, .idl-code {
  font-size: .9em;
  font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
}
pre .idl-code, pre code { font-size: 1em; }
dt dfn code { font-size: inherit; }

dfn { font-weight: bolder; }
dfn var { font-style: normal; }

s, del {text-decoration: line-through; color: red; }
u, ins {text-decoration: underline; background: #bfa; }

sup {
  vertical-align: super;
  font-size: 80%
}

details { display: block; }

dt { font-weight: bold; }
dd { margin: 0 0 1em 2em; }
ul, ol { margin-left: 0; padding-left: 2em; }
li { margin: 0.25em 2em 0.5em 0; padding-left: 0; }
[data-md] > :first-child { margin-top: 0; }
[data-md] > :last-child { margin-bottom: 0; }

td.pre {
  white-space: pre-wrap;
}

.css, .property { color: #005a9c; }
.property { white-space: nowrap; }


/* Boilerplate sections */

ul.indexlist { margin-left: 0; columns: 13em; }
ul.indexlist li { margin-left: 0; list-style: none }
ul.indexlist li li { margin-left: 1em; }
ul.indexlist a { font-weight: bold; }
ul.indexlist ul, ul.indexlist dl { font-size: smaller; }
ul.indexlist dl { margin-top: 0; }
ul.indexlist dt { margin: .2em 0 .2em 20px; }
ul.indexlist dd { margin: .2em 0 .2em 40px; }

.toc {
  font-weight: bold;
  line-height: 1.3;
  list-style: none;
  margin: 1em 0 0 5em;
  padding: 0;
}
.toc ul { margin: 0; padding: 0; font-weight: normal; }
.toc ul ul { margin: 0 0 0 2em; font-style: italic; }
.toc ul ul ul { margin: 0}
.toc > li { margin: 1.5em 0; padding: 0; }
.toc li { clear: both; }
.toc ul.toc li { margin: 0.3em 0 0 0; }
.toc a { border-bottom-style: none; }
.toc a:hover, ul.toc a:focus { border-bottom-style: solid; }
/* Section numbers in a column of their own */
.toc span.secno {float: left; width: 4em; margin-left: -5em}
.toc ul ul span.secno { margin-left: -7em; }

table.proptable {
  font-size: small;
  border-collapse: collapse;
  border-spacing: 0;
  text-align: left;
  margin: 1em 0;
}
table.proptable td, table.proptable th {
  padding: 0.4em;
  text-align: center;
}
table.proptable tr:hover td { background: #DEF; }


/* Links */

a[href] { color: inherit; border-bottom: 1px solid silver; text-decoration: none; }
a[href]:hover { background: #ffa; }
a[href]:active { color: #C00; background: transparent; }
img, a.logo { border-style: none; }
.heading, .issue, .note, .example, li, dt { position: relative; }
/* CSS-ish link types */
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {content: "“";}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {content: "”";}
[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after { content: ""; }
/* Element-type link styling */
[data-link-type=element] { font-family: monospace; }
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after { content: ">" }
/* Self-links */
a.self-link {
  position: absolute;
  top: 0;
  left: -2.5em;
  width: 2em;
  height: 2em;
  text-align: center;
  border: none;
  transition: opacity .2s;
  opacity: .5;
}
a.self-link:hover {
  opacity: 1;
}
.heading > a.self-link {
  font-size: 83%;
}
li > a.self-link {
  left: -3.5em;
}
dfn > a.self-link {
  top: auto;
  left: auto;
  opacity: 0;
  width: 1.5em;
  height: 1.5em;
  background: gray;
  color: white;
  font-style: normal;
  transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
  opacity: 1;
}
dfn > a.self-link:hover {
  color: black;
}
a.self-link::before { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before { content: "#"; }


/* Figures */

figure {
  display: block;
  text-align: center;
  margin: 2.5em 0;
}
figure.sidefigure {
  float: right;
  width: 50%;
  margin: 0 0 0.5em 0.5em
}
figure pre {
  text-align: left;
  display: table;
  margin: 1em auto;
}
figure table {
  margin: auto;
}
figure img, figure object {
  display: block;
  margin: auto;
  max-width: 100%
}
figcaption {
  counter-increment: figure;
  font-size: 90%;
  font-style: italic;
  text-align: center;
}
figcaption::before {
  content: "Figure " counter(figure) ". ";
  font-weight: bold;
}
dd figure { margin-left: -2em; }


/* Definition tables */

table.definition {
  border-spacing: 0;
  padding: 0 1em 0.5em;
  width: 100%;
  table-layout: fixed;
  margin: 1.2em 0;
}
table.definition td, table.definition th {
  padding: 0.5em;
  vertical-align: baseline;
  border-bottom: 1px solid #bbd7e9;
}
table.definition th:first-child {
  font-style: italic;
  font-weight: normal;
  text-align: left;
  width: 8.3em;
  padding-left: 1em;
}
table.definition > tbody > tr:last-child > th,
table.definition > tbody > tr:last-child > td {
  border-bottom: none;
}
table.definition tr:first-child > th,
table.definition tr:first-child > td {
  padding-top: 1em;
}
/* Footnotes at the bottom of a definition table */
table.definition td.footnote {
  font-style: normal;
  padding-top: .6em;
  width: auto;
}
table.definition td.footnote::before {
  content: " ";
  display: block;
  height: 0.6em;
  width: 4em;
  border-top: thin solid;
}


/* IDL fragments */

pre.idl {
  padding: .5em 1em;
  margin: 1.2em 0;
}
pre.idl :link, pre.idl :visited {
  color:inherit;
  background:transparent;
}


/* Data tables */
/* Comes in plain, long, complex, or define varieties */

.data {
  margin: 1em auto;
  border-collapse: collapse;
  width: 100%;
  border: hidden;
}
.data {
  text-align: center;
  width: auto;
}
.data caption {
  width: 100%;
}
.data td, .data th {
  padding: 0.5em;
  border-width: 1px;
  border-color: silver;
  border-top-style: solid;
}
.data thead td:empty {
  padding: 0;
  border: 0;
}
.data thead th[scope="row"] {
  text-align: right;
  color: inherit;
}
.data thead,
.data tbody {
  color: inherit;
  border-bottom: 2px solid;
}
.data colgroup {
  border-left: 2px solid;
}
.data tbody th:first-child,
.data tbody td[scope="row"]:first-child {
  text-align: right;
  color: inherit;
  border-right: 2px solid;
  border-top: 1px solid silver;
  padding-right: 1em;
}
.data.define td:last-child {
  text-align: left;
}
.data tbody th[rowspan],
.data tbody td[rowspan] {
  border-left: 1px solid silver;
}
.data tbody th[rowspan]:first-child,
.data tbody td[rowspan]:first-child {
  border-left: 0;
  border-right: 1px solid silver;
}
.data.complex th,
.data.complex td {
  border: 1px solid silver;
}
.data td.long {
 vertical-align: baseline;
 text-align: left;
}
.data img {
  vertical-align: middle;
}


/* Switch/case <dl>s */

dl.switch {
 padding-left: 2em;
}
dl.switch > dt {
 text-indent: -1.5em;
}
dl.switch > dt:before {
 content: '↪';
 padding: 0 0.5em 0 0;
 display: inline-block;
 width: 1em;
 text-align: right;
 line-height: 0.5em;
}


/* Style for At Risk features (intended as editorial aid, not intended for publishing) */
.atrisk::before {
 position: absolute;
 margin-left: -5em;
 margin-top: -2px;
 padding: 4px;
 border: 1px solid;
 content: 'At risk';
 font-size: small;
 background-color: white;
 color: gray;
 border-radius: 1em;
 text-align: center;
}


/* Obsoletion notice */
details.annoying-warning[open] {
  background: #fdd;
  color: red;
  font-weight: bold;
  text-align: center;
  padding: .5em;
  border: thick solid red;
  border-radius: 1em;
  position: fixed;
  left: 1em;
  right: 1em;
  bottom: 1em;
  z-index: 1000;
}
details.annoying-warning:not([open]) > summary {
  background: #fdd;
  color: red;
  font-weight: bold;
  text-align: center;
  padding: .5em;
}


/* Examples */

.example {
  counter-increment: exampleno;
}
.example::before {
  content: "Example";
  content: "Example " counter(exampleno);
  min-width: 7.5em;
  text-transform: uppercase;
  display: block;
}
.illegal-example::before {
  content: "Invalid Example";
  content: "Invalid Example" counter(exampleno);
}
.example, .illegal-example, .html, .illegal-html, .xml, .illegal-xml {
  padding: 0.5em;
  margin: 1em 0;
  position: relative;
  clear: both;
}
pre.example, pre.illegal-example, pre.html,
pre.illegal-html, pre.xml, pre.illegal-xml {
  padding-top: 1.5em;
}
.illegal-example { color: red; }
.illegal-example p { color: black; }
.html { color: #600; }
.illegal-html { color: red; }
.illegal-html p { color: black; }
.xml { color: #600; }
.illegal-xml { color: red; }
.illegal-xml p { color: black; }
code.css { font-family: inherit; font-size: 100% }
code.html { color: #600 } /* inline HTML */
code.xml { color: #600 }  /* inline XML */


/* Issues */

.issue {
  border-color: #E05252;
  background: #FBE9E9;
  counter-increment: issue;
}
.issue:before {
  content: "Issue " counter(issue);
  padding-right: 1em;
  text-transform: uppercase;
  color: #E05252;
}


/* Whys */

details.why > summary {
  font-style: italic;
}
details.why[open] > summary {
  border-bottom: 1px silver solid;
}


/* All the blocks get similarly styled */

table.definition, pre.idl, .example, .note, details.why, .issue {
  border: none;
  border-left: .5em solid black;
  border-left: .5rem solid black;
}
.issue, .note, .example, .why {
  padding: .5em;
  margin-top: 1em;
  margin-bottom: 1em;
}
table.definition, pre.idl {
  background: hsl(210, 70%, 95%);
  border-color: hsl(210, 80%, 75%);
}
.example {
  background: hsl(50, 70%, 95%);
  border-color: hsl(50, 70%, 60%);
}
.example::before {
  color: hsl(50, 70%, 60%);
}
.note, details.why {
  background: hsl(120, 70%, 95%);
  border-color: hsl(120, 70%, 60%);
}
.note::before {
  color: hsl(120, 70%, 60%);
}
.issue {
  background: hsl(0, 70%, 95%);
  border-color: hsl(0, 70%, 60%);
}
.issue::before {
  color: hsl(0, 70%, 60%);
}
span.issue, span.note {
  padding: .1em .5em .15em;
  border-right-width: .5em;
  border-right-style: solid;
}
  </style>
  

  <meta content="Bikeshed 1.0.0" name="generator">
 </head>
 

 <body class="h-entry">

  <div class="head">
  
   <p data-fill-with="logo"></p>
  
   <h1 class="p-name no-ref" id="title">Self-Review Questionnaire: Security and Privacy</h1>
  
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">A Collection of Interesting Ideas,
    <time class="dt-updated" datetime="2015-05-11">11 May 2015</time></span></h2>
  
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://w3ctag.github.io/security-questionnaire/">https://w3ctag.github.io/security-questionnaire/</a>
     <dt>Version History:
     <dd><a href="https://github.com/w3ctag/security-questionnaire/commits/master/index.src.html">https://github.com/w3ctag/security-questionnaire/commits/master/index.src.html</a>
     <dt>Issue Tracking:
     <dd><a href="#issues-index">Inline In Spec</a>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)
     <dt>Bug Reports:
     <dd><span><a href="https://github.com/w3ctag/security-questionnaire/issues/new">via the w3ctag/security-questionnaire repository on GitHub</a></span>
    </dl>
   </div>
  
   <div data-fill-with="warning"></div>
  
   <p class="copyright" data-fill-with="copyright"><a href="http://creativecommons.org/publicdomain/zero/1.0/" rel="license"><img alt="CC0" src="https://licensebuttons.net/p/zero/1.0/80x15.png"></a>
To the extent possible under law, the editors have waived all copyright
and related or neighboring rights to this work.
In addition, as of 11 May 2015,
the editors have made this specification available under the
<a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0" rel="license">Open Web Foundation Agreement Version 1.0</a>,
which is available at http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0.
Parts of this work may be from another specification document.  If so, those parts are instead covered by the license of that specification document.
</p>
  
   <hr title="Separator for header">
</div>


  <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>

  <div class="p-summary" data-fill-with="abstract">
   <p>This document lists a set of questions one could ask about the security and

privacy impact of a new feature or specification. It is meant as a tool that
groups or individuals can use as a guide during a self-review, pointing
towards important questions in areas where expertise might be lacking.</p>




   <p>It is not meant as a "security checklist", nor does an editor or group’s use

of this questionnaire obviate the editor or group’s responsibility to obtain
"wide review" of a specification’s security and privacy properties before
publication.</p>

</div>

  <div data-fill-with="at-risk"></div>


  <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="content">Table of Contents</span></h2>

  <div data-fill-with="table-of-contents" role="navigation">
   <ul class="toc" role="directory">
    <li><a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
    <li><a href="#threats"><span class="secno">2</span> <span class="content">Threat Models</span></a>
     <ul class="toc">
      <li><a href="#passive-network"><span class="secno">2.1</span> <span class="content">Passive Network Attackers</span></a>
      <li><a href="#active-network"><span class="secno">2.2</span> <span class="content">Active Network Attackers</span></a>
      <li><a href="#sop-violations"><span class="secno">2.3</span> <span class="content">Same-Origin Policy Violations</span></a>
      <li><a href="#third-party-tracking"><span class="secno">2.4</span> <span class="content">Third-Party Tracking</span></a>
     </ul>
    <li><a href="#questions"><span class="secno">3</span> <span class="content">Questions to Consider</span></a>
     <ul class="toc">
      <li><a href="#pii"><span class="secno">3.1</span> <span class="content">
    Does this specification deal with personally-identifiable information?
  </span></a>
      <li><a href="#credentials"><span class="secno">3.2</span> <span class="content">
    Does this specification deal with high-value data?
  </span></a>
      <li><a href="#persistent-origin-specific-state"><span class="secno">3.3</span> <span class="content">
    Does this specification introduce new state for an origin that persists
    across browsing sessions?
  </span></a>
      <li><a href="#persistent-identifiers"><span class="secno">3.4</span> <span class="content">
    Does this specification expose persistent, cross-origin state to the web?
  </span></a>
      <li><a href="#other-data"><span class="secno">3.5</span> <span class="content">
    Does this specification expose any other data to an origin that it doesn’t
    currently have access to?
  </span></a>
      <li><a href="#string-to-script"><span class="secno">3.6</span> <span class="content">
    Does this specification enable new script execution/loading mechanisms?
  </span></a>
      <li><a href="#location"><span class="secno">3.7</span> <span class="content">Does this specification allow an origin access to a user’s location?</span></a>
      <li><a href="#sensors"><span class="secno">3.8</span> <span class="content">Does this specification allow an origin access to sensors on a user’s device?</span></a>
      <li><a href="#local-device"><span class="secno">3.9</span> <span class="content">Does this specification allow an origin access to aspects of a user’s local computing environment?</span></a>
      <li><a href="#remote-device"><span class="secno">3.10</span> <span class="content">
    Does this specification allow an origin access to other devices?
  </span></a>
      <li><a href="#native-ui"><span class="secno">3.11</span> <span class="content">
    Does this specification allow an origin some measure of control over a user
    agent’s native UI?
  </span></a>
      <li><a href="#temporary-id"><span class="secno">3.12</span> <span class="content">Does this specification expose temporary identifiers to the web?</span></a>
      <li><a href="#first-third-party"><span class="secno">3.13</span> <span class="content">Does this specification distinguish between behavior in first-party and third-party contexts?</span></a>
      <li><a href="#incognito"><span class="secno">3.14</span> <span class="content">
    How should this specification work in the context of a user agent’s
    "incognito" mode?
  </span></a>
      <li><a href="#storage"><span class="secno">3.15</span> <span class="content">
    Does this specification persist data to a user’s local device?
  </span></a>
      <li><a href="#considerations"><span class="secno">3.16</span> <span class="content">
    Does this specification have a "Security Considerations" and "Privacy
    Considerations" section?
  </span></a>
      <li><a href="#relaxed-sop"><span class="secno">3.17</span> <span class="content">
    Does this specification allow downgrading default security characteristics?
  </span></a>
     </ul>
    <li><a href="#mitigations"><span class="secno">4</span> <span class="content">
    Mitigation Strategies
  </span></a>
     <ul class="toc">
      <li><a href="#secure-contexts"><span class="secno">4.1</span> <span class="content">
    Secure Contexts
  </span></a>
      <li><a href="#user-mediation"><span class="secno">4.2</span> <span class="content">
    Explicit user mediation
  </span></a>
      <li><a href="#drop-feature"><span class="secno">4.3</span> <span class="content">
    Drop the feature
  </span></a>
     </ul>
    <li><a href="#conformance"><span class="secno"></span> <span class="content">
Conformance</span></a>
    <li><a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ul class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ul>
    <li><a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ul class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ul>
    <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
   </ul></div>

  <main>





   <section>
  
    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>


    <p>Adding features to the web is a tricky thing; on the one hand, we want to
  provide developers with access to all the things they need in order to build
  amazing experiences. On the other, we need to ensure that we don’t
  accidentally hand over too much power to malicious folks who could abuse it,
  or unintentionally expose people’s private data without adequate controls.
  Ideally, careful review of every specification we publish will allow us to
  strike the right balance.</p>


    <p>Working groups can (and should) begin this review process early, of course.
  It’s <em>easy</em> to mitigate risks to users on the web <em>before</em> a
  feature is finalized and shipped in user agents. Changing APIs or
  introducing restrictions becomes nigh impossible once the web begins to
  depend on a particular implementation.</p>


    <p>This document encourages early review by posing a number of questions that
  you as a individual reader of a specification can ask—and that working
  groups and spec editors might consider themselves, before asking for more
  formal review. The intent is to highlight areas which have historically had
  interesting implications on a user’s security or privacy, and thereby to
  focus the editor’s attention and working group’s attention and reviewers'
  attention on areas that might previously have been overlooked.</p>


    <p class="note" role="note">Note: Answering these questions obviously doesn’t constitute "wide review" in
  and of itself, but could provide a helpful basis of understanding upon which
  future reviewers can build.</p>
</section>



   <section>
  
    <h2 class="heading settled" data-level="2" id="threats"><span class="secno">2. </span><span class="content">Threat Models</span><a class="self-link" href="#threats"></a></h2>


    <p>"Security" and "Privacy" are big concepts. In order to pare them down to
  something which could feasibly guide working groups' decisions, let’s consider
  the types of threats to both which the web makes possible:</p>

  
    <h3 class="heading settled" data-level="2.1" id="passive-network"><span class="secno">2.1. </span><span class="content">Passive Network Attackers</span><a class="self-link" href="#passive-network"></a></h3>


    <p>A <dfn data-dfn-type="dfn" data-noexport="" id="passive-network-attacker">passive network attacker<a class="self-link" href="#passive-network-attacker"></a></dfn> has read-access to the bits going over
  the wire between users and the servers they’re communicating with. They can’t
  <em>modify</em> the bytes, but they can collect and analyze them.</p>


    <p>Due to the decentralized nature of the internet, and the general level of
  interest in user activity, it’s reasonable to assume that practically every
  unencrypted bit that’s bouncing around the network of proxies, routers, and
  servers you’re using right now is being read by someone. It’s equally likely
  that some of these attackers are doing their best to understand the encrypted
  bits as well (though that requires significantly more effort).</p>


    <ul>
     <li data-md="">
      <p>The IETF’s "Pervasive Monitoring Is an Attack" document <a data-link-type="biblio" href="#biblio-rfc7258">[RFC7258]</a> is
  useful reading, outlining some of the impacts on privacy that this
  assumption entails.</p>
      


     <li data-md="">
      <p>Governments aren’t the only concern; your local coffee shop is likely to
  be gathering information on its customers, your ISP at home is likely to
  be doing the same.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="2.2" id="active-network"><span class="secno">2.2. </span><span class="content">Active Network Attackers</span><a class="self-link" href="#active-network"></a></h3>


    <p>An <dfn data-dfn-type="dfn" data-noexport="" id="active-network-attacker">active network attacker<a class="self-link" href="#active-network-attacker"></a></dfn> has both read- and write-access to the
  bits going over the wire between users and the servers they’re communicating
  with. They can collect and analyze data, but also modify it in-flight,
  injecting and manipulating JavaScript and HTML at will. This is more common
  than you might expect, for both benign and malicious purposes:</p>


    <ul>
     <li data-md="">
      <p>ISPs and caching proxies regularly cache and compress images before
  delivering them to users in an effort to reduce data usage. This can be
  especially useful for users on low-bandwidth, high-latency devices like
  phones.</p>
      


     <li data-md="">
      <p>ISPs also regularly inject JavaScript <a data-link-type="biblio" href="#biblio-comcast">[COMCAST]</a> and other identifiers
  <a data-link-type="biblio" href="#biblio-verizon">[VERIZON]</a> for less benign purposes.</p>
      


     <li data-md="">
      <p>If your ISP is willing to modify substantial amounts of traffic flowing
  through it for profit, it’s difficult to believe that state-level 
  attackers will remain passive.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="2.3" id="sop-violations"><span class="secno">2.3. </span><span class="content">Same-Origin Policy Violations</span><a class="self-link" href="#sop-violations"></a></h3>


    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="same_origin-policy">same-origin policy<a class="self-link" href="#same_origin-policy"></a></dfn> is the cornerstone of security on the web;
  one origin should not have direct access to another origin’s data (the policy
  is more formally defined in Section 3 of <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>). A corollary to this
  policy is that an origin should not have direct access to data that isn’t
  associated with <em>any</em> origin: the contents of a user’s hard drive,
  for instance. Various kinds of attacks bypass this protection in one way or
  another. For example:</p>


    <ul>
     <li data-md="">
      <p><dfn data-dfn-type="dfn" data-local-lt="XSS" data-noexport="" id="cross_site-scripting-attacks">Cross-site scripting attacks<a class="self-link" href="#cross_site-scripting-attacks"></a></dfn> involve an
  attacker tricking an origin into executing attacker-controlled code in
  the context of a target origin.</p>
      


     <li data-md="">
      <p><dfn data-dfn-type="dfn" data-local-lt="CSRF" data-noexport="" id="cross_site-request-forgery-attacks">Cross-site request forgery attacks<a class="self-link" href="#cross_site-request-forgery-attacks"></a></dfn> trick
  user agents into exerting a user’s ambient authority on sites where
  they’ve logged in by submitting requests on their behalf.</p>
      


     <li data-md="">
      <p>Data leakage occurs when bits of information are inadvertantly made
  available cross-origin, either explicitly via CORS headers <a data-link-type="biblio" href="#biblio-cors">[CORS]</a>,
  or implicitly, via side-channel attacks like <a data-link-type="biblio" href="#biblio-timing">[TIMING]</a>.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="2.4" id="third-party-tracking"><span class="secno">2.4. </span><span class="content">Third-Party Tracking</span><a class="self-link" href="#third-party-tracking"></a></h3>


    <p class="issue" id="issue-af65255c"><a class="self-link" href="#issue-af65255c"></a>Flesh this out. <a href="https://github.com/w3ctag/security-questionnaire/issues/7">&lt;https://github.com/w3ctag/security-questionnaire/issues/7></a></p>

</section>



   <section>
  
    <h2 class="heading settled" data-level="3" id="questions"><span class="secno">3. </span><span class="content">Questions to Consider</span><a class="self-link" href="#questions"></a></h2>

  
    <h3 class="heading settled" data-level="3.1" id="pii"><span class="secno">3.1. </span><span class="content">
    Does this specification deal with personally-identifiable information?
  </span><a class="self-link" href="#pii"></a></h3>


    <p><dfn data-dfn-type="dfn" data-local-lt="personally-identifiable" data-noexport="" id="personally_identifiable-information">Personally-identifiable
  information<a class="self-link" href="#personally_identifiable-information"></a></dfn> (PII) includes a large swath of data which could be used on
  its own, or in combination with other information, to identify a single
  person. The exact definition of what’s considered PII varies from jurisdiction
  to jurisdiction, but could certainly include things like a home address, an
  email address, birthdates, usernames, fingerprints etc. Wikipedia has a fairly
  good description at <a data-link-type="biblio" href="#biblio-pii">[PII]</a>.</p>


    <p>If the specification under consideration exposes PII to the web, it’s
  important to consider ways to mitigate the obvious impacts. For instance:</p>


    <ul>
     <li data-md="">
      <p>A feature which uses biometric data (fingerprints or retina scans) could
  refuse to expose the raw data to the web, instead using the raw data only
  to unlock some origin-specific and ephemeral secret and transmitting that
  secret instead.</p>
      


     <li data-md="">
      <p>User mediation could be required, in order to ensure that no data is
  exposed without a user’s explicit choice (and hopefully understanding).</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.2" id="credentials"><span class="secno">3.2. </span><span class="content">
    Does this specification deal with high-value data?
  </span><a class="self-link" href="#credentials"></a></h3>


    <p>Data which isn’t <a data-link-type="dfn" href="#personally_identifiable-information">personally-identifiable</a> can still be quite valuable.
  Sign-in credentials (like username/password pairs, or OAuth refresh tokens)
  can be extrememly powerful in the wrong hands, as can financial instruments
  like credit card data. Making this data available to JavaScript, for instance,
  could expose it to <a data-link-type="dfn" href="#cross_site-scripting-attacks">XSS</a> attacks and <a data-link-type="dfn" href="#active-network-attacker">active network attackers</a> who
  could inject code to read and exfiltrate the data. For instance:</p>


    <ul>
     <li data-md="">
      <p>Credential Management <a data-link-type="biblio" href="#biblio-credential-management">[CREDENTIAL-MANAGEMENT]</a> allows sites to request
  a user’s credentials from a user agent’s password manager in order to
  sign the user in quickly and easily. This opens the door for abuse, as
  a single XSS could expose user data trivially to JavaScript. They mitigate
  the risk by only offering the username and password as an opaque
  <code>FormData</code> object which cannot be directly read by JavaScript,
  and strongly suggest that authors use Content Security Policy <a data-link-type="biblio" href="#biblio-csp">[CSP]</a> with
  resonable <code>connect-src</code> and <code>form-action</code> values to
  further mitigate the risk of exfiltration.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.3" id="persistent-origin-specific-state"><span class="secno">3.3. </span><span class="content">
    Does this specification introduce new state for an origin that persists
    across browsing sessions?
  </span><a class="self-link" href="#persistent-origin-specific-state"></a></h3>


    <p>For example:</p>


    <ul>
     <li data-md="">
      <p>Service Worker <a data-link-type="biblio" href="#biblio-service-workers">[SERVICE-WORKERS]</a> intercept all requests made by an
  origin, allowing sites to function perfectly even when offline. A
  maliciously-injected service worker, however, would be devastating (as
  documented in that spec’s
  <a href="http://www.w3.org/TR/service-workers/#security-considerations">security
  considerations section</a>). They mitigate the risks an <a data-link-type="dfn" href="#active-network-attacker">active network
  attacker</a> or <a data-link-type="dfn" href="#cross_site-scripting-attacks">XSS</a> vulnerability present by requiring an
  encrypted and authenticated connection in order to register a service
  worker.</p>
      


     <li data-md="">
      <p>Platform-specific DRM implementations might expose origin-specific
  information in order to help identify users and determine whether they
  ought to be granted access to a specific piece of media. These kinds of
  identifiers should be carefully evaluated to determine how abuse can be
  mitigated; identifiers which a user cannot easily change are very
  valuable from a tracking perspective, and protecting the identifiers from
  an active network attacker is an important concern.</p>
      


     <li data-md="">
      <p>Cookies, <code>ETag</code>, <code>Last Modified</code>, <code>Local
  Storage</code>, <code>Indexed DB</code>, etc. all allow an origin to
  store information about a user, and retrieve it later, directly or
  indirectly. User agents mitigate the risk that these kinds of storage
  mechanisms will form a persistent identifier by offering users the
  ability to wipe out the data contained in these types of storage.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.4" id="persistent-identifiers"><span class="secno">3.4. </span><span class="content">
    Does this specification expose persistent, cross-origin state to the web?
  </span><a class="self-link" href="#persistent-identifiers"></a></h3>


    <p>For example:</p>


    <ul>
     <li data-md="">
      <p>The <code>GL_RENDERER</code> string exposed by some WebGL implementations
  improves performance in some kinds of applications, but does so at the
  cost of adding persistent state to a user’s fingerprint. These kinds of
  device-level details should be carefully weighed to ensure that the costs
  are outweighed by the benefits.</p>
      


     <li data-md="">
      <p>The <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/webappapis.html#navigatorplugins">NavigatorPlugins</a></code> list exposed via the DOM practically never
  changes for most users. Some user agents have taken steps to reduce the
  entropy introduced by
  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=757726">disallowing
  direct enumeration of the plugin list</a>.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.5" id="other-data"><span class="secno">3.5. </span><span class="content">
    Does this specification expose any other data to an origin that it doesn’t
    currently have access to?
  </span><a class="self-link" href="#other-data"></a></h3>


    <p>As noted above in <a href="#sop-violations">§2.3 Same-Origin Policy Violations</a>, the <a data-link-type="dfn" href="#same_origin-policy">same-origin policy</a> is an
  important security barrier that new features need to carefully consider.
  If a specification exposes details about another origin’s state, or allows
  POST or GET requests to be made to another origin, the consequences can be
  severe.</p>


    <ul>
     <li data-md="">
      <p>Content Security Policy <a data-link-type="biblio" href="#biblio-csp">[CSP]</a> unintentionally exposed redirect targets
  cross-origin by allowing one origin to infer details about another origin
  through violation reports (see <a data-link-type="biblio" href="#biblio-homakov">[HOMAKOV]</a>). The working group eventually
  mitigated the risk by reducing a policy’s granularity after a redirect.</p>
      


     <li data-md="">
      <p>Beacon <a data-link-type="biblio" href="#biblio-beacon">[BEACON]</a> allows an origin to send POST requests to an endpoint
  on another origin. They decided that this feature didn’t add any new
  attack surface above and beyond what normal form submission entails, so
  no extra mitigation was necessary.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.6" id="string-to-script"><span class="secno">3.6. </span><span class="content">
    Does this specification enable new script execution/loading mechanisms?
  </span><a class="self-link" href="#string-to-script"></a></h3>


    <ul>
     <li data-md="">
      <p>HTML Imports <a data-link-type="biblio" href="#biblio-html-imports">[HTML-IMPORTS]</a> create a new script-loading mechanism, using
<code><a data-link-type="element" href="https://html.spec.whatwg.org/#the-link-element">link</a></code> rather than <code><a data-link-type="element" href="https://html.spec.whatwg.org/#script">script</a></code>, which might be easy to overlook when
evaluating an application’s attack surface. The working group notes this
risk, and ensured that they required reasonable interactions with Content
Security Policy’s <code>script-src</code> directive.</p>
      


     <li data-md="">
      <p>New string-to-script mechanism? (e.g. `eval()` or `setTimeout([string], ...)`)</p>
      


     <li data-md="">
      <p>What about style?</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.7" id="location"><span class="secno">3.7. </span><span class="content">Does this specification allow an origin access to a user’s location?</span><a class="self-link" href="#location"></a></h3>


    <p>A user’s location is highly-desirable information for a variety of use cases.
  It is also, understandably, information which many users are reluctant to
  share, as it can be both highly identifying, and potentially creepy. New
  features which make use of geolocation information, or which expose it to the
  web in new ways should carefully consider the ways in which the risks of
  unfettered access to a user’s location could be mitigated. For instance:</p>


    <ul>
     <li data-md="">
      <p>Geolocation information can serve many use cases at a much less granular
  precision than the user agent can offer. For instance, a resturaunt
  recommendation can be generated by asking for a user’s city-level location
  rather than a position accurate to the centimeter.</p>
      


     <li data-md="">
      <p>A recent Geofencing proposal <a data-link-type="biblio" href="#biblio-geofencing">[GEOFENCING]</a> ties itself to service workers
  and therefore to encrypted and authenticated origins.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.8" id="sensors"><span class="secno">3.8. </span><span class="content">Does this specification allow an origin access to sensors on a user’s device?</span><a class="self-link" href="#sensors"></a></h3>


    <p class="issue" id="issue-95f2d23a"><a class="self-link" href="#issue-95f2d23a"></a>TODO.</p>

  
    <h3 class="heading settled" data-level="3.9" id="local-device"><span class="secno">3.9. </span><span class="content">Does this specification allow an origin access to aspects of a user’s local computing environment?</span><a class="self-link" href="#local-device"></a></h3>


    <p>(e.g. screen sizes, installed fonts, installed plugins, bluetooth or network interface identifiers)?</p>


    <p class="issue" id="issue-95f2d23a0"><a class="self-link" href="#issue-95f2d23a0"></a>TODO.</p>

  
    <h3 class="heading settled" data-level="3.10" id="remote-device"><span class="secno">3.10. </span><span class="content">
    Does this specification allow an origin access to other devices?
  </span><a class="self-link" href="#remote-device"></a></h3>


    <p>Specifically, it’s interesting whether or not this specification allows access
  to devices on a user’s local network that would be otherwise inaccessible to
  a web origin. In particular, connection via Bluetooth and USB should be
  carefully evaluated to avoid exposing devices to the web that aren’t created
  with the web in mind; doing so has security implications, as these devices
  may not be hardened against malicious input as well as they should be.</p>


    <ul>
     <li data-md="">
      <p>The Network Service Discovery API <a data-link-type="biblio" href="#biblio-discovery">[DISCOVERY]</a> recommends CORS preflights
  before granting access to a device, and requires user agents to involve
  the user with a permission request of some kind. The spec’s
  <a href="https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html#security-and-privacy-considerations">Security
  and privacy considerations"</a> section has more details.</p>
      


     <li data-md="">
      <p>Likewise, the Web Bluetooth <a data-link-type="biblio" href="#biblio-bluetooth">[BLUETOOTH]</a> has an extensive discussion of
  <a href="https://webbluetoothcg.github.io/web-bluetooth/#security-and-privacy-considerations">"Security
  and privacy considerations"</a>, which is worth reading as an example for
  similar work.</p>
      

</ul>
  
    <h3 class="heading settled" data-level="3.11" id="native-ui"><span class="secno">3.11. </span><span class="content">
    Does this specification allow an origin some measure of control over a user
    agent’s native UI?
  </span><a class="self-link" href="#native-ui"></a></h3>


    <p>(showing, hiding, or modifying certain details, especially if those details are relevant to security)?</p>


    <p class="issue" id="issue-95f2d23a1"><a class="self-link" href="#issue-95f2d23a1"></a>TODO.</p>

  
    <h3 class="heading settled" data-level="3.12" id="temporary-id"><span class="secno">3.12. </span><span class="content">Does this specification expose temporary identifiers to the web?</span><a class="self-link" href="#temporary-id"></a></h3>


    <p>(e.g. TLS features like Channel ID, session identifiers/tickets, etc)?</p>


    <p class="issue" id="issue-95f2d23a2"><a class="self-link" href="#issue-95f2d23a2"></a>TODO.</p>

  
    <h3 class="heading settled" data-level="3.13" id="first-third-party"><span class="secno">3.13. </span><span class="content">Does this specification distinguish between behavior in first-party and third-party contexts?</span><a class="self-link" href="#first-third-party"></a></h3>


    <ul>
     <li data-md="">
      <p>Section 2.1 of <a data-link-type="biblio" href="#biblio-first-party-only">[FIRST-PARTY-ONLY]</a> defines "first-party" in line with
  existing browser behavior (Chrome and Firefox).</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.14" id="incognito"><span class="secno">3.14. </span><span class="content">
    How should this specification work in the context of a user agent’s
    "incognito" mode?
  </span><a class="self-link" href="#incognito"></a></h3>


    <ul>
     <li data-md="">
      <p>Ideally, the feature would work in such a way that the website would not
  be able to determine that the user was in "incognito".</p>
      


     <li data-md="">
      <p>Less ideally, the feature wouldn’t work, but the website still wouldn’t
  be able to distinguish "incognito" from simply being denied permission to
  use the feature (for instance).</p>
      


     <li data-md="">
      <p>Unideally, the feature wouldn’t exist at all in "incognito", which means
  that the user wouldn’t be exposing data, but the website can probably tell
  that the user is in that state.</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.15" id="storage"><span class="secno">3.15. </span><span class="content">
    Does this specification persist data to a user’s local device?
  </span><a class="self-link" href="#storage"></a></h3>


    <ul>
     <li data-md="">
      <p>How should user agent’s "Clear browsing data" functionality work with
  this data? Are there caches that the user agent needs to be particularly
  careful with?</p>
      
</ul>
  
    <h3 class="heading settled" data-level="3.16" id="considerations"><span class="secno">3.16. </span><span class="content">
    Does this specification have a "Security Considerations" and "Privacy
    Considerations" section?
  </span><a class="self-link" href="#considerations"></a></h3>


    <p>Interesting features added to the web platform generally have security and/or
  privacy impacts. Documenting the various concerns and potential abuses in
  "Security Considerations" and "Privacy Considerations" sections of a document
  is a good way to help implementers and web developers understand the risks
  that a feature presents, and to ensure that adequate mitigations are in place.</p>


    <p>If it seems like a feature does not have security or privacy impacts,
  then say so inline in the spec section for that feature:</p>

  
    <blockquote>
    There are no known security or privacy impacts of this feature.
  </blockquote>


    <p>Saying so explicitly in the specification serves several purposes:</p>
  
    <ol>
    
     <li>
      Shows that a spec author/editor has explicitly considered security and
      privacy when designing a feature.
    
     
    
     <li>
      Provides some sense of confidence that there are no such impacts.
    
     
    
     <li>
      Challenges security and privacy minded individuals to think of and find
      even the potential for such impacts.
    
     
    
     <li>
      Demonstrates the spec author/editor’s receptivity to feedback about such
      impacts.
    
     
  
    </ol>

  
    <h3 class="heading settled" data-level="3.17" id="relaxed-sop"><span class="secno">3.17. </span><span class="content">
    Does this specification allow downgrading default security characteristics?
  </span><a class="self-link" href="#relaxed-sop"></a></h3>


    <ul>
     <li data-md="">
      <p><code>document.domain</code></p>
      

     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-cors">[CORS]</a></p>
      

     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-webmessaging">[WEBMESSAGING]</a></p>
      

     <li data-md="">
      <p><code>referrer <a class="property" data-link-type="propdesc">unsafe-always</a></code></p>
      
</ul>
</section>


   <section>
  
    <h2 class="heading settled" data-level="4" id="mitigations"><span class="secno">4. </span><span class="content">
    Mitigation Strategies
  </span><a class="self-link" href="#mitigations"></a></h2>

  
    <h3 class="heading settled" data-level="4.1" id="secure-contexts"><span class="secno">4.1. </span><span class="content">
    Secure Contexts
  </span><a class="self-link" href="#secure-contexts"></a></h3>


    <p>In the presence of an <a data-link-type="dfn" href="#active-network-attacker">active network attacker</a>, offering a feature to
  an insecure origin is the same as offering that feature to every origin (as
  the attacker can inject frames and code at will). Requiring an encrypted and
  authenticated connection in order to use a feature can mitigate this kind of
  risk.</p>

  
    <h3 class="heading settled" data-level="4.2" id="user-mediation"><span class="secno">4.2. </span><span class="content">
    Explicit user mediation
  </span><a class="self-link" href="#user-mediation"></a></h3>


    <p>If a feature has privacy or security impacts that are endemic to the feature
  itself, then one valid strategy for exposing it to the web is to require user
  mediation before granting an origin access. For instance, <a data-link-type="biblio" href="#biblio-geolocation-api">[GEOLOCATION-API]</a>
  reveals a user’s location, and wouldn’t be particularly useful if it didn’t;
  user agents generally gate access to the feature on a permission prompt which
  the user may choose to accept.</p>


    <p>Designing such prompts is difficult. Choosers are good. Walls of text are bad.</p>


    <p class="issue" id="issue-4800b8c7"><a class="self-link" href="#issue-4800b8c7"></a>Bring in some of felt@'s ideas here.</p>

  
    <h3 class="heading settled" data-level="4.3" id="drop-feature"><span class="secno">4.3. </span><span class="content">
    Drop the feature
  </span><a class="self-link" href="#drop-feature"></a></h3>


    <p>One way to mitigate the risks that a feature presents is to remove it from
  a specification.</p>

  
    <div class="example" id="example-0b4b5e09"><a class="self-link" href="#example-0b4b5e09"></a>
    The easiest way to mitigate potential negative security or privacy
    impacts of a feature, and even discussing the possibility,
    is to drop the feature.


     <p>Every feature in a spec should be considered guilty
    (of harming security and/or privacy) until proven otherwise.
    Every specification should seek to be as small as possible,
    even if only for the reasons of reducing and minimizing
    security/privacy attack surface(s).</p>
     


     <p>By doing so we can reduce the overall security (and privacy) attack surface
    of not only a particular feature, but of a module (related set of features),
    a specification, and the overall web platform.</p>
     


     <p>Ideally this is one of many motivations to reduce each of those to the minimum viable:</p>
     

    
     <ol>
      
      <li>
      Minimum viable feature:
      cut/drop values, options, or optional aspects.
      
      
      
      <li>
      Minimum viable web format/protocol/API:
      cut/drop a module, or even just one feature.
      
      
      
      <li>
      Minimum viable web platform:
      Cut/drop/obsolete entire specification(s).
      
      
    
     </ol>
     


     <p class="issue" id="issue-94f4168a"><a class="self-link" href="#issue-94f4168a"></a>Move Tantek’s thoughts somewhere. They don’t really fit well here,
    though the sentiment of a minimum viable web platform might fit into some
    other TAG finding.</p>
     
  
    </div>
</section>







</main>

  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">
Conformance</span><a class="self-link" href="#conformance"></a></h2>

    
  <p>
        Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology.
        The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL”
        in the normative parts of this document
        are to be interpreted as described in RFC 2119.
        However, for readability,
        these words do not appear in all uppercase letters in this specification.

    </p>
  <p>
        All of the text of this specification is normative
        except sections explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a>

    </p>
  <p>
        Examples in this specification are introduced with the words “for example”
        or are set apart from the normative text with <code>class="example"</code>, like this:

    </p>
  <div class="example" id="example-ae2b6bc0"><a class="self-link" href="#example-ae2b6bc0"></a>
        This is an example of an informative example.
    </div>

    
  <p>
        Informative notes begin with the word “Note”
        and are set apart from the normative text with <code>class="note"</code>, like this:

    </p>
  <p class="note" role="note">
        Note, this is an informative note.



</p>
  <h2 class="no-num heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="indexlist">
   <li>active network attacker, <a href="#active-network-attacker">2.2</a>
   <li>Cross-site request forgery attacks, <a href="#cross_site-request-forgery-attacks">2.3</a>
   <li>Cross-site scripting attacks, <a href="#cross_site-scripting-attacks">2.3</a>
   <li>CSRF, <a href="#cross_site-request-forgery-attacks">2.3</a>
   <li>passive network attacker, <a href="#passive-network-attacker">2.1</a>
   <li>personally-identifiable, <a href="#personally_identifiable-information">3.1</a>
   <li>Personally-identifiable
  information, <a href="#personally_identifiable-information">3.1</a>
   <li>same-origin policy, <a href="#same_origin-policy">2.3</a>
   <li>XSS, <a href="#cross_site-scripting-attacks">2.3</a>
  </ul>
  <h3 class="no-num heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="indexlist">
   <li><a data-link-type="biblio" href="#biblio-html5">[html5]</a> defines the following terms:
    <ul>
     <li><a href="https://html.spec.whatwg.org/#the-link-element">link</a>
     <li><a href="https://html.spec.whatwg.org/#script">script</a>
    </ul>
  </ul>
  <h2 class="no-num heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-html5"><a class="self-link" href="#biblio-html5"></a>[HTML5]
   <dd>Robin Berjon; et al. <a href="http://www.w3.org/TR/html5/">HTML5</a>. 28 October 2014. REC. URL: <a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
   <dt id="biblio-rfc2119"><a class="self-link" href="#biblio-rfc2119"></a>[RFC2119]
   <dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a>
  </dl>
  <h3 class="no-num heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-bluetooth"><a class="self-link" href="#biblio-bluetooth"></a>[BLUETOOTH]
   <dd>Jeffrey Yasskin; Vincent Scheib. <a href="https://webbluetoothcg.github.io/web-bluetooth/">Web Bluetooth</a>. URL: <a href="https://webbluetoothcg.github.io/web-bluetooth/">https://webbluetoothcg.github.io/web-bluetooth/</a>
   <dt id="biblio-comcast"><a class="self-link" href="#biblio-comcast"></a>[COMCAST]
   <dd>David Kravets. <a href="http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/">Comcast Wi-Fi serving self-promotional ads via JavaScript injection</a>. URL: <a href="http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/">http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/</a>
   <dt id="biblio-credential-management"><a class="self-link" href="#biblio-credential-management"></a>[CREDENTIAL-MANAGEMENT]
   <dd>Mike West. <a href="https://w3c.github.io/webappsec/specs/credentialmanagement/">Credential Management</a>. URL: <a href="https://w3c.github.io/webappsec/specs/credentialmanagement/">https://w3c.github.io/webappsec/specs/credentialmanagement/</a>
   <dt id="biblio-csp"><a class="self-link" href="#biblio-csp"></a>[CSP]
   <dd>Brandon Sterne; Adam Barth. <a href="http://www.w3.org/TR/CSP/">Content Security Policy 1.0</a>. 15 November 2012. CR. URL: <a href="http://www.w3.org/TR/CSP/">http://www.w3.org/TR/CSP/</a>
   <dt id="biblio-discovery"><a class="self-link" href="#biblio-discovery"></a>[DISCOVERY]
   <dd>Rich Tibbett. <a href="http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html">Network Service Discovery</a>. URL: <a href="http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html">http://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html</a>
   <dt id="biblio-first-party-only"><a class="self-link" href="#biblio-first-party-only"></a>[FIRST-PARTY-ONLY]
   <dd>Mike West. <a href="https://tools.ietf.org/html/draft-west-first-party-cookies">'First-Party-Only' Cookies</a>. URL: <a href="https://tools.ietf.org/html/draft-west-first-party-cookies">https://tools.ietf.org/html/draft-west-first-party-cookies</a>
   <dt id="biblio-geofencing"><a class="self-link" href="#biblio-geofencing"></a>[GEOFENCING]
   <dd>Alex Russell. <a href="https://github.com/slightlyoff/Geofencing/blob/master/explainer.md">Geofencing Explained</a>. URL: <a href="https://github.com/slightlyoff/Geofencing/blob/master/explainer.md">https://github.com/slightlyoff/Geofencing/blob/master/explainer.md</a>
   <dt id="biblio-homakov"><a class="self-link" href="#biblio-homakov"></a>[HOMAKOV]
   <dd>Egor Homakov. <a href="http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html">Using Content-Security-Policy for Evil</a>. URL: <a href="http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html">http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html</a>
   <dt id="biblio-pii"><a class="self-link" href="#biblio-pii"></a>[PII]
   <dd><a href="https://en.wikipedia.org/wiki/Personally_identifiable_information">Personally identifiable information</a>. URL: <a href="https://en.wikipedia.org/wiki/Personally_identifiable_information">https://en.wikipedia.org/wiki/Personally_identifiable_information</a>
   <dt id="biblio-rfc6454"><a class="self-link" href="#biblio-rfc6454"></a>[RFC6454]
   <dd>Adam Barth. <a href="https://tools.ietf.org/html/rfc6454">The Web Origin Concept</a>. URL: <a href="https://tools.ietf.org/html/rfc6454">https://tools.ietf.org/html/rfc6454</a>
   <dt id="biblio-rfc7258"><a class="self-link" href="#biblio-rfc7258"></a>[RFC7258]
   <dd>Stephen Farrell; Hannes Tschofenig. <a href="http://tools.ietf.org/html/rfc7258">Pervasive Monitoring Is an Attack</a>. URL: <a href="http://tools.ietf.org/html/rfc7258">http://tools.ietf.org/html/rfc7258</a>
   <dt id="biblio-timing"><a class="self-link" href="#biblio-timing"></a>[TIMING]
   <dd>Paul Stone. <a href="http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf">Pixel Perfect Timing Attacks with HTML5</a>. URL: <a href="http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf">http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf</a>
   <dt id="biblio-verizon"><a class="self-link" href="#biblio-verizon"></a>[VERIZON]
   <dd>Mark Bergen; Alex Kantrowitz. <a href="http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/">Verizon looks to target its mobile subscribers with ads</a>. URL: <a href="http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/">http://adage.com/article/digital/verizon-target-mobile-subscribers-ads/293356/</a>
   <dt id="biblio-beacon"><a class="self-link" href="#biblio-beacon"></a>[BEACON]
   <dd>Arvind Jain; Jatinder Mann. <a href="http://www.w3.org/TR/beacon/">Beacon</a>. 24 June 2014. LCWD. URL: <a href="http://www.w3.org/TR/beacon/">http://www.w3.org/TR/beacon/</a>
   <dt id="biblio-cors"><a class="self-link" href="#biblio-cors"></a>[CORS]
   <dd>Anne van Kesteren. <a href="http://www.w3.org/TR/cors/">Cross-Origin Resource Sharing</a>. 16 January 2014. REC. URL: <a href="http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>
   <dt id="biblio-geolocation-api"><a class="self-link" href="#biblio-geolocation-api"></a>[geolocation-API]
   <dd>Andrei Popescu. <a href="http://www.w3.org/TR/geolocation-API/">Geolocation API Specification</a>. 24 October 2013. REC. URL: <a href="http://www.w3.org/TR/geolocation-API/">http://www.w3.org/TR/geolocation-API/</a>
   <dt id="biblio-html-imports"><a class="self-link" href="#biblio-html-imports"></a>[HTML-IMPORTS]
   <dd>Dimitri Glazkov; Hajime Morita. <a href="http://www.w3.org/TR/html-imports/">HTML Imports</a>. 11 March 2014. WD. URL: <a href="http://www.w3.org/TR/html-imports/">http://www.w3.org/TR/html-imports/</a>
   <dt id="biblio-service-workers"><a class="self-link" href="#biblio-service-workers"></a>[SERVICE-WORKERS]
   <dd>Alex Russell; Jungkee Song. <a href="http://www.w3.org/TR/service-workers/">Service Workers</a>. 8 May 2014. WD. URL: <a href="http://www.w3.org/TR/service-workers/">http://www.w3.org/TR/service-workers/</a>
   <dt id="biblio-webmessaging"><a class="self-link" href="#biblio-webmessaging"></a>[WEBMESSAGING]
   <dd>Ian Hickson. <a href="http://www.w3.org/TR/webmessaging/">HTML5 Web Messaging</a>. 1 May 2012. CR. URL: <a href="http://www.w3.org/TR/webmessaging/">http://www.w3.org/TR/webmessaging/</a>
  </dl>
  <h2 class="no-num heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
  <div style="counter-reset:issue">
   <div class="issue">Flesh this out. <a href="https://github.com/w3ctag/security-questionnaire/issues/7">&lt;https://github.com/w3ctag/security-questionnaire/issues/7></a><a href="#issue-af65255c"> ↵ </a></div>
   <div class="issue">TODO.<a href="#issue-95f2d23a"> ↵ </a></div>
   <div class="issue">TODO.<a href="#issue-95f2d23a0"> ↵ </a></div>
   <div class="issue">TODO.<a href="#issue-95f2d23a1"> ↵ </a></div>
   <div class="issue">TODO.<a href="#issue-95f2d23a2"> ↵ </a></div>
   <div class="issue">Bring in some of felt@'s ideas here.<a href="#issue-4800b8c7"> ↵ </a></div>
   <div class="issue">Move Tantek’s thoughts somewhere. They don’t really fit well here,
    though the sentiment of a minimum viable web platform might fit into some
    other TAG finding.<a href="#issue-94f4168a"> ↵ </a></div>
  </div></body>
</html>