Re: [w3ctag/design-reviews] TAG review request: User Activation Delegation through postMessages (#347)

@torgo: There is no privacy concern here since the only information we are transferring here is "whether the user is interacting (or has interacted) with a frame".  This is trivial information any page can easily collect today through event handlers and then store/communicate using other APIs.

---

Thanks @dbaron for highlighting this tricky abusability scenario.  Let me explain why I think this transfer API is the safest choice we have:

- If this transfer API is used in conjunction with UAv2 (TAG review [here](https://github.com/w3ctag/design-reviews/issues/295), successfully shipped in Chrome 72), all user inputs (even multiple clicks) within a time limit of a few seconds already fuse into a single activation, and consuming the activation in any frame already clears the whole frame tree.  So multiple consumption is impossible.  See the [Security Considerations](https://docs.google.com/document/d/1NKLJ2MBa9lA_FKRgD2ZIO7vIftOJ_YiXXMYfRMdlV-s/edit#bookmark=id.cqi2u6o606ro) section in our design doc.
  (This solves problem (a) in your post, and prevents (b) too.)

- If this transfer API is used without UAv2, it's the job of the underlying model to _guarantee_ single consumption with and without activation transfer.  We believe that existing non-UAv2 models are too complicated to be able to provide this guarantee; for example, Chrome had this [serious bug](https://crbug.com/937330) with cross-process `postMessage` despite many years of effort (got fixed through UAv2).

- For user activation, there is no interop today even with a plain `postMessage`: see [this comparison](https://docs.google.com/document/d/1hYRTEkfWDl-KO4Y6cG469FBC3nyBy9_SYItZ1EEsXUA/edit#bookmark=id.6qbgn696hu7x) from 2017.  We can't expect interop only with the transfer option here.  This has been broken for many years, and will need a long-term plan to fix.
  (A related note on interop: [not all browsers](https://docs.google.com/spreadsheets/d/1DGXjhQ6D3yZXIePOMo0dsd2agz0t5W7rYH1NwJ-QGJo) trigger user activation through `mousedown`.  In Chrome we have a [bug](https://crbug.com/769796) to possibly drop `mousedown` to match Firefox.  Spec discussion [here](https://github.com/whatwg/html/issues/3849).)

To emphasize, our long-term goal here is interop with user activation.  In Chrome 72 we proved through UAv2 that a simple, token-less, easy-to-implement solution works for the Web.  We encountered a few breakages, for which the transfer API proposed here is a workaround.  Once we are done with both of these successfully, we will encourage other browsers to switch.



Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/347#issuecomment-474931364

Received on Wednesday, 20 March 2019 17:00:35 UTC
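
The single-consumption argument in the comment above (clicks fuse into one activation, consuming in any frame clears the whole frame tree) can be checked with a toy model. This is an added sketch, not part of the original comment and not Chrome's implementation. Assumptions: the `Frame` class, `transferTo`, the 5000 ms lifetime, marking only the clicked frame as active, and carrying the original timestamp across a transfer are all hypothetical choices made for illustration.

```javascript
// Toy model of a token-less user activation state (illustration only).
// ACTIVATION_LIFETIME_MS is a constructed value standing in for "a few seconds".
const ACTIVATION_LIFETIME_MS = 5000;

class Frame {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.activatedAt = null; // time of the last user input, or null
    if (parent) parent.children.push(this);
  }
  root() { return this.parent ? this.parent.root() : this; }
  // Every frame in the tree this frame belongs to.
  tree() {
    const out = [];
    const walk = (f) => { out.push(f); f.children.forEach(walk); };
    walk(this.root());
    return out;
  }
  // An input only overwrites a timestamp, so repeated clicks fuse into one
  // activation instead of accumulating as separate tokens.
  notifyUserInput(now) { this.activatedAt = now; }
  isActive(now) {
    return this.activatedAt !== null &&
      now - this.activatedAt < ACTIVATION_LIFETIME_MS;
  }
  // Consuming in any frame clears the state of the whole frame tree.
  consume(now) {
    if (!this.isActive(now)) return false;
    this.tree().forEach((f) => { f.activatedAt = null; });
    return true;
  }
  // Hypothetical transfer step: the sender's activation is consumed first,
  // then the target is marked active with the original input time, so a
  // transfer neither duplicates the activation nor extends its lifetime.
  transferTo(target, now) {
    const inputTime = this.activatedAt;
    if (!this.consume(now)) return false;
    target.notifyUserInput(inputTime);
    return true;
  }
}

// Constructed scenario: two clicks in frame "a", then a transfer to sibling "b".
function demo() {
  const top = new Frame("top");
  const a = new Frame("a", top);
  const b = new Frame("b", top);
  a.notifyUserInput(1000);
  a.notifyUserInput(1200); // second click fuses with the first
  const transferred = a.transferTo(b, 1500);
  return { transferred, senderActive: a.isActive(1600),
    first: b.consume(1600), second: b.consume(1700), sender: a.consume(1700) };
}
```

In this model the two clicks plus the transfer yield exactly one successful `consume()` across the whole tree, which is the property the comment relies on.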