Manifest for web application privacy review from Nick Doty on 2015-03-06 (public-webapps@w3.org from January to March 2015)

From: Nick Doty <npdoty@w3.org>
Date: Thu, 5 Mar 2015 22:40:47 -0800
To: public-webapps@w3.org
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <05FB3DE2-DE66-4450-8E50-3B5C04C6BFAB@w3.org>

Hi Webapps,

Per your request for wide review, I've done a brief review of the "Manifest for web application" draft with an eye to privacy issues. The comments below are informed by discussions with the Privacy Interest Group and based on Mike West's privacy/security questionnaire [0] and my fingerprinting guidance doc [1] -- documents which might be useful for you as well. All mistakes and misunderstandings are solely my own.

I have a few suggested changes below, but for the most part I have questions about how a feature is intended to be implemented or what guidance would be necessary for features to be implemented consistently in a way that wouldn't have bad security or privacy outcomes. Apologies; I recognize that direct text change proposals are easier to evaluate, but I don't know the intended implementation as well as you all certainly do. If it would be helpful to discuss these questions/answers, please feel free to include public-privacy@w3.org <mailto:public-privacy@w3.org> (the Privacy Interest Group).

Hope this helps,
Nick

## Persistent state (Questionnaire 3.3)

What does "installing" an app via use of the app manifest have on persistent state? Does the start_url parameter introduce an effective permanent cookie upon "installing" the app? How should UAs handle clearing of cookies or other local state when it comes to installed apps? I believe this should be marked as contributing to fingerprinting and creating a new cookie-like local state mechanism.

Should we indicate to sites that they shouldn't customize manifests to users for this reason? (If so, could browsers effectively detect such violations and prevent it?) Are there use cases where user-specific start_url's are advantageous?

Is it clear that pages receive the information that the user has "installed" the page? (This should at least be noted as a consideration.)

While it is noted that user agents may choose not to use the start_url hint for an installed web application, we should say more about why not. For example, when I bookmark a URL in my desktop browser and come back to it, I may have a look at the URL and get an impression of what it contains; but if the start_url is not typically shown to the user at bookmarking time but is used for future navigations, then it could be persisting login state in an unexpected way. User agents serving those particularly conscious about fingerprinting are likely to specifically not implement this feature; if sites are going to depend on it but it's going to be implemented inconsistently, that might be a reason to re-think it. Are sites sufficiently forewarned of the reasons why start_url shouldn't be relied upon?

## Cross-origin persistent state (Questionnaire 3.4)

Though not required by interop requirements in this spec, installation is likely to include caching (for example, of icons) which may be observable by the server on subsequent uses of the app. Via timing attacks, is it possible for other pages or apps to detect whether another particular Web application is installed? What protections are necessary to prevent one page/app from enumerating the other installed web apps?

## Control over native UI (Questionnaire 3.11)

The majority of my security/privacy concerns lie in this area, and the existing security considerations text is predominantly about this as well. It seems worth emphasizing the potential challenges of implementing this installation, deep-linking and browser display mode control in a way not vulnerable to phishing and other attacks. Some concerns:

What are the use cases for unbounded scope? What are the implications for my manifest "applying" to navigations to other origins entirely? Beyond the potential security dangers (phishing, in particular) cases of fullscreen and navigating to different origins, what are the advantages?
> "for legacy reasons, this is the default behavior"

That is a parenthetical in a section describing this potential security risk. What are the legacy reasons? Are legacy reasons a sufficient reason for the specified default behavior to incur security risks for the user?

Are the security considerations of scope and display mode "fullscreen" limited to unbounded cases? I believe not. For example, if a user installs evil-weather.com <http://evil-weather.com/> to their phone and then clicks on a Google search result for evil-weather.com/app/blah <http://evil-weather.com/app/blah> and that sends the user directly to a fullscreen mode of evil-weather.com <http://evil-weather.com/>, they could show an apparent Google login screen with no indication of the URL. ("Oh, I guess I have to login to my Google account to get to this search result.")

Why is the display mode "fullscreen" orthogonal to the Fullscreen API? Do the security considerations of the Fullscreen API all apply here as well?

This is noted in the section on updates, but I think it's important beyond that:
> To avoid one application masquerading as another, it is RECOMMENDED that users be made aware of any such updates using implementation or platform specific conventions.
What are the privacy and security considerations of using site-provided names and icons when installing an app? Say I go to evil-weather.com <http://evil-weather.com/>, click install/bookmark (so that I can easily get to my weather tomorrow), and evil-weather.com <http://evil-weather.com/> provides "Bank of America" and a BofA icon in its manifest, display mode of minimal or full screen and a start_url to go to a special sub-page that mimics my bank's website. When I look at my list of icons tomorrow morning, how will I know that "Bank of America" is hosted by evil-weather.com <http://evil-weather.com/>?

## Other

Yay for explicitly noting that developer errors may be reported or may be ignored.

> "This specification distinguishes between behavior in first-party and third-party contexts."
But "first-party" and "third-party" aren't defined anywhere. This paragraph could be better explained.

In particular, security considerations are noted for displaymode and navigations. The media type registration notes a long list of related privacy and security considerations. That may be helpful, but it would also be useful to elaborate on which parts are specific to implementation of this feature.

"Manifest for web application" seems strange wording for a title. "Manifests for Web applications", maybe, or "Web application manifest"?

[0] https://mikewest.github.io/spec-questionnaire/security-privacy/ <https://mikewest.github.io/spec-questionnaire/security-privacy/>
[1] http://w3c.github.io/fingerprinting-guidance/ <http://w3c.github.io/fingerprinting-guidance/>

Received on Friday, 6 March 2015 06:40:59 UTC