[css-nav-1] Gate the navigation events on a policy-controlled feature

frivoal · frivoal · commit 1ad7739fd617 · 2018-12-04T18:22:26.000+09:00
Closes #3390
diff --git a/css-nav-1/Overview.bs b/css-nav-1/Overview.bs
@@ -36,6 +36,9 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/;
 spec: dom; urlPrefix: https://dom.spec.whatwg.org/
     type: dfn;
         text: document element
+spec: feature-policy; urlPrefix: https://wicg.github.io/feature-policy/
+    type: dfn;
+        text: is enabled; url: is-feature-enabled
 spec: overscroll-behavior; urlPrefix: https://wicg.github.io/overscroll-behavior/;
     type: dfn;
         text: scroll boundary
@@ -959,6 +962,35 @@ and it cannot be scrolled at the same time.
 </div>
 </div>
 
+<h2 id=policy-feature>
+The <a>navigation-override</a> [=policy-controlled feature=]</h2>
+
+	The <dfn>navigation-override</dfn> [=policy-controlled feature=] controls
+	the availability of mechanisms that enables page authors
+	to take control over the behavior of spatial navigation,
+	or to cancel it outright.
+
+	* The feature name is "<code>navigation-override</code>"
+	* The [=default allowlist=] for <a>navigation-override</a> is "<code>self</code>"
+
+	As defined in further details in [[#nav]],
+	if <a>navigation-override</a> is disabled in a document,
+	the navigation events (see [[#events-navigationevent]]) will not be fired.
+
+	Note: This is to prevent a hostile iframe from using these events
+	in order to highjack the focus.
+	We recognize that there exists other mechanisms predating spatial navigation
+	that malicious authors could use
+	to interfere with the user's ability to control where the focus goes.
+	Despite that, it seems worthwile to attempt not to increase this attack surface,
+	although it is possible that such attacks are already sufficiently easy to perform
+	that this is a lost cause.
+	Further feedback on this topic,
+	based on experience with implementation or with mitigating such attacks,
+	is very welcome.
+
+
+
 <h2 id=processing-model>
 Processing Model</h2>
 
@@ -1044,13 +1076,15 @@ To run the <dfn>spatial navigation steps</dfn> in <var>direction</var>, do the f
         * If <var>candidates</var> contains at least 1 item:
             1. Let <var>bestCandidate</var> be the result of <a>selecting the best candidate</a>
                 within <var>candidates</var> in <var>direction</var> starting from <var>searchOrigin</var>
-            2. <span class=api><a>Fire an event</a> named <a event>navbeforefocus</a> at <var>eventTarget</var> using {{NavigationEvent}}
+            2. If <a>navigation-override</a> <a>is enabled</a> in the [=node document=] of <var>eventTarget</var> for the <a spec=html for="/">origin</a> of the [=active document=] of the [=top-level browsing context=], then
+                <span class=api><a>fire an event</a> named <a event>navbeforefocus</a> at <var>eventTarget</var> using {{NavigationEvent}}
                 with its {{NavigationEvent/dir}} set to <var>direction</var> and {{NavigationEvent/relatedTarget}} set to <var>bestCandidate</var>
                 and with it's <code>bubbles</code> and <code>cancelable</code> attributes set to <code>true</code>,
                 and return if the result is <code>false</code></span>
             3. Run the <a>focusing steps</a> for <var>bestCandidate</var> and return
         * Else if <var>eventTarget</var> <a>can be manually scrolled</a>:
-            1. <span class=api><a>Fire an event</a> named <a event>navbeforescroll</a> at <var>eventTarget</var> using {{NavigationEvent}}
+            1. If <a>navigation-override</a> <a>is enabled</a> in the [=node document=] of <var>eventTarget</var> for the <a spec=html for="/">origin</a> of the [=active document=] of the [=top-level browsing context=], then
+                <span class=api><a>fire an event</a> named <a event>navbeforescroll</a> at <var>eventTarget</var> using {{NavigationEvent}}
                 with its {{NavigationEvent/dir}} set to <var>direction</var>
                 and {{NavigationEvent/relatedTarget}} set to <var>eventTarget</var>
                 and with it's <code>bubbles</code> and <code>cancelable</code> attributes set to <code>true</code>,
@@ -1062,14 +1096,16 @@ To run the <dfn>spatial navigation steps</dfn> in <var>direction</var>, do the f
     within <var>container</var>, excluding <var>searchOrigin</var>
 8. If <var>candidates</var> is empty:
     * If <var>container</var> is a <a>scroll container</a> that <a>can be manually scrolled</a>:
-            1. <span class=api><a>Fire an event</a> named <a event>navbeforescroll</a> at <var>eventTarget</var> using {{NavigationEvent}}
+            1. If <a>navigation-override</a> <a>is enabled</a> in the [=node document=] of <var>eventTarget</var> for the <a spec=html for="/">origin</a> of the [=active document=] of the [=top-level browsing context=], then
+                <span class=api><a>fire an event</a> named <a event>navbeforescroll</a> at <var>eventTarget</var> using {{NavigationEvent}}
                 with its {{NavigationEvent/dir}} set to <var>direction</var>
                 and {{NavigationEvent/relatedTarget}} set to <var>container</var>
                 and with it's <code>bubbles</code> and <code>cancelable</code> attributes set to <code>true</code>,
                 and return if the result is <code>false</code></span>
             2. <a>Directionally scroll the element</a> <var>container</var> in <var>direction</var> and return.
     * Else,
-        1. <span class=api><a>Fire an event</a> named <a event>navnotarget</a> at <var>eventTarget</var> using {{NavigationEvent}}
+        1. If <a>navigation-override</a> <a>is enabled</a> in the [=node document=] of <var>eventTarget</var> for the <a spec=html for="/">origin</a> of the [=active document=] of the [=top-level browsing context=], then
+            <span class=api><a>fire an event</a> named <a event>navnotarget</a> at <var>eventTarget</var> using {{NavigationEvent}}
             with its {{NavigationEvent/dir}} set to <var>direction</var> and {{NavigationEvent/relatedTarget}} set to <var>container</var>
             and with it's <code>bubbles</code> and <code>cancelable</code> attributes set to <code>true</code>,
             and return if the result is <code>false</code>.</span>
@@ -1088,7 +1124,8 @@ To run the <dfn>spatial navigation steps</dfn> in <var>direction</var>, do the f
                 and return to the step labeled <i>loop</i>.
 9. Let <var>bestCandidate</var> be the result of <a>selecting the best candidate</a>
     within <var>candidates</var> in <var>direction</var> starting from <var>searchOrigin</var>
-10. <span class=api><a>Fire an event</a> named <a event>navbeforefocus</a> at <var>eventTarget</var> using {{NavigationEvent}}
+10. If <a>navigation-override</a> <a>is enabled</a> in the [=node document=] of <var>eventTarget</var> for the <a spec=html for="/">origin</a> of the [=active document=] of the [=top-level browsing context=], then
+    <span class=api><a>fire an event</a> named <a event>navbeforefocus</a> at <var>eventTarget</var> using {{NavigationEvent}}
     with its {{NavigationEvent/dir}} set to <var>direction</var> and {{NavigationEvent/relatedTarget}} set to <var>bestCandidate</var>
     and with it's <code>bubbles</code> and <code>cancelable</code> attributes set to <code>true</code>,
     and return if the result is <code>false</code></span>
@@ -1398,6 +1435,93 @@ To <dfn lt="directionally scroll an element | directionally scroll the element">
 
 </div>
 
+<h2 class=no-num id=privsec>
+Appendix B. Privacy and Security Considerations</h2>
+
+The specification contributors believe that
+all known potential security risks associated with this specification
+have been adequately addressed.
+Further details are provided below.
+
+The TAG has developed a self-review questionaire
+to help editors and Working Groups evaluate the risks introduced by their specifications.
+Answers are provided below.
+
+<dl>
+  <dt>Does this specification deal with personally-identifiable information?
+  <dd>No.
+
+  <dt>Does this specification deal with high-value data?
+  <dd>No.
+
+  <dt>Does this specification introduce new state for an origin that persists across browsing sessions?
+  <dd>No.
+
+  <dt>Does this specification expose persistent, cross-origin state to the web?
+  <dd>No.
+
+  <dt>Does this specification expose any other data to an origin that it doesn’t currently have access to?
+  <dd>
+    Mostly, no.
+
+    The one exception identified would be in the following scenario:
+    if the author uses `window.navigate` while the focus is in a cross origin iframe,
+    if they don't get an event at all it means that either there was something scrollable or focusable within the iframe,
+    as the only case where they'd get an event is when the search didn't find anything at all goes up the tree.
+
+    This is so limited information that it does not seem it would introduces real a security risk,
+    but it is as far as the editors can tell information that the author could not get could not get otherwise.
+
+  <dt>Does this specification enable new script execution/loading mechanisms?
+  <dd>No.
+
+  <dt>Does this specification allow an origin access to a user’s location?
+  <dd>No.
+
+  <dt>Does this specification allow an origin access to sensors on a user’s device?
+  <dd>No.
+
+  <dt>Does this specification allow an origin access to aspects of a user’s local computing environment?
+  <dd>No.
+
+  <dt>Does this specification allow an origin access to other devices?
+  <dd>No.
+
+  <dt>Does this specification allow an origin some measure of control over a user agent’s native UI?
+  <dd>
+    No control is given over the appearance of the User Agent's UI.
+    Some control is given over how the User Agent performs spatial navigation,
+    which may be considered part of its user interface.
+    This is intentional, to let authors tailor the behavior of spatial navigation to their pages.
+    To prevent malicious authors to interefere with the users' desire to control focus and navigate the document,
+    this overriding mechanism is disabled by default for cross-origin iframes.
+    See [[#policy-feature]].
+
+  <dt>Does this specification expose temporary identifiers to the web?
+  <dd>No.
+
+  <dt>Does this specification distinguish between behavior in first-party and third-party contexts?
+  <dd>No.
+
+  <dt>How should this specification work in the context of a user agent’s "incognito" mode?
+  <dd>No Difference is expected.
+
+  <dt>Does this specification persist data to a user’s local device?<Paste>
+  <dd>No.
+
+  <dt>Does this specification have a "Security Considerations" and "Privacy Considerations" section?
+  <dd>Yes, this is the section you are reading now.
+
+  <dt>Does this specification allow downgrading default security characteristics?
+  <dd>
+    It does not allow downgrading any unrelated security mechanism.
+
+    It **does** allow authors to opt into allowing
+    the events needed to override the default behavior of spatial navigation
+    in cross origin iframes they trust
+    using [[feature-policy]].
+    See [[#policy-feature]].
+</dl>
 
 <h2 class=no-num id=ack>Acknowledgements</h2>
 
