[css-view-transitions-1][css-view-transitions-2] Fix some refs and add security section (#9073)

* [css-view-transitions-1][css-view-transitions-2] Fix some refs and add security section

* Clarify security issues

Author: noamr

css-view-transitions-1/Overview.bs

@@ -1049,17 +1049,17 @@ urlPrefix: https://wicg.github.io/navigation-api/; type: interface;
 			which causes the transition to [=skip the view transition|skip=].
 			[Discussion of this behavior](https://github.com/w3c/csswg-drafts/issues/8045).
 
-		: <dfn>old state captured steps</dfn>
+		: <dfn>process old state captured</dfn>
 		:: An algorithm accepting nothing, or null.
 			Initially null.
 
 			Note: this is used for cross-document view transitions.
 	</dl>
 
-	A {{ViewTransition}} must never have both an [=ViewTransition/update callback=] and a [=ViewTransition/old state captured steps=].
+	A {{ViewTransition}} must never have both an [=ViewTransition/update callback=] and a [=ViewTransition/process old state captured=].
 
 	Note: [=ViewTransition/update callback=] is optionally set for same-document view transitions,
-		and [=ViewTransition/old state captured steps=] is set for cross-document view transitions.
+		and [=ViewTransition/process old state captured=] is set for cross-document view transitions.
 
 	The {{ViewTransition/finished}} [=getter steps=] are to return [=this's=] [=ViewTransition/finished promise=].
 

css-view-transitions-2/Overview.bs

@@ -26,7 +26,6 @@ spec:css-view-transitions-1;
 	text: named elements; for: ViewTransition; type: dfn;
 	text: update callback done promise; for: ViewTransition; type: dfn;
 	text: initial snapshot containing block size; for: ViewTransition; type: dfn;
-	text: activate view transition; type: dfn;
 	text: captured elements; type: dfn;
 	text: updateCallbackDone; type: property; for: ViewTransition;
 	text: phase; type: dfn; for: ViewTransition;
@@ -245,8 +244,6 @@ plus the additional rules noted below:
 		: <dfn>enabled</dfn>
 		:: The transition will be enabled if the navigation is same-origin, without cross-origin
 			redirects.
-
-			See <a href="https://github.com/w3c/csswg-drafts/issues/8684">Issue #8684</a>.
 	</dl>
 
 # API # {#api}
@@ -414,3 +411,28 @@ The <dfn attribute for=PageRevealEvent>viewTransition</dfn> [=getter steps=] are
 This specification introduces no new privacy considerations.
 
 <h2 id="sec" class="no-num">Security Considerations</h2>
+
+To prevent cross-origin issues, at this point cross-document view transitions can only be enabled for
+same-origin navigations. As discussed in <a href="https://github.com/WICG/view-transitions/issues/200">WICG/view-transitions#200</a>,
+this still presents two potential threats:
+
+1. The <a data-xref-type="http-header">Cross-Origin-Opener-Policy</a> of both documents might be different.
+	This can cause a situation where a {{Document}} that is [=environment settings object/cross-origin isolated capability|cross-origin isolated=]
+	can read image data from a document that is not cross-origin isolated. This is already mitigated in [[css-view-transitions-1#sec],
+	as the same restriction applies for captured cross-origin iframes.
+
+1. A same-origin navigation might still occur via a cross-origin redirect, e.g. <code>https://example.com</code>
+	links to <code>https://auth-provider.com/</code> which redirects back to <code>https://example.com/loggedin</code>.
+
+	This can cause a (minor) situation where the cross-origin party would redirect the user to an
+	unexpected first-party URL, causing an unexpected transition and obfuscating that fact that there was a redirect.
+	To mitigate this, currently view transitions are disabled for navigations if the {{Document}} [=was created via cross-origin redirects=].
+	Note that this check doesn't apply when the {{Document}} is being [=Document/reactivated=], as in that case
+	the cross-origin redirect has already taken place.
+
+	Note: this only applies to server-side redirects. A client-side redirect, e.g. using
+	[^meta/http-equiv/refresh^], is equivalent to a new navigation.
+
+See <a href="https://github.com/w3c/csswg-drafts/issues/8684">Issue #8684</a> and
+<a href="https://github.com/WICG/view-transitions/issues/200">WICG/view-transitions#200</a> for
+detailed discussion.