From 9f5ca7c855e270a145522edac6abe36a0c048ec0 Mon Sep 17 00:00:00 2001 From: Andrew Verge Date: Tue, 3 Sep 2024 09:25:02 -0400 Subject: [PATCH] Update Click Privacy section with event caching explanation. (#186) * Update Click Privacy section with event caching explanation. This patch explains why cached trusted events cannot be reused by notifyEvent() after the initial dispatch by the browser completes. * Respond to comments --- .../fenced_frames_with_local_unpartitioned_data_access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/explainer/fenced_frames_with_local_unpartitioned_data_access.md b/explainer/fenced_frames_with_local_unpartitioned_data_access.md index 9baa316..d1f0d9c 100644 --- a/explainer/fenced_frames_with_local_unpartitioned_data_access.md +++ b/explainer/fenced_frames_with_local_unpartitioned_data_access.md 
@@ -198,8 +198,8 @@ The `notifyEvent()` method will not be available in iframes (same-origin or cros Since this is exfiltrating some information (that a click happened) outside the fenced frame, we will need to consider the following privacy considerations: * A possible attack using multiple fenced frames: an embedder creates `n` fenced frames, which all disable network and then determine (by predetermined behavior, or through communication over shared storage) which one of them should display nonempty content. Then if a user clicks on the only nonempty fenced frame, this exfiltrates log(n) bits of information through the click notification. Mitigating this will require some rate limits on the number of fenced frames on a page that are allowed to read from shared storage. This is similar to [shared storage’s existing rate limits](https://github.com/WICG/shared-storage#:~:text=per%2Dsite%20(the%20site%20of%20the%20Shared%20Storage%20worklet)%20budget). -* Click timing could be a channel to exfiltrate shared storage data, but it’s a relatively weak attack since it requires user gesture and is therefore non-deterministic and less accurate. In addition, as a policy based mitigation, shared storage APIs’ invocation will be gated behind [enrollment](https://developer.chrome.com/en/docs/privacy-sandbox/enroll/). - +* Click timing could be a channel to exfiltrate shared storage data, but it’s a relatively weak attack since it requires user gesture and is therefore non-deterministic and less accurate. In addition, as a policy based mitigation, shared storage APIs’ invocation will be gated behind [enrollment](https://developer.chrome.com/en/docs/privacy-sandbox/enroll/). +* One potential concern around the `notifyEvent()` API shape is that a single trusted `click` event could be cached by the JS running in the fenced frame and reused in additional `notifyEvent()` calls. However, the requirement that the trusted event *must be dispatching* mitigates this concern. 
Once the dispatch initiated by the browser completes, `notifyEvent()` will no longer accept the cached event object. If JavaScript on the page then tries to manually re-dispatch the cached event, the object will no longer be trusted (its `isTrusted` field will be set to false). ## Code Example
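Review bot: the `-`/`+` pair for the click-timing bullet is byte-identical, so the only substantive change in this hunk is the new bullet and the dropped blank line; keeping the original bullet as unchanged context (removing only the blank line) would shrink the diff to one insertion and one deletion and make the review focus on the new text. On the new bullet itself, the mitigation claim rests on the requirement that the trusted event "must be dispatching", but the bullet does not say where in the explainer that requirement is stated or how `notifyEvent()` checks it; a pointer to that section, or a clause such as "`notifyEvent()` rejects an event whose dispatch flag is no longer set", would let a reader verify the claim rather than take it on faith. The following context line already covers the re-dispatch case (`isTrusted` becomes false), so the bullet and that paragraph together describe both reuse paths; consider making the bullet reference the paragraph explicitly so the two are not read as separate points.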