Security Considerations: Writing first round of threats and mitigatio… #277

simoneonofri · 2025-06-16T16:08:38Z

(Web API level)

A first draft of the identified threats and potential mitigations (some already applied), particularly at the Web API level.

Threats

SOP Violation
Fingerprinting and Cross-Device Tracking
Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF)
Clickjacking & UI redressing
Reply Attack
Quishing
Phishing/Harvesting

Mitigations (already implemented or to be considered)

Data Minimization
Secure contexts
Limit API usage
Informing the user
Transient activation

Things to consider:

What else could go wrong (if there are other threats)
What can we do about the threats we have identified
Do we like the countermeasures we already have in place
Are there other mitigations to consider or write down
Overlaps/joint with Privacy

[cc'ing @Sh-Amir and @ZAnsaroudi]

Preview | Diff

@Sh-Amir

…ns (Web API level) A first draft of the identified threats and potential mitigations (some already applied), particularly at the Web API level. *Threats* - SOP Violation - Fingerprinting and Cross-Device Tracking - Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF) - Clickjacking & UI redressing - Reply Attack - Quishing - Phishing/Harvesting *Mitigations (already implemented or to be considered)* - Data Minimization - Secure contexts - Limit API usage - Informing the user - Transient activation Things to consider: - What else could go wrong (if there are other threats) - What can we do about the threats we have identified - Do we like the countermeasures we already have in place - Are there other mitigations to consider or write down [cc'ing @Sh-Amir and @ZAnsaroudi]

index.html

marcoscaceres · 2025-06-19T11:15:29Z

This still feel overly broad and not necessarily related to the API.

index.html

npdoty · 2025-06-20T15:18:39Z

index.html

+
+  </ul>
+  <h4 id='quishing'>Quishing</h4>
+  <p>Quishing occurs when a malicious site tricks the user into replacing a legitimate QR code, tricking it into


I don't understand "replacing" here. It seems like the attack is presenting the user with a maliciously-crafted QR code which when followed, will lead to a credential presentation request that will deliver the results to an unexpected party (either the attacker, or as a confused deputy confirming the user's identity for a request that the attacker made to some other verifier). Maybe the attacker is inserting it in a place where it looks to the user like a legitimate request from a different verifier, and that's a kind of replacement?

For the framing I was giving it, the QR code is managed directly by the API and displayed securely and not via an (controlled by an adversary).

Does that make sense to you, or do you think we should frame it differently?

index.html

Co-authored-by: Marcos Cáceres <marcosc@apple.com>

Co-authored-by: Nick Doty <npdoty@ischool.berkeley.edu>

fix

removed Permission API, added Permission policy

update transient activation

simoneonofri requested a review from a team as a code owner June 16, 2025 16:08

simoneonofri requested review from RByers and removed request for a team June 16, 2025 16:08

simoneonofri self-assigned this Jun 16, 2025

simoneonofri added security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. security-considerations labels Jun 16, 2025

w3cbot mentioned this pull request Jun 16, 2025

Security Considerations: Writing first round of threats and mitigatio… w3c/security-review#261

Open

marcoscaceres reviewed Jun 19, 2025

View reviewed changes