diff --git a/index.html b/index.html index 6a3678f..993c2a1 100644 --- a/index.html +++ b/index.html @@ -1079,6 +1079,131 @@

the session management utilized on the website.

+

Threats and Attacks

+

Same-Origin Policy Violations

+

SOP violation occurs when a script or resource from one origin breaks the browser's foundational Same-Origin + Policy, which is intended to segregate data between origins, by accessing or tampering with another origin's data, cookies, + DOM, or authenticated sessions.

+

Fingerprinting and Cross-Device Tracking

+

Fingerprinting and Cross‑Device Tracking occur when the Digital Credentials API (or its surrounding browser features) + exposes minute but identifiable configuration details—like supported protocols, hardware capabilities, or timing + behaviors—that can be collected over time to create a unique fingerprint for a device, user, or browser.

+

Mitigations

+ +

Cross-Site Scripting (XSS), Cross-Site Request Forgery + (CSRF)

+

XSS occurs when an attacker injects malicious JavaScript into a web page, enabling that script to silently call the + API within the context of a trusted site.

+

CSRF occurs when a malicious site tricks the user’s browser into sending a silent request to the API on a legitimate, + origin using hidden forms, images, or fetch calls to forge credential retrieval action.

+

Mitigations

+ +

Clickjacking & UI redressing

+

Clickjacking occurs when an attacker invisibly overlays a credential request prompt behind UI elements, tricking + users into approving unwarranted credential sharing.

+

Mitigations

+ +

Man-In-the-Middle

+

MiTM occurs when attackers insert themselves into the communication channel between two parties, intercepting, + relaying, or modifying messages at lower layers (like network or transport). At the same time, both endpoints + believe they are talking directly to each other.

+

Mitigations

+ +

Replay Attack

+

Replay Attacks occur when an attacker intercepts a legitimate credential exchange (via same- or cross-device flows) + and later replays that same exchange to another party. This tricks systems into accepting old, valid credentials as + fresh, leading to unauthorized authentication or credential disclosure.

+

Mitigations

+ +

Quishing

+

Quishing occurs when a malicious site tricks the user into replacing a legitimate QR code, tricking it into + generating a Verifiable Presentation for an unauthorized verifier, enabling impersonation or unauthorized access to + services or data.

+

Phishing/Harvesting

+

Phishing/Harvesting occurs when a malicious site tricks users into sharing credentials by imitating a legitimate + relying party, potentially harvesting sensitive identity data.

+

Mitigations

+

Data Minimization

+

Data Minimization occurs when the API restricts the information shared to only what’s necessary for each credential + operation. Such operations must expose the smallest possible dataset—aligned with the specific purpose the user + explicitly approved—while concealing any additional metadata or details about why data isn't available.

+

The API uses the same message if the response is unavailable because of software or hardware limitations, user + permission, or credentials, ensuring that this lack of availability cannot be used to infer device —or user-specific + information.

+

Threats and Attacks

+ +

Explicitly restrict the feature to first-party origins. +

+

Limiting this sensitive API to only first-party contexts, where the requesting origin matches the top-level site, + makes it possible to block third-party content (like ads or embedded widgets) from invoking credential operations. + This prevents untrusted embedded code from accessing or misusing digital credentials under your site's permission + and control.

+

The API is not available to third-party iframes without a permission policy.

+

Secure contexts

+

Secure contexts ensure that certain powerful or privacy-sensitive web features are only offered when pages are loaded + over authenticated, encrypted channels (e.g., HTTPS, or other “potentially trustworthy” schemes like file:// or + localhost), blocking access from insecure origins.

+

The API is only available in a secure context.

+

Mitigates

+ +

Limit API usage

+

Implementing multi-layered rate-limiting is essential to prevent API abuse, ensure reliability, and prevent + credential-related attacks.

+

Global: A global rate limit should be implemented to restrict the number of requests made within a certain + period (e.g., per minute or hour), preventing excessive use and over-asking
Session-Based: Set + session-based limits during a single-user session to prevent prolonged abuse.
Origin-based: per site + and subdomains

+

Informing the user

+

When handling sensitive API calls involving personal data or credentials, including explicit user approval at the + point of use is important. Instead of allowing background or automated exchanges, the user agent must present a + clear, interactive prompt, such as a chooser UI, that shows the requesting origin and the data being accessed. This + ensures users are fully informed and retain control over each operation, significantly reducing risks from silent + data sharing or unintended leaks.

+

The API prompts the user to show the request's origin before proceeding.

+

Permission Policy

+

Permission policy allows developers to selectively enable and disable use of various browser features and APIs.

+

This API defines a policy-controlled feature, to prevent third-party iframes from calling the API.

+

Threats and Attacks

+ +

Transient activation

+

The API relies on transient activation, preventing websites from calling the API without user interaction.

+

Threats and Attacks

+
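Review bot: the Quishing paragraph (the "+" block after the "Quishing" heading) has its actors tangled: as written, the user is tricked into "replacing a legitimate QR code" and "it" (the site?) then generates a Verifiable Presentation, whereas the attack described is the attacker substituting the QR code so that the user's wallet generates a presentation for an unauthorized verifier. Suggest "Quishing occurs when an attacker substitutes a legitimate QR code with a malicious one, tricking the user's wallet into generating a Verifiable Presentation for an unauthorized verifier, ...". Two smaller points in the same hunk: "Data Minimization occurs when the API restricts..." describes a mitigation using the "occurs when" template reserved for threats in this block, so rephrase as a property ("Data Minimization means the API restricts...") or move it out of the threats list; and several "Mitigations" / "Threats and Attacks" headings are followed only by "+ +" with no visible content, so confirm the cross-reference lists they are meant to hold actually survive in the rendered index.html rather than shipping as empty sections. Minor: "on a legitimate, origin" (CSRF) has a stray comma, and "device —or user-specific" (Data Minimization) has a stray dash.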