From 4f3cadf114adb9818c6e30a31fe7364e30a7e4aa Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 16 Jun 2025 18:07:13 +0200 Subject: [PATCH 1/7] Security Considerations: Writing first round of threats and mitigations (Web API level) A first draft of the identified threats and potential mitigations (some already applied), particularly at the Web API level. *Threats* - SOP Violation - Fingerprinting and Cross-Device Tracking - Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF) - Clickjacking & UI redressing - Reply Attack - Quishing - Phishing/Harvesting *Mitigations (already implemented or to be considered)* - Data Minimization - Secure contexts - Limit API usage - Informing the user - Transient activation Things to consider: - What else could go wrong (if there are other threats) - What can we do about the threats we have identified - Do we like the countermeasures we already have in place - Are there other mitigations to consider or write down [cc'ing @Sh-Amir and @ZAnsaroudi] --- index.html | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/index.html b/index.html index 225f66ac..36a66f83 100644 --- a/index.html +++ b/index.html @@ -865,6 +865,136 @@

the session management utilized on the website.

+

Threats and Attacks

+

Same-Origin Policy Violations

+

SOP violation occurs when a script or resource from one origin breaks the browser's foundational Same-Origin + Policy—intended to segregate data between origins—by accessing or tampering with another origin's data, cookies, + DOM, or authenticated sessions.

+

Fingerprinting and Cross-Device Tracking

+

Fingerprinting and Cross‑Device Tracking occur when the Digital Credentials API (or its surrounding browser features) + exposes minute but identifiable configuration details—like supported protocols, hardware capabilities, or timing + behaviors—that can be collected over time to create a unique fingerprint for a device, user, or browser.

+

Mitigations

+ +

Cross-Site Scripting (XSS), Cross-Site Request Forgery + (CSRF)

+

XSS occurs when an attacker injects malicious JavaScript into a web page, enabling that script to silently call the + API within the context of a trusted site.

+

CSRF occurs when a malicious site tricks the user’s browser into sending a silent request to the API on a legitimate, + origin using hidden forms, images, or fetch calls to forge credential retrieval action.

+

Mitigations

+ +

Clickjacking & UI redressing

+

Clickjacking occurs when an attacker invisibly overlays a credential request prompt behind UI elements, tricking + users into approving unwarranted credential sharing.

+

Mitigations

+ +

Man-In-the-Middle

+

MiTM occurs when attackers insert themselves into the communication channel between two parties, intercepting, + relaying, or modifying messages at lower layers (like network or transport). At the same time, both endpoints + believe they are talking directly to each other.

+

Mitigations

+ +

Reply Attack

+

Replay Attacks occur when an attacker intercepts a legitimate credential exchange (via same- or cross-device flows) + and later replays that same exchange to another party. This tricks systems into accepting old, valid credentials as + fresh, leading to unauthorized authentication or credential disclosure.

+

Mitigations

+ +

Quishing

+

Quishing occurs when a malicious site tricks the user into replacing a legitimate QR code, tricking it into + generating a Verifiable Presentation for an unauthorized verifier, enabling impersonation or unauthorized access to + services or data.

+

Phishing/Harvesting

+

Phishing/Harvesting occurs when a malicious site tricks users into sharing credentials by imitating a legitimate + relying party, potentially harvesting sensitive identity data.

+

Mitigations

+

Data Minimization

+

Data Minimization occurs when the API restricts the information shared to only what’s necessary for each credential + operation. Such operations must expose the smallest possible dataset—aligned with the specific purpose the user + explicitly approved—while concealing any additional metadata or details about why data isn't available.

+

The API uses the same message if the response is unavailable because of software or hardware limitations, user + permission, or credentials, ensuring that this lack of availability cannot be used to infer device —or user-specific + information.

+

Threats and Attacks

+ +

Explicitly restrict the feature to first-party origins. +

+

Limiting this sensitive API to only first-party contexts, where the requesting origin matches the top-level site, + makes it possible to block third-party content (like ads or embedded widgets) from invoking credential operations. + This prevents untrusted embedded code from accessing or misusing digital credentials under your site's permission + and control.

+

The API is not available to third-party iframes without a permission policy.

+

Secure contexts

+

Secure contexts ensure that certain powerful or privacy-sensitive web features are only offered when pages are loaded + over authenticated, encrypted channels (e.g., HTTPS, or other “potentially trustworthy” schemes like file:// or + localhost), blocking access from insecure origins.

+

The API is only available in a secure context.

+

Mitigates

+ +

Limit API usage

+

Implementing multi-layered rate-limiting is essential to prevent API abuse, ensure reliability, and prevent + credential-related attacks.

+

Global: A global rate limit should be implemented to restrict the number of requests made within a certain + period (e.g., per minute or hour), preventing excessive use and over-asking
Session-Based: Set + session-based limits during a single-user session to prevent prolonged abuse.
Origin-based: per site + and subdomains

+

Informing the user

+

When handling sensitive API calls involving personal data or credentials, including explicit user approval at the + point of use is important. Instead of allowing background or automated exchanges, the user agent must present a + clear, interactive prompt, such as a chooser UI, that shows the requesting origin and the data being accessed. This + ensures users are fully informed and retain control over each operation, significantly reducing risks from silent + data sharing or unintended leaks.

+

The API prompts the user to show the request's origin before proceeding.

+

Permission request

+

Permission controls require explicit user permission before any API use is allowed. This ensures that users know when + their device’s vibration feature is being accessed. Permissions must be granted per site, ensuring each website + obtains consent separately (e.g., not subdomain permission).

+

Threats and Attacks

+ +

Transient activation

+

Transient activation ensures that powerful or sensitive web features can only be triggered immediately following a + real user interaction, such as a mouse click, keyboard press, touch, or menu selection, guarding against stealthy or + automated execution. This mechanism prevents malicious scripts from silently invoking functions like pop‑ups, + clipboard access, sharing dialogs, or system permissions without the user’s knowledge.

+

The API uses transient activation.

+

Threats and Attacks

+

From 6c31c56ff49d777081c8a2ab14241b5d19f9c961 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 23 Jun 2025 15:44:52 +0200 Subject: [PATCH 2/7] Update index.html MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marcos Cáceres --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 36a66f83..97ed44d3 100644 --- a/index.html +++ b/index.html @@ -868,7 +868,7 @@

Threats and Attacks

Same-Origin Policy Violations

SOP violation occurs when a script or resource from one origin breaks the browser's foundational Same-Origin - Policy—intended to segregate data between origins—by accessing or tampering with another origin's data, cookies, + Policy, which is intended to segregate data between origins, by accessing or tampering with another origin's data, cookies, DOM, or authenticated sessions.

Fingerprinting and Cross-Device Tracking

Fingerprinting and Cross‑Device Tracking occur when the Digital Credentials API (or its surrounding browser features) From 14f252672a714f278280456d6e18dce204b669e2 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 23 Jun 2025 15:45:29 +0200 Subject: [PATCH 3/7] Update index.html Co-authored-by: Nick Doty --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 97ed44d3..ea6cdea6 100644 --- a/index.html +++ b/index.html @@ -914,7 +914,7 @@

Man-In-the-Middle

  • Nonce (Protocol level)
    • -

    Reply Attack

    +

    Replay Attack

    Replay Attacks occur when an attacker intercepts a legitimate credential exchange (via same- or cross-device flows) and later replays that same exchange to another party. This tricks systems into accepting old, valid credentials as fresh, leading to unauthorized authentication or credential disclosure.

    From f89076db5bfe86e965fc769920d8fa0c452ab5ad Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 23 Jun 2025 17:02:03 +0200 Subject: [PATCH 4/7] Update index.html fix --- index.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.html b/index.html index ea6cdea6..b70f6565 100644 --- a/index.html +++ b/index.html @@ -976,8 +976,7 @@

    Informing the user

    data sharing or unintended leaks.

    The API prompts the user to show the request's origin before proceeding.

    Permission request

    -

    Permission controls require explicit user permission before any API use is allowed. This ensures that users know when - their device’s vibration feature is being accessed. Permissions must be granted per site, ensuring each website +

    Permission controls require explicit user permission before allowing API use. Permissions must be granted per site, ensuring each website obtains consent separately (e.g., not subdomain permission).

    Threats and Attacks

      From fc7d8fa1439c07752e44fecf89ad49f71b34991d Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 23 Jun 2025 17:55:13 +0200 Subject: [PATCH 5/7] Update index.html removed Permission API, added Permission policy --- index.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index b70f6565..e274f72d 100644 --- a/index.html +++ b/index.html @@ -975,9 +975,9 @@

      Informing the user

      ensures users are fully informed and retain control over each operation, significantly reducing risks from silent data sharing or unintended leaks.

      The API prompts the user to show the request's origin before proceeding.

      -

      Permission request

      -

      Permission controls require explicit user permission before allowing API use. Permissions must be granted per site, ensuring each website - obtains consent separately (e.g., not subdomain permission).

      +

      Permission Policy

      +

      Permission policy allows developers to selectively enable and disable use of various browser features and APIs.

      +

      This API defines a policy-controlled feature

      Threats and Attacks

      • Fingerprinting and Cross-Device Tracking
        • From c65ca414a98091e7e3026e4495d9ce5f5d788638 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 23 Jun 2025 19:08:31 +0200 Subject: [PATCH 6/7] Update index.html --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index e274f72d..db1be436 100644 --- a/index.html +++ b/index.html @@ -977,7 +977,7 @@

        Informing the user

        The API prompts the user to show the request's origin before proceeding.

        Permission Policy

        Permission policy allows developers to selectively enable and disable use of various browser features and APIs.

        -

        This API defines a policy-controlled feature

        +

        This API defines a policy-controlled feature, to prevent third-party iframes from calling the API.

        Threats and Attacks

        • Fingerprinting and Cross-Device Tracking
          • From 31b1b9ab0696d9d13e7109b174d4a15b109e9071 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Wed, 25 Jun 2025 22:55:38 +0200 Subject: [PATCH 7/7] Update index.html update transient activation --- index.html | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/index.html b/index.html index db1be436..67663efe 100644 --- a/index.html +++ b/index.html @@ -984,11 +984,7 @@

          Permission Policy

        Transient activation

        -

        Transient activation ensures that powerful or sensitive web features can only be triggered immediately following a - real user interaction, such as a mouse click, keyboard press, touch, or menu selection, guarding against stealthy or - automated execution. This mechanism prevents malicious scripts from silently invoking functions like pop‑ups, - clipboard access, sharing dialogs, or system permissions without the user’s knowledge.

        -

        The API uses transient activation.

        +

        The API relies on transient activation, preventing websites from calling the API without user interaction.

        Threats and Attacks

        • Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)