From 03d907f8bfb57451f4d522bcc92d1705d0be77cd Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Mon, 20 Jan 2025 17:46:01 +0100 Subject: [PATCH 01/19] LLM answers --- security-questionnaire.md | 46 +++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index e9aa221..e4eb436 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md 
@@ -2,88 +2,88 @@ ## 01. What information does this feature expose, and for what purposes? - +The COS API exposes the availability of files identified by their SHA-256 hash across different origins. The purpose is to enable efficient sharing of large files (e.g., AI models, SQLite databases, Wasm modules) to reduce redundant downloads and storage. ## 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? - +Yes, the API exposes only the existence of a file and provides access to it after explicit user consent. No additional metadata or file contents are exposed. ## 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? - +No. The API operates solely on file hashes and does not handle or expose any personal or identifiable user information. ## 04. How do the features in your specification deal with sensitive information? - +Files can only be accessed with explicit user consent. The API does not allow arbitrary file discovery or sharing of sensitive user data without permission. ## 05. Does data exposed by your specification carry related but distinct information that may not be obvious to users? - +No. The API design ensures that only the explicit file hash and its availability are exposed, with no hidden or derived information. ## 06. Do the features in your specification introduce state that persists across browsing sessions? - +Yes. Files stored in COS persist across sessions. However, their access is gated by user consent, and user agents can manage eviction policies to maintain control over this state. ## 07. Do the features in your specification expose information about the underlying platform to origins? - +No. The API does not provide any platform-specific details to origins. ## 08. Does this specification allow an origin to send data to the underlying platform? - +No. 
The API strictly enables storage and retrieval of files identified by hashes without direct interaction with the underlying platform. ## 09. Do features in this specification enable access to device sensors? - +No. ## 10. Do features in this specification enable new script execution/loading mechanisms? - +No. ## 11. Do features in this specification allow an origin to access other devices? - +No. ## 12. Do features in this specification allow an origin some measure of control over a user agent's native UI? - +No. The user agent remains in full control, particularly for displaying permission prompts. ## 13. What temporary identifiers do the features in this specification create or expose to the web? - +None. File access is based solely on static hashes, which are not session-specific identifiers. ## 14. How does this specification distinguish between behavior in first-party and third-party contexts? - +The permission model ensures that file access is user-controlled, regardless of the context. Explicit user consent is required for cross-origin access. ## 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? - +Files stored in COS are not accessible in Private Browsing or Incognito mode unless explicitly allowed by the user agent. Data stored during such sessions is not retained. ## 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? - +Yes. The specification includes detailed sections addressing security and privacy implications, including hashing, user consent, and eviction policies. ## 17. Do features in your specification enable origins to downgrade default security protections? +No. The API requires explicit user consent for all access, ensuring that default security protections remain intact. +## 18. What happens when a document that uses your feature is kept alive in BFCache? -## 18. 
What happens when a document that uses your feature is kept alive in BFCache - - +The BFCache behavior should be aligned with user agent policies. File access requests may trigger re-validation if necessary. ## 19. What happens when a document that uses your feature gets disconnected? - +The file access operation will terminate, and any pending storage or retrieval will fail gracefully with appropriate errors. ## 20. Does your spec define when and how new kinds of errors should be raised? - +Yes. The specification defines specific errors such as `NotAllowedError` (for denied permissions) and `NotFoundError` (for unavailable files). ## 21. Does your feature allow sites to learn about the user's use of assistive technology? - +No. ## 22. What should this questionnaire have asked? - +It could include a question about whether the API promotes transparency in user-facing permission prompts to enhance user understanding of the implications of granting access. \ No newline at end of file From 0421d77fcfd6c124fbf3d3f667997180e18d28fa Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:38:47 +0100 Subject: [PATCH 02/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index e4eb436..195131b 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -10,7 +10,7 @@ Yes, the API exposes only the existence of a file and provides access to it afte ## 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? -No. The API operates solely on file hashes and does not handle or expose any personal or identifiable user information. +No. ## 04. How do the features in your specification deal with sensitive information? From b4116445fcce95a0420dc0ce6b0b448f7270b92a Mon Sep 17 00:00:00 2001 
From: Thomas Steiner Date: Tue, 21 Jan 2025 10:38:59 +0100 Subject: [PATCH 03/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 195131b..1838774 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -18,7 +18,7 @@ Files can only be accessed with explicit user consent. The API does not allow ar ## 05. Does data exposed by your specification carry related but distinct information that may not be obvious to users? -No. The API design ensures that only the explicit file hash and its availability are exposed, with no hidden or derived information. +No. ## 06. Do the features in your specification introduce state that persists across browsing sessions? From 289007761180f9fb564b7237543263d18d4ac371 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:39:07 +0100 Subject: [PATCH 04/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 1838774..0581cd8 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -26,7 +26,7 @@ Yes. Files stored in COS persist across sessions. However, their access is gated ## 07. Do the features in your specification expose information about the underlying platform to origins? -No. The API does not provide any platform-specific details to origins. +No. ## 08. Does this specification allow an origin to send data to the underlying platform? From c8a244e2ab7fc0a6b50ed389a3bb8c3276aa9476 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:39:15 +0100 Subject: [PATCH 05/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/security-questionnaire.md b/security-questionnaire.md index 0581cd8..34cc61d 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -30,7 +30,7 @@ No. ## 08. Does this specification allow an origin to send data to the underlying platform? -No. The API strictly enables storage and retrieval of files identified by hashes without direct interaction with the underlying platform. +No. ## 09. Do features in this specification enable access to device sensors? From 4b62cc30be9ae778130f940466d098e8b1cee173 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:39:23 +0100 Subject: [PATCH 06/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 34cc61d..8eb3cd6 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -46,7 +46,7 @@ No. ## 12. Do features in this specification allow an origin some measure of control over a user agent's native UI? -No. The user agent remains in full control, particularly for displaying permission prompts. +No. ## 13. What temporary identifiers do the features in this specification create or expose to the web? From eae2d2f40bdb9caf2de800116a8bea44c3980dcb Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:39:37 +0100 Subject: [PATCH 07/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 8eb3cd6..1df76e9 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md 
@@ -66,7 +66,7 @@ Yes. The specification includes detailed sections addressing security and privac ## 17. Do features in your specification enable origins to downgrade default security protections? -No. The API requires explicit user consent for all access, ensuring that default security protections remain intact. +No. ## 18. What happens when a document that uses your feature is kept alive in BFCache? From 31da86260627878e2d719bdb1e2ca0db2a162ac0 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:39:55 +0100 Subject: [PATCH 08/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 1df76e9..8836df1 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -58,7 +58,7 @@ The permission model ensures that file access is user-controlled, regardless of ## 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? -Files stored in COS are not accessible in Private Browsing or Incognito mode unless explicitly allowed by the user agent. Data stored during such sessions is not retained. +Files previously stored in COS are not accessible in Private Browsing or Incognito mode. Browser vendors may allow COS to work during an Incognito session, but the data would not be retained. Alternatively, Browser vendors may disable COS entirely. ## 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? From 02828b788ef09e51be5641ed684890b781c72d66 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:40:04 +0100 Subject: [PATCH 09/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/security-questionnaire.md b/security-questionnaire.md index 8836df1..8ca0b4b 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -54,7 +54,7 @@ None. File access is based solely on static hashes, which are not session-specif ## 14. How does this specification distinguish between behavior in first-party and third-party contexts? -The permission model ensures that file access is user-controlled, regardless of the context. Explicit user consent is required for cross-origin access. +Explicit user consent is required for cross-origin access. ## 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? From d04af35f8461c81513695a41d59b602bd45197f7 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:40:14 +0100 Subject: [PATCH 10/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 8ca0b4b..4c318a0 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -50,7 +50,7 @@ No. ## 13. What temporary identifiers do the features in this specification create or expose to the web? -None. File access is based solely on static hashes, which are not session-specific identifiers. +None. ## 14. How does this specification distinguish between behavior in first-party and third-party contexts? From 363bfe89810bac58368e740c912fb2e03cb87b10 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 10:40:25 +0100 Subject: [PATCH 11/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 4c318a0..14087cf 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md 
@@ -6,7 +6,7 @@ The COS API exposes the availability of files identified by their SHA-256 hash a ## 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -Yes, the API exposes only the existence of a file and provides access to it after explicit user consent. No additional metadata or file contents are exposed. +Yes, after explicit user consent, the API exposes only the existence of a file with a known hash and provides access to it. No additional metadata is exposed. ## 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? From bd9591b0a8333b177ae44fb9610b4c8dc8d52a57 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 14:04:11 +0100 Subject: [PATCH 12/19] Update security-questionnaire.md Co-authored-by: Christian Liebel --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 14087cf..fbe7ccf 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -58,7 +58,7 @@ Explicit user consent is required for cross-origin access. ## 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? -Files previously stored in COS are not accessible in Private Browsing or Incognito mode. Browser vendors may allow COS to work during an Incognito session, but the data would not be retained. Alternatively, Browser vendors may disable COS entirely. +Files previously stored in COS are not accessible in Private Browsing or Incognito mode. Browser vendors may allow COS to work during an Incognito session, but the data would not be retained. Alternatively, browser vendors may disable COS entirely. ## 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? 
From a71ef5a56840a3f100b34f3791ac96cd15e7640a Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 14:07:51 +0100 Subject: [PATCH 13/19] Tune some of the answers --- security-questionnaire.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index fbe7ccf..9f622c2 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -2,11 +2,11 @@ ## 01. What information does this feature expose, and for what purposes? -The COS API exposes the availability of files identified by their SHA-256 hash across different origins. The purpose is to enable efficient sharing of large files (e.g., AI models, SQLite databases, Wasm modules) to reduce redundant downloads and storage. +The COS API exposes the availability of files identified by their hash across different origins. The purpose is to enable efficient sharing of large files (e.g., AI models, SQLite databases, Wasm modules) to reduce redundant downloads and storage. ## 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -Yes, after explicit user consent, the API exposes only the existence of a file with a known hash and provides access to it. No additional metadata is exposed. +Yes, after explicit user consent, the API exposes only the existence of a file with a known hash and provides read access to it. No additional metadata nor write access is exposed. ## 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? @@ -66,7 +66,7 @@ Yes. The specification includes detailed sections addressing security and privac ## 17. Do features in your specification enable origins to downgrade default security protections? -No. +Yes, upon explicit user consent. ## 18. What happens when a document that uses your feature is kept alive in BFCache? 
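Review bot: the new Q17 answer "Yes, upon explicit user consent." does not name the protection that is relaxed. Spell it out on the same line: the same-origin partitioning of storage is relaxed so that one origin can read the bytes of a file another origin stored, and only for the single file (hash) the user approved, not for the storing origin's whole store. Without that a reviewer has to reconstruct the downgrade from Q01 and Q14.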
@@ -78,7 +78,7 @@ The file access operation will terminate, and any pending storage or retrieval w ## 20. Does your spec define when and how new kinds of errors should be raised? -Yes. The specification defines specific errors such as `NotAllowedError` (for denied permissions) and `NotFoundError` (for unavailable files). +No. ## 21. Does your feature allow sites to learn about the user's use of assistive technology? From 6a8e7332faae4a0fd966e9369769c70052070ebd Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 14:21:43 +0100 Subject: [PATCH 14/19] Update security-questionnaire.md --- security-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-questionnaire.md b/security-questionnaire.md index 9f622c2..7dba619 100644 --- a/security-questionnaire.md +++ b/security-questionnaire.md @@ -70,7 +70,7 @@ Yes, upon explicit user consent. ## 18. What happens when a document that uses your feature is kept alive in BFCache? -The BFCache behavior should be aligned with user agent policies. File access requests may trigger re-validation if necessary. +The BFCache behavior is aligned with that of the File System Standard ([whatwg/fs#17](https://github.com/whatwg/fs/issues/17)). ## 19. What happens when a document that uses your feature gets disconnected? From 69599524da84099c37674f59c721506810c291b2 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 14:28:17 +0100 Subject: [PATCH 15/19] Rename questionnaire --- README.md | 6 +----- ...ty-questionnaire.md => security-privacy-questionnaire.md | 0 2 files changed, 1 insertion(+), 5 deletions(-) rename security-questionnaire.md => security-privacy-questionnaire.md (100%) diff --git a/README.md b/README.md index a4726d7..63de588 100644 --- a/README.md +++ b/README.md 
@@ -385,7 +385,7 @@ AI models are admittedly the biggest motivation for working on COS, so one alter ## Security and privacy considerations -See the complete [questionnaire](security-questionnaire.md) for details. +See the complete [questionnaire](security-privacy-questionnaire.md) for details. ## Stakeholder feedback / opposition @@ -400,10 +400,6 @@ See the complete [questionnaire](security-questionnaire.md) for details. ## Acknowledgements -Many thanks for valuable feedback from: - -- **François Beaufort**, Google Chrome - Many thanks for valuable inspiration or ideas from: - **Kenji Baheux**, Google Chrome diff --git a/security-questionnaire.md b/security-privacy-questionnaire.md similarity index 100% rename from security-questionnaire.md rename to security-privacy-questionnaire.md From 495572c3fb508adb0048e7ebf1b65c4f9c41c60d Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 16:51:44 +0100 Subject: [PATCH 16/19] Add security and privacy considerations --- README.md | 20 ++++++++++++++++++++ security-privacy-questionnaire.md | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 63de588..7573517 100644 --- a/README.md +++ b/README.md 
@@ -387,6 +387,26 @@ AI models are admittedly the biggest motivation for working on COS, so one alter See the complete [questionnaire](security-privacy-questionnaire.md) for details. +### Security considerations + +The API mandates [explicit user consent](#user-consent-and-permissions)) before any file access or storage operation, and permission prompts clearly inform users of the requesting site's intent, providing options to allow or deny access. There's no implicit cross-origin information leakage as files in COS are inaccessible without explicit user permission, ensuring no site can infer the presence or absence of specific files without user interaction. User agents can customize permission prompts to minimize confusion while providing transparency. For example, user agents may decide that origins that stored files previously may access them without prompting, provided user agents deem it safe. + +Access is scoped to individual files, [identified by their hashes](#hashing). Developers can't arbitrarily access all files, ensuring limited and precise access control. Files are uniquely identified by their cryptographic hashes (e.g., SHA-256), ensuring data integrity. Hashes prevent tampering with the file contens, that is, a site can be sure it gets the same contents from COS as if it had downloaded the file itself as COS guarantees that the file content matches its hash. + +File handles provided by the API can [only perform specific operations based on their context](#user-consent-and-permissions) (e.g., writing, but not reading, during creation). Misuse of file handles is mitigated by these constraints. + +User agents are envisioned to offer [settings UI for managing COS files](#handling-of-eviction), showing stored files and their associated origins. Users can manually evict files or clear all COS data, maintaining control over their storage. 
+ +### Privacy considerations + +The use of explicit user permission ensures that COS cannot be exploited for tracking or persistent storage across origins without user awareness. Files in COS can't become unvolunatary [supercookies](https://blog.mozilla.org/en/internet-culture/mozilla-explains-cookies-and-supercookies/) without the user noticing. + +Prompts can [differentiate between file existence checks and access requests](#user-consent-and-permissions), reducing the risk of misuse or user misunderstanding. Recent origin access to a file is only visible to users via envisioned browser settings UI, not to other origins. + +COS [use cases](#use-cases) are limited on purpose to mitigate abuse. The API is designed for large files, discouraging use for smaller assets like JavaScript libraries. Its permission model inherently discourages overuse due to user interruption. + +Files in COS may be evicted under critical storage pressure, maintaining system performance and preventing abuse of storage space. + ## Stakeholder feedback / opposition - **Web Developers**: Positive feedback for enabling sharing large files without repeated downloads and storage, particularly in the context of huge AI models, SQLite databases, offline storage archives, and large Wasm modules. diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 7dba619..ef08147 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
@@ -62,7 +62,7 @@ Files previously stored in COS are not accessible in Private Browsing or Incogni ## 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? -Yes. The specification includes detailed sections addressing security and privacy implications, including hashing, user consent, and eviction policies. +Yes. The specification includes detailed sections addressing [security considerations](README.MD#security-considerations) and [privacy implications](README.MD#privacy-considerations). ## 17. Do features in your specification enable origins to downgrade default security protections? From bc5d1e7a4b1dd91b08913fcc14b785582c60e1ea Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 16:56:33 +0100 Subject: [PATCH 17/19] Address https://github.com/tomayac/cross-origin-storage/pull/18/files#r1923939451. --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index ef08147..6332471 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
@@ -6,7 +6,7 @@ The COS API exposes the availability of files identified by their hash across di ## 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -Yes, after explicit user consent, the API exposes only the existence of a file with a known hash and provides read access to it. No additional metadata nor write access is exposed. +Yes, after explicit user consent, the API exposes only the existence of a file with a known hash and provides read access to it. No additional metadata is exposed. Write access is always granted, just like any page can freely and until its storage quota is reached store arbitrary data in other storage mechanisms like the bucket file system (origin private file system), IndexedDB, or the Cache API. ## 03. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? From 172e86cc3ce0d5f940b912ab5f72e3fdb446d5cd Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 16:59:00 +0100 Subject: [PATCH 18/19] Fix markup --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7573517..b948d26 100644 --- a/README.md +++ b/README.md 
@@ -389,7 +389,7 @@ See the complete [questionnaire](security-privacy-questionnaire.md) for details. ### Security considerations -The API mandates [explicit user consent](#user-consent-and-permissions)) before any file access or storage operation, and permission prompts clearly inform users of the requesting site's intent, providing options to allow or deny access. There's no implicit cross-origin information leakage as files in COS are inaccessible without explicit user permission, ensuring no site can infer the presence or absence of specific files without user interaction. User agents can customize permission prompts to minimize confusion while providing transparency. For example, user agents may decide that origins that stored files previously may access them without prompting, provided user agents deem it safe. +The API mandates [explicit user consent](#user-consent-and-permissions) before any file access or storage operation, and permission prompts clearly inform users of the requesting site's intent, providing options to allow or deny access. There's no implicit cross-origin information leakage as files in COS are inaccessible without explicit user permission, ensuring no site can infer the presence or absence of specific files without user interaction. User agents can customize permission prompts to minimize confusion while providing transparency. For example, user agents may decide that origins that stored files previously may access them without prompting, provided user agents deem it safe. Access is scoped to individual files, [identified by their hashes](#hashing). Developers can't arbitrarily access all files, ensuring limited and precise access control. Files are uniquely identified by their cryptographic hashes (e.g., SHA-256), ensuring data integrity. 
Hashes prevent tampering with the file contens, that is, a site can be sure it gets the same contents from COS as if it had downloaded the file itself as COS guarantees that the file content matches its hash. From 7a1ce47b0349f9a131c1ecf6f87d92d4c130b586 Mon Sep 17 00:00:00 2001 From: Thomas Steiner Date: Tue, 21 Jan 2025 17:54:01 +0100 Subject: [PATCH 19/19] No e.g. --- README.md | 4 ++-- security-privacy-questionnaire.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b948d26..3f24d5f 100644 --- a/README.md +++ b/README.md 
@@ -391,9 +391,9 @@ See the complete [questionnaire](security-privacy-questionnaire.md) for details. The API mandates [explicit user consent](#user-consent-and-permissions) before any file access or storage operation, and permission prompts clearly inform users of the requesting site's intent, providing options to allow or deny access. There's no implicit cross-origin information leakage as files in COS are inaccessible without explicit user permission, ensuring no site can infer the presence or absence of specific files without user interaction. User agents can customize permission prompts to minimize confusion while providing transparency. For example, user agents may decide that origins that stored files previously may access them without prompting, provided user agents deem it safe. -Access is scoped to individual files, [identified by their hashes](#hashing). Developers can't arbitrarily access all files, ensuring limited and precise access control. Files are uniquely identified by their cryptographic hashes (e.g., SHA-256), ensuring data integrity. Hashes prevent tampering with the file contens, that is, a site can be sure it gets the same contents from COS as if it had downloaded the file itself as COS guarantees that the file content matches its hash. +Access is scoped to individual files, [identified by their hashes](#hashing). Developers can't arbitrarily access all files, ensuring limited and precise access control. Files are uniquely identified by their cryptographic hashes (for example, SHA-256), ensuring data integrity. Hashes prevent tampering with the file contens, that is, a site can be sure it gets the same contents from COS as if it had downloaded the file itself as COS guarantees that the file content matches its hash. -File handles provided by the API can [only perform specific operations based on their context](#user-consent-and-permissions) (e.g., writing, but not reading, during creation). 
Misuse of file handles is mitigated by these constraints. +File handles provided by the API can [only perform specific operations based on their context](#user-consent-and-permissions) (for example, writing, but not reading, during creation). Misuse of file handles is mitigated by these constraints. User agents are envisioned to offer [settings UI for managing COS files](#handling-of-eviction), showing stored files and their associated origins. Users can manually evict files or clear all COS data, maintaining control over their storage. diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 6332471..c309089 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -2,7 +2,7 @@ ## 01. What information does this feature expose, and for what purposes? -The COS API exposes the availability of files identified by their hash across different origins. The purpose is to enable efficient sharing of large files (e.g., AI models, SQLite databases, Wasm modules) to reduce redundant downloads and storage. +The COS API exposes the availability of files identified by their hash across different origins. The purpose is to enable efficient sharing of large files (for example, AI models, SQLite databases, Wasm modules) to reduce redundant downloads and storage. ## 02. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality?
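Review bot: in patch 01 the Q13 answer ("None. File access is based solely on static hashes, which are not session-specific identifiers") and the Q05 answer ("No ... no hidden or derived information") overlook that a content hash is a stable, user-agent-wide identifier: an origin that stores a file whose bytes are unique to this user, and a second origin that later checks for that hash, obtain a cross-origin identifier that outlives any session. Both answers should say that the per-file consent prompt named in Q04 and Q14 is the mitigation for exactly this case, and Q06 should add that eviction or a user-initiated clear also removes that identifier.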
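Review bot: the shortened Q14 answer in patch 09 ("Explicit user consent is required for cross-origin access.") answers a different question than the one asked. Q14 is about first-party versus third-party browsing contexts, that is, whether a cross-origin iframe may call the API at all and whether a prompt raised from inside it is attributed to the embedder or to the embedded origin. State whether the API is exposed in third-party iframes and, if so, whether it is gated by a Permissions Policy feature; the questionnaire currently gives no answer to that.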
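Review bot: changing the Q20 answer to a bare "No." in patch 13 removes the `NotAllowedError` (denied permission) and `NotFoundError` (no file for that hash) cases, yet the unchanged Q19 context line above it still says pending operations "fail gracefully with appropriate errors". Either keep the two error names together with the condition under which each is raised, or reword Q19 so it does not promise errors the questionnaire says are undefined.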
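Review bot: the second README.md hunk in patch 15 (`@@ -400,10 +400,6 @@`) deletes the "Many thanks for valuable feedback from: François Beaufort" block, which has nothing to do with the file rename this patch performs. Move that deletion to its own commit, or explain it in the commit description; otherwise it is invisible in a commit titled "Rename questionnaire".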
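Review bot: the "Security considerations" text added in patch 16 claims "COS guarantees that the file content matches its hash" and that hashes "prevent tampering", but never says when the user agent computes or verifies the hash. State that an entry becomes visible to other origins only after the user agent has hashed the written bytes itself (not trusting a hash supplied by the writing origin), whether the hash is rechecked on read, and what happens on a mismatch; without that the integrity claim is unsupported. The same paragraph says no site can infer the presence or absence of a file "without user interaction"; for that to hold, the existence-check prompt has to be shown the same way whether or not a file with that hash exists, otherwise the appearance of the prompt itself is the bit the origin wanted. Two typos in the `+` lines: "file contens" (contents) and "unvolunatary supercookies" (involuntary); the doubled closing parenthesis after `#user-consent-and-permissions)` is fixed in patch 18, the typos are not.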
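Review bot: the Q16 answer in patch 16 links to `README.MD#security-considerations` and `README.MD#privacy-considerations`, but the file edited everywhere else in this series is `README.md`; on a case-sensitive host those links 404. Use `README.md#...`, and make the second link text match its target heading ("Privacy considerations" rather than "privacy implications").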
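Review bot: the new Q02 sentence in patch 17, "Write access is always granted, just like any page can freely and until its storage quota is reached store arbitrary data in other storage mechanisms", hides what makes a COS write different from an OPFS or IndexedDB write: an unconsented COS write creates an entry that every other origin knowing the hash can later ask for. Say explicitly what such a write can and cannot achieve (it cannot make another origin receive different bytes for a given hash, because the entry is addressed by the user agent's own hash of the content, but it does consume shared storage and can seed a later existence check) and whose quota the bytes are charged to. The sentence also reads awkwardly; "can freely store arbitrary data until its storage quota is reached" is clearer.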
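Review bot: the `+` line in the patch 19 README.md hunk still reads "tampering with the file contens"; since the line is being rewritten anyway (e.g. to "for example"), correct it to "contents" here rather than in a later patch.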