Skip to content

Commit

Permalink
Expand the abuse section in the explainer.
Browse files Browse the repository at this point in the history
Also add some UI requirements in the spec
  • Loading branch information
rayankans committed Jan 2, 2020
1 parent 13fa9c1 commit 507fb15
Show file tree
Hide file tree
Showing 3 changed files with 36 additions and 10 deletions.
18 changes: 15 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,22 @@ partial interface Navigator {
* Some future might include the ability to add contacts, or even _contact management_, so having an intermediary object on `navigator` helps extensibility.

## Security and Privacy
Exposing contact information has a clear privacy impact. We propose a picker model so that the user agent can make it clear what information is going to be shared with the website. This differs from native APIs where the permission is requested once, after which the application gets perpetual access to the user's contacts. With the picker model, access to contact information is restricted by the contacts selected by the user in the picker. Furthermore, the spec will have a MUST requirement to ensure that the user can understand which contacts (and information) will be shared.
Exposing contact information has a clear privacy impact. The spec proposes a picker model so that the user agent can make it clear what information is going to be shared with the website. This differs from native APIs where the permission is requested once, after which the application gets perpetual access to the user's contacts. With the picker model, the website gets a one-off list of contacts selected by the user. Furthermore, The API will only be available from secure top-level contexts.

## Abuse
To prevent abuse and user annoyance, the API will have some usability restrictions. The API will only be available from secure top-level contexts. This will prevent embedded iframes from requesting user contacts and the user accidentally sharing information with an unintended destination. The picker can only be brought up if the API call was initiated by a user gesture. This will prevent websites from bringing up the picker on website load.
## Abuse Scenarios

### Sharing contacts with unintended recipients
The first mitigation against this abuse vector is that the API is only available from top-level contexts. This means embedded iframes can't request contact information.

The spec also enforces that the picker UI shows which origin the contacts will be shared with, which contacts will be shared, and what information regarding the contacts will be shared.

### Websites forcing users to share contacts
The picker UI MUST have a cancel/return option for the user to not share any contacts. The spec also recommends that the UI have a way for users to opt out of sharing certain contact information, in a way that the website cannot know whether the user opted out.

Implementers should be wary of malicious website UI that can be rendered side-by-side with the picker. The UI can pretend to be part of the user agent's UI and encourage users to share more information than they intended to. A potential workaround to avoid this would be making the picker fullscreen.

### Websites spamming users with the picker
To prevent abuse and user annoyance, the API has some usability restrictions. The picker can only be brought up if the API call was initiated by a user gesture. This means websites can't bring up the picker on website load. There can also be one instance of the picker at any given time, so websites can't request multiple stacked pickers on top of each other.

## Alternatives Considered

Expand Down
10 changes: 9 additions & 1 deletion spec/index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -341,10 +341,18 @@ interface ContactsManager {
* If presenting a user interface fails or accessing the [=contacts source=]'s
[=contacts source/available contacts=] fails, then return failure.
* The UI MUST prominently display the [=browsing context=]'s [=origin=].
* The UI MUST make it clear which `properties` of the contact will be shared.
* The UI MUST make it clear which `properties` of the contacts are requested.

NOTE: This information is derived from |properties|.

* The UI SHOULD provide a way for users to opt out of sharing certain contact information.

NOTE: If the user opts out, the appropriate [=user contact=] fields should be modified before
returning the selected contacts. It should be indistinguishable from the returned
[=user contact=]s whether the user opted out from sharing some information or if the
information was not present to begin with.

* The UI MUST make it clear which information will be shared.
* The UI MUST provide a way to select individual contacts. If |allowMultiple| is false, only one
contact should be pickable.
* The UI MUST provide an option to cancel/return without sharing any contacts, in which case
Expand Down
18 changes: 12 additions & 6 deletions spec/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -1215,7 +1215,7 @@
<link href="https://www.w3.org/StyleSheets/TR/2016/W3C-UD" rel="stylesheet">
<meta content="Bikeshed version c80088ef848c5e5446a2eaced80623027d194593" name="generator">
<link href="https://wicg.github.io/contact-api/spec" rel="canonical">
<meta content="5f5206f4a6407a08e9cedfd3625baee12ffde836" name="document-revision">
<meta content="13fa9c1e63896e4cbf7fbbc9389fd25f7bdbf0bd" name="document-revision">
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
Expand Down Expand Up @@ -1473,7 +1473,7 @@
<div class="head">
<p data-fill-with="logo"></p>
<h1 class="p-name no-ref" id="title">Contact Picker API</h1>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Unofficial Proposal Draft, <time class="dt-updated" datetime="2019-11-04">4 November 2019</time></span></h2>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Unofficial Proposal Draft, <time class="dt-updated" datetime="2020-01-02">2 January 2020</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
Expand All @@ -1486,7 +1486,7 @@ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="cont
</dl>
</div>
<div data-fill-with="warning"></div>
<p class="copyright" data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2019 the Contributors to the Contact Picker API Specification, published by the <a href="https://www.w3.org/community/wicg/">Web Platform Incubator Community Group</a> under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a>.
<p class="copyright" data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2020 the Contributors to the Contact Picker API Specification, published by the <a href="https://www.w3.org/community/wicg/">Web Platform Incubator Community Group</a> under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a>.
A human-readable <a href="http://www.w3.org/community/about/agreements/cla-deed/">summary</a> is available. </p>
<hr title="Separator for header">
</div>
Expand Down Expand Up @@ -1860,8 +1860,14 @@ <h2 class="heading settled" data-level="6" id="contact-picker"><span class="secn
<li data-md>
<p>The UI MUST prominently display the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context①">browsing context</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origin</a>.</p>
<li data-md>
<p>The UI MUST make it clear which <code>properties</code> of the contact will be shared.</p>
<p>The UI MUST make it clear which <code>properties</code> of the contacts are requested.</p>
<p class="note" role="note"><span>NOTE:</span> This information is derived from <var>properties</var>.</p>
<li data-md>
<p>The UI SHOULD provide a way for users to opt out of sharing certain contact information.</p>
<p class="note" role="note"><span>NOTE:</span> If the user opts out, the appropriate <a data-link-type="dfn" href="#user-contact" id="ref-for-user-contact⑧">user contact</a> fields should be modified before
returning the selected contacts. It should be indistinguishable whether the returned <a data-link-type="dfn" href="#user-contact" id="ref-for-user-contact⑨">user contact</a>s have opted-out information or the information was not present to begin with.</p>
<li data-md>
<p>The UI MUST make it clear which information will be shared.</p>
<li data-md>
<p>The UI MUST provide a way to select individual contacts. If <var>allowMultiple</var> is false, only one
contact should be pickable.</p>
Expand All @@ -1870,7 +1876,7 @@ <h2 class="heading settled" data-level="6" id="contact-picker"><span class="secn
remove the UI and return an empty <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list⑨">list</a>.</p>
<li data-md>
<p>The UI MUST provide an a way for users to indicate that they are done selecting, in which case
remove the UI and return a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list①⓪">list</a> of the selected contacts as <a data-link-type="dfn" href="#user-contact" id="ref-for-user-contact">user contacts</a>.</p>
remove the UI and return a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list①⓪">list</a> of the selected contacts as <a data-link-type="dfn" href="#user-contact" id="ref-for-user-contact①⓪">user contacts</a>.</p>
</ul>
</div>
</div>
Expand Down Expand Up @@ -2475,7 +2481,7 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<li><a href="#ref-for-user-contact">4.1. User contact</a>
<li><a href="#ref-for-user-contact①">4.2. Contacts source</a>
<li><a href="#ref-for-user-contact②">5.2. ContactProperty</a> <a href="#ref-for-user-contact③">(2)</a> <a href="#ref-for-user-contact④">(3)</a> <a href="#ref-for-user-contact⑤">(4)</a> <a href="#ref-for-user-contact⑥">(5)</a> <a href="#ref-for-user-contact⑦">(6)</a>
<li><a href="#ref-for-user-contact⑧">6. Contact Picker</a>
<li><a href="#ref-for-user-contact⑧">6. Contact Picker</a> <a href="#ref-for-user-contact⑨">(2)</a> <a href="#ref-for-user-contact①⓪">(3)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="user-contact-names">
Expand Down

0 comments on commit 507fb15

Please sign in to comment.