Make WebNN API a policy-controlled feature with default allowlist 'self' #145
Comments
Thank you @annssiko for considering our feedback and for proposing solutions to mitigate the privacy vulnerabilities. Restricting access to same-origin domain iframe and disallowing by default cross-original iframe cross-origin access to the API is a good approach.
@sandandsnow, FYI, we just landed your proposed privacy-hardening feature to the Web Neural Network API spec, see #159. Please let us know if you have any further feedback. Thank you for reviewing the WebNN API from a privacy perspective.
Thank you @anssiko and colleagues
PING review feedback:
Discussed on WebML CG Teleconference – 18 February 2021 with an initial agreement to make WebNN API a policy controlled feature.
We have additional knobs at our disposal with the default allowlist with two possible values:
Per PING feedback I infer we should set the default allowlist to ['self'], which allows same-origin domain iframe elements to have access to this API, while disallowing by default cross-origin iframe access to this API.
@RafaelCintron @sandandsnow
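
As an added illustration (not part of the issue or of the WebNN spec), this simplified model of Permissions Policy inheritance shows what a default allowlist of 'self' means for embedded frames, next to the other default the Permissions Policy spec permits, `*`. It assumes no Permissions-Policy response header and an already-resolved iframe allow attribute; the frame objects, origins and function names are constructed for the example.

```javascript
// Simplified model of Permissions Policy inheritance for one feature.
// Assumptions: no Permissions-Policy response header is sent, and an iframe's
// allow attribute is given as an already-resolved list of origins (or '*').
// Frame shape (constructed for this example): { origin, parent, allow }.

function matches(allowlist, origin) {
  return allowlist.includes('*') || allowlist.includes(origin);
}

// Is the feature usable by the document loaded in `frame`?
function featureEnabled(defaultAllowlist, frame) {
  if (frame.parent === null) return true; // top-level document
  const parent = frame.parent;
  // A parent that lacks the feature cannot pass it down, even with allow=.
  if (!featureEnabled(defaultAllowlist, parent)) return false;
  // An explicit allow attribute on the <iframe> overrides the default.
  if (Array.isArray(frame.allow)) return matches(frame.allow, frame.origin);
  if (defaultAllowlist === '*') return true;
  // 'self': only frames same-origin with their embedder inherit the feature.
  return defaultAllowlist === "'self'" && frame.origin === parent.origin;
}

// Constructed frame tree: one same-origin frame, one cross-origin frame,
// one explicitly delegated cross-origin frame, and a frame that the
// undelegated cross-origin frame tries to delegate to.
const top = { origin: 'https://app.example', parent: null };
const sameOrigin = { origin: 'https://app.example', parent: top };
const crossOrigin = { origin: 'https://ads.example', parent: top };
const delegated = { origin: 'https://ml.example', parent: top,
                    allow: ['https://ml.example'] };
const reDelegated = { origin: 'https://cdn.example', parent: crossOrigin,
                      allow: ['https://cdn.example'] };

function report(defaultAllowlist) {
  const frames = { top, sameOrigin, crossOrigin, delegated, reDelegated };
  return Object.fromEntries(Object.entries(frames).map(
    ([name, frame]) => [name, featureEnabled(defaultAllowlist, frame)]));
}

console.log("default 'self':", report("'self'"));
console.log('default *:', report('*'));
```

With 'self', a cross-origin frame gets the API only when its embedder opts in through the allow attribute, and a frame that was never granted the feature cannot hand it to its own children.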