Make WebNN API a policy-controlled feature with default allowlist 'self' #145

Closed
anssiko opened this issue Feb 18, 2021 · 3 comments · Fixed by #159
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

Comments

@anssiko
Member

anssiko commented Feb 18, 2021

PING review feedback:

Is the API restricted to first-party contexts? Or do third-party frames have access? (The answer to 2.13 of the Self-Review: Security and Privacy Questionnaire (above) suggests they do, and that you are exploring the potential of a policy-controlled feature approach.) Is there any reason not to simply restrict to first party context? (i.e. what are the likely use cases you envision that would require third-party frames to have access to the API?)

Discussed on WebML CG Teleconference – 18 February 2021 with an initial agreement to make WebNN API a policy controlled feature.

We have additional knobs at our disposal with the default allowlist with two possible values:

- `*`: The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to documents in child browsing contexts.
- `self`: The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to same-origin domain documents in child browsing contexts, but is disallowed by default in cross-origin documents in child browsing contexts.

Per PING feedback, I infer we should set the default allowlist to ['self'], which allows same-origin domain iframe elements to have access to this API while disallowing by default cross-origin iframe access to this API.

@RafaelCintron @sandandsnow

anssiko added the privacy-tracker label Feb 18, 2021
anssiko changed the title from "Make WebNN API a policy-controlled feature with default allowlist" to "Make WebNN API a policy-controlled feature with default allowlist 'self'" Feb 18, 2021
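The difference between the two default allowlist values discussed above, as an added example that is not part of the original issue or the WebNN spec text. It is a simplified model of Permissions Policy inheritance for one feature; the feature name `webnn`, the `example` origins and all function names are assumptions, and it assumes no `Permissions-Policy` response header and that the framed document's origin equals the origin of the iframe `src`.

```javascript
// Return the allowlist tokens that an iframe `allow` attribute declares for
// `feature`, or null when the attribute does not mention the feature at all.
function parseAllow(allow, feature) {
  for (const directive of (allow || '').split(';')) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    // A bare feature name with no value is shorthand for 'src'.
    if (name === feature) return tokens.length ? tokens : ["'src'"];
  }
  return null;
}

function tokenMatches(token, childOrigin, parentOrigin) {
  if (token === '*' || token === "'src'") return true; // 'src' is the child origin in this model
  if (token === "'self'") return childOrigin === parentOrigin;
  if (token === "'none'") return false;
  try { return new URL(token).origin === childOrigin; } catch { return false; }
}

// Is `feature` enabled in the document loaded into an iframe?
function enabledInChild({ feature, defaultAllowlist, parentEnabled = true,
                          parentUrl, frameSrc, allow }) {
  if (!parentEnabled) return false; // a frame cannot gain what its parent lacks
  const parentOrigin = new URL(parentUrl).origin;
  const childOrigin = new URL(frameSrc).origin;
  const tokens = parseAllow(allow, feature);
  // An explicit `allow` entry overrides the feature's default allowlist.
  if (tokens !== null) return tokens.some(t => tokenMatches(t, childOrigin, parentOrigin));
  if (defaultAllowlist === '*') return true;
  if (defaultAllowlist === 'self') return childOrigin === parentOrigin;
  return false;
}

// Constructed sample frames embedded by https://app.example/ (hypothetical origins).
const base = { feature: 'webnn', parentUrl: 'https://app.example/' };
const sameOrigin = { ...base, frameSrc: 'https://app.example/widget.html' };
const crossOrigin = { ...base, frameSrc: 'https://ads.example/frame.html' };

function compareDefaults() {
  const rows = [];
  for (const defaultAllowlist of ['*', 'self']) {
    rows.push({ defaultAllowlist,
      sameOrigin: enabledInChild({ ...sameOrigin, defaultAllowlist }),
      crossOrigin: enabledInChild({ ...crossOrigin, defaultAllowlist }),
      crossOriginDelegated: enabledInChild({ ...crossOrigin, defaultAllowlist, allow: 'webnn' }) });
  }
  return rows;
}
console.table(compareDefaults());
```

With `self`, a cross-origin frame gets the feature only when the embedding page opts in through the `allow` attribute; with `*`, it gets it without any opt-in.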
@sandandsnow

sandandsnow commented Mar 5, 2021

Thank you @anssiko for considering our feedback and for proposing solutions to mitigate the privacy vulnerabilities. Restricting access to same-origin domain iframes and disallowing by default cross-origin iframe access to the API is a good approach.

@anssiko
Member Author

anssiko commented Apr 15, 2021

@sandandsnow, FYI, we just landed your proposed privacy-hardening feature to the Web Neural Network API spec, see #159. Please let us know if you have any further feedback. Thank you for reviewing the WebNN API from a privacy perspective.

@sandandsnow

Thank you @anssiko and colleagues
