diff --git a/index.bs b/index.bs index eebfe27..d3a0686 100644 --- a/index.bs +++ b/index.bs @@ -950,12 +950,19 @@ actor can determine that the text fragment was successfully found in victim page as a result of such a navigation, they can infer the existence of any text on the page. -The following subsections restrict the feature to mitigate the expected attack -vectors. In summary, text directives are invoked only on full (non-same-page) -navigations that are the result of a user activation. Additionally, -navigations originating from a different origin than the destination will -require the navigation to take place in a "noopener" context, such that the -destination page is known to be sufficiently isolated. +The processing model in the following subsections restricts the feature to +mitigate the expected attack vectors. In summary, text directives are restricted +to: + +* top level navigables (i.e. no iframes). + * ISSUE(WICG/scroll-to-text-fragment#240): This isn't strictly true, Chrome + allows this for same-origin initiators. Need to update the spec on this + point. +* navigations that are the result of a user action +* in cases where the navigation has a cross-origin initiator, the destination + must be opener isolated (i.e. no references to its global objects in other + documents) + ### Scroll On Navigation ### {#scroll-on-navigation} @@ -981,14 +988,6 @@ detectable and distinguished from natural user scrolls. of the fragment search based on the order of requests for DNS lookup. -
- A malicious page embeds a cross-origin victim in an iframe. The victim page - contains information sensitive to the user. The malicious page navigates the - victim to a text fragment. Since a successful fragment match will cause - focus, the malicious page can determine if the text appears in the victim by - listening for a blur event in its own document. -
-
An attacker sends a link to a victim, sending them to a page that displays a private token. The attacker asks the victim to read back the token. Using diff --git a/index.html b/index.html index 03dd3dd..ef2a342 100644 --- a/index.html +++ b/index.html @@ -813,7 +813,7 @@

URL Fragment Text Directives

-

Draft Community Group Report,

+

Draft Community Group Report,

This version: @@ -1809,12 +1809,25 @@

+

The processing model in the following subsections restricts the feature to +mitigate the expected attack vectors. In summary, text directives are restricted +to:

+
    +
  • +

    top level navigables (i.e. no iframes).

    + +
  • +

    navigations that are the result of a user action

    +
  • +

    in cases where the navigation has a cross-origin initiator, the destination +must be opener isolated (i.e. no references to its global objects in other +documents)

    +

3.5.2. Scroll On Navigation

A UA may choose to automatically scroll a matched text passage into view. This can be a convenient experience for the user but does present some risks that @@ -1830,11 +1843,6 @@

-
A malicious page embeds a cross-origin victim in an iframe. The victim page - contains information sensitive to the user. The malicious page navigates the - victim to a text fragment. Since a successful fragment match will cause - focus, the malicious page can determine if the text appears in the victim by - listening for a blur event in its own document.
An attacker sends a link to a victim, sending them to a page that displays a private token. The attacker asks the victim to read back the token. Using a text fragment, the attacker gets the page to load for the victim such that @@ -3146,6 +3154,9 @@

#186

Implementation note: Blink doesn’t currently set focus for text fragments, it probably should? TODO: file crbug.
+
This isn’t strictly true, Chrome +allows this for same-origin initiators. Need to update the spec on this +point. [Issue #WICG/scroll-to-text-fragment#240]
data is not correct here since that’s the text data as it exists in the DOM. This algorithm means to run over the text as rendered (and then convert back
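Review bot: in the index.bs hunk at `@@ -950,12 +950,19 @@`, the new bulleted summary silently drops one restriction the removed paragraph stated, "full (non-same-page) navigations", and loosens another, "user activation" becoming "user action". If the processing model in the following subsections still refuses to invoke text directives on same-document navigations, the summary needs a bullet for it (e.g. `* non-same-document navigations (i.e. not fragment-only or history API navigations)`); if that restriction was removed on purpose, say so in the commit. Likewise, "user activation" is the HTML-defined term the algorithms check against, so keep it unless the intent is to also cover browser-initiated navigations such as typing a URL in the address bar, in which case the bullet should name that case explicitly rather than use the vaguer "user action".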
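Review bot: in the index.bs hunk at `@@ -981,14 +988,6 @@`, the deleted iframe example is the only text in this section that explains why the new "top level navigables" bullet exists (a cross-origin embedder watching for `blur` in its own document as a match oracle). Rather than removing it, consider keeping it and rewording the lead-in to "Without the top level navigable restriction, a malicious page could embed a cross-origin victim in an iframe ...", so the restriction stays motivated. The example also remains valid under the same-origin-initiator carve-out mentioned in the ISSUE in the previous hunk, since its attacker is cross-origin to the victim.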
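Review bot: in the index.html hunk at `@@ -1809,12 +1809,25 @@`, the rendered list shows the three bullets ("top level navigables", "navigations that are the result of a user action", "opener isolated") but the nested `* ISSUE(WICG/scroll-to-text-fragment#240)` sub-bullet from the index.bs source does not appear inline in the lines shown here; it only shows up in the Issues Index hunk at the end of the file. Check the built HTML to confirm Bikeshed rendered the sub-list item under "top level navigables" and that it was not dropped because of the two-space sub-list indentation.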
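Review bot: in the index.html hunk at `@@ -3146,6 +3154,9 @@`, the new Issues Index entry reads "This isn't strictly true, Chrome allows this for same-origin initiators", which has no subject once it is lifted out of the list it annotates; a reader of the index cannot tell what "this" is. Fix the ISSUE text in index.bs so it stands alone, e.g. "The spec limits text directives to top level navigables, but Chrome also allows them in iframes when the initiator is same-origin with the frame; the spec needs to be updated on this point.", and the generated index will then be self-explanatory.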