EN-304-617_v0.0.4.md

- CVE Critical Severity Guidelines: https://www.first.org/cvss/
- NIST Critical Patch Management: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final

### Assessment: UPD-REQ-18 (Update verification chain)

**Reference**: UPD-REQ-18 - Browser shall implement complete chain-of-trust verification from update manifest through component signatures to final installation

**Given**: A conformant browser with UPD-1 or higher capability

**Task**: Verify that complete chain-of-trust verification prevents sophisticated supply chain attacks where attackers compromise individual components of the update distribution system. By requiring cryptographic validation at every level from root keys through manifests to individual component signatures, the browser ensures that compromise of any single element in the distribution chain cannot result in installation of malicious updates.

**Verification**:

1. Trace the complete update verification chain from initial update check to installation
2. Verify that update manifest is signed by trusted root key embedded in browser
3. Examine the signature chain: root key → manifest → component hashes → component signatures
4. Test that each level of the verification chain is validated before proceeding
5. Attempt to break the chain by presenting valid components with invalid manifest
6. Verify that intermediate certificate revocation breaks the verification chain
7. Test that the root keys used for update verification are embedded in browser binary and protected
8. Check that chain-of-trust validation occurs even for component updates
9. Verify that the entire verification chain is logged for audit purposes
10. Confirm that any break in verification chain prevents installation and triggers errors
11. Complete chain-of-trust from root keys to installed components
12. Root keys for update verification are embedded in browser binary
13. Update manifests are signed and verified against trusted root keys
14. Component signatures are verified against manifest hashes
15. Each verification step is performed in sequence with no shortcuts
16. Any break in verification chain prevents installation
17. Intermediate certificate revocation is detected and enforced
18. Verification chain is logged with details at each step
19. Chain-of-trust applies to both full and component updates

**Pass Criteria**: Complete verification chain from root keys to components AND each level is validated before proceeding AND breaks in chain prevent installation AND root keys are embedded and protected

**Fail Criteria**: Incomplete verification chain OR steps can be skipped OR root keys not embedded OR chain breaks do not prevent installation

**Evidence**: Verification chain documentation and diagrams, root key extraction from browser binary, signature verification logs at each chain level, test results from chain break attempts, intermediate certificate revocation tests, audit logs showing complete chain verification

**References**:

- Chrome Root Certificate Program: https://www.chromium.org/Home/chromium-security/root-ca-policy/
- Code Signing Certificate Chains: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/digital-signatures
- X.509 Certificate Path Validation: https://www.rfc-editor.org/rfc/rfc5280#section-6
- Mozilla Root Store Policy: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
- TUF Root of Trust: https://theupdateframework.github.io/specification/latest/#root-metadata
- NIST Trust Anchor Management: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final

### Assessment: UPD-REQ-19 (Update source pinning)

**Reference**: UPD-REQ-19 - Browser shall implement update source pinning to prevent malicious redirection to unauthorized update servers

**Given**: A conformant browser with UPD-1 or higher capability

**Task**: Verify that update source pinning prevents malicious redirection attacks that could deliver compromised updates through DNS hijacking, BGP routing attacks, or compromised enterprise proxies. Hardcoded, pinned update server domains ensure that even if network infrastructure is compromised, browsers will only accept updates from authentic vendor-controlled servers validated through certificate pinning.

**Verification**:

1. Identify the configured update server URLs embedded in browser binary or configuration
2. Verify that update server domains are pinned and cannot be modified through configuration files
3. Attempt to modify system DNS or hosts file to redirect update domains to malicious servers
4. Test that certificate pinning for update domains prevents MITM attacks
5. Verify that update server URLs use multiple trusted domains with fallback mechanisms
6. Attempt to inject malicious update server URLs through registry/preference modifications
7. Test that update source pinning is enforced even for enterprise-managed deployments
8. Check that hardcoded update domains cannot be overridden by network-based attacks
9. Verify that fallback update servers are also pinned and verified
10. Confirm that update source pinning violations are logged and reported
11. Update server domains are hardcoded in browser binary
12. Update source URLs cannot be modified through configuration or registry
13. DNS redirection attacks are prevented through certificate pinning
14. Multiple trusted update domains with verified fallback mechanisms
15. Enterprise policies cannot override update source pinning for security updates
16. Network-based redirection attempts are detected and blocked
17. Fallback servers are subject to same pinning requirements
18. Source pinning violations are logged as security events

**Pass Criteria**: Update server domains are hardcoded AND cannot be modified by configuration OR DNS attacks AND certificate pinning prevents redirection AND fallback servers are also pinned

**Fail Criteria**: Update servers can be modified through configuration OR DNS redirection succeeds OR no certificate pinning OR enterprise policies can override source pinning

**Evidence**: Decompiled browser binary showing hardcoded update URLs, test results from DNS redirection attempts, certificate pinning verification, configuration modification tests, enterprise policy override tests, source pinning violation logs

**References**:

- Chrome Update Server Infrastructure: https://chromium.googlesource.com/chromium/src/+/main/docs/updater/protocol_3_1.md#update-server
- Certificate Pinning Implementation: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
- DNS Rebinding Protection: https://en.wikipedia.org/wiki/DNS_rebinding
- Mozilla Update Server Security: https://wiki.mozilla.org/Software_Update#Security
- Google Omaha Server Protocol: https://github.com/google/omaha/blob/main/doc/ServerProtocolV3.md
- NIST Supply Chain Risk Management: https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management

### Assessment: UPD-REQ-20 (Update integrity verification)

**Reference**: UPD-REQ-20 - Browser shall verify integrity of installed components after update application to detect corruption or tampering

**Given**: A conformant browser with UPD-1 or higher capability

**Task**: Verify that post-installation integrity verification detects tampering or corruption that occurs after updates are applied, protecting against attacks where malware modifies browser components between installation and execution. This closes the security window where installed files are vulnerable to modification before integrity checks run, ensuring that any tampering triggers immediate remediation.

**Verification**:

1. Perform a complete browser update and monitor the post-installation verification phase
2. Verify that installed files are checked against expected cryptographic hashes after installation
3. Attempt to modify an installed file immediately after update completion
4. Test that modified files are detected on next browser launch
5. Verify that integrity verification occurs both after installation and at browser startup
6. Check that integrity verification covers all critical components (binaries, libraries, resources)
7. Test that integrity failures trigger repair or re-installation mechanisms
8. Verify that integrity verification results are logged with specific failure details
9. Test that browser refuses to launch if critical component integrity verification fails
10. Confirm that integrity verification uses same cryptographic strength as update verification (SHA-256+)
11. Post-installation integrity verification checks all installed components
12. Cryptographic hashes (SHA-256+) are used for integrity verification
13. Modified files are detected immediately after installation
14. Startup integrity checks detect tampering between sessions
15. Critical components are verified (binaries, libraries, key resources)
16. Integrity failures trigger automatic repair or update mechanisms
17. Browser refuses to launch if critical components fail verification
18. Integrity verification results are logged with specific error details
19. Verification coverage includes all security-critical components

**Pass Criteria**: Post-installation integrity verification is performed AND uses strong cryptographic hashes (SHA-256+) AND modified files are detected AND integrity failures trigger repair OR prevent launch

**Fail Criteria**: No post-installation verification OR weak hash algorithms OR modified files not detected OR integrity failures do not trigger corrective actions

**Evidence**: Post-installation verification logs, hash algorithm analysis, test results from file modification attacks, startup integrity check logs, repair mechanism demonstrations, critical component verification coverage analysis

**References**:

- Chrome Component Integrity Verification: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Certificate-Verification
- Windows Code Integrity: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
- macOS Gatekeeper and Code Signing: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution
- Linux Integrity Measurement Architecture: https://sourceforge.net/p/linux-ima/wiki/Home/
- NIST File Integrity Monitoring: https://csrc.nist.gov/glossary/term/file_integrity_monitoring
- OWASP Software Component Verification: https://owasp.org/www-project-software-component-verification-standard/

### Assessment: UPD-REQ-21 (Staged rollout support)

**Reference**: UPD-REQ-21 - Browser shall support staged rollout mechanisms to gradually deploy updates to user populations with rollback capability

**Given**: A conformant browser with UPD-2 or higher capability

**Task**: Verify that staged rollout mechanisms limit the blast radius of defective updates while maintaining rapid response capability for critical security fixes. Gradual deployment with rollback capability prevents scenarios where buggy updates simultaneously impact millions of users, while emergency bypass ensures that actively exploited vulnerabilities can still be patched immediately across the entire user base.

**Verification**:

1. Review browser update architecture for staged rollout or canary deployment support
2. Verify that update manifests include rollout percentage or cohort targeting information
3. Test that updates are delivered to progressively larger user populations over time
4. Check that rollout stages are controlled by server-side configuration, not client manipulation
5. Verify that users cannot force-join or opt-out of rollout cohorts
6. Test that rollout can be paused or rolled back if issues are detected
7. Monitor multiple browser instances to observe different rollout timing
8. Verify that critical security updates can bypass staged rollout for immediate deployment
9. Test that rollout cohorts are assigned using stable user identifiers (not random per check)
10. Confirm that staged rollout status is logged for monitoring and analysis
11. Update system supports staged rollout with progressive deployment
12. Rollout percentages are specified in update manifests and enforced server-side
13. Users cannot manipulate rollout cohort assignment
14. Rollout can be paused or reversed if issues are detected
15. Critical security updates can bypass staged rollout
16. Cohort assignment is stable (same user gets consistent rollout timing)
17. Multiple instances show varied rollout timing based on cohort
18. Rollout status and cohort information are logged
19. Rollout progression follows defined stages (e.g., 1%, 10%, 50%, 100%)

**Pass Criteria**: Staged rollout mechanism is implemented AND rollout percentages are server-controlled AND users cannot manipulate cohorts AND critical updates can bypass rollout AND rollback capability exists

**Fail Criteria**: No staged rollout support OR users can manipulate rollout OR all users receive updates simultaneously OR no rollback capability OR critical updates follow slow rollout

**Evidence**: Update manifest files showing rollout percentages, server-side rollout configuration documentation, test results from multiple instances showing varied timing, rollout logs with cohort information, critical update bypass demonstrations, rollback process documentation

**References**:

- Chrome Staged Rollout: https://chromium.googlesource.com/chromium/src/+/main/docs/updater/functional_spec.md#staged-rollout
- Google Omaha Rollout Mechanisms: https://github.com/google/omaha/blob/main/doc/ServerProtocolV3.md#rollout
- Canary Deployments: https://martinfowler.com/bliki/CanaryRelease.html
- Progressive Delivery Patterns: https://www.split.io/glossary/progressive-delivery/
- NIST Phased Deployment: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final

### Assessment: UPD-REQ-22 (Update domain validation)

**Reference**: UPD-REQ-22 - Browser shall validate that update requests and responses originate from authorized domains with strict certificate requirements

**Given**: A conformant browser with UPD-1 or higher capability

**Task**: Verify that update domain validation prevents server-side request forgery and domain confusion attacks where attackers redirect update requests to malicious servers through HTTP redirects, DNS manipulation, or compromised network infrastructure. Strict domain allowlisting ensures that browsers only download updates from explicitly authorized vendor domains, rejecting any deviation regardless of certificate validity.

**Verification**:

1. Capture update network traffic to identify all domains involved in update process
2. Verify that all update domains are whitelisted or hardcoded in browser configuration
3. Examine TLS certificates for update domains to verify they meet strict requirements (EV or equivalent)
4. Attempt to redirect update requests to unauthorized domains using DNS attacks
5. Test that update domain acceptlist cannot be modified by users or malware
6. Verify that update responses from unauthorized domains are rejected
7. Check that update domain validation includes subdomain restrictions (no wildcards)
8. Test that HTTP redirects to unauthorized domains during update process are rejected
9. Verify that update domain validation occurs for all update-related requests (manifests, downloads, telemetry)
10. Confirm that domain validation failures are logged with domain details
11. All update domains are explicitly whitelisted or hardcoded
12. TLS certificates for update domains meet strict requirements
13. Unauthorized domains are rejected even with valid TLS certificates
14. Domain acceptlist cannot be modified through configuration or registry
15. Subdomain validation is strict (no wildcard matching)
16. HTTP redirects to unauthorized domains are blocked
17. Domain validation applies to all update-related traffic
18. Validation failures are logged with attempted domain information
19. Update domain list is protected and verified at startup

**Pass Criteria**: Update domains are whitelisted/hardcoded AND unauthorized domains are rejected AND domain list cannot be modified AND validation applies to all update traffic AND redirects to unauthorized domains are blocked

**Fail Criteria**: No domain acceptlist OR unauthorized domains accepted OR domain list can be modified OR validation can be bypassed with redirects OR logging insufficient

**Evidence**: Network traffic captures showing update domains, domain acceptlist extraction from browser binary, test results from unauthorized domain redirects, TLS certificate analysis, domain validation logs, configuration modification attempt results

**References**:

- Chrome Update Domain Security: https://chromium.googlesource.com/chromium/src/+/main/docs/updater/protocol_3_1.md#security
- Mozilla Update Domain Policies: https://wiki.mozilla.org/Software_Update#Security
- DNS Security Extensions (DNSSEC): https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
- Extended Validation Certificates: https://en.wikipedia.org/wiki/Extended_Validation_Certificate
- OWASP Server-Side Request Forgery Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
- NIST Domain Validation Guidelines: https://csrc.nist.gov/publications/detail/sp/800-63/3/final

### Assessment: UPD-REQ-23 (Update binary reproducibility)

**Reference**: UPD-REQ-23 - Browser shall support mechanisms to enable verification of binary reproducibility for update transparency and supply chain security

**Given**: A conformant browser with UPD-2 or higher capability

**Task**: Verify that binary reproducibility enables independent verification of update authenticity, protecting against sophisticated supply chain attacks where build infrastructure is compromised to inject backdoors. Reproducible builds allow security researchers and organizations to verify that distributed binaries match published source code, detecting unauthorized modifications introduced during compilation or packaging.

**Verification**:

1. Review browser build and release documentation for reproducible build support
2. Verify that update packages include build metadata (compiler version, build timestamp, source commit)
3. Attempt to reproduce an official update binary from published source code using documented build process
4. Compare reproduced binary hash with official release hash to verify reproducibility
5. Check that build process documentation includes all dependencies and toolchain versions
6. Verify that update transparency logs include binary hashes for independent verification
7. Test that multiple independent parties can reproduce identical binaries from same source
8. Check for availability of build attestations or signed build manifests
9. Verify that non-reproducible elements (timestamps, randomness) are minimized or eliminated
10. Confirm that reproducibility documentation and verification tools are publicly available
11. Browser supports reproducible builds with documented build process
12. Update packages include complete build metadata
13. Independent verification of binary reproducibility is possible
14. Build process documentation includes all dependencies and toolchain versions
15. Multiple builds from same source produce bit-identical binaries
16. Update transparency logs enable third-party verification
17. Non-deterministic build elements are minimized or documented
18. Build attestations or signed manifests are available
19. Public documentation and tools support reproducibility verification

**Pass Criteria**: Reproducible build process is documented AND build metadata is included in updates AND independent parties can verify binary reproducibility AND update transparency supports third-party verification

**Fail Criteria**: No reproducible build support OR build process not documented OR independent verification not possible OR build metadata missing OR excessive non-deterministic elements

**Evidence**: Build process documentation, reproduced binary hash comparisons, build metadata extraction from update packages, transparency log entries, independent build verification results, build attestation signatures, reproducibility verification tool outputs

**References**:

- Reproducible Builds Project: https://reproducible-builds.org/
- Chromium Build Documentation: https://chromium.googlesource.com/chromium/src/+/main/docs/linux/build_instructions.md
- Debian Reproducible Builds: https://wiki.debian.org/ReproducibleBuilds
- NIST Secure Software Development Framework: https://csrc.nist.gov/Projects/ssdf
- SLSA Supply Chain Security Framework: https://slsa.dev/

### Assessment: UPD-REQ-24 (Automatic update application without user intervention)

**Reference**: UPD-0-REQ-23 - Updates shall be applied without user intervention or postponement

**Given**: A conformant browser with UPD-0 capability (forced automatic updates)

**Task**: Verify that updates are applied automatically without any user intervention or ability to postpone, ensuring that security patches are deployed immediately to minimize the window of vulnerability exploitation, protecting users who might otherwise delay critical updates, while accepting the trade-off of reduced user control in exchange for maximum security posture.

**Verification**:

1. Configure browser in UPD-0 mode with forced automatic updates
2. Trigger an update availability (use test update server if available)
3. Verify that update is downloaded automatically without user prompt
4. Verify that update is applied immediately without user confirmation
5. Test that no UI options exist to postpone or decline update
6. Verify that update application proceeds even during active browsing sessions
7. Test that updates install in background without interrupting user workflows
8. Verify that only browser restart (if needed) may be delayed to safe moment
9. Test that critical updates force installation even if browser is in use
10. Verify that users cannot disable automatic update mechanism
11. Test that settings UI shows no postponement options
12. Verify that update process cannot be interrupted or canceled by user
13. Test that updates proceed even if user is not actively using browser

**Pass Criteria**: Updates download automatically AND install without user confirmation AND no postponement options available AND settings prevent disabling automatic updates

**Fail Criteria**: Updates require user confirmation OR postponement is possible OR automatic updates can be disabled OR update process can be interrupted

**Evidence**: Update installation logs showing automatic application, UI screenshots showing no postponement options, settings verification showing forced updates, test scenarios demonstrating immediate installation

**References**:

- NIST Secure Software Development: https://csrc.nist.gov/projects/ssdf
- Automatic Security Updates Best Practices: https://www.us-cert.gov/ncas/tips/ST04-006

### Assessment: UPD-REQ-25 (Automatic browser restart after critical updates)

**Reference**: UPD-0-REQ-24 - Browser shall restart automatically after critical updates when safe

**Given**: A conformant browser with UPD-0 capability after critical update installation

**Task**: Verify that the browser automatically restarts after critical security updates are installed, but only when safe to do so (when user is not in middle of sensitive tasks), ensuring updates become effective immediately while minimizing disruption, balancing security urgency against user experience by detecting safe restart windows and providing brief warnings.

**Verification**:

1. Install critical security update that requires browser restart
2. Verify that browser detects restart requirement
3. Test browser behavior in various states:
   - Idle state (no active tabs or forms)
   - Active browsing (tabs open but no form input)
   - Form input in progress (unsaved data)
   - File downloads in progress
   - Media playback active
4. Verify that browser waits for safe moment to restart in each scenario
5. Test that unsaved form data prevents immediate restart
6. Verify that active downloads are protected from restart
7. Test that brief warning is displayed before automatic restart (e.g., 60 seconds)
8. Verify that warning cannot be dismissed or canceled for critical updates
9. Test that browser session state is preserved across restart
10. Verify that tabs, windows, and browsing history are restored
11. Test that restart occurs automatically if browser remains idle after update
12. Verify that maximum delay before forced restart is reasonable (e.g., 8 hours)

**Pass Criteria**: Browser restarts automatically after critical updates AND waits for safe moments AND preserves user session AND provides brief warning AND forced restart occurs if delayed too long

**Fail Criteria**: No automatic restart OR unsafe restart timing OR session not preserved OR no warning provided OR indefinite delay possible

**Evidence**: Restart behavior logs, timing analysis across different browser states, session preservation verification, warning dialog screenshots, maximum delay testing

**References**:

- User Experience in Security Updates: https://www.usenix.org/conference/soups2016/technical-sessions/presentation/mathur
- Browser Session Management: https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

### Assessment: UPD-REQ-26 (Update postponement with time limits)

**Reference**: UPD-1-REQ-23 - Users shall be able to postpone non-critical updates for limited time (max 7 days)

**Given**: A conformant browser with UPD-1 capability (automatic with postponement)

**Task**: Verify that users can postpone non-critical updates for a limited time (maximum 7 days), providing flexibility for users to control update timing while ensuring that security patches are not delayed indefinitely, balancing user autonomy with security needs by enforcing reasonable time limits after which updates shall be applied.

**Verification**:

1. Trigger availability of non-critical update
2. Verify that update notification provides postponement option
3. Test postponing update and verify it is not installed immediately
4. Verify that postponement options offer reasonable durations (1 day, 3 days, 7 days)
5. Test selecting maximum postponement period (7 days)
6. Verify that browser tracks postponement deadline
7. Test that postponed update becomes mandatory when deadline approaches
8. Verify that warning increases in urgency as deadline nears
9. Test that update is automatically installed when maximum postponement expires
10. Verify that users cannot extend postponement beyond maximum limit
11. Test that multiple postponements don't extend total delay beyond limit
12. Verify that update notification persists until user takes action
13. Test that critical severity updates have shorter or no postponement allowed

**Pass Criteria**: Non-critical updates can be postponed AND maximum postponement is 7 days AND forced installation after deadline AND multiple postponements don't exceed limit AND critical updates have stricter limits

**Fail Criteria**: Indefinite postponement possible OR maximum exceeds 7 days OR no forced installation after deadline OR deadline can be extended indefinitely

**Evidence**: Postponement UI screenshots, deadline tracking verification, forced installation logs after expiry, multiple postponement tests, critical vs non-critical update handling comparison

**References**:

- Update Management Best Practices: https://www.cisecurity.org/insights/white-papers/software-update-and-patch-management-best-practices
- User Control in Security Updates: https://www.usenix.org/conference/soups2016/technical-sessions/presentation/mathur

### Assessment: UPD-REQ-27 (Critical update postponement restrictions)

**Reference**: UPD-1-REQ-24 - Critical security updates shall not be postponable beyond 24 hours

**Given**: A conformant browser with UPD-1 capability with critical security update available

**Task**: Verify that critical security updates addressing actively exploited vulnerabilities or high-severity issues cannot be postponed beyond 24 hours, ensuring that urgent patches are deployed rapidly while still providing minimal user control, recognizing that critical vulnerabilities represent immediate threats requiring prompt mitigation despite user preference for delayed updates.

**Verification**:

1. Trigger availability of critical security update (e.g., zero-day patch)
2. Verify that update is clearly marked as "Critical" or "Security Update"
3. Test that postponement options are limited for critical updates
4. Verify that maximum postponement for critical update is 24 hours or less
5. Test that postponement UI emphasizes urgency and security risk
6. Verify that security rationale is provided explaining criticality
7. Test that warning messages escalate as postponement deadline approaches
8. Verify that browser displays prominent warning if critical update is postponed
9. Test that update is automatically installed when 24-hour deadline expires
10. Verify that users cannot extend critical update postponement
11. Test that "remind me later" options are limited (1 hour, 4 hours, 24 hours max)
12. Verify that background browser processes trigger update even if UI postponed
13. Test that critical updates take priority over user-configured update windows

**Pass Criteria**: Critical updates identified separately AND maximum postponement is 24 hours AND forced installation after deadline AND prominent warnings displayed AND no extension possible

**Fail Criteria**: Critical updates can be postponed beyond 24 hours OR no distinction from non-critical OR insufficient warnings OR deadline can be extended OR no forced installation

**Evidence**: Critical update UI showing restricted postponement, urgency warnings, 24-hour deadline enforcement logs, automatic installation verification, security rationale display

**References**:

- CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Rapid Security Update Deployment: https://www.nist.gov/publications/guide-enterprise-patch-management-technologies

### Assessment: UPD-REQ-28 (Update severity indication)

**Reference**: UPD-1-REQ-25 - Browser shall notify users of pending updates with severity indication

**Given**: A conformant browser with UPD-1 capability with updates available

**Task**: Verify that update notifications clearly indicate update severity (critical, high, medium, low) to help users understand urgency and make informed decisions about update timing, providing transparency about security impact and enabling users to prioritize critical patches while potentially deferring less urgent updates, supporting risk-aware update management.

**Verification**:

1. Trigger updates of various severity levels:
   - Critical security fix for actively exploited vulnerability
   - High severity security patch
   - Medium priority bug fixes and security improvements
   - Low priority feature updates
2. Verify that update notifications display severity level prominently
3. Test that severity is indicated through multiple cues:
   - Text labels ("Critical", "High", "Medium", "Low")
   - Color coding (red for critical, yellow for medium, etc.)
   - Icon indicators (warning symbols, shields)
   - Urgency language in notification text
4. Verify that severity explanation is provided when requested
5. Test that critical severity triggers most prominent notification
6. Verify that postponement options vary based on severity
7. Test that update details explain security impact:
   - CVE identifiers for security issues
   - Brief description of vulnerability addressed
   - Potential attack scenarios prevented
8. Verify that severity assessment is based on objective criteria
9. Test that multiple updates are ordered by severity in UI
10. Verify that severity indication is consistent across all notification channels

**Pass Criteria**: Severity clearly indicated through multiple UI cues AND explanation provided AND varies postponement options AND includes security impact details AND consistent across notifications

**Fail Criteria**: No severity indication OR unclear severity communication OR severity doesn't affect options OR no security impact details OR inconsistent indication

**Evidence**: Notification screenshots for each severity level, severity explanation text, postponement option variations, security impact descriptions, CVE references in updates

**References**:

- CVSS (Common Vulnerability Scoring System): https://www.first.org/cvss/
- Security Update Communication Best Practices: https://www.cisa.gov/coordinated-vulnerability-disclosure-process

### Assessment: UPD-REQ-29 (Automatic updates disabled by default)

**Reference**: UPD-2-REQ-14 - Automatic updates shall be disabled by default

**Given**: A conformant browser with UPD-2 capability (optional automatic updates)

**Task**: Verify that automatic updates are disabled by default in UPD-2 mode, requiring explicit user opt-in before automated update installation occurs, respecting user autonomy and system control in environments where automatic changes may conflict with testing requirements, system stability needs, or bandwidth constraints, while clearly communicating the security risks of manual update management.

**Verification**:

1. Perform fresh browser installation in UPD-2 mode
2. Verify that automatic updates are disabled by default on first run
3. Check browser settings to confirm automatic update state
4. Trigger update availability with automatic updates disabled
5. Verify that update is not downloaded or installed automatically
6. Test that update notification is displayed but requires user action
7. Verify that settings clearly show automatic updates are disabled
8. Test that manual update check is available
9. Verify that enabling automatic updates requires explicit user opt-in:
   - Navigate to settings
   - Locate automatic update toggle
   - Click to enable with confirmation
10. Test that opt-in decision is persistent across browser restarts
11. Verify that first-run wizard or setup offers automatic update option with clear explanation
12. Test that security implications of disabled automatic updates are explained

**Pass Criteria**: Automatic updates disabled by default AND manual action required for updates AND explicit opt-in to enable automatic updates AND security implications explained AND opt-in persists

**Fail Criteria**: Automatic updates enabled by default OR automatic installation occurs without opt-in OR no clear opt-in mechanism OR no security explanation

**Evidence**: Fresh installation default state verification, settings screenshots showing disabled state, manual update workflow, opt-in process documentation, security warning examples

**References**:

- User Autonomy in Software Updates: https://www.w3.org/TR/design-principles/#user-control
- Update Policy Best Practices: https://www.cisecurity.org/insights/blog/patch-management-best-practices

### Assessment: UPD-REQ-30 (Automatic update recommendations)

**Reference**: UPD-2-REQ-15 - Browser shall prominently recommend enabling automatic updates

**Given**: A conformant browser with UPD-2 capability with automatic updates disabled

**Task**: Verify that the browser prominently recommends enabling automatic security updates, educating users about security benefits while respecting their choice to manage updates manually, using clear messaging that explains risks of manual update management without employing dark patterns or coercive tactics, supporting informed decision-making about update policies.

**Verification**:

1. Access browser with automatic updates disabled
2. Verify that recommendation to enable automatic updates is displayed:
   - During initial browser setup/first run
   - In browser settings near update controls
   - In security or privacy dashboard
   - Periodically as gentle reminder (not nagging)
3. Test that recommendation clearly explains benefits:
   - Automatic security patches protect against threats
   - Reduced window of vulnerability exploitation
   - No need to remember to check for updates
   - Background installation minimizes disruption
4. Verify that recommendation is prominent but not intrusive:
   - Visible and easy to find
   - Not blocking workflow or annoying
   - Can be acknowledged/dismissed
   - Does not reappear constantly (dark pattern)
5. Test that enabling automatic updates from recommendation is easy (single click)
6. Verify that recommendation respects user's choice to decline:
   - Clear "No thanks" or "Keep manual" option
   - Choice is remembered
   - Not repeatedly prompted in same session
7. Test that recommendation is balanced and informative, not fear-mongering
8. Verify that recommendation links to detailed information if user wants to learn more

**Pass Criteria**: Recommendation is prominent and visible AND clearly explains benefits AND easy to enable from recommendation AND respects user's choice to decline AND not intrusive or nagging

**Fail Criteria**: No recommendation shown OR unclear benefits OR difficult to enable OR forced enablement OR dark patterns used OR constantly nagging user

**Evidence**: Recommendation display locations and frequency, message content analysis, enablement workflow, dismissal behavior, user choice respect verification

**References**:

- Ethical Design Principles: https://www.w3.org/TR/design-principles/
- Dark Pattern Prevention: https://www.deceptive.design/
- Security Awareness Communication: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content

### Assessment: UPD-REQ-31 (Security warnings for available updates)

**Reference**: UPD-2-REQ-16 - Browser shall display security warnings when updates are available

**Given**: A conformant browser with UPD-2 capability with security updates available

**Task**: Verify that the browser displays clear security warnings when security updates are available but not yet installed, informing users about increased risk from running outdated versions with known vulnerabilities, providing actionable information to encourage timely manual installation without resorting to scare tactics, supporting security awareness for users managing updates manually.

**Verification**:

1. Trigger availability of security update (patch for known vulnerability)
2. Verify that security warning is displayed prominently:
   - Banner or notification in browser UI
   - Icon or badge indicating security risk
   - Entry in security dashboard or settings
3. Test that warning clearly communicates security risk:
   - Updates address security vulnerabilities
   - Outdated version may be vulnerable to attacks
   - Recommendation to install updates promptly
   - Severity indicator if critical update
4. Verify that warning provides direct link to update installation
5. Test that warning persists until update is installed
6. Verify that warning visibility increases with time since update available:
   - Subtle notification initially
   - More prominent after several days
   - Prominent warning after one week
7. Test that warning is informative but not alarmist:
   - Factual language about security risks
   - No fear-mongering or exaggeration
   - Clear call to action
8. Verify that warning includes timestamp (update available since X days)
9. Test that multiple security updates aggregate into single clear warning
10. Verify that warning disappears immediately after update installation

**Pass Criteria**: Security warnings displayed prominently AND clearly communicate risk AND provide direct update link AND escalate with time AND informative without fear-mongering AND disappear after installation

**Fail Criteria**: No security warnings OR unclear risk communication OR no update link OR static visibility OR alarmist language OR warnings persist after update

**Evidence**: Security warning screenshots, warning visibility escalation timeline, language tone analysis, update link functionality, persistence behavior verification

**References**:

- Security Warning Design: https://www.usenix.org/conference/soups2016/technical-sessions/presentation/felt
- Effective Security Communication: https://www.usenix.org/conference/soups2013/proceedings/presentation/akhawe

### Assessment: UPD-REQ-32 (Easy update check and install mechanism)

**Reference**: UPD-2-REQ-17 - Browser shall provide easy mechanism to check for and install updates

**Given**: A conformant browser with UPD-2 capability (optional automatic updates)

**Task**: Verify that users can easily check for available updates and install them manually through intuitive UI controls, ensuring that manual update management is practical and convenient for users who prefer explicit control, providing clear workflow from update check to installation without requiring technical knowledge or complex procedures.

**Verification**:

1. Access browser settings or help menu
2. Verify that "Check for Updates" option is easily findable:
   - Located in expected place (About, Settings, Help menu)
   - Clear, understandable label
   - Accessible within 2-3 clicks from main UI
3. Test manually triggering update check
4. Verify that update check provides clear feedback:
   - Checking animation or progress indicator
   - Clear result message (up-to-date or updates available)
   - Details about available updates
5. Test that update installation is straightforward:
   - Single "Install Update" or "Update Now" button
   - Clear indication of what will happen
   - Progress indicator during download and installation
6. Verify that update process doesn't require advanced technical knowledge
7. Test that update installation is reliable and completes successfully
8. Verify that any restart requirement is clearly communicated
9. Test that update check and install work from multiple entry points
10. Verify that update changelog or release notes are accessible
11. Test that errors during update are handled gracefully with clear messages
12. Verify that users can cancel update download if needed (before installation)

**Pass Criteria**: Update check easily accessible AND clear feedback provided AND simple installation process AND reliable completion AND restart requirements communicated AND multiple access points AND release notes available

**Fail Criteria**: Update check hard to find OR no feedback OR complex installation OR frequent failures OR unclear requirements OR only one access point OR no release information

**Evidence**: UI navigation path to update check, update check workflow screenshots, installation process recordings, error handling examples, accessibility from multiple locations

**References**:

- Usability in Security Features: https://www.usenix.org/conference/soups2006/proceedings
- User-Centered Design for Updates: https://www.w3.org/TR/design-principles/#user-control

### Assessment: UPD-REQ-33 (Full user control over update timing)

**Reference**: UPD-2-REQ-18 - Users shall have full control over update timing and installation

**Given**: A conformant browser with UPD-2 capability with updates available

**Task**: Verify that users have complete control over when and whether to install updates, enabling users to manage update timing according to their needs, workflows, and system requirements, respecting user autonomy fully while acknowledging the security trade-offs, ensuring that users who choose manual update management have necessary tools and information to do so effectively.

**Verification**:

1. Trigger availability of various updates (critical and non-critical)
2. Verify that users can choose whether to install each update
3. Test that users can defer updates indefinitely:
   - No forced installation deadlines
   - No automatic installation after time period
   - User always has option to decline
4. Verify that update notifications can be dismissed
5. Test that dismissed updates don't automatically reinstall
6. Verify that users can choose specific installation timing:
   - Install now
   - Install on next restart
   - Install later (no deadline)
   - Don't install (skip update)
7. Test that users can selectively install some updates while skipping others
8. Verify that skipping updates doesn't prevent checking for newer updates
9. Test that users can postpone updates without time limits
10. Verify that even critical security updates can be declined by user
11. Test that users understand consequences of their choices through clear warnings
12. Verify that update preferences are respected across browser sessions

**Pass Criteria**: Users can defer updates indefinitely AND can decline any update AND can choose specific installation timing AND selective installation possible AND preferences persist AND consequences clearly communicated

**Fail Criteria**: Forced installation occurs OR time limits enforced OR cannot decline updates OR no selective installation OR preferences not persistent OR inadequate consequence communication

**Evidence**: Update control UI showing all options, indefinite deferral testing, selective installation demonstrations, critical update decline verification, preference persistence tests, warning message examples

**References**:

- User Autonomy in Software Design: https://www.w3.org/TR/design-principles/#user-control
- Update Management for Advanced Users: https://www.cisecurity.org/insights/white-papers/software-update-and-patch-management-best-practices

### Assessment: UPD-REQ-34 (Manual update check mechanism)

**Reference**: UPD-3-REQ-11 - Browser shall provide manual update check mechanism

**Given**: A conformant browser with UPD-3 capability (manual updates only)

**Task**: Verify that the browser provides a reliable manual update check mechanism allowing users to check for available updates on demand, ensuring that users who have disabled all automatic update behaviors can still maintain security through manual update management, providing necessary tools for deliberate update workflows in controlled environments.

**Verification**:

1. Verify that automatic update checks are fully disabled in UPD-3 mode
2. Access manual update check mechanism in browser UI
3. Verify that "Check for Updates" is easily accessible:
   - Available in About page, Settings, or Help menu
   - Clear labeling and prominent placement
   - Functional even with all automatic features disabled
4. Test triggering manual update check
5. Verify that check contacts update servers and retrieves current information:
   - Network request to update endpoint
   - Retrieval of latest version metadata
   - Comparison with current browser version
6. Test that check provides clear results:
   - "You are up to date" if current
   - "Update available" with version details if outdated
   - Error message if check fails (network issue, server unavailable)
7. Verify that update check can be performed multiple times without restriction
8. Test that check does not automatically download or install anything
9. Verify that check completes in reasonable time (< 10 seconds typically)
10. Test that check works across different network conditions
11. Verify that check failure doesn't prevent retrying
12. Test that update metadata includes security information and changelog

**Pass Criteria**: Manual check mechanism easily accessible AND reliably contacts update servers AND provides clear results AND doesn't auto-download/install AND works in various network conditions AND includes security information

**Fail Criteria**: No manual check OR difficult to access OR unreliable OR automatically downloads/installs OR frequent failures OR no security information

**Evidence**: Update check UI location and access path, network traffic during check, result message examples for various scenarios, reliability testing across networks, metadata content analysis

**References**:

- Manual Update Management: https://www.cisecurity.org/controls/v8/
- User-Initiated Security Updates: https://www.nist.gov/publications/guide-enterprise-patch-management-technologies

### Assessment: UPD-REQ-35 (Outdated version security warnings)

**Reference**: UPD-3-REQ-12 - Browser shall display security warnings for outdated versions

**Given**: A conformant browser with UPD-3 capability running outdated version

**Task**: Verify that the browser displays persistent security warnings when running significantly outdated versions with known vulnerabilities, informing users about security risks of delayed updates and encouraging timely manual installation, balancing respect for user autonomy with responsibility to communicate security status, especially when manual update management results in vulnerable configurations.

**Verification**:

1. Run browser with outdated version (multiple updates behind current)
2. Verify that security warning is displayed indicating outdated status:
   - Visible banner, icon, or notification
   - Clear message about being out of date
   - Indication of how far behind current version
3. Test that warning communicates security implications:
   - Known vulnerabilities in current version
   - Security fixes available in newer versions
   - Recommendation to update
4. Verify that warning escalates with age of browser version:
   - Minor warning if one version behind
   - Moderate warning if several versions behind
   - Strong warning if critically outdated (>6 months, contains CVEs)
5. Test that warning provides direct path to update mechanism
6. Verify that warning persists across browser sessions
7. Test that warning can be acknowledged but returns periodically
8. Verify that warning does not block browser functionality (not modal dialog)
9. Test that warning includes last update check timestamp
10. Verify that critically outdated versions show prominent, persistent warnings
11. Test that warning differentiates between minor feature updates and security patches
12. Verify that warning disappears after update installation

**Pass Criteria**: Warnings displayed for outdated versions AND clearly communicate security risk AND escalate with version age AND provide update path AND persistent but not blocking AND distinguish security vs feature updates

**Fail Criteria**: No warnings for outdated versions OR unclear risk communication OR static visibility regardless of age OR no update path OR blocking workflow OR doesn't distinguish update types

**Evidence**: Warning screenshots at various version ages, warning escalation timeline, security messaging content, update path accessibility, persistence behavior across sessions

**References**:

- Security Communication Best Practices: https://www.usenix.org/conference/soups2016/technical-sessions/presentation/felt
- Vulnerability Disclosure: https://www.cisa.gov/coordinated-vulnerability-disclosure-process

### Assessment: UPD-REQ-36 (Clear indication of available security updates)

**Reference**: UPD-3-REQ-13 - Browser shall provide clear indication of available security updates

**Given**: A conformant browser with UPD-3 capability with security updates available

**Task**: Verify that the browser clearly distinguishes security updates from feature updates, providing prominent indication when security patches are available, enabling users to prioritize security-critical updates over general improvements, supporting informed manual update decisions by highlighting updates that address vulnerabilities even when user prefers manual installation control.

**Verification**:

1. Trigger availability of mixed updates:
   - Security patch fixing vulnerabilities
   - Feature update adding new capabilities
   - Bug fix update improving stability
2. Verify that security updates are clearly marked:
   - "Security Update" label or badge
   - Security icon (shield, lock) indicator
   - Color coding (red or yellow for security)
   - Separate section in update list
3. Test that security update details explain vulnerability addressed:
   - CVE identifier if applicable
   - Brief vulnerability description
   - Severity rating
   - Potential attack scenarios prevented
4. Verify that security updates are visually prioritized in UI:
   - Listed first in update list
   - Larger or bold text
   - More prominent notification
5. Test that non-security updates are clearly differentiated:
   - "Feature Update" or "Bug Fix" labels
   - Different visual treatment
   - Lower priority in list
6. Verify that mixed updates (security + features) are accurately labeled
7. Test that security update indicators are consistent across all UI locations
8. Verify that users can filter or view only security updates
9. Test that security update urgency is communicated appropriately
10. Verify that users can choose to install only security updates, skipping features

**Pass Criteria**: Security updates clearly distinguished from other types AND vulnerability details provided AND visual prioritization AND consistent indicators AND filtering possible AND selective installation supported

**Fail Criteria**: No distinction between update types OR missing vulnerability details OR no visual differentiation OR inconsistent indicators OR no filtering OR cannot selectively install security updates

**Evidence**: Update list screenshots showing mixed update types, security indicators across various UI locations, CVE information display, filtering UI, selective installation workflow

**References**:

- CVE Program: https://cve.mitre.org/
- Security Update Best Practices: https://www.cisa.gov/sites/default/files/publications/CISA-Cyber-Essentials-Toolkit_Mar2022_508.pdf

### Assessment: UPD-REQ-37 (Explicit user initiation for all updates)

**Reference**: UPD-3-REQ-14 - All updates shall require explicit user initiation

**Given**: A conformant browser with UPD-3 capability with updates available

**Task**: Verify that absolutely no updates occur without explicit user initiation, ensuring complete user control over browser modifications and system changes, respecting environments requiring change control procedures, stability priorities, or bandwidth management, confirming that manual-only update mode provides true autonomy without any automatic behaviors.

**Verification**:

1. Configure browser in UPD-3 (manual only) mode
2. Trigger availability of various updates (critical security and non-critical)
3. Verify that no automatic update checks occur:
   - Monitor network traffic for update check requests
   - Confirm no scheduled background checks
   - Verify no update checks on browser startup
4. Test that updates are not downloaded automatically:
   - Available updates not pre-downloaded
   - No background downloads
   - Network traffic shows no update downloads
5. Verify that updates are not installed without user action:
   - No automatic installation during idle time
   - No installation on browser restart
   - No forced installation for critical updates
6. Test that user should explicitly:
   - Manually check for updates
   - Manually trigger download
   - Manually initiate installation
   - Manually restart browser if needed
7. Verify that even critical security updates require user initiation
8. Test that no "soft" automatic behaviors occur (e.g., automatic check with manual install)
9. Verify that update configuration cannot be bypassed by browser or OS
10. Test that enterprise policies cannot override manual-only setting
11. Verify that browser respects manual-only mode across updates to browser itself

**Pass Criteria**: No automatic update checks AND no automatic downloads AND no automatic installation AND all actions require explicit user initiation AND applies to all update types AND cannot be bypassed

**Fail Criteria**: Any automatic update behavior OR checks without user action OR downloads without initiation OR installation without explicit action OR critical updates bypass manual mode

**Evidence**: Network traffic analysis showing no automatic update activity, manual workflow verification for all update steps, critical update handling in manual mode, policy override testing, mode persistence across updates

**References**:

- Change Control Procedures: https://www.cisecurity.org/controls/v8/
- User Autonomy Principles: https://www.w3.org/TR/design-principles/#user-control

### Assessment: UPD-REQ-38 (Update changelog and security impact display)

**Reference**: UPD-3-REQ-15 - Browser shall display update changelog and security impact

**Given**: A conformant browser with UPD-3 capability with updates available

**Task**: Verify that the browser provides comprehensive changelog and security impact information for updates, enabling informed manual update decisions by clearly documenting what changes each update introduces, what vulnerabilities are addressed, and what security improvements are included, supporting users who need detailed information before authorizing system changes.

**Verification**:

1. Trigger availability of update with mixed changes (security fixes, features, bug fixes)
2. Access update details or changelog in browser UI
3. Verify that changelog is comprehensive and well-organized:
   - Grouped by category (security, features, bug fixes, performance)
   - Chronological or logical ordering
   - Clear, understandable language
4. Test that security section is prominent and detailed:
   - List of CVEs addressed
   - Vulnerability descriptions
   - Severity ratings
   - Attack scenarios prevented
   - Credit to security researchers if applicable
5. Verify that feature changes are clearly documented:
   - New capabilities added
   - Changed behaviors
   - Deprecated features
6. Test that bug fixes are listed with impact descriptions
7. Verify that changelog includes version numbers and dates
8. Test that changelog is accessible before update installation:
   - Available in update notification
   - Viewable in update check results
   - Accessible from browser help/about page
9. Verify that changelog links to detailed documentation if available
10. Test that changelog format is readable (not raw git commits)
11. Verify that security impact is emphasized visually in changelog
12. Test that changelog is available in multiple languages if browser is localized

**Pass Criteria**: Comprehensive changelog provided AND security impact prominently detailed AND CVE information included AND accessible before installation AND well-organized and readable AND emphasized security sections

**Fail Criteria**: No changelog available OR minimal security details OR missing CVE information OR only accessible after installation OR poorly formatted OR security not emphasized

**Evidence**: Changelog screenshots showing all sections, security detail depth analysis, CVE reference verification, accessibility before installation, formatting quality assessment, localization testing

**References**:

- Security Disclosure Best Practices: https://www.cisa.gov/coordinated-vulnerability-disclosure-process
- Software Release Notes Standards: https://docs.gitlab.com/ee/development/changelog.html

## 6.6 Protocol Handler Security Assessments

This section covers assessment procedures for requirements PRO-REQ-1 through PRO-REQ-23, addressing custom protocol handler registration, scheme hijacking prevention, protocol allowlisting, URL scheme security, mobile deep linking, and handler isolation.

### Assessment: PRO-REQ-1 (Protocol handler registration validation)

**Reference**: PRO-REQ-1 - Browser shall validate all custom protocol handler registrations to ensure they meet security requirements before registration

**Given**: A conformant browser with PRO-1 or higher capability

**Task**: Verify that protocol handler registration validation prevents malicious websites from hijacking critical URL schemes or injecting XSS vectors through handler templates. Without strict validation, attackers could register handlers for privileged schemes like javascript: or craft handler URLs containing script injection, enabling cross-site scripting attacks when victims click protocol links.

**Verification**:

1. Navigate to a test page that attempts to register a custom protocol handler using registerProtocolHandler()
2. Test registration with a valid web+custom scheme (e.g., web+music, web+calendar)
3. Attempt to register a handler for a dangerous built-in scheme (http, https, file, javascript)
4. Verify that the browser rejects registration attempts for privileged schemes
5. Test registration with malformed URL templates (missing %s placeholder, invalid URL format)
6. Verify that only HTTPS origins can register protocol handlers (HTTP origins should be rejected)
7. Test that the handler URL template is properly validated for XSS vectors
8. Attempt to register handlers with data: or blob: URLs and verify rejection
9. Test registration from an iframe and verify same-origin policy enforcement
10. Verify that successful registrations require user permission or confirmation
11. Valid web+custom scheme registrations are accepted after validation
12. Built-in privileged schemes (http, https, file, javascript, data, blob) cannot be registered
13. Only HTTPS origins can register protocol handlers
14. URL templates shall include %s placeholder and be valid URLs
15. Malformed registrations are rejected with appropriate error messages
16. XSS vectors in handler URLs are sanitized or rejected
17. Registration from iframes follows same-origin policy
18. User permission is required before handler activation

**Pass Criteria**: Browser validates protocol registrations AND rejects privileged schemes AND requires HTTPS origins AND validates URL templates AND requires user permission

**Fail Criteria**: Privileged schemes can be registered OR HTTP origins accepted OR invalid URL templates accepted OR no user permission required OR XSS vectors not sanitized

**Evidence**: Screenshots of registration attempts for various schemes, console error messages for rejected registrations, permission prompt screenshots, network traces showing HTTPS enforcement, XSS test results, developer console outputs

**References**:

- WHATWG HTML Standard - registerProtocolHandler: https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers
- MDN registerProtocolHandler API: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler
- Custom URL Scheme Security: https://tools.ietf.org/html/rfc8252#section-7.1
- Protocol Handler Security Best Practices: https://www.chromium.org/developers/design-documents/create-amazing-password-forms/
- OWASP URL Validation: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
- Web Application Security Working Group: https://www.w3.org/2011/webappsec/

### Assessment: PRO-REQ-2 (User consent for custom protocols)

**Reference**: PRO-REQ-2 - Browser shall obtain explicit user consent before activating custom protocol handlers

**Given**: A conformant browser with PRO-1 or higher capability

**Task**: Verify that protocol handler consent requirements prevent malicious websites from silently registering handlers that could launch local applications or exfiltrate data through custom protocols without user knowledge. Explicit consent ensures users understand which websites can intercept specific protocol schemes, protecting against protocol handler hijacking where attackers register handlers to intercept sensitive protocol activations.

**Verification**:

1. Register a custom protocol handler (web+test) on a test page
2. Verify that registration triggers a permission prompt to the user
3. Test that the permission prompt clearly identifies the scheme and handling origin
4. Click a link with the custom protocol (web+test:example) and verify activation prompt
5. Test that users can allow, deny, or remember the choice for the handler
6. Verify that denying handler activation falls back to default behavior or shows error
7. Test that remembered choices persist across browser sessions
8. Navigate to browser settings and verify users can revoke protocol handler permissions
9. Test that each origin requires separate consent (cross-origin isolation)
10. Verify that permission prompts cannot be spoofed or triggered without user action
11. Protocol handler registration shows clear permission prompt
12. Permission prompt identifies the custom scheme and requesting origin
13. Activation of custom protocol shows confirmation before launching handler
14. Users can allow, deny, or set persistent preferences
15. Permission choices persist across sessions
16. Settings provide UI to view and revoke handler permissions
17. Each origin requires independent user consent
18. Permission prompts are genuine browser UI (not web content)
19. Consent is required for each distinct protocol scheme

**Pass Criteria**: Explicit user consent required for registration AND activation prompts shown before launching AND permissions are manageable in settings AND cross-origin isolation enforced

**Fail Criteria**: No consent prompts displayed OR handlers activate without user permission OR permissions cannot be revoked OR cross-origin handlers share permissions

**Evidence**: Screenshots of permission prompts (registration and activation), settings UI showing handler permissions, video recording of consent flow, persistent permission test results, cross-origin permission isolation tests, prompt timing analysis

**References**:

- WHATWG HTML Standard - User Activation: https://html.spec.whatwg.org/multipage/interaction.html#tracking-user-activation
- Permissions API Specification: https://www.w3.org/TR/permissions/
- User Consent Best Practices: https://www.w3.org/TR/security-privacy-questionnaire/
- GDPR Consent Requirements: https://gdpr.eu/gdpr-consent-requirements/
- Chrome Permission UX Guidelines: https://developer.chrome.com/docs/extensions/mv3/permission_warnings/
- Mozilla Permission Prompts: https://support.mozilla.org/en-US/kb/permissions-manager-give-ability-store-passwords-set-cookies-more

### Assessment: PRO-REQ-3 (Protocol allowlist enforcement)

**Reference**: PRO-REQ-3 - Browser shall enforce protocol allowlists that restrict which custom schemes can be registered

**Given**: A conformant browser with PRO-1 or higher capability

**Task**: Verify that protocol allowlist enforcement prevents registration of dangerous schemes that could enable code execution, data exfiltration, or privilege escalation through protocol handlers. Strict allowlisting blocks attackers from registering handlers for privileged schemes like vbscript: or shell: that could execute arbitrary code when activated.

**Verification**: