Commit adec7962 authored by Andrew Whalley's avatar Andrew Whalley

Add a requirement that all Powerful Web Platform Features are listed in

documentation, and use that in a few assessment steps that should be
done on all such features.

Change the requirement on permissions policy framework to one that
prevents embedded cross origin iframes from using powerful features
by default, rather than focusing on the allow mechanism.
parent 7fe323da
+66 −34
@@ -477,7 +477,9 @@ Example: The extension execution process runs with no greater operating system p

<mark>Editor's note: This covers the default configuration - the exploitation mitigation is covered in section 5.12.</mark>

**[REQ-PWR-SBD-1]** The product shall provide a mechanism for users to select the default behaviour when a web page wishes to use a given Powerful Web Platform Feature, which shall at least include denying by default.
**[REQ-PWR-SBD-1]** The product's technical documentation shall describe all web platform APIs it implements that fall under the definition of a Powerful Web Platform Feature, detailing the specific APIs and the mechanism by which express user permission is obtained before they can be used by a website.

**[REQ-PWR-SBD-2]** The product shall provide a mechanism for users to select the default behaviour when a web page wishes to use a given Powerful Web Platform Feature, which shall at least include denying by default.

## 5.4 Secure Updates
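Review bot: renumbering the existing deny-by-default requirement from [REQ-PWR-SBD-1] to [REQ-PWR-SBD-2] changes the meaning of every existing cross-reference to [REQ-PWR-SBD-1], so each one outside this patch needs checking; in addition, the editor's note under 5.10 in this same patch records that the technical-documentation question "was not concluded" (HAS objected to technical docs, Sam proposed user docs), yet the new [REQ-PWR-SBD-1] settles on "technical documentation" without comment. Either add an editor's note to the new requirement recording that this is provisional, or resolve the 5.10 note in the same change.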

@@ -662,7 +664,7 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

<mark>Editor's note: Discussion around this was not concluded. HAS did not like asking for technical docs. Sam raised asking for user docs instead. Andrew suggested that in some circumstances it's not needed at all, eg explicit cooperation between client and server. Daniel E had concerns about lowering the bar even in cooperation contexts.</mark>

**[REQ-PWR-IM-1]** The product shall implement a permissions policy framework that allows a top-level document to selectively limit the Powerful Web Platform Features available embedded iframes.
**[REQ-PWR-IM-1]** The product shall deny cross-origin iframes access to Powerful Web Platform Features by default.

## 5.11 Minimisation of Attack Surfaces
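Review bot: the new [REQ-PWR-IM-1] text states only the default and drops any mention of the delegation mechanism the old wording covered, while [ACC-PWR-IM-1] later in this patch assesses the behaviour "without explicit delegation from the top-level document". Suggest "The product shall deny cross-origin iframes access to Powerful Web Platform Features by default, unless the top-level document explicitly delegates access to the iframe." so that the assessment's delegation qualifier is backed by normative text.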

@@ -1108,6 +1110,36 @@ The following steps are to be carried out in order:

Assessment of [REQ-PWR-SBD-1]

**Assessment Reference:** The product's technical documentation shall describe all web platform APIs it implements that fall under the definition of a Powerful Web Platform Feature, detailing the specific APIs and the mechanism by which express user permission is obtained before they can be used by a website.

**Assessment Objective:** The Powerful Web Platform Features supported by the product are documented.

**Assessment Preparation:**

- The product's technical documentation.

**Assessment Activities:**

-  Review the documentation.

**Assignment of Verdict:**

- **Pass**:

    - The product's technical documentation correctly lists the Powerful Web Platform Features supported by the product.
    - For each Powerful Web Platform Feature listed, the mechanism by which express user permission is obtained is detailed.

- **Fail**:
    - Any of the above are not fulfilled.

**Supporting Evidence:**

- Log of documentation review.

### [ACC-PWR-SBD-2]

Assessment of [REQ-PWR-SBD-2]

**Assessment Reference:** The product shall provide a mechanism for users to select the default behaviour when a web page wishes to use a given Powerful Web Platform Feature, which shall at least include denying by default.

**Assessment Objective:** The product provides a mechanism for users to configure default behaviour when a web page requests to use a Powerful Web Platform Feature.
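Review bot: the Pass verdict requires that the documentation "correctly lists the Powerful Web Platform Features supported by the product", but the only activity is "Review the documentation", which on its own cannot establish that the list is complete or correct. Add an activity that cross-checks the documented list against the product, for example exercising the features used by the test pages of [ACC-PWR-SBD-2] and confirming each is present in the list, and add a Fail bullet for an implemented Powerful Web Platform Feature that is absent from the documentation. The Fail bullet is also missing the blank line before its sub-bullet that the Pass bullet has.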
@@ -1115,23 +1147,25 @@ Assessment of [REQ-PWR-SBD-1]
**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses a Powerful Web Platform Feature.
- Test web page or pages that exercises every Powerful Web Platform Feature identified in the product's technical documentation.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Locate the product's UI that allows configuring the default behaviour of individual Powerful Web Platform Features.
2. Verify the existence of an option to deny or block access to the Powerful Web Platform Feature used by the test web page by default, and apply this setting.
3. Navigate to the test web page and trigger the request for access to the Powerful Web Platform Feature.
2. Verify the existence of options to deny or block access by default to every Powerful Web Platform Features supported by the product.
3. For each Powerful Web Platform Feature, set the default behaviour to block or deny.
3. Navigate to the test web page or pages and trigger the request to access every Powerful Web Platform Feature.

**Assignment of Verdict:**

- **Pass**:
    - The product settings provide an option to deny access to specific Powerful Web Platform Features by default.
    - Applying the setting automatically blocks the test web page's access to the Powerful Web Platform Feature without presenting a permission prompt to the user.
    - The product settings provide an option to individually deny access to all supported Powerful Web Platform Features by default.
    - Applying the setting automatically blocks the test web page's access to Powerful Web Platform Features without presenting a permission prompt to the user.
- **Fail**: 
    - The deny-by-default option does not exist.
   - The Powerful Web Platform Feature is still accessible or still prompts the user despite the deny-by-default setting being applied.
    - Any Powerful Web Platform Feature is still accessible, or still prompts the user despite the deny-by-default setting being applied.

**Supporting Evidence:**

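Review bot: the step list now has two steps numbered 3 ("For each Powerful Web Platform Feature, set the default behaviour to block or deny." and "Navigate to the test web page or pages and trigger the request ..."); renumber them 3 and 4. Step 2 should read "every Powerful Web Platform Feature" (singular), and the preparation item "Test web page or pages that exercises" should read "exercise". Since the verdict is now over all features, the Supporting Evidence should also call for a per-feature record of which setting was applied and what was observed, otherwise a single screenshot cannot substantiate the "Any Powerful Web Platform Feature" Fail criterion.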
@@ -1513,22 +1547,21 @@ Assessment of [REQ-PWR-AAC-1]
**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses various Powerful Web Platform Features.
- Test web page or pages that exercises every Powerful Web Platform Feature identified in the product's technical documentation.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Navigate to the test web page.
2. Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is not available to the web page.
3. Trigger the script to request the Powerful Web Platform Feature.
4. Take whatever action is necessary to allow the web page access to the Powerful Web Platform Feature.
5. Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is now available to the web page.
- For every Powerful Web Platform Feature identified in the product's technical documentation:
	- Navigate to the test web page.
    - Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is not available to the web page.
    - Trigger the script to request the Powerful Web Platform Feature.
    - Take whatever action is necessary to allow the web page access to the Powerful Web Platform Feature.
    - Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is now available to the web page.

**Assignment of Verdict:**

- **Pass**:
    - The web page does not receive access to the Powerful Web Platform Feature unless the user has taken an action to explicitly approve.
    - The web page does not receive access to Powerful Web Platform Features unless the user has taken an action to explicitly approve.
- **Fail**: 
    - The above is not fulfilled.
   
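Review bot: the first sub-bullet ("Navigate to the test web page.") is indented with a tab while the remaining sub-bullets use four spaces, so the nested list will render inconsistently; use spaces throughout. The preparation item "Test web page or pages that exercises" should read "exercise". As the loop now repeats per feature, state whether the page is reloaded between features or all features are requested from one page load, since a permission granted for one feature must not be mistaken for access to the next.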
@@ -1857,21 +1890,22 @@ Assessment of [REQ-PWR-INT-2]
**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses various Powerful Web Platform Features accessed via a non-secure context.
- Test web page or pages that exercises every Powerful Web Platform Feature identified in the product's technical documentation in a non-secure context.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Navigate to the test web page.
2. Trigger the script to request the Powerful Web Platform Feature.
3. Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is not available to the web page.
- For every Powerful Web Platform Feature identified in the product's technical documentation:
    - Navigate to the test web page.
    - Trigger the script to request the Powerful Web Platform Feature.
    - Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is not available to the web page.

**Assignment of Verdict:**

- **Pass**:
    - The user is not prompted to grant access to the Powerful Web Platform Feature.
     - The web page does not receive access to the Powerful Web Platform Feature.
    - The user is not prompted to grant access to any Powerful Web Platform Feature.
    - The web page does not receive access to any Powerful Web Platform Feature.
- **Fail**: 
    - Any of the above are not fulfilled.
   
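Review bot: the preparation says the test pages are loaded "in a non-secure context" but nothing in the activities confirms that this is actually the case, and the whole verdict depends on it. Add a step before triggering each request that verifies the page is a non-secure context (for example, `window.isSecureContext` evaluating to `false` in the page's console log, alongside the console checks already used here), and state in the preparation that the pages are served over plain http:// from a host that the product does not treat as a secure context. The preparation item "Test web page or pages that exercises" should also read "exercise".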
@@ -1950,7 +1984,6 @@ The following steps are to be carried out in order:
- Console logs and/or UI captures from the test web page showing access to the Powerful Web Platform Features has been granted to the test page in Profile A.
- Console logs and/or UI captures from the test web page showing no access to the Powerful Web Platform Features to the test page in Profile B.


## 6.9 Availability Protection

Proposed ESR code: AP
@@ -2085,28 +2118,27 @@ The following steps are to be carried out in order:

Assessment of [REQ-PWR-IM-1]

**Assessment Reference:** The product shall implement a permissions policy framework that allows a top-level document to selectively limit the Powerful Web Platform Features available to embedded iframes.
**Assessment Reference:** The product shall deny cross-origin iframes access to Powerful Web Platform Features by default.

**Assessment Objective:** The product enforces policy mechanisms that restrict Powerful Web Platform Features.
**Assessment Objective:** The product prevents cross-origin iframes from accessing Powerful Web Platform Features without explicit delegation from the top-level document.

**Assessment Preparation:**
- The product installed from scratch, or reset to its default settings.
- A top-level test web page such as to deny the use of a Powerful Web Platform Feature.
- An embedded cross-origin iframe inside the test page.
- Scripts in both the top-level page and the iframe attempting to request the restricted feature.
- A top-level test web page hosted on Origin A.
- An embedded cross-origin iframe hosted on Origin B inside the test page, configured without any explicit permission delegation.
- A script in the cross-origin iframe attempting to request a Powerful Web Platform Feature.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Load the top-level test web page.
2. Attempt to use the feature from the top-level script.
3. Attempt to use the feature from the embedded iframe script.
2. Trigger the script to request the Powerful Web Platform Feature from within the embedded cross-origin iframe.

**Assignment of Verdict:**

- **Pass**:
    - Access to the feature is blocked for both the top-level page and the iframe automatically, without prompting the user, in accordance with the policy.
    - Access to the feature is blocked for the cross-origin iframe automatically, without prompting the user.
- **Fail**: 
    - The above is not fulfilled.
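Review bot: this assessment still tests "a Powerful Web Platform Feature" while every other assessment in this patch was changed to cover "every Powerful Web Platform Feature identified in the product's technical documentation"; align the preparation and step 2 with that wording so the iframe default is checked for the full documented list. Separately, the activities exercise only the undelegated case, so the objective's "without explicit delegation from the top-level document" is never distinguished from a product that cannot grant the feature to iframes at all; either add a positive control in which the Origin A page explicitly delegates the feature to the Origin B iframe and the request then proceeds as it would for a top-level page, or drop the qualifier from the objective. The preparation should also make explicit that Origin B differs from Origin A in scheme, host or port, since that is what makes the iframe cross-origin.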