Commit c879ae9b authored by Andrew Whalley's avatar Andrew Whalley Committed by Daniel Thompson-Yvetot

Powerful features: Changes to requirements, and addition of assessments

parent 027e0f1c
+320 −21
@@ -182,7 +182,7 @@ Origin: An origin in browser products is the compound of the scheme, host and po

Same-origin policy: A security model in browser products used to determine whether assets and state should be shared or not between web page execution contexts.

Powerful Web Platform Feature: A web platform feature (usually an API) the web browser provides to a website that directly exposes: video capture, audio capture, location information, filesystem contents, clipboard contents, the host operating system, external applications, screen contents, system notifications, connected peripherals, local network services, Personally Identifiable Information, or other such highly sensitive data or capabilities.
Powerful Web Platform Feature: A web platform API the web browser provides to a website that directly exposes: cameras, microphones, location information, clipboard contents, screen contents, system notifications, external peripherals, or payment methods.

Secure Context: Typically a web page that meets minimum standards of authentication and confidentiality by delivering content over an encrypted and authenticated channel like HTTPS, as fully defined by https://w3c.github.io/webappsec-secure-contexts/.
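Review bot: the rewritten definition of Powerful Web Platform Feature (the second of the two definition lines) drops filesystem contents, the host operating system, external applications, local network services and Personally Identifiable Information, and also loses the "or other such highly sensitive data or capabilities" catch-all, so every REQ-PWR-* clause stops applying to those capabilities and to any similar API added later. If the narrowing is deliberate, record it in the commit message or an editor's note; otherwise keep the catch-all phrase so the list stays illustrative rather than exhaustive.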

@@ -477,9 +477,7 @@ Example: The extension execution process runs with no greater operating system p

<mark>Editor's note: This covers the default configuration - the exploitation mitigation is covered in section 5.12.</mark>

**[REQ-PWR-SBD-1]** Web browsers shall provide a mechanism for users to select the default behaviour when a webpage wishes to use a given Powerful Web Platform Feature, which shall at least include denying by default.

**[REQ-PWR-SBD-2]** The web browser may support enterprise or parental policy controls that allow administrators to alter how access to Powerful Web Platform Features is controlled.
**[REQ-PWR-SBD-1]** The product shall provide a mechanism for users to select the default behaviour when a web page wishes to use a given Powerful Web Platform Feature, which shall at least include denying by default.

## 5.4 Secure Updates
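Review bot: deleting **[REQ-PWR-SBD-2]** leaves no clause in the section about enterprise or parental policy controls over Powerful Web Platform Features, and neither the hunk nor the commit message records why. If policy controls are intentionally out of scope for this version, an editor's note beside the retained **[REQ-PWR-SBD-1]** would make that decision visible to later reviewers.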

@@ -540,11 +538,7 @@ Example: Web pages may load images from other origins, message using `window.pos

<mark>Editor's note: need to add examples for cross domain storage access is allowed, etc.</mark>

**[REQ-PWR-AAC-1]** The web browser shall require express user permission before exposing data via Powerful Web Platform Features.

**[REQ-PWR-AAC-2]** The web browser shall allow the user to limit the grant of a Powerful Web Platform Feature to the current browsing session.

**[REQ-PWR-AAC-3]** The product shall allow the user to deny the granting of the Powerful Web Platform Feature.
**[REQ-PWR-AAC-1]** The product shall require express user permission before allowing a web page to use Powerful Web Platform Features.

## 5.6 Confidentiality
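Review bot: the hunk removes **[REQ-PWR-AAC-2]** (limiting a grant to the current browsing session) and **[REQ-PWR-AAC-3]** (the ability to deny) without replacement. AAC-3 is arguably covered by the deny-by-default option in **[REQ-PWR-SBD-1]**, but session-scoped grants are covered by no remaining clause; consider keeping AAC-2, or stating in the retained **[REQ-PWR-AAC-1]** that the lifetime of a grant is the user's choice.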

@@ -604,7 +598,7 @@ Note: TLS-related clauses contribute to integrity.

**[REQ-EXT-INT-1]**: The product shall cryptographically verify extensions before installation and update.

**[REQ-PWR-INT-1]** The web browser shall protect permission prompts against manipulation by the webpage.
**[REQ-PWR-INT-1]** The product shall protect permission prompts against manipulation by the web page.

**[REQ-PWR-INT-2]** The product shall only enable Powerful Web Platform Features for use within Secure Contexts.

@@ -616,13 +610,10 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

Note: TLS-related clauses contribute to data minimization.

**[REQ-PWR-DM-1]** Powerful Web Platform Feature permissions shall be origin-scoped by default, with broader scoping permitted only via express user action (e.g. in settings), or opt-in by the origins.
**[REQ-PWR-DM-1]** Powerful Web Platform Feature permissions shall be origin-scoped by default, with broader scoping permitted only via express user action, or opt-in by the origins.

**[REQ-PWR-DM-2]** Powerful Web Platform Feature permissions decisions shall apply to each Browser Profile separately.

**[REQ-PWR-DM-3]** Web browsers shall provide users with the ability to grant granular permission to Powerful Web Platform Features.


## 5.9 Availability Protection

Proposed ESR code: AP
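Review bot: dropping **[REQ-PWR-DM-3]** removes the only requirement for granular permission grants, and the deletion leaves two consecutive blank lines before "## 5.9 Availability Protection". Removing "(e.g. in settings)" from **[REQ-PWR-DM-1]** also leaves "express user action" without any illustration of what qualifies; keep the example or define the term.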
@@ -671,9 +662,7 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

<mark>Editor's note: Discussion around this was not concluded. HAS did not like asking for technical docs. Sam raised asking for user docs instead. Andrew suggested that in some circumstances it's not needed at all, eg explicit cooperation between client and server. Daniel E had concerns about lowering the bar even in cooperation contexts.</mark>

**[REQ-PWR-IM-1]** The product shall implement a permissions policy framework that allows a top-level website to selectively limit the Powerful Web Platform Features available to itself and any embedded iframes.

**[REQ-PWR-IM-2]** The product shall implement a permissions policy framework that allows a top-level website to explicitly delegate access to specific Powerful Web Platform Features to embedded iframes.
**[REQ-PWR-IM-1]** The product shall implement a permissions policy framework that allows a top-level document to selectively limit the Powerful Web Platform Features available embedded iframes.

## 5.11 Minimisation of Attack Surfaces
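Review bot: the rewritten **[REQ-PWR-IM-1]** reads "available embedded iframes" and is missing "to" ("available to embedded iframes"); the assessment reference added later in this commit already uses the corrected wording, so the requirement and its assessment text disagree. Separately, deleting **[REQ-PWR-IM-2]** removes the delegation half of the permissions policy framework; if delegation is intentionally out of scope, say so in an editor's note.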

@@ -756,7 +745,7 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-STORE-LOG-1]** The product shall provide an interface for viewing information about stored data at a granularity of site or narrower (e.g. origin).

**[REQ-PWR-LOG-1]** The web browser shall provide a user interface listing the Powerful Web Platform Features granted or denied to the web page being displayed.
**[REQ-PWR-LOG-1]** The product shall provide a user interface listing the Powerful Web Platform Features granted or denied to the web page being displayed.

## 5.14 Data Removal and Transparency
Proposed ESR code: DRT
@@ -775,7 +764,7 @@ Applicability: Web browsers which allow changing TLS-related settings.

**[REQ-STORE-DRT-3]** The product shall have a user interface for deleting storage at a granularity of site or narrower (e.g. origin).

**[REQ-PWR-DRT-1]** The web browser shall provide a user interface allowing revocation of previously granted permissions for Powerful Web Platform Features.
**[REQ-PWR-DRT-1]** The product shall provide a user interface allowing revocation of previously granted permissions for Powerful Web Platform Features.

## 5.15 Vulnerability Handling

@@ -1113,6 +1102,43 @@ The following steps are to be carried out in order:

**Supporting Evidence:**
- Console log output from the test extension demonstrated state access or denial.


### [ACC-PWR-SBD-1]

Assessment of [REQ-PWR-SBD-1]

**Assessment Reference:** The product shall provide a mechanism for users to select the default behaviour when a web page wishes to use a given Powerful Web Platform Feature, which shall at least include denying by default.

**Assessment Objective:** The product provides a mechanism for users to configure default behaviour when a web page requests to use a Powerful Web Platform Feature.

**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses a Powerful Web Platform Feature.
**Assessment Activities:**

The following steps are to be carried out in order:

1. Locate the product's UI that allows configuring the default behaviour of individual Powerful Web Platform Features.
2. Verify the existence of an option to deny or block access to the Powerful Web Platform Feature used by the test web page by default, and apply this setting.
3. Navigate to the test web page and trigger the request for access to the Powerful Web Platform Feature.

**Assignment of Verdict:**

- **Pass**:
    - The product settings provide an option to deny access to specific Powerful Web Platform Features by default.
    - Applying the setting automatically blocks the test web page's access to the Powerful Web Platform Feature without presenting a permission prompt to the user.
- **Fail**: 
   - The deny-by-default option does not exist.
   - The Powerful Web Platform Feature is still accessible or still prompts the user despite the deny-by-default setting being applied.

**Supporting Evidence:**

- Screenshots of the settings UI presenting the option.
- Console logs and/or UI captures from the test web page showing the denied request.


## 6.4 Secure Updates

Proposed ESR code: SU
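Review bot: in the new ACC-PWR-SBD-1 the Assessment Activities end at step 3 (trigger the request) with no step recording the observation the verdict depends on; add a step 4 such as "Verify via the web page's behaviour and/or console log that no prompt is shown and the feature is not available", matching the pattern of the other assessments. Formatting: a blank line is missing between the Assessment Preparation list and "**Assessment Activities:**", and the Fail sub-bullets are indented three spaces where the Pass sub-bullets use four.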
@@ -1126,6 +1152,7 @@ Assessment of [REQ-TLS-SU-1]
**Assessment Objective:** The product's root store is kept up to date in accordance with the documented policy.

**Assessment Preparation:**

- Install the product from scratch, or reset it to its default settings.
- Locate the documented policy describing how and when the trusted root store is updated.
- Capture the initial trusted root store contents.
@@ -1139,12 +1166,14 @@ The following steps are to be carried out in order:
3. Compare the change against the documented policy.

**Assignment of Verdict:**

- **Pass**:
    - The documented update mechanism functions as documented
    - The resulting change to the root store is consistent with the documented policy.
- **Fail**: Either of the above are not fulfilled.

**Supporting Evidence:**

- Documented root store update policy.
- List of trusted roots before and after the update.

@@ -1472,6 +1501,44 @@ Assessment of [REQ-STORE-ACC-2]
- **Supporting Evidence**: 
    - Screenshot(s) or log output from tooling to demonstrate each verdict


### [ACC-PWR-AAC-1]

Assessment of [REQ-PWR-AAC-1]

**Assessment Reference:** The product shall require express user permission before allowing a web page to use Powerful Web Platform Features.

**Assessment Objective:** The product does not allow web pages to access Powerful Web Platform Features without express user permission.

**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses various Powerful Web Platform Features.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Navigate to the test web page.
2. Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is not available to the web page.
3. Trigger the script to request the Powerful Web Platform Feature.
4. Take whatever action is necessary to allow the web page access to the Powerful Web Platform Feature.
5. Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is now available to the web page.

**Assignment of Verdict:**

- **Pass**:
    - The web page does not receive access to the Powerful Web Platform Feature unless the user has taken an action to explicitly approve.
- **Fail**: 
    - The above is not fulfilled.
   
**Supporting Evidence:**

- Screenshots of the UI allowing the user to give express permission to access the Powerful Web Platform Feature.
- Console logs and/or UI captures from the test web page showing no access was possible prior to user approval.
- Console logs and/or UI captures from the test web page showing access was possible after user approval.


## 6.6 Confidentiality

Proposed ESR code: CON
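Review bot: step 4 of ACC-PWR-AAC-1 ("Take whatever action is necessary to allow the web page access") lets the assessor grant access by any route, yet the Pass verdict hinges on that route being an explicit user approval; specify that the action must be taken through the product's permission prompt or settings UI and that the action taken is recorded in the Supporting Evidence. Minor: the line after the Fail bullet contains only whitespace.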
@@ -1748,10 +1815,142 @@ The following steps are to be carried out in order:
- Extension console logs.
- Product user interface captures.

### [ACC-PWR-INT-1]

Assessment of [REQ-PWR-INT-1]

**Assessment Reference:** The product shall protect permission prompts against manipulation by the web page.

**Assessment Objective:** Permission prompts cannot be obscured, modified, or approved by web pages.

**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses a Powerful Web Platform Feature and attempts to manipulate the product's permission prompt. For example by utilizing CSS z-index overlays, transparent iframes, DOM manipulation etc.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Navigate to the test web page.
2. Trigger the script to request access to the Powerful Web Platform Feature.

**Assignment of Verdict:**

- **Pass**:
    - Any permission prompt is unable to be obscured or manipulated by the test web page.
- **Fail**: 
    - The above is not fulfilled.

**Supporting Evidence:**

- Screenshot of the permission prompt or other UI surface.

### [ACC-PWR-INT-2]

Assessment of [REQ-PWR-INT-2]

**Assessment Reference:** The product shall only enable Powerful Web Platform Features for use within Secure Contexts.

**Assessment Objective:** Web pages accessed via non-secure contexts are unable to use Powerful Web Platform Features. 

**Assessment Preparation:**

- The product installed from scratch, or reset to its default settings.
- A test web page that uses various Powerful Web Platform Features accessed via a non-secure context.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Navigate to the test web page.
2. Trigger the script to request the Powerful Web Platform Feature.
3. Verify via the web page's behaviour and/or console log that the Powerful Web Platform Feature is not available to the web page.

**Assignment of Verdict:**

- **Pass**:
    - The user is not prompted to grant access to the Powerful Web Platform Feature.
     - The web page does not receive access to the Powerful Web Platform Feature.
- **Fail**: 
    - Any of the above are not fulfilled.
   
**Supporting Evidence:**

- Console logs and/or UI captures from the test web page showing no access to the Powerful Web Platform Features.

## 6.8 Data Minimisation

Proposed ESR code: DM

### [ACC-PWR-DM-1]

Assessment of [REQ-PWR-DM-1]

**Assessment Reference:**  Powerful Web Platform Feature permissions shall be origin-scoped by default, with broader scoping permitted only via express user action, or opt-in by the origins.

**Assessment Objective:** A permission granted to one origin is not automatically inherited by a different origin without explicit intent.

**Assessment Preparation:**
- The product installed from scratch, or reset to its default settings.
- Two test web pages hosted on distinct origin (Origin A and Origin B), that both request the same Powerful Web Platform Feature.
- Two test web pages hosted on distinct sites (Site A and Site B), that both request the same Powerful Web Platform Feature.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Load Origin A, trigger the request, and explicitly grant the permission.
2. Verify Origin A has access.
3. Load Origin B and attempt to access the Powerful Web Platform Feature.
4. Load Site A, trigger the request, and explicitly grant the permission.
5. Verify Site A has access.
6. Load Site B and attempt to access the Powerful Web Platform Feature.

**Assignment of Verdict:**

- **Pass**:
    - Origin B does not inherit the permission and must prompt the user independently or fail automatically.
    - Site B does not inherit the permission and must prompt the user independently or fail automatically.
- **Fail**: 
    - Any of the above are not fulfilled.
   
**Supporting Evidence:**
- Console logs and/or UI captures from the test web page showing access to the Powerful Web Platform Features has been granted to the test page on Origin A.
- Console logs and/or UI captures from the test web page showing no access to the Powerful Web Platform Features to the test page on Origin B.

### [ACC-PWR-DM-2]

Assessment of [REQ-PWR-DM-2]

**Assessment Reference:**  Powerful Web Platform Feature permissions decisions shall apply to each Browser Profile separately.

**Assessment Objective:** A permission granted or denied in one Browser Profile does not extend to another Browser Profile.

**Assessment Preparation:**
- The product installed from scratch, or reset to its default settings and configured with two distinct Browser Profiles (e.g., Profile A and Profile B).
- A test web page that uses a Powerful Web Platform Feature.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Load the test site in Profile A, trigger the request, and explicitly grant the permission.
2. Load the test site in Profile B and attempt to access the Powerful Web Platform Feature.

**Assignment of Verdict:**

- **Pass**:
    - The permission state in Profile B is unaffected by Profile A, and the product does not provide access to the Powerful Web Platform Feature on step 2 of the assessment activities without express user permission.
- **Fail**: 
    - The above is not fulfilled.
   
**Supporting Evidence:**

- Console logs and/or UI captures from the test web page showing access to the Powerful Web Platform Features has been granted to the test page in Profile A.
- Console logs and/or UI captures from the test web page showing no access to the Powerful Web Platform Features to the test page in Profile B.


## 6.9 Availability Protection

Proposed ESR code: AP
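Review bot: in ACC-PWR-DM-1 the Site A / Site B steps (4 to 6) add nothing beyond the Origin A / Origin B steps, because two distinct sites are always two distinct origins, while the case that actually distinguishes origin scoping from site scoping, two origins on the same site (for example two subdomains of one registrable domain), is not exercised at all; replace the site pair with a same-site, cross-origin pair and extend the Supporting Evidence, which currently mentions only Origin A and Origin B. Also "hosted on distinct origin" should read "origins", and in ACC-PWR-INT-2 the second Pass sub-bullet is indented five spaces instead of four.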
@@ -1882,6 +2081,39 @@ The following steps are to be carried out in order:
- Extension console logging.
- Native application logging.

### [ACC-PWR-IM-1]

Assessment of [REQ-PWR-IM-1]

**Assessment Reference:** The product shall implement a permissions policy framework that allows a top-level document to selectively limit the Powerful Web Platform Features available to embedded iframes.

**Assessment Objective:** The product enforces policy mechanisms that restrict Powerful Web Platform Features.

**Assessment Preparation:**
- The product installed from scratch, or reset to its default settings.
- A top-level test web page such as to deny the use of a Powerful Web Platform Feature.
- An embedded cross-origin iframe inside the test page.
- Scripts in both the top-level page and the iframe attempting to request the restricted feature.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Load the top-level test web page.
2. Attempt to use the feature from the top-level script.
3. Attempt to use the feature from the embedded iframe script.

**Assignment of Verdict:**

- **Pass**:
    - Access to the feature is blocked for both the top-level page and the iframe automatically, without prompting the user, in accordance with the policy.
- **Fail**: 
    - The above is not fulfilled.
   
**Supporting Evidence:**

- Console logs and/or UI captures from the test web page showing access to the Powerful Web Platform Feature is being blocked.

### [ACC-EXT-IM-3]

Assessment of [REQ-EXT-IM-3]
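Review bot: the Pass verdict for ACC-PWR-IM-1 requires the feature to be blocked for the top-level page as well as the iframe, but the rewritten **[REQ-PWR-IM-1]** only requires the top-level document to limit the features available to embedded iframes, so a product that restricts the iframe while still allowing the top-level page satisfies the requirement yet fails the assessment; either restore the "available to itself" wording in the requirement or drop the top-level condition from the verdict. The preparation bullet "A top-level test web page such as to deny the use of" is also ungrammatical ("configured to deny the use of") and should state how the policy is expressed so the assessment is reproducible.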
@@ -2320,10 +2552,77 @@ Assessment of [REQ-STORE-LOG-1]
    - Screenshot or log output from tooling at each step to show data.
    - User documentation providing instructions for data removal.

### [ACC-PWR-LOG-1]

Assessment of [REQ-PWR-LOG-1]

**Assessment Reference:** The product shall provide a user interface listing the Powerful Web Platform Features granted or denied to the web page being displayed.

**Assessment Objective:** The product provides a user interface allowing the user to view the current permission status of Powerful Web Platform Features for the active web page.

**Assessment Preparation:**
    - The product installed from scratch, or reset to its default settings.
    - A test web page that uses several Powerful Web Platform Features.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Navigate to the test web page.
2. Trigger two feature requests: grant access to the first, and deny access to the second.
3. Open the product's site-specific security/permissions UI.

**Assignment of Verdict:**

- **Pass**:
    - The UI accurately lists the specific Powerful Web Platform Features and explicitly reflects their current states as "granted/allowed" and "denied/blocked" for that page.
    - Applying the setting automatically blocks the test web page's access to the Powerful Web Platform Feature without presenting a permission prompt to the user.
- **Fail**: 
    - The UI is missing, or it does not accurately reflect the active permission states.

**Supporting Evidence:**

- UI screenshots of the site information/permission panel showing the correct status.

## 6.14 Data Removal and Transparency

Proposed ESR code: DRT

### [ACC-PWR-DRT-1]

Assessment of [REQ-PWR-DRT-1]

**Assessment Reference:** The product shall provide a user interface allowing revocation of previously granted permissions for Powerful Web Platform Features.

**Assessment Objective:** Permission to use Powerful Web Platform Features granted to a web page can be easily revoked by the user via a provided interface.

**Assessment Preparation:**
    - The product installed from scratch, or reset to its default settings.
    - A test web page that uses a Powerful Web Platform Feature.

**Assessment Activities:**

The following steps are to be carried out in order:

1. Load the test page, trigger the request, and explicitly grant the permission.
2. Verify the web page can successfully access the feature.
3. Open the product's user interface (either site-specific controls or global settings) and revoke the permission.
4. Reload the test page and attempt to use the feature again.

**Assignment of Verdict:**

- **Pass**:
    - The product provides a UI to revoke the permission.
    - The revocation UI indicates the permission is removed, and the web page loses access to the feature.
- **Fail**: 
    - The revocation UI is missing.
    - The revocation UI indicates the permission is removed, but the web page retains access.

**Supporting Evidence:**

- UI screenshots of the revocation process.
- Console logs and/or UI captures from the test web page showing no access to the Powerful Web Platform Features after revocation.

### [ACC-TLS-DRT-1]

Assessment of [REQ-TLS-DRT-1]
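Review bot: the second Pass sub-bullet of ACC-PWR-LOG-1 ("Applying the setting automatically blocks the test web page's access...") is carried over from ACC-PWR-SBD-1 and does not belong here: no setting is applied in this assessment, so the bullet can never be evaluated and should be deleted. Formatting: the Assessment Preparation bullets in both ACC-PWR-LOG-1 and ACC-PWR-DRT-1 are indented four spaces, unlike the other assessments in this commit where they start at column one.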