privacy-security-explainer.md
+20-1
@@ -86,7 +86,26 @@ When sensitive information can be exposed, the requesting document must be:
86
86
In addition to the WebXR specific feature policy, feature policies for underlying sensors must also be respected if a site could isolate and extract sensor data that would otherwise be blocked by those feature policies. WebXR must not be a 'back door' for accessing data that is otherwise prevented.
87
87
88
88
## Trusted UI
89
-
**TODO** Fill this in with what is agreed upon in [#718](https://github.com/immersive-web/webxr/issues/718) and [#719](https://github.com/immersive-web/webxr/issues/719).
89
+
The concept of [“Trusted UI”](https://github.com/immersive-web/webxr/issues/719) is what allows User Agents to display a UI to end users on which sensitive information can be displayed and interacted with such that a website cannot snoop on it and cannot spoof it. Some features which use Trusted UI are user consent prompts, URL bars, navigation controls, favorite/bookmarks, and many more.
90
+
91
+
In 2D browsers, Trusted UI is presented either exclusively around the outside of a web page’s visual container or overlapping with it partially. In the context of an immersive experience, the definition of a [“Trusted Immersive UI”](https://github.com/immersive-web/webxr/issues/718) is a bit more complex due to the fact there is no “outside” of immersive content; all pixels the user sees are rendered by the immersive content.
92
+
93
+
User agents must support a Trusted UI with the following properties:
94
+
- non-spoofable
95
+
- indicates where the request/content displayed originates from
96
+
- if it relies on a shared secret with the user, the shared secret must be unobservable by an MR capture
97
+
- it is consistent between immersive experiences in the same UA
98
+
- avoid spamming/overloading the user with prompts
99
+
- easy to intentionally grant consent (e.g. the UI should be easily discovered)
100
+
- hard to unintentionally grant user consent (e.g. the UI should prevent clickjacking)
101
+
- provides clear methods for the user to revoke consent and verify the current state of consent
102
+
103
+
A Trusted UI may be immersive or non-immersive, provided it conforms to the above properties. A Trusted Immersive UI does not exit immersive mode. UAs are not required to provide a Trusted Immersive UI and may instead temporarily pause/exit immersive mode and provide a non-immersive Trusted UI.
104
+
105
+
Examples of Trusted UIs are:
106
+
- the default 2D mode browser in non-immersive mode
107
+
- a prompt shown within immersive mode which can only be interacted with via a reserved hardware button
108
+
- pausing the immersive session to show a form of non-spoofable native system environment
90
109
91
110
## User intention
92
111
It is often necessary to be sure of user intent before exposing sensitive information or allowing actions with a significant effect on the user's experience. This intent may be communicated or observed in a number of ways.
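Review bot: the new paragraph at line 91 says "all pixels the user sees are rendered by the immersive content", which contradicts the Trusted Immersive UI that the same hunk goes on to define and illustrate (a prompt shown within immersive mode that can only be interacted with via a reserved hardware button), since that UI is composited by the user agent on top of or in place of page content; consider wording such as "by default every pixel the user sees is under the page's control" so the definition does not rule out UA-rendered overlays. Two smaller points in the same hunk: the list under "User agents must support a Trusted UI with the following properties" mixes stated properties ("non-spoofable", "it is consistent between immersive experiences in the same UA") with imperatives aimed at UA designers ("avoid spamming/overloading the user with prompts", "easy to intentionally grant consent"); phrasing every bullet as a property of the UI would make the "must" testable rather than advisory. And "indicates where the request/content displayed originates from" would read more precisely as "indicates the origin of the request or content being displayed", reusing the requesting-document/origin terminology the hunk header already uses.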