From ea62fe49545cd6aba699854073844208562ce8d4 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Tue, 16 Mar 2021 15:44:04 -0400 Subject: [PATCH] Clarify that URL bar spoofing is not possible Based on https://github.com/w3ctag/design-reviews/issues/605#issuecomment-800057558. --- README.md | 5 ++++- security-privacy-questionnaire.md | 8 +++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 99a3ca9..002b8e1 100644 --- a/README.md +++ b/README.md @@ -1060,6 +1060,8 @@ One particular point of interest is the user-agent generated `appHistoryEntry.ke Security-wise, this feature has been carefully designed to give no new abilities that might be disruptive to the user or to delicate parts of browser code. See, for example, the restrictions on [navigation monitoring and interception](#navigation-monitoring-and-interception) to ensure that it does not allow trapping the user, or the discussion of how this proposal [does not impact how browser UI presents session history](#impact-on-back-button-and-user-agent-ui). +In particular, note that navigation interception can only update the URL bar to perform single-page app navigations to the same extent as `history.pushState()` does: the destination URL must only differ from the page's current URL in path, query, or fragment components. Thus, the `navigate` event does not allow URL spoofing by updating the URL bar to a cross-origin destination while providing your own origin's content. + See also the [W3C TAG security and privacy questionnaire answers](./security-privacy-questionnaire.md). ## Stakeholder feedback 
@@ -1089,7 +1091,8 @@ Thanks also to [@natechapin](https://github.com/natechapin), [@pshrmn](https://github.com/pshrmn), [@SetTrend](https://github.com/SetTrend), -[@slightlyoff](https://github.com/slightlyoff), and +[@slightlyoff](https://github.com/slightlyoff), +[@torgo](https://github.com/torgo), and [@Yay295](https://github.com/Yay295) for their help in exploring this space and providing feedback. diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 47a8922..f0cda8e 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md 
@@ -48,7 +48,13 @@ No. **Do features in this specification allow an origin some measure of control over a user agent’s native UI?** -Importantly, no. Navigations through native UI such as the URL bar or back button do not trigger a cancelable `navigate` event. See the abuse prevention discussion in the ["Navigation monitoring and interception"](./README.md#navigation-monitoring-and-interception) section as well as the ["Impact on the back button and user agent UI"](./README.md#impact-on-the-back-button-and-user-agent-ui) section. +No more than is possible today. + +Navigations through native UI such as the URL bar or back button do not trigger a cancelable `navigate` event. See the abuse prevention discussion in the ["Navigation monitoring and interception"](./README.md#navigation-monitoring-and-interception) section as well as the ["Impact on the back button and user agent UI"](./README.md#impact-on-the-back-button-and-user-agent-ui) section. + +The API does provide pages the ability to update the contents of the browser's URL bar, by intercepting the `navigate` event and converting what would normally be a cross-document navigation into a same-document one. But, this capability is restricted in the same way that `history.pushState()` is: the new URL being navigated to must differ from the current one only in the path/query/fragment components. + +So, this can't be used for spoofing the URL by, for example, responding to a navigation from `https://evil.example/` to `https://good.example/` with custom contents from `https://evil.example/`. Since the URLs differ in their host component, such a navigation cannot be intercepted by `https://evil.example/`. In other words, when the URL bar reads `https://good.example/`, only `https://good.example/` controls the contents displayed. **What temporary identifiers do the features in this specification create or expose to the web?**
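Review bot: On the first hunk (README.md, the added "In particular, note that..." paragraph), the restriction is phrased as "must only differ ... in path, query, or fragment components", but the `history.pushState()` rule it appeals to is an origin check (scheme, host, port), so a URL that differs only in username/password would also be rejected; stating it as "must be same-origin with the current URL" would be both more precise and consistent with the questionnaire text, which already explains the rejection in terms of the host component. The phrase "while providing your own origin's content" reads oddly in an explainer addressed to readers rather than attackers; "while displaying the intercepting page's own content" says the same thing more neutrally.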
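Review bot: On the third hunk (security-privacy-questionnaire.md), the link anchor `./README.md#impact-on-the-back-button-and-user-agent-ui` does not match the anchor used inside README.md in the first hunk (`#impact-on-back-button-and-user-agent-ui`); one of the two is almost certainly a dead link and should be checked against the actual heading. Also, as in the README hunk, "only in the path/query/fragment components" would be tighter as "same-origin (same scheme, host and port)", which is the check `history.pushState()` actually performs and matches the "differ in their host component" explanation in the following paragraph. The closing sentence "only `https://good.example/` controls the contents displayed" is a useful invariant to state; it may be worth adding that the `navigate` event fires in the document initiating the navigation, which is why a page on a different origin never gets the chance to intercept.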