Fill out section on trusted UI #875
- Pausing the immersive session and showing some form of desktop environment in which a prompt can be shown
</div>
Did we also want to enumerate the properties of a trusted UI from #718
done!
Ah, yes I definitely should do that, thanks
On Wed, Oct 16, 2019, 7:17 AM Diane Hosfelt ***@***.***> wrote:
In index.bs:
Trusted Environment {#trustedenvironment-security}
-------------------
-If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, trusted UI.
+The user agent MUST support showing a <dfn>Trusted UI</dfn>, that is, an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. Some form of [=trusted UI=] MUST be used to show permissions prompts.
+
+
+A [=trusted UI=] which does not exit immersive mode is known as a <dfn>trusted immersive UI</dfn>. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode to handle prompts to the user.
+
+<div class="note">
+Note: Examples of [=trusted UI=] include:
+ - The default 2D mode browser shown when not in immersive mode
+ - A prompt shown within immersive mode which can only be interacted with via a reserved hardware button to prevent spoofing
+ - Pausing the immersive session and showing some form of desktop environment in which a prompt can be shown
+
+</div>
+
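Review bot: the second example in the note, "can only be interacted with via a reserved hardware button to prevent spoofing", conflates two different protections. A reserved button guarantees that the page cannot synthesize the user's consent action, but it does nothing to stop the page from drawing a pixel-identical copy of the prompt, since in immersive mode the page owns every pixel the compositor is given; either say what makes the prompt itself recognizably the user agent's, or drop "to prevent spoofing". The <dfn>Trusted UI</dfn> sentence would also be stronger if it stated the converse requirement explicitly, that while trusted UI is shown the page can neither draw over it nor observe the user's input to it, since that is the property the visibility-state text elsewhere in this change relies on.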
Did we also want to enumerate the properties of a trusted UI from #718
index.bs (outdated):
Note: Examples of [=trusted UI=] include:
 - The default 2D mode browser shown when not in immersive mode
 - A prompt shown within immersive mode which can only be interacted with via a reserved hardware button to prevent spoofing
 - Pausing the immersive session and showing some form of desktop environment in which a prompt can be shown
Pausing the immersive session and showing some form of desktop environment in which a prompt can be shown
I feel like the phrasing on this one is maybe a tad bit too restrictive? Specifically the use of the phrase "desktop environment", which seems to suggest a very specific and potentially mobile-excluding concept.
What about something along the lines of this?
Pausing the immersive session to show a prompt in the native system environment.
done
A handful of miscellaneous feedback. This is a thorny bit of spec text to get right and I appreciate you digging in!
index.bs (outdated):
Trusted Environment {#trustedenvironment-security}
-------------------
If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, trusted UI.
The user agent MUST support showing a <dfn>Trusted UI</dfn>, that is, an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. Some form of [=trusted UI=] MUST be used to show permissions prompts.
It might be a good idea to put a couple sentences before this elaborating on why trusted UI is a harder problem in immersive experiences (i.e. all pixels can be drawn by the developer which allows for spoofing).
index.bs (outdated):
If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=].

Additionally, page content has the ability to make users uncomfortable in ways not related to performance. Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. To accommodate this the user agent SHOULD provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's [=trusted UI=].

{{XRSession}}s MUST have their [=visibility state=] set to {{XRVisibilityState/"hidden"}} when the user is interacting with potentially sensitive UI from the user agent (such as entering a URL) in the trusted environment.
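Review bot: the last paragraph and the normative sentence in the gaze tracking section ("the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, trusted UI such as URL bars or system dialogs") state the same requirement twice with different wording ("potentially sensitive UI ... such as entering a URL" here). Keep a single normative statement and cross-reference it from the other place so the two cannot drift, and state that it covers both [=trusted immersive UI=] and UI shown after pausing or exiting immersive mode: a session left {{XRVisibilityState/"visible"}} during an in-headset prompt still receives the head poses the gaze tracking section is worried about.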
Is this a duplicate of the last paragraph in the gaze tracking section?
index.bs (outdated):
Trusted Environment {#trustedenvironment-security}
-------------------
If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, trusted UI.
The user agent MUST support showing a <dfn>Trusted UI</dfn>, that is, an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. Some form of [=trusted UI=] MUST be used to show permissions prompts.
Nit: there's something about this sentence that seems somewhat oddly phrased, but I can't put my finger on how it might be clearer.
The user agent MUST support showing a Trusted UI, that is, an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page.
index.bs (outdated):
If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=].
This seems unrelated enough to trusted ui that it probably warrants its own section heading.
index.bs (outdated):
Gaze Tracking {#gazetracking-security}
-------------
While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar.
Is this text still helpful?
While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation.
index.bs (outdated):
Gaze Tracking {#gazetracking-security}
-------------
While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar.
This text can probably be repurposed as the intro paragraph if it is adjusted slightly.
This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar.
index.bs (outdated):
While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar.

To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, trusted UI such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}.
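Review bot: the second sentence has the condition inverted: "MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}" would hide a session exactly when its own document has focus. It should read "does not belong to", since the stated purpose is to stop a page from monitoring head motion while the user is interacting with a different page. The first sentence should also name both forms of trusted UI ([=trusted immersive UI=] and UI shown after leaving immersive mode) so the MUST is not read as applying only to prompts shown outside the headset.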
We should make it clear that this applies to both types of trusted UI
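The gaze-cursor inference the spec text above warns about, as an added illustration that is not code from the WebXR specification or from this PR. It simulates a page that receives one head orientation per frame (in a real page this would come from `XRFrame.getViewerPose()` inside the session's `requestAnimationFrame` callback) while the user dwell-types on a gaze keyboard, recovers the typed string from those orientations alone, and then models the mitigation under review: while the session's visibility state is `"hidden"` no frames are delivered, so the page sees none of the poses from that interval. The keyboard layout, the angular size of a key, the dwell threshold and the pose trace are all hypothetical values constructed for the example.

```javascript
// Added illustration of the gaze-cursor inference risk discussed in the
// spec text under review; not code from the WebXR spec or from this PR.
// The keyboard layout, angular key sizes, dwell threshold and the pose
// trace are hypothetical values constructed for the example.

const KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]; // hypothetical layout
const KEY_W_DEG = 4;   // yaw covered by one key column
const KEY_H_DEG = 6;   // pitch covered by one key row
const DWELL_MS = 300;  // dwell needed to "press" a key on the gaze keyboard
const SAMPLE_MS = 16;  // roughly one viewer pose per frame at 60 Hz
const REST = { yaw: 0, pitch: KEY_H_DEG }; // looking just above the keyboard

// Key under the gaze cursor for a head orientation (yaw, pitch in degrees),
// or null when the cursor is off the keyboard.
function keyAt(yaw, pitch) {
  const row = Math.round(-pitch / KEY_H_DEG);
  if (row < 0 || row >= KEY_ROWS.length) return null;
  const keys = KEY_ROWS[row];
  const col = Math.round(yaw / KEY_W_DEG + (keys.length - 1) / 2);
  if (col < 0 || col >= keys.length) return null;
  return keys[col];
}

// Orientation that centres the cursor on `key` (inverse of keyAt).
function orientationFor(key) {
  for (let row = 0; row < KEY_ROWS.length; row++) {
    const col = KEY_ROWS[row].indexOf(key);
    if (col >= 0) {
      return { yaw: (col - (KEY_ROWS[row].length - 1) / 2) * KEY_W_DEG,
               pitch: -row * KEY_H_DEG };
    }
  }
  throw new Error("key not on layout: " + key);
}

// Constructed head-pose trace for a user dwell-typing `text`: sweep from the
// rest position onto each key (~100 ms), hold it (400 ms), sweep back.
function simulateTyping(text) {
  const samples = [];
  let t = 0;
  const sweep = (from, to) => {
    for (let i = 1; i <= 6; i++) {
      const f = i / 6;
      samples.push({ t, yaw: from.yaw + (to.yaw - from.yaw) * f,
                        pitch: from.pitch + (to.pitch - from.pitch) * f });
      t += SAMPLE_MS;
    }
  };
  for (const ch of text) {
    const key = orientationFor(ch);
    sweep(REST, key);
    for (let i = 0; i < 25; i++) {
      samples.push({ t, yaw: key.yaw, pitch: key.pitch });
      t += SAMPLE_MS;
    }
    sweep(key, REST);
  }
  return samples;
}

// What a page can compute from the poses it is given: a key counts as typed
// once the cursor has stayed on it for the dwell threshold.
function inferTypedText(samples) {
  let typed = "";
  let current = null, since = 0, emitted = false;
  for (const s of samples) {
    const k = keyAt(s.yaw, s.pitch);
    if (k !== current) { current = k; since = s.t; emitted = false; }
    if (k !== null && !emitted && s.t - since >= DWELL_MS) {
      typed += k;
      emitted = true;
    }
  }
  return typed;
}

// Model of the mitigation under review: while the session's visibility state
// is "hidden" the user agent delivers no frames, so the page never receives
// the poses from that interval.
function deliveredToPage(samples, hiddenFromMs, hiddenUntilMs) {
  return samples.filter((s) => s.t < hiddenFromMs || s.t >= hiddenUntilMs);
}

const trace = simulateTyping("webxr");
console.log(inferTypedText(trace));                               // "webxr"
console.log(inferTypedText(deliveredToPage(trace, 0, Infinity)));   // ""
console.log(inferTypedText(deliveredToPage(trace, 0, 1184)));       // "bxr"
```

The third call is the case the normative text has to rule out: if the session is only hidden for part of the interaction (here, until the third character starts), everything typed after the session becomes visible again is recovered. The hidden state therefore has to be set before the trusted UI takes focus and held until it is dismissed, for immersive and non-immersive trusted UI alike.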
Comments addressed.
Force-pushed from 413b4e0 to ec4d15f.
Force-pushed from ec4d15f to 992c094.
LGTM
A few more smallish pieces of feedback, but nothing that needs rereviewing once addressed. Thanks!
Addressed.
Thanks everyone!
…about immersive UIs
…about immersive UIs
/fixes #718, /fixes #719
Unsure of this approach, still working on things.