From 772dacac329befde492cf91632b6b42b54ce0ddf Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Fri, 11 Oct 2019 11:08:48 -0700 Subject: [PATCH 01/10] Fill out section on trusted UI --- index.bs | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/index.bs b/index.bs index 84ab7b70..587d49d7 100644 --- a/index.bs +++ b/index.bs @@ -2214,25 +2214,39 @@ Note: Is is suggested that poses reported relative to a {{XRReferenceSpaceType/" Note: Is is suggested that poses reported relative to a {{XRBoundedReferenceSpace}} be [=limiting|limited=] to a distance of 1 meter outside the {{XRBoundedReferenceSpace}}'s [=native bounds geometry=]. -
-Gaze Tracking {#gazetracking-security} -------------- - -While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar. - -To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, trusted UI such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. Trusted Environment {#trustedenvironment-security} ------------------- -If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, trusted UI. 
+The user agent MUST support showing a Trusted UI, that is, an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. Some form of [=trusted UI=] MUST be used to show permissions prompts. + + +A [=trusted UI=] which does not exit immersive mode is known as a trusted immersive UI. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode to handle prompts to the user. + +
+Note: Examples of [=trusted UI=] include: + - The default 2D mode browser shown when not in immersive mode + - A prompt shown within immersive mode which can only be interacted with via a reserved hardware button to prevent spoofing + - Pausing the immersive session and showing some form of desktop environment in which a prompt can be shown + +
+ + -Additionally, page content has the ability to make users uncomfortable in ways not related to performance. Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. To accommodate this the user agent SHOULD provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's trusted UI. +If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=]. -When navigating between pages in XR the user agent should display trusted UI elements informing the user of the security information of the site they are navigating to which is normally presented by the 2D UI, such as the URL and encryption status. +Additionally, page content has the ability to make users uncomfortable in ways not related to performance. Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. 
To accommodate this the user agent SHOULD provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's [=trusted UI=]. {{XRSession}}s MUST have their [=visibility state=] set to {{XRVisibilityState/"hidden"}} when the user is interacting with potentially sensitive UI from the user agent (such as entering a URL) in the trusted environment. +
+Gaze Tracking {#gazetracking-security} +------------- + +While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar. + +To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, trusted UI such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. + Context Isolation {#contextisolation-security} ----------------- From 3bcdfe88b7991fdc02c8a8007ea3b8df7843dfdf Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Wed, 16 Oct 2019 16:56:30 -0700 Subject: [PATCH 02/10] add the properties diane came up with --- index.bs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/index.bs b/index.bs index 587d49d7..ee3a4b92 100644 --- a/index.bs +++ b/index.bs 
@@ -2223,6 +2223,14 @@ The user agent MUST support showing a Trusted UI, that is, an interfa A [=trusted UI=] which does not exit immersive mode is known as a trusted immersive UI. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode to handle prompts to the user. +A [=trusted UI=] MUST have the following properties: + + + - It must not be spoofable + - It indicates where the request/content displayed originates from + - It doesn't rely on a shared secret that can be observed by a mixed reality capture (e.g. a gesture that can be seen by the camera) + - It is consistent between immersive experiences in the same UA +
Note: Examples of [=trusted UI=] include: - The default 2D mode browser shown when not in immersive mode From effd538e826223a03af00b1b40fb5588a50c6aff Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Thu, 17 Oct 2019 14:18:31 -0700 Subject: [PATCH 03/10] remove mention of desktop --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index ee3a4b92..4d52a192 100644 --- a/index.bs +++ b/index.bs @@ -2235,7 +2235,7 @@ A [=trusted UI=] MUST have the following properties: Note: Examples of [=trusted UI=] include: - The default 2D mode browser shown when not in immersive mode - A prompt shown within immersive mode which can only be interacted with via a reserved hardware button to prevent spoofing - - Pausing the immersive session and showing some form of desktop environment in which a prompt can be shown + - Pausing the immersive session and showing some form of native system environment in which a prompt can be shown
From 992c0942d5a0df4e98db18b733b3a3c7d53c3fd5 Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Mon, 21 Oct 2019 15:26:58 -0700 Subject: [PATCH 04/10] Address Nell's comments --- index.bs | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index 4d52a192..f0b46892 100644 --- a/index.bs +++ b/index.bs 
@@ -2218,17 +2218,16 @@ Note: Is is suggested that poses reported relative to a {{XRBoundedReferenceSpac Trusted Environment {#trustedenvironment-security} ------------------- -The user agent MUST support showing a Trusted UI, that is, an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. Some form of [=trusted UI=] MUST be used to show permissions prompts. +A Trusted UI is an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. The user agent MUST support showing a [=trusted UI=]. Some form of [=trusted UI=] MUST be used to show permissions prompts. -A [=trusted UI=] which does not exit immersive mode is known as a trusted immersive UI. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode to handle prompts to the user. +Broadly speaking, there are two options for user agents who wish to support [=trusted UI=]. One option is the trusted immersive UI, which is a [=trusted UI=] which does not exit immersive mode. It is tricky to design a good [=trusted immersive UI=] since the page can effectively draw any pixels it wishes to. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode and show non-immersive [=trusted UI=] to the user. A [=trusted UI=] MUST have the following properties: - - It must not be spoofable - It indicates where the request/content displayed originates from - - It doesn't rely on a shared secret that can be observed by a mixed reality capture (e.g. a gesture that can be seen by the camera) + - If it relies on a shared secret with the user, this shared secret cannot be observed by a mixed reality capture (e.g. it may not be a gesture that can be seen by the camera) - It is consistent between immersive experiences in the same UA
@@ -2239,21 +2238,17 @@ Note: Examples of [=trusted UI=] include:
+In some cases it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. This is especially true on devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar by monitoring the user's interaction with the keyboard. + +To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, [=trusted UI=] ([=trusted immersive ui|immersive=] or non-immersive) such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=]. Additionally, page content has the ability to make users uncomfortable in ways not related to performance. 
Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. To accommodate this the user agent SHOULD provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's [=trusted UI=]. -{{XRSession}}s MUST have their [=visibility state=] set to {{XRVisibilityState/"hidden"}} when the user is interacting with potentially sensitive UI from the user agent (such as entering a URL) in the trusted environment. -
-Gaze Tracking {#gazetracking-security} -------------- - -While the API does not yet expose eye tracking capabilities a lot can be inferred about where the user is looking by tracking the orientation of their head. This is especially true of XR devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. This means that it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar. -To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, trusted UI such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. Context Isolation {#contextisolation-security} ----------------- From ffaa000da4ce892a7f7539720c69c73dde414d52 Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Wed, 23 Oct 2019 15:11:52 -0700 Subject: [PATCH 05/10] Apply suggestions from code review Co-Authored-By: Nell Waliczek --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index f0b46892..c2947cb4 100644 --- a/index.bs +++ b/index.bs 
@@ -2218,10 +2218,10 @@ Note: Is is suggested that poses reported relative to a {{XRBoundedReferenceSpac Trusted Environment {#trustedenvironment-security} ------------------- -A Trusted UI is an interface that the user can trust comes from the user agent, which the user may interact with without interference from the page. The user agent MUST support showing a [=trusted UI=]. Some form of [=trusted UI=] MUST be used to show permissions prompts. +A Trusted UI is an interface presented by the User Agent that the user is able to interact with but the page cannot. The user agent MUST support showing [=trusted UI=] and the [=trusted UI=] MUST be used to show permissions prompts when needed. -Broadly speaking, there are two options for user agents who wish to support [=trusted UI=]. One option is the trusted immersive UI, which is a [=trusted UI=] which does not exit immersive mode. It is tricky to design a good [=trusted immersive UI=] since the page can effectively draw any pixels it wishes to. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode and show non-immersive [=trusted UI=] to the user. +Broadly speaking, there are two options for user agents who wish to support [=trusted UI=]. One option is trusted immersive UI, which is a [=trusted UI=] which does not exit immersive mode. Implementing [=trusted immersive UI=] can be challenging because `XRWebGLLayer` buffers fill the XR Device display and the User Agent does not typically "reserve" pixels for its own use. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode and show non-immersive [=trusted UI=] to the user. A [=trusted UI=] MUST have the following properties: From 2e45ad9918e281ee593ddb636ad420ab9f781d4e Mon Sep 17 00:00:00 2001 
From: Manish Goregaokar Date: Wed, 23 Oct 2019 15:13:22 -0700 Subject: [PATCH 06/10] SHOULD -> MUST for reserved button --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index c2947cb4..5ab5e5b8 100644 --- a/index.bs +++ b/index.bs 
@@ -2245,7 +2245,7 @@ To prevent this risk the user agent MUST set the [=visibility state=] of all {{X If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=]. -Additionally, page content has the ability to make users uncomfortable in ways not related to performance. Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. To accommodate this the user agent SHOULD provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's [=trusted UI=]. +Additionally, page content has the ability to make users uncomfortable in ways not related to performance. Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. To accommodate this the user agent MUST provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's [=trusted UI=].
From b36b1435a32dc813705e1bae21d390fd8edadfd1 Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Wed, 23 Oct 2019 15:14:27 -0700 Subject: [PATCH 07/10] remove sensitive --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 5ab5e5b8..680097cd 100644 --- a/index.bs +++ b/index.bs 
@@ -2240,7 +2240,7 @@ Note: Examples of [=trusted UI=] include: In some cases it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. This is especially true on devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar by monitoring the user's interaction with the keyboard. -To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with sensitive, [=trusted UI=] ([=trusted immersive ui|immersive=] or non-immersive) such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. +To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with [=trusted UI=] ([=trusted immersive ui|immersive=] or non-immersive) such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. 
Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=]. From 4a0b3582b2c82e7705395e11b286b076aafc1859 Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Wed, 23 Oct 2019 15:14:49 -0700 Subject: [PATCH 08/10] Move paragraph --- index.bs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 680097cd..0ee45b5c 100644 --- a/index.bs +++ b/index.bs @@ -2220,9 +2220,6 @@ Trusted Environment {#trustedenvironment-security} A Trusted UI is an interface presented by the User Agent that the user is able to interact with but the page cannot. The user agent MUST support showing [=trusted UI=] and the [=trusted UI=] MUST be used to show permissions prompts when needed. - -Broadly speaking, there are two options for user agents who wish to support [=trusted UI=]. One option is trusted immersive UI, which is a [=trusted UI=] which does not exit immersive mode. Implementing [=trusted immersive UI=] can be challenging because `XRWebGLLayer` buffers fill the XR Device display and the User Agent does not typically "reserve" pixels for its own use. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode and show non-immersive [=trusted UI=] to the user. - A [=trusted UI=] MUST have the following properties: - It must not be spoofable 
@@ -2230,6 +2227,8 @@ A [=trusted UI=] MUST have the following properties: - If it relies on a shared secret with the user, this shared secret cannot be observed by a mixed reality capture (e.g. it may not be a gesture that can be seen by the camera) - It is consistent between immersive experiences in the same UA +Broadly speaking, there are two options for user agents who wish to support [=trusted UI=]. One option is trusted immersive UI, which is a [=trusted UI=] which does not exit immersive mode. Implementing [=trusted immersive UI=] can be challenging because `XRWebGLLayer` buffers fill the XR Device display and the User Agent does not typically "reserve" pixels for its own use. User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode and show non-immersive [=trusted UI=] to the user. +
Note: Examples of [=trusted UI=] include: - The default 2D mode browser shown when not in immersive mode From 91a9c44171ff89ac6247d974e562fa47359a5c45 Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Wed, 23 Oct 2019 15:16:10 -0700 Subject: [PATCH 09/10] Move text about permissions prompts below --- index.bs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 0ee45b5c..12c1476c 100644 --- a/index.bs +++ b/index.bs @@ -2218,7 +2218,7 @@ Note: Is is suggested that poses reported relative to a {{XRBoundedReferenceSpac Trusted Environment {#trustedenvironment-security} ------------------- -A Trusted UI is an interface presented by the User Agent that the user is able to interact with but the page cannot. The user agent MUST support showing [=trusted UI=] and the [=trusted UI=] MUST be used to show permissions prompts when needed. +A Trusted UI is an interface presented by the User Agent that the user is able to interact with but the page cannot. The user agent MUST support showing [=trusted UI=]. A [=trusted UI=] MUST have the following properties: 
@@ -2242,6 +2242,8 @@ In some cases it may be possible for a malicious page to infer what a user is ty To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with [=trusted UI=] ([=trusted immersive ui|immersive=] or non-immersive) such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. +The user agent MUST use [=trusted UI=] to show permissions prompts. + If the virtual environment does not consistently track the user's head motion with low latency and at a high frame rate the user may become disoriented or physically ill. Since it is impossible to force pages to produce consistently performant and correct content the user agent MUST provide a tracked, trusted environment and an [=XR Compositor=] which runs asynchronously from page content. The compositor is responsible for compositing the trusted and untrusted content. If content is not performant, does not submit frames, or terminates unexpectedly the user agent should be able to continue presenting a responsive, [=trusted UI=]. Additionally, page content has the ability to make users uncomfortable in ways not related to performance. Badly applied tracking, strobing colors, and content intended to offend, frighten, or intimidate are examples of content which may cause the user to want to quickly exit the XR experience. Removing the XR device in these cases may not always be a fast or practical option. To accommodate this the user agent MUST provide users with an action, such as pressing a reserved hardware button or performing a gesture, that escapes out of WebXR content and displays the user agent's [=trusted UI=]. 
From dd9065cd059714143f141a2d124c5a289ae9f567 Mon Sep 17 00:00:00 2001 From: Manish Goregaokar Date: Wed, 23 Oct 2019 15:18:34 -0700 Subject: [PATCH 10/10] Clean up snooping --- index.bs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 12c1476c..1ace5fbe 100644 --- a/index.bs +++ b/index.bs @@ -2237,9 +2237,7 @@ Note: Examples of [=trusted UI=] include:
-In some cases it may be possible for a malicious page to infer what a user is typing on a virtual keyboard or how they are interacting with a virtual UI based solely on monitoring their head movements. This is especially true on devices that have limited input capabilities, such as Google Cardboard, which frequently require users to control a "gaze cursor" with their head orientation. For example: if not prevented from doing so a page could estimate what URL a user is entering into the user agent's URL bar by monitoring the user's interaction with the keyboard. - -To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with [=trusted UI=] ([=trusted immersive ui|immersive=] or non-immersive) such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. +The ability to read input information (head pose, input pose, etc) poses a risk to the integrity of [=trusted UI=] as the page may use this information to snoop on the choices made by the user while interacting with the [=trusted UI=]. To prevent this risk the user agent MUST set the [=visibility state=] of all {{XRSession}}s to {{XRVisibilityState/"hidden"}} when the user is interacting with [=trusted UI=] ([=trusted immersive ui|immersive=] or non-immersive) such as URL bars or system dialogs. Additionally, to prevent a malicious page from being able to monitor input on other pages the user agent MUST set the {{XRSession}}'s [=visibility state=] to {{XRVisibilityState/"hidden"}} if the [=currently focused area=] does belong to the document which created the {{XRSession}}. The user agent MUST use [=trusted UI=] to show permissions prompts.
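Review bot: In PATCH 01/10, the new opening paragraph of Trusted Environment defines Trusted UI as "an interface that the user can trust comes from the user agent", which gives an implementer nothing to test the MUST against. Suggest defining it by what the page cannot do to it, or listing the required properties directly after the definition. In the same hunk, "User agents are not required to support [=trusted immersive UI=], they may instead temporarily pause/exit immersive mode" is a comma splice and leaves it unclear whether "may" is meant as the normative MAY; split the sentence and capitalise the keyword if it is.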
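Review bot: In PATCH 02/10, the list under "A [=trusted UI=] MUST have the following properties" mixes normative and descriptive wording: "It must not be spoofable" carries its own lowercase must, while the other items are plain statements ("It indicates ...", "It doesn't rely ..."). The lead-in already carries the MUST, so each item can be phrased as a property, and the first one should say who must not be able to spoof it, e.g. "It cannot be spoofed by page content". "where the request/content displayed originates from" would also be easier to implement against if it named what has to be shown to the user.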
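Review bot: In PATCH 04/10, first hunk, the rewritten shared-secret item says the secret "cannot be observed by a mixed reality capture" and "it may not be a gesture that can be seen by the camera", and "may not" can be read either as "is not allowed to be" or as "might not be". Under a MUST lead-in this needs to be unambiguous, e.g. "this shared secret MUST NOT be observable by a mixed reality capture (for example, a gesture visible to the camera)".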
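Review bot: In PATCH 04/10, second hunk, deleting the "Gaze Tracking {#gazetracking-security}" heading removes an anchor that other parts of index.bs or external documents may link to; check for references to #gazetracking-security before merging. The deleted section also explained that head orientation works as a stand-in for eye tracking ("While the API does not yet expose eye tracking capabilities a lot can be inferred ..."), and the two paragraphs added under Trusted Environment no longer say so; consider keeping that sentence with the moved text.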
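Review bot: In PATCH 05/10, the added paragraph writes `XRWebGLLayer` as a code literal where the rest of the section uses autolinks such as {{XRSession}} and {{XRVisibilityState/"hidden"}}; use {{XRWebGLLayer}} so the reference is linked like the others. The same added lines switch between "User Agent" and "user agent", and "that the user is able to interact with but the page cannot" leaves the object of "cannot" implicit; "but the page cannot interact with" reads less ambiguously.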
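Review bot: In PATCH 06/10, the escape action becomes a MUST, but the sentence does not say that page content cannot intercept, suppress or delay it, and for "performing a gesture" that is not self-evident. Suggest stating that the action is handled by the user agent and is not delivered to the page. The paragraph just above it in the same hunk still says the user agent "should be able to continue presenting a responsive, [=trusted UI=]" in lowercase, so it is worth deciding whether that requirement is normative as well.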
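Review bot: In PATCH 10/10, the last sentence of the added paragraph hides the session "if the [=currently focused area=] does belong to the document which created the {{XRSession}}", which is the opposite of the stated goal of preventing a page from monitoring input on other pages; it should read "does not belong". The same wording appears in the lines touched by patches 01, 04 and 07, so correcting it here settles it for the series. Separately, snooping on the user's choices is a confidentiality concern, so "poses a risk to the integrity of [=trusted UI=]" would be more accurate if it named confidentiality of the user's interaction instead.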