Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Eligibility for autofill #831

Open
1 task done
schwering opened this issue Apr 4, 2023 · 32 comments
Open
1 task done

Eligibility for autofill #831

schwering opened this issue Apr 4, 2023 · 32 comments
Assignees
Labels
Missing: Multi-stakeholder support Lack of multi-stakeholder support Missing: venue privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. Progress: pending external feedback The TAG is waiting on response to comments/questions asked by the TAG during the review

Comments

@schwering
Copy link

こんにちは TAG-さん!

I'm requesting a TAG review of shared-autofill.

Payment service providers (PSPs) often distribute form controls (e.g., credit card number, CVC) over multiple distinct PSP iframes on a merchant checkout page. We propose a same-origin policy for autofilling such frame-transcending forms. Additionally, some less-sensitive fields from a PSP point of view (such as cardholder name) are often part of the main merchant frame instead of inside PSP iframes. For this case, we propose a policy-controlled feature which allows a parent frame to designate child frames as trusted for the purposes of Autofill, irrespective of their origin, allowing the browser to fully fill such cross-frame forms.

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • Relevant time constraints or deadlines: none
  • The group where the work on this specification is currently being done: whatwg (note that we are still waiting on feedback on the PR from other whatwg members)
  • The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue):
  • Major unresolved issues with or opposition to this specification: none
  • This work is being funded by: Google

We'd prefer the TAG provide feedback as:

💬 leave review feedback as a comment in this issue and @-notify @schwering, @stephenmcgruer

Questionnaire

2.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?

Our proposal restricts which origins a browser may share Autofill information with.

The HTML standard currently does not specify which kinds of information are shared, which user action (if any) is necessary to share the information, and which origins the information may be shared with. Most browsers display a list of suggestions when the user interacts with a form control, and they share the selected information with the form control’s document when the user confirms a suggestion.

We propose to restrict this information sharing to documents which either have the same origin as the form control the user interacted with or have the newly proposed shared-autofill enabled. As a policy-controlled feature, only the first party can enable shared-autofill in child frames.

2.2 Do features in your specification expose the minimum amount of information necessary to enable their intended uses?

Yes, our proposal minimizes the scope the information is shared. It will improve transparency in the following way.

Today’s browsers do not fill across origins. Many payment service providers work around by posting autofilled information from one frame to other frames using postMessage(). Naturally, such workarounds break the preview of to-be-autofilled information built into many browsers. Our spec makes such workarounds obsolete and lets the browser preview and autofill form controls in cross-origin form documents (if shared-enable is enabled in the respective document).

2.3 How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?

Our specification fills a gap in formalizing the conditions under which the browser may fill such information.

Our proposal allows sharing such information according to a same-origin policy and a newly proposed policy-controlled feature shared-autofill, which can be passed by parent frames to their child frames to designate such frames as trustworthy for autofill purposes.

As argued in 2.2, our proposal intends to make JavaScript workarounds obsolete and increase transparency.

2.4 How do the features in your specification deal with sensitive information?

See 2.3.

2.5 Do the features in your specification introduce new state for an origin that persists across browsing sessions?

No.

2.6 Do the features in your specification expose information about the underlying platform to origins?

No.

2.7 Does this specification allow an origin to send data to the underlying platform?

No.

2.8 Do features in this specification enable access to device sensors?

No.

2.9 Do features in this specification enable new script execution/loading mechanisms?

No.

2.10 Do features in this specification allow an origin to access other devices?

No.

2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI?

No.

2.12 What temporary identifiers do the features in this specification create or expose to the web?

None.

2.13 How does this specification distinguish between behavior in first-party and third-party contexts?

The first party can enable shared-autofill in third-party child frames, and these child frames in turn can enable shared-autofill in their respective child frames. This behaviour is due to shared-autofill being a policy-controlled feature.

2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?

The proposal is unrelated to private browsing or incognito mode. A browser may decide to disable Autofill in such a mode.

2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections?

It doesn’t have sections with these titles, but it does have a section on attack vectors.

2.16 Do features in your specification enable origins to downgrade default security protections?

There are currently no security protections for Autofill. This proposal introduces default protections, as well as a policy-controlled feature that is disabled by default for cross-origin iframes.

2.17 How does your feature handle non-"fully active" documents?

Our specification excludes non-”fully-active” documents.

2.18 What should this questionnaire have asked?

It seems sufficient.

@cynthia cynthia added this to the 2023-04-17-f2f-tokyo milestone Apr 19, 2023
@torgo torgo added privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. Missing: venue and removed Topic: HTML Progress: untriaged Review type: CG early review An early review of general direction from a Community Group Missing: venue Topic: authentication Topic: payments labels Apr 19, 2023
@torgo
Copy link
Member

torgo commented Apr 19, 2023

Hi - can you clarify where this work is currently happening? Is this slated to be done in WICG? Has there been any engagement on this topic with other engines / browsers?

@cynthia
Copy link
Member

cynthia commented Apr 19, 2023

Thanks for bringing this to our attention. We looked at this during our F2F, and overall we are happy with this. It solves an immediate user need, which is being able to autofill cross origin forms, which as far as the user is concerned should work like any other form.

We have a couple points we'd like to discuss here, both of which are likely out of your immediate control but would like to see some progress on.

  1. Interest from other implementors. This seems like a useful, safe feature which would be more powerful if at least one other implementor is interested in implementing this (setting aside the depedency on permission policy, which is a dependency).
  2. We do see the immediate reason why multi-frame forms is a thing, but we would like form domain experts to think about a future direction where we move away from this somewhat convoluted architecture. We understand the proposal is working around layers of limitations, but we feel like it shouldn't be this way.
  3. In an ideal world, the solution to (2) might be web payments.

@hober
Copy link
Contributor

hober commented Apr 20, 2023

As @annevk said elsewhere, autofill "is a user interface feature and as such the call as to whether or not to make it work in a particular case is with the user agent and not the HTML Standard." If some browsers' autofill doesn't work with fields in Shadow DOM, for instance, that seems like a bug in such browsers, and not with the spec.

@schwering
Copy link
Author

Thank you all for the feedback and comments!

Re @torgo

We intend to pursue this in the WHATWG as part of the HTML spec, and are looking to drive consensus on the autofill definitions within that group.

Re @cynthia

  1. The final positions on the proposal from Mozilla and Apple are pending and discussions are ongoing.
  2. We agree. We suppose this would need cooperation of the implementors, payment industry, and payment service providers.
  3. Acknowledged.

Re @hober

Thanks Tess (and Anne!); we do appreciate and agree that autofill is a user interface feature. However, we think there is value in giving web developers some structure around what they can roughly expect, and in particular we think specing shared-autofill as a clear (though non-binding) signal to the browser is valuable. Much like how autocomplete="cc-number" is a valuable signal for web developers to know about.

We're happy to work with Anne to find the right middle-ground of what to spec – see our latest reply in the WebKit request for positions where we changed the text, and we can keep iterating on that!

@torgo
Copy link
Member

torgo commented Jun 15, 2023

Hi folks – We discussed this in today's TAG breakout.

We remain concerned with the level of information available to the user about what they have agreed to share with whom via auto-fill. Is it possible to advise UA providers to surface this information to the user in some way "are you OK with sharing your cc number with ecommerce site who uses payment provider as a payment provider?"

We also remain concerned about the multi-stakeholder buy in. If this is going to be adopted by the industry then we'd like to make sure it's widely adopted across browsers.

Apart from that can you let us know any other status or updates?

@torgo torgo added this to the 2023-09-04-week milestone Sep 3, 2023
@RByers
Copy link

RByers commented Sep 18, 2023

A few of us met at TPAC to discuss this: @torgo, @stephenmcgruer, Gerhard Oosthuizen, @cynthia and myself. Here's my summary of the conversation, please let me know if I missed or mis-recalled anything.

First Dan said the TAG wanted to understand how we could help web payments shift towards something better than forms long-term. We all agree that entering strings into text fields is a sub-optimal user experience for completing a payment. @stephenmcgruer described the many years of efforts from WPWG and others, and how the industry is continuing to shift towards payment apps - whether via PaymentRequest or some other mechanism on top of web platform primitives. We talked a bit about things we may (or may not) be able to do to further accelerate a reduction on reliance of input fields, but I think there was agreement that input fields weren't going to just go away anytime soon. Certainly @stephenmcgruer and I intend to continue investing in approaches in Chrome to help meet the needs of the payments industry outside of input fields, but feel we need to address this tactical and pragmatic issue with payment forms in parallel with that.

Secondly we discussed my proposal above to shift the policy away from a nuanced implementation detail of autofill (shared-autofill) to more of a trust model for the embedder/embedee relationship around collecting user data. We heard that pii-input was a bad name because "PII" has a very specific legal meaning we wouldn't want to confuse things with. Otherwise Dan said he'd like to discuss this more with the TAG and get back to us ASAP.

On Chrome, we'd like to proceed with some urgency in this direction. Our current thinking is that we'll update our proposal to use the permission name input but defined in a way that gives the user agent latitude in deciding which forms of "input" are risky enough to disallow in frames lacking this permission. Frames with the input permission would be expected to accept all forms of input exactly as if they were operating in the top frame. In Chrome we'd start by only gating new automated input scenarios like shared-autofill on the input permission, but over time we'd explore whether there are existing classes of input we could begin to warn about or restrict when this permission is lacking. We welcome feedback on this approach, and I'll post pointers here as we proceed down the path of trying to ship this.

@torgo torgo modified the milestones: 2023-09-04-week, 2023-10-09-week Oct 8, 2023
@torgo
Copy link
Member

torgo commented Oct 10, 2023

Hi @RByers - Discussed briefly today and there is rough consensus that this is the right approach. We'd like to see it written up in a revised proposal – is that in the works?

@RByers
Copy link

RByers commented Oct 11, 2023

Great, glad to hear it @torgo! I'm personally excited about taking steps towards making the web's model for user data acquisition more explicit...

Yes @schwering is working on an updated proposal but it may be delayed a bit now as something more urgent came up for him. We'll ping this review whenever the explainer and spec PR have been updated. But also this is really just a change of positioning / long-term goal (and policy name) with the immediate next step otherwise unchanged.

@hadleybeeman
Copy link
Member

Hi @RByers! Just to clarify, after a quick conversation at our plenary meeting today — we would appreciate it if you could explore some abuse scenarios in your updated proposal. We had some concerns, and would really value your thoughts on how to mitigate any potential problems. Huge thanks!

@RByers
Copy link

RByers commented Oct 12, 2023

Hi @hadleybeeman, do you mean improving on the existing attack vectors section of the explainer which focuses on how the narrow case of autofill split across frames could potentially be abused? Or do you mean broaden the abuse discussion to autofill in 3p iframes generally (i.e. status quo in multiple browsers) and how the new proposal gives a path to potentially reduce that risk over time? Or maybe both?

@torgo
Copy link
Member

torgo commented Nov 16, 2023

Hi @RByers - we just discussed in TAG plenary today and I think what we're asking for is more the first thing - expansion on the existing attack vectors discussion - although in my view "attack vectors" may be too narrow a framing. What we're concerned about is general abuse scenarios of this new proposal: given that this new proposal is in place, what are the abuse scenarios, including by actors who may be "legitimate actors", and what are the mitigations against those? In other words, how may this be mis-used by players in the web ecosystem?

@torgo
Copy link
Member

torgo commented May 15, 2024

Hi @RByers - we were just briefly reviewing status on this. First of all, has there been any update that we should be aware of? Should we be re-reviewing at this point?

@schwering
Copy link
Author

Hi Daniel! I'm currently revising the proposal, broadening its scope from autofill to (keyboard) input in iframes. I'll update the thread here when I have something to share.

@plinss plinss removed this from the 2024-05-20-week:e milestone May 27, 2024
@torgo torgo added this to the 2024-06-17-week:a milestone Jun 16, 2024
@plinss plinss removed this from the 2024-06-17-week:a milestone Jun 24, 2024
@schwering
Copy link
Author

Hi folks, resurrecting this :-).

We've generalized the proposal to addresses the problem of (text) input in 3P documents.

As @RByers wrote above:

the fundamental big-picture challenge here is that an <iframe> implicitly indicates a 3P is trusted to both present information (draw pixels) and collect information (input), potentially even highly sensitive information, with no ability to separate these concepts. [...] Ultimately users can really only reason about a trust relationship with the top-level origin (what's displayed in a URL bar) and that origin needs the ability to delegate trust appropriately to it's 3P dependencies.

In this spirit, we're proposing two policy-controlled features by which the embedding document can limit an embedded document's ability to receive text input.

These features are non-normative hints that text input may be unsafe. The browser can use them as signal to warn the user or even suppress the input events in the embedded document. We'd want to roll this out carefully to avoid breaking changes, with the long term vision of default-disabling text input in 3P documents.

We propose two policy-controlled features:

The difference between the two is that autofill may target multiple documents at once. That is, a document may receive autofill input without the user interacting with that document directly. We think this presupposes a greater level of trust than, say, keyboard input, and therefore requires a separate policy-controlled feature.

I'd be curious to hear the TAG's thoughts on this revision!

The proposal has of course changed quite a bit from what this TAG review was about initially. Happy to file a separate a issue if you prefer.

@jyasskin
Copy link
Contributor

Could you update https://github.com/schwering/shared-autofill to point at the active proposals? You should probably also close whatwg/html#8801.

What would you expect to happen if an iframe has allow="autofill" without including manual-text? It might be user-hostile to force them to only use autofill? Should UAs assume that autofill implies manual-text, or do you know of attacks that allows?

Do you have a sense of what fraction of user input this would break, and how many entities would need to update their code to fix the desired input?

@schwering
Copy link
Author

Should UAs assume that autofill implies manual-text

Yes, I think that'd be sensible. If the UA dispatches one of the text-producing events while autofilling a form control, that'd even be necessary (well, except that manual-text isn't normative, of course).

Do you have a sense of what fraction of user input this would break, and how many entities would need to update their code to fix the desired input?

It affects about 18% of the credit card forms. I don't have more general numbers at the moment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Missing: Multi-stakeholder support Lack of multi-stakeholder support Missing: venue privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. Progress: pending external feedback The TAG is waiting on response to comments/questions asked by the TAG during the review
Projects
None yet
Development

No branches or pull requests

10 participants