From f1e8a19b947452fd4e9c451ba52da9144107e012 Mon Sep 17 00:00:00 2001 From: Derek Schuff Date: Wed, 2 Oct 2024 17:37:53 -0700 Subject: [PATCH] Add a minimal Security and Privacy Considerations section to Web API (#1818) These considerations are aimed at answering the questions to consider from the TAG security and privacy questionnaire: https://www.w3.org/TR/security-privacy-questionnaire/ --- document/web-api/index.bs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/document/web-api/index.bs b/document/web-api/index.bs index 4bbc8a5f27..c086c43208 100644 --- a/document/web-api/index.bs +++ b/document/web-api/index.bs @@ -305,6 +305,18 @@ application/wasm +

Security and Privacy Considerations

+ +

This section is non-normative.

+WebAssembly provides no access to the surrounding environment other than via the JavaScript API described in the [[WASMJS|JS API]] specification. +Therefore, WebAssembly cannot collect or expose any information (personal, sensitive or otherwise) to Web sites or other parties beyond what can be collected, exposed or processed with JavaScript. +WebAssembly memory has the same lifetime as the objects in the surrounding JavaScript environment and is not persisted or serialized (other than by copying it out to JavaScript and using existing serialization APIs). +No access is provided to the underlying platform or hardware, or to other devices, or to the user agent’s native UI. + +WebAssembly is an additional program execution mechanism, and can be executed wherever JavaScript can be executed. +Therefore the threat model is essentially the same as for JavaScript code, and has similar considerations for delivery (e.g. WebAssembly code should be protected in transit from active and passive network attackers) +and policy (e.g. some loading mechanisms or execution are restricted via mechanisms such as the same-origin policy or Content Security Policy). +

Change History

This section is non-normative.