From c2c7f20a47db86d68a8b70690124064d0702621f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Thu, 27 Aug 2020 15:47:35 +1000 Subject: [PATCH 1/5] Reject non-http URLs for url member --- index.html | 3 +++ 1 file changed, 3 insertions(+) diff --git a/index.html b/index.html index c44c55a..f082690 100644 --- a/index.html +++ b/index.html @@ -177,6 +177,9 @@

  • If |url| is failure, return a promise rejected with {{TypeError}}.
  • +
  • If |url|'s [=URL/scheme=] is not "http" or "https", + return a promise rejected with {{TypeError}}. +
  • Set |data| to a copy of |data|, with its {{ShareData/url}} member set to the result of running the URL serializer on |url|. From 440cb3167f998c4987d35d8dacf7c8d3fe362c21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Thu, 27 Aug 2020 17:19:15 +1000 Subject: [PATCH 2/5] Add security consideration --- index.html | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index f082690..ddd033b 100644 --- a/index.html +++ b/index.html @@ -36,6 +36,14 @@ browsers: ["chrome", "firefox", "safari", "edge", "and_chr", "and_ff", "ios_saf"], }, xref: "web-platform", + localBiblio: { + "Wylecial": { + "date": "2020-08-25", + "title": "Stealing local files using Safari Web Share API", + "Author": "Pawel Wylecial", + "href": "https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html" + } + } }; @@ -177,8 +185,8 @@

  • If |url| is failure, return a promise rejected with {{TypeError}}.
  • -
  • If |url|'s [=URL/scheme=] is not "http" or "https", - return a promise rejected with {{TypeError}}. +
  • If |url|'s [=URL/scheme=] is not "http" or "https", return + a promise rejected with {{TypeError}}.
  • Set |data| to a copy of |data|, with its {{ShareData/url}} member set to the result of running the URL serializer @@ -468,6 +476,21 @@

    guard against this, but implementors will want to be aware that it is a possibility.

  • +
  • Earlier iterations of this API allowed sharing URLs of any scheme + type via {{ShareData}}'s {{ShareData/url}} member. This was shown to be + a security vulnerability and the + {{ShareData/url}} member was restricted to only accepting the "http:" + and "https:" URL schemes. However, this mitigation is insufficient to + fully protect applications or operating systems that accept URLs as + part of a share (i.e, "share targets"). Share targets need to be + careful when dereferencing shared URLs for the purposes of, for + example, generating user-friendly previews: The risk is that share + targets could retrieve content from the URL, and that they might follow + redirects (or be subject to DNS tweaking) in order to exploit their + position in the network to access information that might otherwise be + protected by firewalls and similar. If the application also passes on + that information, that leads to an unexpected information leakage. +
  • From 26b3bea5cba87ed887f3ea92a1d3ea75085c623d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Fri, 11 Sep 2020 16:09:33 +1000 Subject: [PATCH 3/5] Update index.html Co-authored-by: Martin Thomson --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index ddd033b..89f4552 100644 --- a/index.html +++ b/index.html @@ -482,7 +482,7 @@

    {{ShareData/url}} member was restricted to only accepting the "http:" and "https:" URL schemes. However, this mitigation is insufficient to fully protect applications or operating systems that accept URLs as - part of a share (i.e, "share targets"). Share targets need to be + part of a share (i.e., "share targets"). Share targets need to be careful when dereferencing shared URLs for the purposes of, for example, generating user-friendly previews: The risk is that share targets could retrieve content from the URL, and that they might follow From 78191dd9999253e9085974870cf00c549daff43e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Wed, 16 Sep 2020 19:20:20 +1000 Subject: [PATCH 4/5] Update based on Martin's updated wording --- index.html | 49 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/index.html b/index.html index f3f275f..289f098 100644 --- a/index.html +++ b/index.html @@ -475,20 +475,41 @@

    guard against this, but implementors will want to be aware that it is a possibility.

  • -
  • Earlier iterations of this API allowed sharing URLs of any scheme - type via {{ShareData}}'s {{ShareData/url}} member. This was shown to be - a security vulnerability and the - {{ShareData/url}} member was restricted to only accepting the "http:" - and "https:" URL schemes. However, this mitigation is insufficient to - fully protect applications or operating systems that accept URLs as - part of a share (i.e., "share targets"). Share targets need to be - careful when dereferencing shared URLs for the purposes of, for - example, generating user-friendly previews: The risk is that share - targets could retrieve content from the URL, and that they might follow - redirects (or be subject to DNS tweaking) in order to exploit their - position in the network to access information that might otherwise be - protected by firewalls and similar. If the application also passes on - that information, that leads to an unexpected information leakage. +
  • +

    + Share targets that dereference a shared URL and forward that + information on might inadvertently forward information that might + be otherwise confidential. This can lead to unexpected information + leakage if shares reference content that is only accessible by that + application, the host on which it runs, or its network location. +

    +

    + Malicious sites might exploit share targets that leak information + by providing URLs that ultimately resolve to local resources, + including, but not limited to, "file:" URLs or local services that + might otherwise be inaccessible. Even though this API limits shared + URLS to "http:" and "https:", use of redirects to other URLs or + tweaks to DNS records for hosts in those URLs might be used to + cause applications to acquire content. +

    +

    + To avoid being used in these attacks, share targets can consume the + URL, retrieve the content, and process that information without + sharing it. For instance, a photo editing application might + retrieve an image that is "shared" with it. A share target can also + share the URL without fetching any of the referenced content. +

    +

    + Share targets that fetch content for the purposes of offering a + preview or for sharing content risk information leakage. Content + that is previewed and authorized by a user might be safe to + forward, however it is not always possible for a person to identify + when information should be confidential, so forwarding any content + presents a risk. In particular, the {{ShareData/title}} might be + used by an attacker to trick a user into misinterpreting the nature + of the content, as demonstrated in the [[Wylecial]] proof of concept attack. +

  • From 65c11532889bce7d72d2dfbfc52e8c664e995c53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Mon, 21 Sep 2020 19:19:15 +1000 Subject: [PATCH 5/5] Disable linking to Wylecial article --- index.html | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/index.html b/index.html index 289f098..bfa443f 100644 --- a/index.html +++ b/index.html @@ -35,14 +35,15 @@ browsers: ["chrome", "firefox", "safari", "edge", "and_chr", "and_ff", "ios_saf"], }, xref: "web-platform", - localBiblio: { - "Wylecial": { - "date": "2020-08-25", - "title": "Stealing local files using Safari Web Share API", - "Author": "Pawel Wylecial", - "href": "https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html" - } - } + // The Wylecial breaks the link checker with bad HTTP code response, so disabling this for now. + // localBiblio: { + // "Wylecial": { + // "date": "2020-08-25", + // "title": "Stealing local files using Safari Web Share API", + // "Author": "Pawel Wylecial", + // "href": "https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html" + // } + // } }; @@ -507,8 +508,11 @@

    when information should be confidential, so forwarding any content presents a risk. In particular, the {{ShareData/title}} might be used by an attacker to trick a user into misinterpreting the nature - of the content, as demonstrated in the [[Wylecial]] proof of concept attack. + of the content. +
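Review bot: in [PATCH 1/5], hunk @@ -177,6 +177,9 @@, the new step rejects any |url| whose [=URL/scheme=] is not "http" or "https" with a bare {{TypeError}}, and nothing next to the step says why. Since the series itself states that earlier iterations allowed any scheme, this is a behaviour change for existing callers. Add a short non-normative note beside the step that points to the security considerations, so an implementer does not later relax the check.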
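Review bot: in [PATCH 2/5], hunk @@ -36,6 +36,14 @@, the "Author" key is capitalised and singular while the sibling keys "date", "title" and "href" are lowercase. ReSpec bibliography entries take a lowercase "authors" array, so the author name is likely to be dropped from the rendered reference. Suggest "authors": ["Pawel Wylecial"]. Also, no [[Wylecial]] citation appears in the text this patch adds; it first appears in 4/5, so the entry is unused at this commit.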
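Review bot: in [PATCH 2/5], hunk @@ -468,6 +476,21 @@, the added consideration writes the schemes as "http:" and "https:" with a trailing colon, while the algorithm step in 1/5 compares [=URL/scheme=] against "http" and "https" without one. Use one form throughout, preferably the one in the algorithm step, so readers do not take these for two different checks. The same "http:"/"https:" spelling is carried into the rewrite in 4/5. "DNS tweaking" and "firewalls and similar" are also loose for a security section; say what the share target ends up fetching.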
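Review bot: in [PATCH 4/5], hunk @@ -475,20 +475,41 @@, the mitigation paragraph ("To avoid being used in these attacks, ...") does not address the vector the preceding paragraph names. That paragraph says redirects and DNS changes can steer an "http:"/"https:" URL to local resources, but the advice only covers not forwarding fetched content. Consider adding that a share target which does fetch should not treat the shared URL's scheme as a guarantee about where the content finally comes from. Two wording nits in the same hunk: "URLS" should be "URLs", and "might inadvertently forward information that might be otherwise confidential" repeats "might".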
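Review bot: in [PATCH 5/5], hunk @@ -35,14 +35,15 @@, the localBiblio block is commented out "for now" with no issue reference, which leaves dead configuration in the document with nothing to prompt its return. Either delete the block and track the broken link in an issue, or keep the entry and, if the link checker allows it, exempt that one URL. The explanatory comment also reads "The Wylecial breaks the link checker"; it is missing a noun such as "link" or "reference".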
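Review bot: in [PATCH 5/5], hunk @@ -507,8 +508,11 @@, removing ", as demonstrated in the [[Wylecial]] proof of concept attack" leaves the claim about {{ShareData/title}} being used to mislead a user with no source at all. The problem stated in the first hunk is the link checker's response to the URL, not the reference itself, so consider keeping a plain attribution (author and title) if the bibliography entry can be kept without its "href", rather than dropping the citation from the prose.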