|
297 | 297 | </li>
|
298 | 298 | <li>Present the user with a choice of one or more <a>share
|
299 | 299 | targets</a>, selected at the user agent's discretion. The user
|
300 |
| - MUST be given the option to cancel rather than choosing any of |
301 |
| - the share targets. Wait for the user's choice. |
| 300 | + agent MUST give the user the option to cancel rather than |
| 301 | + choosing any of the [=share targets=]. Wait for the user's |
| 302 | + choice. |
302 | 303 | </li>
|
303 | 304 | <li>If the user chose to cancel the share operation, [=queue a
|
304 | 305 | global task=] on the [=user interaction task source=] using
|
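Review bot: The rewritten sentence on new lines 300-302 links the term as [=share targets=], but the opening of the same list item (unchanged lines 298-299) still uses the older <a>share targets</a> form, so one step now mixes two link syntaxes for the same definition. Convert the <a>share targets</a> reference in this item to [=share targets=] in the same change. The move from the passive "The user MUST be given the option" to "The user agent MUST give the user the option" is good, since it names who carries the requirement.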
@@ -356,18 +357,6 @@ <h4>
|
356 | 357 | </ol>
|
357 | 358 | </li>
|
358 | 359 | </ol>
|
359 |
| - <p> |
360 |
| - The user agent MUST NOT allow the website to learn which share |
361 |
| - targets are available, or the identity of the chosen target. |
362 |
| - </p> |
363 |
| - <div class="note"> |
364 |
| - {{Navigator/share()}} always shows some form of UI, to give the |
365 |
| - user a choice of application and get their approval to invoke and |
366 |
| - send data to a potentially native application (which carries a |
367 |
| - security risk). For this reason, user agents are prohibited from |
368 |
| - showing any kind of "always use this target in the future" option, |
369 |
| - or bypassing the UI if there is only a single share target. |
370 |
| - </div> |
371 | 360 | </section>
|
372 | 361 | <section>
|
373 | 362 | <h3>
|
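Review bot: Deleting old lines 359-362 removes the only MUST NOT visible in this diff on the website learning which share targets are available or which one was chosen, and the text that replaces it (new lines 601-604) is phrased as a description, "The API does not expose to the website which [=share targets=] are available", rather than as a conformance requirement. If the section receiving the new text is informative, nothing normative remains for implementers to be tested against, so either keep the MUST NOT sentence here or restate the requirement with MUST NOT where it lands. The deleted note also gave the reason the UI is always shown (approval before data goes to a potentially native application, "which carries a security risk"), and that rationale does not appear in any of the added lines shown; it is worth carrying over.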
@@ -609,11 +598,17 @@ <h2>
|
609 | 598 | (depending on the underlying platform).
|
610 | 599 | </p>
|
611 | 600 | <ul>
|
612 |
| - <li>There is a requirement to not allow the website to learn which apps |
613 |
| - are installed, or which app was chosen from {{Navigator/share()}}, |
614 |
| - because this information could be used for fingerprinting, as well as |
| 601 | + <li>The API does not expose to the website which [=share targets=] are |
| 602 | + available, or which share target was chosen by the user from |
| 603 | + {{Navigator/share()}}. Doing so could be used for fingerprinting by |
615 | 604 | leaking details about the user's device.
|
616 | 605 | </li>
|
| 606 | + <li>User agents are discouraged from showing any kind of "always use |
| 607 | + this target in the future" option, or bypassing the UI if there is only |
| 608 | + a single share target. Further, calls to {{Navigator.share()}} require |
| 609 | + [=transient activation=] (i.e., some kind of user activation) before |
| 610 | + any UI is presented to the user. |
| 611 | + </li> |
617 | 612 | <li>Implementors will want to carefully consider what information is
|
618 | 613 | revealed in the error message when {{Navigator/share()}} is rejected.
|
619 | 614 | Even distinguishing between the case where no targets are available and
|
|
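Review bot: New line 606 says user agents are "discouraged" from offering an "always use this target in the future" option or skipping the UI when only one target exists, where the note removed earlier in this patch said they are "prohibited" from doing so; that is a weakening of the guidance and should be either reverted to the stronger wording or called out in the commit message as intentional. On new line 608 the reference is written {{Navigator.share()}} with a dot, while every other reference in this diff, including new line 603, uses {{Navigator/share()}}; make it consistent so the link resolves. Minor wording point on new line 603: "Doing so could be used for fingerprinting" reads awkwardly, and "Exposing this information could be used for fingerprinting" would be clearer.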