Merge pull request #87 from cabanier/security-update

Manishearth · web-flow · commit d28eb78e8782 · 2021-03-02T12:47:30.000-08:00
Added additional clarification in security section
diff --git a/index.bs b/index.bs
@@ -106,6 +106,8 @@ spec:webidl;
 </pre>
 
 <pre class="anchors">
+spec:html; urlPrefix: https://html.spec.whatwg.org/multipage/
+    type: dfn; text: browsing context; url: browsers.html#browsing-context
 </pre>
 
 
@@ -421,13 +423,25 @@ The user-agent MUST set {{XRJointPose/radius}} to an emulated value if the [=/XR
 
 Privacy & Security Considerations {#privacy-security}
 =================================
-The WebXR Hand Input API is a powerful feature with that carries significant privacy risks.
+The WebXR Hand Input API is a powerful feature that carries significant privacy risks.
 
 Since this feature returns new sensor data, the User Agent MUST ask for [=explicit consent=] from the user at session creation time.
 
 Data returned from this API, MUST NOT be so specific that one can detect individual users.
 If the underlying hardware returns data that is too precise, the User Agent MUST anonymize this data
-(ie by adding noise or rounding) before revealing it through the WebXR Hand Input API.
+before revealing it through the WebXR Hand Input API.
 
-This API is only supported in XRSessions created with XRSessionMode of {{XRSessionMode/"immersive-vr"}}
+This API MUST only be supported in XRSessions created with XRSessionMode of {{XRSessionMode/"immersive-vr"}}
 or {{XRSessionMode/"immersive-ar"}}. {{XRSessionMode/"inline"}} sessions MUST not support this API.
+
+<div class="note">
+When anonymizing the hands data, the UA can follow these guidelines:
+ * Noising is discouraged in favour of rounding.
+ * If the UA uses rounding, each joint must not be rounded independently. Instead the correct way to round is to map each hand to a static hand-model.
+ * If noising, the noised data must not reveal any information over time:
+    - Each new WebXR session in the same [=browsing context=] must use the same noise to make sure that the data cannot be de-noised by creating multiple sessions.
+    - Each new [=browsing context=] must use a different noise vector.
+    - Any seed used to initialize the noise must not be predictable.
+ * Anonymization must be done in a trusted environment.
+
+</div>
