From 39970864784bb3c695391a9734262e913455c841 Mon Sep 17 00:00:00 2001 From: Matt Garrish Date: Wed, 18 May 2022 12:55:23 -0300 Subject: [PATCH 1/5] Make security recommendations normative and add text about not trusting unsigned publications --- epub33/rs/index.html | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/epub33/rs/index.html b/epub33/rs/index.html index e90ccfc53..66d954826 100644 --- a/epub33/rs/index.html +++ b/epub33/rs/index.html @@ -1152,8 +1152,8 @@

Cascading Style Sheets (CSS)

  • MUST support [[truetype]], - [[opentype]], [[woff]], and [[woff2]] font resources referenced from - @font-face rules + [[opentype]], [[woff]], and [[woff2]] font resources referenced from @font-face rules [[css-fonts-4]].
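Review bot: the @font-face hunk (adding the [[css-fonts-4]] reference and reflowing the list item) has nothing to do with the security and privacy wording this commit's subject line describes; split it into its own commit, or at least mention it in the commit message, so the change log entry and blame history for the security sections stay accurate.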

  • @@ -2183,10 +2183,10 @@

    Accessibility

    The DAISY Consortium maintains an accessibility test suite to aid in evaluating these issues and more.

    -
    +

    Security and privacy

    -
    +

    Overview

    The particularity of an [=EPUB publication=] is its structure. The EPUB format provides a means of @@ -2208,13 +2208,14 @@

    Overview

    -
    +

    Threat model

    The greatest threats to users come from the content they read [[epub-33]], and the first line of defense against these attacks is the reading systems they use. Users expect that reading systems act as safeguards against malicious content and are - often unaware that EPUB publications are susceptible to the same security risks as web sites.

    + often unaware that [=EPUB publications=] are susceptible to the same security risks as web + sites.

    But although reading systems are relied on to provide security and privacy, they can also pose unintended threats to users depending on how information is handled. Tracking user information to @@ -2238,6 +2239,9 @@

    Threat model

    EPUB publications may contain resources designed to exploit security flaws in reading systems or the operating systems they run on.

    +

    The lack of a standard method of signing EPUB publications means that reading systems cannot + always verify whether the content has been tampered with between authoring and loading in + the device.

    Remote resources
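Review bot: the sentence added at the end of this hunk says reading systems "cannot always verify whether the content has been tampered with", but with no signature and no out-of-band hash there is nothing to verify against, so "not always" understates the problem, and it sits uneasily with the recommendation later in this same commit that uses "unsigned" as the example of an untrustworthy publication: by this sentence essentially every publication is unsigned. Suggest: "Because there is no standard method of signing EPUB publications, reading systems generally cannot verify that a publication has not been modified between authoring and loading, nor establish who produced it; any trust in the content has to come from the channel through which it was obtained." If the OCF container specification still defines an optional META-INF/signatures.xml, qualify "lack of a standard method" (e.g., "no widely implemented method or trust model for signatures") so the two documents do not contradict each other.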
    @@ -2300,28 +2304,32 @@

    Recommendations

    The strongest measure that reading system developers can take for privacy is to specify the data they intend to collect and use about the user and/or their reading behavior and seek the consent of users - to obtain it. They should also allow personalization and control over this information.

    + to obtain it. They SHOULD also allow personalization and control over this information.

    If a reading system allows users to store persistent data, especially personally identifiable - information, it must treat that data as sensitive.

    + information, it SHOULD treat that data as sensitive and not allow access to it by third parties.

    It is understood that the collection of some user data may be required for the sale, delivery, and operation of an EPUB publication, particularly on platforms where the sale of an EPUB publication - and the method of reading it are connected. In these cases, it is recommended that the reading - system or retailer be clear about the data being collected, how it is used, and allow for user - opt-outs where possible. Anonymization of data is strongly recommended for the privacy and the - security of the user and reading system.

    + and the method of reading it are connected. In these cases, the reading system SHOULD identify the + data being collected, how it is used, and allow for user opt-outs (retailers may choose to inform + users by other means, however, such as when a user creates an account on their web site). + Anonymization of any collected data is strongly RECOMMENDED for the privacy and the security of the + user and reading system.

    It is also understood that user data may be required or helpful for some reading system affordances. - In these cases, anonymization is strongly recommended. It is also recommended that reading systems - inform users of what data is needed, what it is to be used for, and to provide methods to - opt-out.

    + In these cases, anonymization is also strongly RECOMMENDED. Reading systems also SHOULD inform users + of what data is needed, what it is to be used for, and to provide methods to opt-out.

    Content processors — defined as entities that handle the ingestion of EPUB content for - distribution, display, or sale — should also be aware of the potential risks in ingestion. It + distribution, display, or sale — also need to be aware of the potential risks in ingestion. It is advised that content processors check content for malicious content on ingestion, in addition to the validation steps that usually occur. This could include running virus scans, validating external links and remote resources, and other precautions.

    + +

    Reading systems that allow users to load untrustworthy EPUB publications (e.g., unsigned EPUB + publications through the process of "sideloading") SHOULD treat such content as insecure (e.g., + prompt users to allow scripting and network access).
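Review bot: the last added paragraph equates "untrustworthy" with "unsigned ... sideloaded", but since the threat-model text added earlier in this commit says there is no standard signing method, unsigned is the normal case rather than a distinguishing signal; the real trust boundary is provenance (obtained through a channel the reading system trusts versus loaded from an arbitrary file). Reword to "publications whose origin the reading system cannot verify (e.g., files loaded through 'sideloading')" and drop "unsigned". The parenthetical also makes a prompt the mitigation; a prompt to "allow scripting and network access" still runs the content once the user clicks through, so state the default (scripting and network access disabled for such content unless the user explicitly enables them for that publication) and present the prompt as one way of obtaining that consent. Two smaller points in the same hunk: "it must treat that data as sensitive" was downgraded to "SHOULD treat", which weakens the only requirement about persistently stored personally identifiable information while the commit's stated aim is to make the text normative, so MUST is the appropriate keyword there (and "third parties" needs a definition, or at least an example, to be testable); and "also need to be aware" / "It is advised that content processors check content for malicious content" is still informative wording, so if conformance is meant to be assessable, write "content processors SHOULD scan ingested content for malware and validate external links and remote resources" instead.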

    @@ -2552,6 +2560,7 @@

    Change log

    >Working Group's issue tracker.

      +
    • 18-May-2022: Updated privacy and security recommendations to use normative language.
    • 17-May-2022: Added an index of terms. See issue 2260.
    • 31-Mar-2022: Moved custom attribute authoring requirements to the authoring specification. Added From c6e3d77b9af509da57b210074307a795a2caa107 Mon Sep 17 00:00:00 2001 From: Matt Garrish Date: Wed, 18 May 2022 13:27:45 -0300 Subject: [PATCH 2/5] make privacy and security recommendations normative in core and a11y specs --- epub33/core/index.html | 33 +++++++++++++++++---------------- epub33/rs/index.html | 3 +++ 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/epub33/core/index.html b/epub33/core/index.html index bba8a6b05..c286c7697 100644 --- a/epub33/core/index.html +++ b/epub33/core/index.html @@ -9232,10 +9232,10 @@

      Accessibility

      reference the latest accessibility requirements).

    -
    +

    Security and privacy

    -
    +

    Overview

    The particularity of an [=EPUB publication=] is its structure. The EPUB format provides a means of @@ -9257,7 +9257,7 @@

    Overview

    -
    +

    Threat model

    EPUB publications pose a variety of privacy and security threats to unsuspecting users. Many of these @@ -9392,7 +9392,7 @@

    EPUB-specific features

    Recommendations

    Although EPUB creators cannot prevent every method of exploiting users, they are ultimately - responsible for the secure construction of their content. That means that they should take + responsible for the secure construction of their content. That means that they need to take precautions to limit the exposure of their EPUB publications to the types of malicious exploits described in the previous section.
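Review bot: "need to take precautions" replaces "should take precautions" but is not an RFC 2119 keyword, so this hunk does not make the sentence normative as the commit message says; use SHOULD (or MUST, if the working group wants the requirement to be checkable) and reserve "need to" for the informative framing in the first half of the sentence.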

    @@ -9414,27 +9414,27 @@

    Recommendations

    EPUB creators also need to consider the privacy rights of users and avoid situations where they are - intentionally collecting data. Ideally, EPUB creators should not track their users, but this is not + intentionally collecting data. Ideally, EPUB creators SHOULD NOT track their users, but this is not realistic for all types of publishing.

    -

    When tracking must occur, EPUB creators should obtain the approval of the user to collect information - prior to opening the EPUB publication (e.g., in educational course work). If this is not possible, - they should obtain permission when users access the EPUB publication for the first time. EPUB - creators should also allow users to opt out of tracking, when feasible, and provide users the - ability to manage and delete any data that is collected about them.

    +

    When EPUB creators have to track users, they SHOULD obtain the approval of the user to collect + information prior to opening the EPUB publication (e.g., in educational course work). If this is not + possible, they SHOULD obtain permission when users access the EPUB publication for the first time. + EPUB creators SHOULD also allow users to opt out of tracking, and provide users the ability to + manage and delete any data that is collected about them.

    -

    Content authors also need to consider the inadvertent collection of information about users. Linking - to content on a publisher's web site, or remotely hosting resources on their servers, can lead to +

    Content authors also SHOULD avoid inadvertent collection of information about users. Linking to + content on a publisher's web site, or remotely hosting resources on their servers, can lead to profiling users, especially if unique tracking identifiers are added to the URLs.

    -

    When publishers and vendors must use digital rights management schemes, they should prefer schemes +

    When publishers and vendors have to use digital rights management schemes, they SHOULD prefer schemes that do not utilize or transmit information about the user or their content to external parties to perform encryption or decryption.

    EPUB creators who want to maximally limit the privacy and security issues in their EPUB publications - should work to make the content as self-contained as possible. An EPUB publication that comes with - all its needed resources and has no dependencies on network access or links to external content not - only benefits users but reduces future maintenance and improves archivability.

    + SHOULD make the content as self-contained as possible. An EPUB publication that comes with all its + needed resources and has no dependencies on network access or links to external content not only + benefits users but reduces future maintenance and improves archivability.
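Review bot: "Ideally, EPUB creators SHOULD NOT track their users, but this is not realistic for all types of publishing" (first changed paragraph) wraps a normative keyword in two hedges that cancel it; SHOULD NOT already permits documented exceptions, so write "EPUB creators SHOULD NOT track users" and move the "not realistic for all types of publishing" remark into the next paragraph as the rationale for the conditions under which tracking is allowed. The hunk also alternates between "EPUB creators" and "Content authors" for the same actor; pick one term. The DRM sentence ("SHOULD prefer schemes that do not utilize or transmit information about the user or their content to external parties") is a good addition, but add that where such transmission is unavoidable it falls under the consent, opt-out and data-management requirements of the preceding paragraphs; as written, DRM telemetry reads as exempt from them.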

    @@ -11503,6 +11503,7 @@

    Change log

    >Working Group's issue tracker.

      +
    • 18-May-2022: Updated privacy and security recommendations to use normative language.
    • 17-May-2022: Added an index of terms. See issue 2260.
    • 12-Apr-2022: Added note about complexities of escaping from nested escapable structures and updated diff --git a/epub33/rs/index.html b/epub33/rs/index.html index 66d954826..65aad8b0f 100644 --- a/epub33/rs/index.html +++ b/epub33/rs/index.html @@ -2560,6 +2560,9 @@

      Change log

      >Working Group's issue tracker.

        +
      • 18-May-2022: Noted that unsigned EPUB publications represent a security risk and added + recommendation to treat sideloaded unsigned publications as untrusted. See issue 2265.
      • 18-May-2022: Updated privacy and security recommendations to use normative language.
      • 17-May-2022: Added an index of terms. See issue 2260.
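Review bot: the new change log entry says the recommendation is to treat sideloaded unsigned publications as "untrusted", while the spec text it describes says reading systems "SHOULD treat such content as insecure"; align the two, preferably on "untrusted", since that describes the content's status and "insecure" describes the reading system's handling of it. "Noted that unsigned EPUB publications represent a security risk" also overstates what was added: the threat-model text says the absence of a signing method prevents tamper verification, which is narrower.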
      • From 362f738fe81982f252e8de9ffe56fad673cf20aa Mon Sep 17 00:00:00 2001 From: Matt Garrish Date: Thu, 19 May 2022 08:03:41 -0300 Subject: [PATCH 3/5] make a11y privacy and security recommendations normative --- epub33/a11y/index.html | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/epub33/a11y/index.html b/epub33/a11y/index.html index 103e0e60e..492f14a81 100644 --- a/epub33/a11y/index.html +++ b/epub33/a11y/index.html @@ -1640,7 +1640,7 @@

        Distribution

        accessibility by activating a feature that would normally not be active.

    -
    +

    Privacy and security

    The authoring of accessible content does not introduce any new privacy or security considerations for @@ -1656,16 +1656,16 @@

    Privacy and security

    >reading systems, bookstores and any other interface that can build a profile of the user, on the other hand, has the potential to violate individual privacy laws. While it might seem helpful to store and anticipate the type of content a user is most likely to consume, for example, or how best to - initiate its playback, developers should not engage in such profiling unless explicit permission is + initiate its playback, developers SHOULD NOT engage in such profiling unless explicit permission is obtained from the user and a means of easily removing the profile is available.

    Even in the case where a user assents to the application maintaining information about their - accessibility needs, developers must ensure that this information is kept private (e.g., it must not be - shared with third party advertisers or even with the original publisher).

    + accessibility needs, developers SHOULD ensure that this information is kept private (e.g., not share the + information with third party advertisers or even with the original publisher).

    -

    Developers should also be mindful about storing or mining information about the types of searches a user - performs when searching for content based on its accessibility characteristics. This information can be - used to indirectly profile the abilities of users.

    +

    Developers SHOULD NOT store or mine information about the types of searches a user performs when + searching for content based on its accessibility characteristics. This information can be used to + indirectly profile the abilities of users.

    EPUB accessibility vocabulary
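Review bot: "developers must ensure that this information is kept private" became "developers SHOULD ensure", a downgrade for the most sensitive data this section discusses (a stored profile of a user's accessibility needs); since the commit's purpose is to make the recommendations normative rather than to weaken them, MUST is warranted here, keeping the parenthetical example as is. The later change from "should be mindful about storing or mining" to "SHOULD NOT store or mine" accessibility-related search data is a real strengthening and reads correctly, but leaving the profile data at SHOULD makes the section stricter about search logs than about the profile itself; use the same keyword level for both.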

    @@ -1853,6 +1853,7 @@

    Change log

    >working group's issue tracker.

      +
    • 18-May-2022: Updated privacy and security recommendations to use normative language.
    • 17-May-2022: Added an index of terms. See issue 2260.
    • 12-Apr-2022: Restored recommendation to include links to all reproduced pages in the page list and From d13c4358b8500f6368b1413d37c07222a5e77927 Mon Sep 17 00:00:00 2001 From: Matt Garrish Date: Fri, 27 May 2022 10:48:23 -0300 Subject: [PATCH 4/5] remove "strongly" from a couple of more informative->normative translations --- epub33/rs/index.html | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/epub33/rs/index.html b/epub33/rs/index.html index 0a373fc6b..b3154ada7 100644 --- a/epub33/rs/index.html +++ b/epub33/rs/index.html @@ -354,7 +354,7 @@

      Network access

      are not vulnerable to attacks. More information about these risks is provided in .

      -

      If reading system developers allow network access, it is strongly RECOMMENDED both that they:

      +

      If reading system developers allow network access, it is RECOMMENDED both that they:

      • notify users when network activity occurs; and
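Review bot: dropping "strongly" from "strongly RECOMMENDED" is correct (RFC 2119 keywords take no intensifiers, and the same fix appears in the Recommendations hunk later in this patch), but the first list item that follows, "notify users when network activity occurs", describes notification after the fact; given that the surrounding context warns about attacks via network access, consider whether the recommendation should be to obtain the user's consent before network access is granted rather than only to notify. The second list item is not visible in this hunk, so I cannot tell whether it already covers that.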
      • @@ -1730,8 +1730,8 @@

        Loading the media overlay

        media overlays for [=EPUB content documents=].

        - Reading systems MUST support playback for - [=XHTML content documents=], and + Reading systems MUST support playback for [=XHTML + content documents=], and MAY support [=SVG content documents=].

        @@ -1764,12 +1764,12 @@

        Timing and synchronization

        Rendering audio
        -

        When presented with a media overlay - audio element, reading systems MUST play - the audio resource referenced by the src attribute, starting at the clip offset time - given by the clipBegin attribute and - ending at the clip offset time given by the - clipEnd attribute [[epub-33]].

        +

        When presented with a media overlay audio element, reading systems MUST + play the audio resource referenced by the src attribute, starting at the clip + offset time given by the clipBegin + attribute and ending at the clip offset time given by the clipEnd attribute [[epub-33]].

        In addition:

        @@ -1829,13 +1829,13 @@

        Interacting with the EPUB content document

        Navigation
        -

        Because the media overlay is closely linked to the - [=EPUB content document=], it is very easy for reading systems to locate a position in the EPUB - content document based on the current position in the media overlay playback. If the user pauses - synchronized playback and navigates to a different part of the [=EPUB publication=], synchronized - playback MUST resume at that point. For example, if a specific page number in the EPUB content - document is the desired location, then this same point is located in the media overlay and playback - started there.

        +

        Because the media overlay is closely linked to + the [=EPUB content document=], it is very easy for reading systems to locate a position in the + EPUB content document based on the current position in the media overlay playback. If the user + pauses synchronized playback and navigates to a different part of the [=EPUB publication=], + synchronized playback MUST resume at that point. For example, if a specific page number in the + EPUB content document is the desired location, then this same point is located in the media + overlay and playback started there.

        This same approach allows for synchronizing the media overlay playback with user selection of a navigation point in the [=EPUB navigation document=]. The reading system loads the media overlay @@ -2300,12 +2300,12 @@

        Recommendations

        and the method of reading it are connected. In these cases, the reading system SHOULD identify the data being collected, how it is used, and allow for user opt-outs (retailers may choose to inform users by other means, however, such as when a user creates an account on their web site). - Anonymization of any collected data is strongly RECOMMENDED for the privacy and the security of the - user and reading system.

        + Anonymization of any collected data is RECOMMENDED for the privacy and the security of the user and + reading system.

        It is also understood that user data may be required or helpful for some reading system affordances. - In these cases, anonymization is also strongly RECOMMENDED. Reading systems also SHOULD inform users - of what data is needed, what it is to be used for, and to provide methods to opt-out.

        + In these cases, anonymization is also RECOMMENDED. Reading systems also SHOULD inform users of what + data is needed, what it is to be used for, and to provide methods to opt-out.

        Content processors — defined as entities that handle the ingestion of EPUB content for distribution, display, or sale — also need to be aware of the potential risks in ingestion. It From b87c8d74491f45614f9fc7c0e3f6714b2b231276 Mon Sep 17 00:00:00 2001 From: Ivan Herman Date: Mon, 6 Jun 2022 09:49:49 +0200 Subject: [PATCH 5/5] Added anchors to the change items introduced by this branch/PR --- epub33/a11y/index.html | 2 +- epub33/core/index.html | 2 +- epub33/rs/index.html | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/epub33/a11y/index.html b/epub33/a11y/index.html index 2bbecdefa..ac05b85b8 100644 --- a/epub33/a11y/index.html +++ b/epub33/a11y/index.html @@ -1854,7 +1854,7 @@

        Change log

        • 18-May-2022: Updated privacy and security recommendations to use normative language.
        • -
        • 17-May-2022: Added an index of terms. See 17-May-2022: Added an index of terms. See issue 2260.
        • 12-Apr-2022: Restored recommendation to include links to all reproduced pages in the page list and added a requirement to link to all page break markers to address concerns with the previous change. diff --git a/epub33/core/index.html b/epub33/core/index.html index 7deb01e17..124d9775f 100644 --- a/epub33/core/index.html +++ b/epub33/core/index.html @@ -11519,7 +11519,7 @@

          Change log

          >Working Group's issue tracker.

            -
          • 31-May-2022: Updated privacy and security recommendations to use normative language.
          • +
          • 31-May-2022: Updated privacy and security recommendations to use normative language.
          • 27-May-2022: Added recommendation to only reference remote resources via https. See issue 2263.
          • 20-May-2022: Add recommendation not to store sensitive user data in persistent storage, and to diff --git a/epub33/rs/index.html b/epub33/rs/index.html index b80a70e74..731580705 100644 --- a/epub33/rs/index.html +++ b/epub33/rs/index.html @@ -2575,7 +2575,7 @@

            Change log

          • 31-May-2022: Noted that unsigned EPUB publications represent a security risk and added recommendation to treat sideloaded unsigned publications as untrusted. See issue 2265.
          • -
          • 31-May-2022: Updated privacy and security recommendations to use normative language.
          • +
          • 31-May-2022: Updated privacy and security recommendations to use normative language.
          • 27-May-2022: Added reading system conformance section. See issue 2271.
          • 27-May-2022: Added recommendation to only load remote resources referenced via https. See
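Review bot: the change log entries this branch added carry hard-coded dates that have already drifted during the series: patch 2 inserted them as "18-May-2022" and the context in this hunk now shows the same entries as "31-May-2022", alongside 27-May and 20-May entries that are not part of this PR, so the branch has been rebased onto later changes. Set the dates when the PR is merged (or use the merge date consistently across the a11y, core and rs change logs) rather than leaving whichever value the last rebase produced; the anchors themselves look fine.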