102102 The above statement is designed to permit feature detection. If
103103 < a for ="Navigator "> < code > share</ code > </ a > is present, there is a
104104 reasonable expectation that it will work and present the user with at
105- least one < a > share target</ a > . Clients should be able to use the
106- presence or absence of this method to determine whether to show UI
107- that triggers its use.
105+ least one < a > share target</ a > . Clients can use the presence or
106+ absence of this method to determine whether to show UI that triggers
107+ its use.
108108 </ div >
109109 < section >
110110 < h4 >
@@ -115,18 +115,24 @@ <h4>
115115 < var > data</ var > , run the following steps:
116116 </ p >
117117 < ol >
118- < li > Let < var > p</ var > be a newly created promise.
118+ < li > Let < var > p</ var > be < a data-cite =
119+ "!promises-guide#a-new-promise "> a new promise</ a > .
119120 </ li >
120121 < li > If < var > data</ var > 's < a for ="ShareData "> url</ a > member is
121122 < a data-cite ="!WEBIDL#dfn-present "> present</ a > :
122123 < ol >
124+ < li > Let < var > base</ var > be the < b > this</ b > value's
125+ < a data-cite ="!HTML#relevant-settings-object "> relevant
126+ settings object</ a > 's < a data-cite ="!HTML#api-base-url "> API
127+ base URL</ a > .
128+ </ li >
123129 < li > Let < var > url</ var > be the result of running the
124130 < a data-cite ="!URL#concept-url-parser "> URL parser</ a > on < var >
125- data</ var > 's < a for ="ShareData "> url</ a > , with the document's
126- < a data-cite ="!HTML#document-base-url "> base URL</ a > , and no
127- < var > encoding override</ var > .
131+ data</ var > 's < a for ="ShareData "> url</ a > , with
132+ < var > base</ var > , and no < var > encoding override</ var > .
128133 </ li >
129- < li > If < var > url</ var > is failure, reject < var > p</ var > with
134+ < li > If < var > url</ var > is failure, < a data-cite =
135+ "!promises-guide#reject-promise "> reject</ a > < var > p</ var > with
130136 < a data-cite =
131137 "!WEBIDL#exceptiondef-typeerror "> < code > TypeError</ code > </ a > ,
132138 and abort these steps.
@@ -140,52 +146,63 @@ <h4>
140146 </ li >
141147 < li > If the method call was not < a data-cite =
142148 "!HTML#triggered-by-user-activation "> triggered by user
143- activation</ a > , reject < var > p</ var > with < a data-cite =
149+ activation</ a > , < a data-cite =
150+ "!promises-guide#reject-promise "> reject</ a > < var > p</ var > with
151+ < a data-cite =
144152 "!WEBIDL#securityerror "> < code > SecurityError</ code > </ a > , and abort
145153 these steps.
146154 </ li >
147155 < li >
148156 < a data-cite ="!HTML#in-parallel "> In parallel</ a > :
149157 < ol >
150- < li > If there are no < a > share targets</ a > available, reject
151- < var > p</ var > with < a data-cite =
152- "!WEBIDL#aborterror "> < code > AbortError</ code > </ a > , and abort
153- these steps.
158+ < li > If there are no < a > share targets</ a > available,
159+ < a data-cite ="!promises-guide#reject-promise "> reject</ a > < var >
160+ p</ var > with < a data-cite =
161+ "!WEBIDL#aborterror "> < code > AbortError</ code > </ a > , and abort
162+ these steps.
154163 </ li >
155164 < li > Present the user with a choice of one or more < a > share
156165 targets</ a > , selected at the user agent's discretion. The user
157166 MUST be given the option to cancel rather than choosing any of
158167 the share targets. Wait for the user's choice.
159168 </ li >
160- < li > If the user chose to cancel the share operation, reject
161- < var > p</ var > with < a data-cite =
162- "!WEBIDL#aborterror "> < code > AbortError</ code > </ a > , and abort
163- these steps.
169+ < li > If the user chose to cancel the share operation,
170+ < a data-cite ="!promises-guide#reject-promise "> reject</ a > < var >
171+ p</ var > with < a data-cite =
172+ "!WEBIDL#aborterror "> < code > AbortError</ code > </ a > , and abort
173+ these steps.
164174 </ li >
165175 < li > Activate the chosen < a > share target</ a > , < a > convert
166176 < var > data</ var > to a format suitable for ingestion into the
167177 target</ a > , and transmit the converted data to the target. If
168178 an error occurs starting the target or transmitting the data,
169- reject < var > p</ var > with < a data-cite =
170- "!WEBIDL#aborterror "> < code > AbortError</ code > </ a > , and abort
171- these steps.
179+ < a data-cite ="!promises-guide#reject-promise "> reject</ a > < var >
180+ p</ var > with < a data-cite =
181+ "!WEBIDL#aborterror "> < code > AbortError</ code > </ a > , and abort
182+ these steps.
172183 </ li >
173184 < li > Once the data has been successfully transmitted to the
174- target, resolve < var > p</ var > .
185+ target, < a data-cite =
186+ "!promises-guide#resolve-promise "> resolve</ a > < var > p</ var > with
187+ < b > undefined</ b > .
175188 </ li >
176189 </ ol >
177190 </ li >
178191 < li > Return < var > p</ var > .
179192 </ li >
180193 </ ol >
194+ < p >
195+ The user agent MUST NOT allow the website to learn which share
196+ targets are available, or the identity of the chosen target.
197+ </ p >
181198 < div class ="note ">
182199 < a for ="Navigator "> < code > share</ code > </ a > always shows some form of
183200 UI, to give the user a choice of application and get their approval
184201 to invoke and send data to a potentially native application (which
185- carries a security risk). For this reason, user agents MUST still
186- show UI even if there is only a single share target, and MUST NOT
187- perform any kind of "always use this target" to bypass the UI in
188- subsequent share operations .
202+ carries a security risk). For this reason, user agents are
203+ prohibited from showing any kind of "always use this target in the
204+ future" option, or bypassing the UI if there is only a single share
205+ target .
189206 </ div >
190207 </ section >
191208 </ section >
@@ -222,13 +239,13 @@ <h3>
222239 These fields are < a data-cite =
223240 "!WEBIDL#idl-USVString "> < code > USVString</ code > </ a > (as opposed to
224241 < a data-cite ="!WEBIDL#idl-DOMString "> < code > DOMString</ code > </ a > )
225- because they must not contain invalid < a data-cite =
242+ because they are not allowed to contain invalid < a data-cite =
226243 "rfc2781#section-2 "> UTF-16</ a > surrogates. This means the user agent
227244 is free to re-encode them in any Unicode encoding (e.g.,
228245 < a data-cite ="rfc3629#section-3 "> UTF-8</ a > ).
229246 </ div >
230247 < div class ="note ">
231- The < a for ="ShareData "> url</ a > field may contain a < a data-cite =
248+ The < a for ="ShareData "> url</ a > field can contain a < a data-cite =
232249 "!URL#relative-url-with-fragment-string "> relative URL</ a > . In this
233250 case, it will be automatically resolved relative to the current page
234251 location, just like a < a data-cite =
249266 user agent.
250267 </ p >
251268 < p >
252- A share target may not be directly able to accept a < a > ShareData</ a >
269+ A share target might not be directly able to accept a < a > ShareData</ a >
253270 (due to not having been written with this API in mind). However, it
254271 MUST have the ability to receive data that matches some or all of the
255272 concepts exposed in < a > ShareData</ a > . To < dfn > convert data to a format
@@ -259,18 +276,17 @@ <h2>
259276 payload is at the discretion of the share target.
260277 </ p >
261278 < p >
262- Each share target may be made conditionally available depending on the
279+ Each share target MAY be made conditionally available depending on the
263280 < a > ShareData</ a > payload delivered to the < a for ="Navigator "> share</ a >
264281 method.
265282 </ p >
266283 < div class ="note ">
267284 Once a share target has been given the payload, the share is considered
268285 successful. If the target considers the data unacceptable or an error
269- occurs, the target should either recover gracefully, or show an error
270- message to the end-user, because the sender is not going to know that
271- an error occurred. In other words, the < a for ="Navigator "> share</ a >
272- method is "fire and forget"; it does not wait for the target to approve
273- or reject the payload.
286+ occurs, it can either recover gracefully, or show an error message to
287+ the end-user; it cannot rely on the sender to handle errors. In other
288+ words, the < a for ="Navigator "> share</ a > method is "fire and forget"; it
289+ does not wait for the target to approve or reject the payload.
274290 </ div >
275291 < section class ="informative ">
276292 < h3 >
@@ -301,16 +317,16 @@ <h3>
301317 < p >
302318 In some cases, the host operating system will provide a sharing or
303319 intent system similar to Web Share. In these cases, the user agent
304- may simply forward the share data to the operating system and not
320+ can simply forward the share data to the operating system and not
305321 talk directly to native applications.
306322 </ p >
307323 < p >
308324 Mapping the < a > ShareData</ a > to the share target (or operating
309325 system)'s native format can be tricky as some platforms will not have
310326 an equivalent set of fields. For example, if the target has a "text"
311- field but not a "URL" field, it may be necessary to concatenate both
312- the < a for ="ShareData "> text</ a > and < a for ="ShareData "> url</ a > fields
313- of < a > ShareData</ a > and pass the result in the "text" field of the
327+ field but not a "URL" field, one solution is to concatenate both the
328+ < a for ="ShareData "> text</ a > and < a for ="ShareData "> url</ a > fields of
329+ < a > ShareData</ a > and pass the result in the "text" field of the
314330 target.
315331 </ p >
316332 </ section >
@@ -319,33 +335,30 @@ <h3>
319335 < h2 >
320336 Security and privacy considerations
321337 </ h2 >
322- < p >
323- Implementations should observe the following security and privacy
324- advice.
325- </ p >
326338 < p >
327339 Web Share enables data to be sent from websites to native applications.
328340 While this ability is not unique to Web Share, it does come with a
329- number of potential security issues that may vary in severity
341+ number of potential security issues that can vary in severity
330342 (depending on the underlying platform).
331343 </ p >
332344 < ul >
333- < li > User agents MUST NOT allow the website to learn which apps are
334- installed, or which app was chosen from
335- < a > < code > navigator.share</ code > </ a > . This information could be used for
336- fingerprinting, as well as leaking details about the user's device.
345+ < li > There is a requirement to not allow the website to learn which apps
346+ are installed, or which app was chosen from
347+ < a > < code > navigator.share</ code > </ a > , because this information could be
348+ used for fingerprinting, as well as leaking details about the user's
349+ device.
337350 </ li >
338- < li > Implementors should carefully consider what information is revealed
339- in the error message when < a > < code > navigator.share</ code > </ a > is
340- rejected. Even distinguishing between the case where no targets are
341- available and user cancellation may reveal information about which apps
342- are installed on the user's device.
351+ < li > Implementors will want to carefully consider what information is
352+ revealed in the error message when < a > < code > navigator.share</ code > </ a >
353+ is rejected. Even distinguishing between the case where no targets are
354+ available and user cancellation could reveal information about which
355+ apps are installed on the user's device.
343356 </ li >
344- < li > On every call to < a > < code > navigator.share</ code > </ a > , the user MUST
345- be presented with a dialog asking them to select a target application
346- (even if there is only one possible target). This surface serves as a
347- security confirmation, ensuring that websites cannot silently send data
348- to native applications.
357+ < li > There is a requirement that < a > < code > navigator.share</ code > </ a >
358+ presents the user with a dialog asking them to select a target
359+ application (even if there is only one possible target). This surface
360+ serves as a security confirmation, ensuring that websites cannot
361+ silently send data to native applications.
349362 </ li >
350363 < li > Due to the capabilities of the API surface,
351364 < a > < code > navigator.share</ code > </ a > is < a data-cite =
@@ -354,16 +367,17 @@ <h2>
354367 </ li >
355368 < li > Use of < a > < code > navigator.share</ code > </ a > from a < a href =
356369 "https://en.wikipedia.org/wiki/Privacy_mode "> private browsing mode</ a >
357- may leak private data to a third-party application that does not
358- respect the user's privacy setting. User agents should consider
359- presenting additional warnings or disabling the feature entirely when
360- in a private browsing mode.
370+ might leak private data to a third-party application that does not
371+ respect the user's privacy setting. User agents could present
372+ additional warnings or disable the feature entirely when in a private
373+ browsing mode, but this is not mandated as the chooser UI could be
374+ considered sufficient warning.
361375 </ li >
362- < li > The data passed to < a > < code > navigator.share</ code > </ a > may be used
363- to exploit buffer overflow or other remote code execution
376+ < li > The data passed to < a > < code > navigator.share</ code > </ a > might be
377+ used to exploit buffer overflow or other remote code execution
364378 vulnerabilities in native applications that receive shares. There is no
365- general way to guard against this, but implementors should be aware
366- that it is a possibility.
379+ general way to guard against this, but implementors will want to be
380+ aware that it is a possibility.
367381 </ li >
368382 </ ul >
369383 </ section >
0 commit comments