Design Review #685

#685: Feature policy for Keyboard API

Opened Oct 27, 2021

Braw mornin' TAG!

I'm requesting a TAG review of adding a feature policy for Keyboard API.

The Keyboard API has been shipped, and this change just adds a new feature policy so web authors can access it from same/cross origin iframes. We wanted to get TAG's opinion on this change. Here is a brief summary: getLayoutMap() used in conjunction with code solves the problem of identifying the actual key pressed in keyboard with different layout maps such as English vs French keyboards, but since getLayoutMap() isn't available in all contexts (can't be used inside iframes), Office web apps like Excel, Word, PowerPoint, etc. that show up as embedded experiences in Outlook Web, Teams, etc. and are running in iframes, can't use this API. Adding keyboard-map to the allow attribute list solves this problem.

Explainer¹ (minimally containing user needs and example code): (https://wicg.github.io/keyboard-map/#permissions-policy).
User research: N/A
Security and Privacy self-review²: [https://wicg.github.io/keyboard-map/#security]
GitHub repo (if you prefer feedback filed there): https://github.com/wicg/keyboard-map/issues/
Primary contacts (and their relationship to the specification):
- Anupam Snigdha, Microsoft
Organization/project driving the design: Microsoft
External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://www.chromestatus.com/feature/5657965899022336

Further details:

I have reviewed the TAG's Web Platform Design Principles
The group where the incubation/design work on this is being done (or is intended to be done in the future): Editing WG
The group where standardization of this work is intended to be done ("unknown" if not known): Editing WG
Existing major pieces of multi-stakeholder review or discussion of this design:
Major unresolved issues with or opposition to this design:
This work is being funded by: Microsoft

You should also know that... Here is an existing issue describing the problem: https://github.com/WICG/keyboard-map/issues/38

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify [snianu]

Discussions

Comment by @chrishtr Oct 28, 2021 (See Github)

Hi, just noting that the keyboard API feature is in #238. But it seems to have been closed without any comments, not sure what that meant?

Comment by @torgo Nov 10, 2021 (See Github)

Hi @chrishtr I dug back through the relevant minutes and seems we were happy. I've updated the issue appropriately.

Discussed Dec 1, 2021 (See Github)

Dan: fingerprinting issue

Yves: yes but less intrusive than the font list

Lea: I think this feature adds a lot of value

Sangwhan: this increases risk for outliers - people who use minority keyboards.

Yves: accessibility devices as well?

Sangwhan: A small subset of users who rely on AT can be fingerprinted... So if your IP is french, your language is french, and keyboard is us-english then that fingerprints you... However the gains outweigh the risks. So many other ways to detect these kinds of outliers.

Yves: I agree.

Dan: Someone want to leave a closing comment?

Sangwhan: good idea.

Comment by @torgo Dec 9, 2021 (See Github)

We've reviewed in today's session at our TAG virtual f2f. Although it looks like there may be additional fingerprinting surface area exposed (as noted under privacy concerns) we agree the utility outweighs the risks. We're happy with this and are therefore closing the review. Thanks for sending this our way.