From f877cb4fa563a3173bfbaa64f943428fbeac016e Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Thu, 18 Jul 2024 07:46:16 -0400 Subject: [PATCH 1/3] Preventing Issuer Exhaustion To ensure the issuers the top-level site wants are preserved for use, calling hasPrivateToken up to twice will reserve the two slots for allowed issuers. --- spec.bs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/spec.bs b/spec.bs index f477528..3f775a2 100644 --- a/spec.bs +++ b/spec.bs @@ -1132,6 +1132,15 @@ operations. In the context of a given origin, two redemptions are allowed initia the third redemption is only allowed once more than an [=implementation-defined=] amount of time, usually 48 hours, have elapsed since the first redemption. +Preventing Issuer Exhaustion {#issuer-exhaustion} +----------------------------------------------- +Competing scripts might race to call hasRedemptionRecord(issuer) to ensure their |issuer| +enters the [=issuerAssociations=] [=map=] before the |issuer| of others given a limit of two per +[=environment/top-level origin=]. To control this process, the [=environment/top-level origin=] +could call hasRedemptionRecord(issuer) up to twice before any other JavaScript is included +to ensure their preferred |issuer|s are available. + + Preventing Double Spending {#preventing-double-spend} ----------------------------------------------------- From 0d909e951a64ecdadfbcaffd73439f1d89fb3536 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Thu, 18 Jul 2024 07:46:47 -0400 Subject: [PATCH 2/3] Update spec.bs --- spec.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec.bs b/spec.bs index 3f775a2..45e3b9a 100644 --- a/spec.bs +++ b/spec.bs 
@@ -1134,10 +1134,10 @@ usually 48 hours, have elapsed since the first redemption. Preventing Issuer Exhaustion {#issuer-exhaustion} ----------------------------------------------- -Competing scripts might race to call hasRedemptionRecord(issuer) to ensure their |issuer| +Competing scripts might race to call hasPrivateToken(issuer) to ensure their |issuer| enters the [=issuerAssociations=] [=map=] before the |issuer| of others given a limit of two per [=environment/top-level origin=]. To control this process, the [=environment/top-level origin=] -could call hasRedemptionRecord(issuer) up to twice before any other JavaScript is included +could call hasPrivateToken(issuer) up to twice before any other JavaScript is included to ensure their preferred |issuer|s are available. From 344d11f5679efea7ba512f0f562641b626bc3dc1 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Thu, 18 Jul 2024 07:51:14 -0400 Subject: [PATCH 3/3] Update README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 41c8868..62e0803 100644 --- a/README.md +++ b/README.md @@ -235,6 +235,11 @@ We have a number of mitigations against this attack: When the issuer detects a site is attacking its token supply, it can fail redemption (before the token is revealed) based on the referring origin, and prevent browsers from spending tokens there. +### Issuer Exhaustion + +Given a cap on the issuers usable per top-level origin, there might be a race between third-party scripts to call `hasPrivateToken(issuer)` to ensure their preferred issuer is available. +The top-level document can control this process by calling `hasPrivateToken(issuer)` for its preferred issuers before any other scripts are loaded. +This would ensure the availability of the desired issuers and prevent a race to determine availability. ### Double-Spend Prevention
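Review bot: The new section in PATCH 1/3 names the wrong method: both added sentences say `hasRedemptionRecord(issuer)` while the commit message, and the behaviour the section describes, concern `hasPrivateToken(issuer)`; PATCH 2/3 corrects this, so squash the two so that no commit in the series documents a method that does not reserve a slot. On the same hunk, the paragraph asserts that calling the method puts |issuer| into [=issuerAssociations=], but nothing in the added text points at the algorithm step that does so; link the method call the way the hunk already autolinks [=issuerAssociations=] and [=environment/top-level origin=] rather than writing it as plain text, so the reader can follow the reservation to its definition. "before any other JavaScript is included" is also underspecified for a spec: say whether the slot is taken when the call is made or when its promise settles, because a top-level script that awaits the first call before making the second can still lose the race to a script running in parallel, and since the whole section is written as "might"/"could" guidance, consider marking it as a non-normative note. Minor: the hunk adds two blank lines ahead of "Preventing Double Spending" where the neighbouring sections are separated by one.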
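Review bot: PATCH 2/3 only renames `hasRedemptionRecord(issuer)` to `hasPrivateToken(issuer)` on the two lines added by PATCH 1/3, and its subject line ("Update spec.bs") says nothing about that; either squash it into the first commit or give it a subject that states the fix, so the history does not carry an intermediate revision that describes a method the section was never meant to reference.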
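Review bot: The README hunk in PATCH 3/3 describes the race but not the problem it is meant to address, and the new `### Issuer Exhaustion` heading lands directly after "We have a number of mitigations against this attack", so a reader will take it as one more mitigation for the preceding token-supply attack rather than as a separate issue. Open the section by stating the threat, i.e. that third-party scripts calling `hasPrivateToken(issuer)` for their own issuers can fill the per-top-level-origin cap before the top-level document's preferred issuer is registered, give the cap's value (the spec hunk in PATCH 1/3 says two per top-level origin, the README says only "a cap"), and then present the early registration as the mitigation; it would also help to say how long the exhausted state persists, since the text gives the reader no way to judge the impact. The second sentence's "before any other scripts are loaded" should use the same wording as the spec text and be precise about what counts as loaded (an inline script at the top of the document rather than an async or deferred one, if that is the intent). Check that the rendered README keeps a blank line between the last added sentence and `### Double-Spend Prevention`; the hunk as shown runs them together.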