From f5aafa9832b37166d809b084e2b4292e02252f91 Mon Sep 17 00:00:00 2001 From: johnpallett Date: Mon, 6 May 2019 17:23:53 -0700 Subject: [PATCH 01/18] Created privacy-design.md This is a privacy design for the WebXR Device API, designed to inform text for the specification. It draws upon work in the Privacy and Security repo. Please see the Background section for an explanation of threat vectors and mitigations that informed this design. A few notes about this revision: * At time of writing, this revision matches the currently published spec at https://immersive-web.github.io/webxr ... it does not incorporate issues still in discussion. * It is assumed that inline and immersive sessions can be fulfilled by the same privacy requirements. For example, the 'focused' and 'visible' requirements for viewer pose data are the same for both immersive and inline sessions, though the implications for user experience and privacy are different. * User consent - when required - is designed as part of session creation. This is done to avoid user fatigue or confusion of having multiple consent prompts during a session, and to address UX concerns surrounding consent prompts after don flows. * There are several unaddressed threats listed at the end of the Background section. --- designdocs/privacy-design.md | 156 +++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 designdocs/privacy-design.md diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md new file mode 100644 index 00000000..098c3ae0 --- /dev/null +++ b/designdocs/privacy-design.md 
@@ -0,0 +1,156 @@ +## Privacy Requirements +### Conditions to create objects and expose data +#### XRSession Creation + +The user agent must verify that all mandatory conditions are satisfied to ensure it can create an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) and expose [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) data in response to a call to [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) within a given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). + +The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) creation are the following: +* The document is a [responsible document](https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document) of a [secure context](https://w3c.github.io/webappsec-secure-contexts/#secure-contexts). +* [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). +* The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate data available in the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface). 
This includes sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose), [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) and [XRBoundedReferenceSpace](https://immersive-web.github.io/webxr/#xrboundedreferencespace-interface) data, and any other data generated by sensors. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [floor level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) reference space type, and the floor level will reflect the real-world location of the user’s floor. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance, if subsequent calls to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) could return an [XRView](https://immersive-web.github.io/webxr/#xrview) for each eye. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise mitigate sensor fingerprinting threats through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface). 
+ +If user consent is required, it must be obtained as part of the [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) algorithm before the new [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object is created. If consent is not obtained, the user agent MUST [reject](https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise) the promise with a "[SecurityError](https://heycam.github.io/webidl/#securityerror)" [DOMException](https://heycam.github.io/webidl/#idl-DOMException). + +``` +Editor Note: The paragraph above suggests specific changes to the XRSession algorithm language. +``` + +#### Providing XRViewerPose data +The user agent must verify that all mandatory conditions are satisfied to ensure it can expose [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data in response to each call to [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) within a given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). + +The **_mandatory conditions_** for exposing XRViewerPose data are the following: +* [Visibility state](https://www.w3.org/TR/page-visibility-2/#dom-visibilitystate) of the document is "visible". +* [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). 
+* The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data. +* If the reference space is of type [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level), the [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data must be limited to a region approximately the size of a large room, to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). Specific bounds are at the discretion of the user agent, but 30m x 30m is suggested as a reasonable limit. These bounds may be affected by previously created reference spaces. +* If [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data is generated by sensors, at least one of the following conditions must be met; the user agent may choose the approach that provides the best user experience: + * User consent must have been obtained, _or_ + * Any [XRView](https://immersive-web.github.io/webxr/#xrview) transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ + * The user agent must otherwise ensure that the underlying device sensors are not susceptible to sensor fingerprinting. 
+* User consent must have been obtained on devices with configurable interpupillary distance before creating an [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) that will return an [XRView](https://immersive-web.github.io/webxr/#xrview) for each eye. +* If the device supports configurable or factory-calibrated interpupillary distance that may vary from device to device, then the [XRView](https://immersive-web.github.io/webxr/#xrview) transform data must be rounded to prevent fingerprinting. +* If the [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) will include multiple [XRView](https://immersive-web.github.io/webxr/#xrview)s for displays whose positions and orientations have been configured by the user (e.g. in a CAVE) then the [XRView](https://immersive-web.github.io/webxr/#xrview) transform data must be rounded to prevent fingerprinting. + +#### Providing XRPose data +The user agent must verify that all mandatory conditions are satisfied to ensure it can expose [XRPose](https://immersive-web.github.io/webxr/#xrpose) data in response to each call to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) within a given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). + +The **_mandatory conditions_** for exposing [XRPose](https://immersive-web.github.io/webxr/#xrpose) data are the following: +* [Visibility state](https://www.w3.org/TR/page-visibility-2/#dom-visibilitystate) of the document is "visible". +* [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). 
+* The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate the inputs [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose). +* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) is a reference space of type [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level), the resulting [XRPose](https://immersive-web.github.io/webxr/#xrpose) data must be bounded by the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) for that reference space as [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose), to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). 
_See: [Providing XRViewerPose data](#xrviewerpose)._ +* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) includes data generated by sensors, at least one of the following conditions must be met; the user agent may choose the approach that provides the best user experience: + * User consent must have been obtained, _or_ + * Any transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ + * The user agent must otherwise ensure that the underlying device sensors are not susceptible to sensor fingerprinting. + +#### Creating XRReferenceSpace +The user agent must verify that all mandatory conditions are satisfied to ensure it can create an [XRReferenceSpace](https://immersive-web.github.io/webxr/#xrreferencespace-interface) and expose [XRReferenceSpace](https://immersive-web.github.io/webxr/#xrreferencespace-interface) data within a given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). + +The **_mandatory conditions_** for creating an XRReferenceSpace are the following: +* User consent must have been obtained before creating a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space. +* User consent is required before creating a [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) reference space type, if the floor level will reflect the real-world location of the user’s floor. 
+* When creating a [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space type, if the origin of the reference space reflects the real-world location of the user’s floor, or if the floor level is emulated and set by the user to a non-default value, then the coordinates of the origin must be [rounded sufficiently](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent fingerprinting using floor level. Rounding to the nearest 1cm is suggested. +* When creating a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space the [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) must be rounded sufficiently to prevent fingerprinting the user’s bounds. The region represented by the rounded bounds geometry must be a subset of the original bounds. Rounding to the nearest 5cm is suggested. +* Creating multiple [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level) reference spaces during the same session that have different [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) can expose the same threat vectors present in an [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space. 
User agents must either: + * Require the same user consent as for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, before allowing creation of multiple reference spaces with different [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) in the same session, _or_ + * Enforce the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds for [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) data within all those sessions, and require that all [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) fall within those bounds. + +### Obtaining User Consent +The implementation of user consent is a mandatory condition for some types of object creation and data access. In addition to general [considerations](https://github.com/immersive-web/privacy-and-security/blob/master/EXPLAINER.md#considerations) for obtaining user consent, the following considerations are specific to the WebXR Device API. + +#### Lifetime of Consent +The following guidelines are suggested: +* User consent should only be considered valid for the [browsing context](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#browsing-context) within which it was obtained. +* Once a specific consent is obtained for a specific [origin](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#origin-0) in a [browsing context](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#browsing-context), that [origin](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#origin-0) does not need to obtain that specific consent again during the lifetime of that [browsing context](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#browsing-context). 
Specifically, if multiple same-origin [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) objects are created in a [browsing context](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#browsing-context), and all require the same user consent, then consent should only need to be obtained once. +* The user agent must ensure that all mandatory conditions for user consent are met before creating any [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object. As a result, the user agent may be required to ask for user consent multiple times in a [browsing context](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#browsing-context) if it is creating multiple [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) objects each with different mandatory conditions for user consent. + +#### User Communication +The judgement on how to communicate to the user the known threats is up to the implementer. It is suggested that the following threat vectors be communicated to the user at the time of session creation: + + + + + + + + + + + + + + + + + + + + + + +
Scenario + Threat Vector +
XRSession can create an unbounded reference space. + Site may be able to determine user’s specific geographic location, and may be able to perform gait analysis, allowing user profiling and fingerprinting. +
XRSession can create a floor-level or bounded reference space, and the origin of the reference space will reflect the real-world location of the user’s floor. + Site may be able to infer the user’s height and may be able to perform gait analysis, allowing user profiling and fingerprinting. +
XRSession may provide XRViewerPose data that is not quantized, and underlying device sensors may be susceptible to fingerprinting. + Site may be able to perform user fingerprinting. +
On a device with configurable interpupillary distance, XRSession may create an XRViewerPose that will return an XRView for each eye + Site access to IPD data may allow user profiling and fingerprinting. +
+ +#### Camera Data and XRSession Data +The combination of camera data (e.g. using [getUserMedia](https://www.w3.org/TR/mediacapture-streams/#dom-mediadevices-getusermedia())) with [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data that is based on real-world viewer position and orientation may expose threat vectors related to [real-world geometry](https://github.com/immersive-web/privacy-and-security/blob/master/EXPLAINER.md#real-world-geometry) that are not present when only camera data is available. + +Such threat vectors assume that both types of data are available within a sufficiently short time interval that, given a camera frame, the viewer pose can be known at the time the frame was captured. + +It is suggested that the user agent either prevent access to both types of data on the same [origin](https://www.w3.org/TR/2009/WD-html5-20090423/browsers.html#origin-0) within a short time interval (e.g. 2 seconds), or inform the user of the threat vectors and obtain user consent before making both types of data available. + +### Private Browsing Modes +User agents may support a mode (e.g., private browsing) of operation intended to preserve user anonymity and/or ensure records of browsing activity are not persisted on the client. + +There are no additional requirements for such modes, as there is no persistent data or unique user identifier data generated by the WebXR Device API. + +## Background +### Threats and Mitigations +The following threats, and associated mitigations, are the basis of the above privacy requirements. + +#### Pose Data +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used for [input sniffing](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#reading-inputs-or-input-sniffing). 
[Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. + +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used to [identify the user’s location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). [Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) addresses this threat for [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level) reference spaces. User consent is required for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, or if the user agent allows the creation of multiple reference spaces in the same session that have different [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds. + +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used for [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking). [Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. 
+ +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) when based on sensor data. The user agent may use [quantization](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to address this threat, where data quantization will not affect the user experience. Otherwise, user consent is required. + +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) or [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling) on devices with configurable interpupillary distance. In this case, user consent is required. + +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) in situations where the user has configured several display orientations and positions that are represented as multiple [XRView](https://immersive-web.github.io/webxr/#xrview)s (for example, a CAVE system). [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) helps alleviate this threat. + +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through gait or height analysis. [Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) helps alleviate this threat. 
+ +#### Reference Space Data +Viewer height may be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling). User consent is required in situations where this may be determined by real-world floor level. + +Viewer height may be used for [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting), particularly in situations where viewer height is emulated and set by the user. [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) addresses this threat. + +Within a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space, [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) may be used for [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting). [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) addresses this threat. + +#### User Consent +Users may become [confused or fatigued](https://github.com/immersive-web/privacy-and-security/blob/master/EXPLAINER.md#permissions) if prompted excessively for user consent during a session. This is addressed by requiring user consent once, at time of session creation. + +### Unaddressed +If the active document has access to the camera on a passthrough device, [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking) of the real world. This potential threat is not addressed by these requirements. + +If the active document can read back pixels outside its own rendering context (e.g. 
during a screen recording), then [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking). This potential threat is not addressed by these requirements. + +Within a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space, [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) might in theory be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling). This potential threat is not addressed by these requirements. + +Data generated by [XRInputSource](https://immersive-web.github.io/webxr/#xrinputsource-interface) might in theory be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling), for example measuring the length of a user’s arm. This potential threat is not addressed by these requirements. From f37017bc08373b949923a526120ea310b83eb634 Mon Sep 17 00:00:00 2001 From: johnpallett Date: Mon, 13 May 2019 14:45:12 -0700 Subject: [PATCH 02/18] Added note Added note to clarify the structure of the document and address questions about different types of modes. --- designdocs/privacy-design.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 098c3ae0..4925c38f 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -1,3 +1,10 @@ +## Note +The goal of this design is to protect user privacy when data from the WebXR Device API is made available to web sites. +To accomplish this, mitigations (including but not limited to user consent) are outlined as either requirements or recommendations before allowing sites to access different types of data. An explanation of the mitigations and corresponding threat vectors can be found in the Background section. + +There is no distinction between different WebXR modes in this document. Data access requirements are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent should meet the requirements for all data available in that session. _For example, user agents that limit inline sessions to identity reference spaces only or apply necessary mitigations (such as data quantization) to eye-level and floor-level reference spaces may still offer them without first obtaining user consent._ + + ## Privacy Requirements ### Conditions to create objects and expose data #### XRSession Creation From 9aacf77e2baba941c68817e9300999931f18d1fd Mon Sep 17 00:00:00 2001 From: johnpallett Date: Wed, 15 May 2019 17:42:34 -0700 Subject: [PATCH 03/18] Tweaked IPD language per Nell's suggestion Co-Authored-By: Nell Waliczek --- designdocs/privacy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 4925c38f..39e25f7e 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -17,7 +17,7 @@ The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/w * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate data available in the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface). This includes sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose), [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) and [XRBoundedReferenceSpace](https://immersive-web.github.io/webxr/#xrboundedreferencespace-interface) data, and any other data generated by sensors. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [floor level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) reference space type, and the floor level will reflect the real-world location of the user’s floor. 
-* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance, if subsequent calls to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) could return an [XRView](https://immersive-web.github.io/webxr/#xrview) for each eye. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance (IPD), if subsequent calls to [XRFrame.getViewerPose()](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) will return [XRView.transform](https://immersive-web.github.io/webxr/#dom-xrview-transform)s that can be used to compute the configured IPD. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise mitigate sensor fingerprinting threats through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface). If user consent is required, it must be obtained as part of the [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) algorithm before the new [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object is created. If consent is not obtained, the user agent MUST [reject](https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise) the promise with a "[SecurityError](https://heycam.github.io/webidl/#securityerror)" [DOMException](https://heycam.github.io/webidl/#idl-DOMException). From ab55c3ab8fde1917b6af11b940ce44860b6d64e3 Mon Sep 17 00:00:00 2001 
From: johnpallett Date: Mon, 20 May 2019 18:07:07 -0700 Subject: [PATCH 04/18] Clarified mitigations for fingerprinting Added links to fingerprinting section in privacy repo, also linked from session creation down to mitigations --- designdocs/privacy-design.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 39e25f7e..5c44f856 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -18,7 +18,7 @@ The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/w * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [floor level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) reference space type, and the floor level will reflect the real-world location of the user’s floor. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance (IPD), if subsequent calls to [XRFrame.getViewerPose()](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) will return [XRView.transform](https://immersive-web.github.io/webxr/#dom-xrview-transform)s that can be used to compute the configured IPD. -* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise mitigate sensor fingerprinting threats through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface). 
+* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise [mitigate](#providing-xrviewerpose-data) [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface). If user consent is required, it must be obtained as part of the [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) algorithm before the new [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object is created. If consent is not obtained, the user agent MUST [reject](https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise) the promise with a "[SecurityError](https://heycam.github.io/webidl/#securityerror)" [DOMException](https://heycam.github.io/webidl/#idl-DOMException). 
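Review bot: the new in-document link `[mitigate](#providing-xrviewerpose-data)` uses a different fragment from the cross-reference already present in the getPose conditions, `_See: [Providing XRViewerPose data](#xrviewerpose)._`; the heading can carry only one id, so one of the two is a dead link. Suggest using the same fragment in both places and checking it against the rendered heading id.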
@@ -34,7 +34,7 @@ The **_mandatory conditions_** for exposing XRViewerPose data are the following: * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data. * If the reference space is of type [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level), the [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data must be limited to a region approximately the size of a large room, to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). Specific bounds are at the discretion of the user agent, but 30m x 30m is suggested as a reasonable limit. These bounds may be affected by previously created reference spaces. 
-* If [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data is generated by sensors, at least one of the following conditions must be met; the user agent may choose the approach that provides the best user experience: +* If [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data is generated by sensors, at least one of the following conditions must be met to mitigate [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting); the user agent may choose the approach that provides the best user experience: * User consent must have been obtained, _or_ * Any [XRView](https://immersive-web.github.io/webxr/#xrview) transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ * The user agent must otherwise ensure that the underlying device sensors are not susceptible to sensor fingerprinting. 
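Review bot: now that the bullet states its purpose as mitigating sensor fingerprinting, the third alternative, "The user agent must otherwise ensure that the underlying device sensors are not susceptible to sensor fingerprinting", is the only one of the three with no testable criterion, and it lets an implementation skip both consent and quantization on its own say-so. Suggest either dropping it or requiring the user agent to state which property of the sensors rules out fingerprinting, with reference to the same privacy-repo section this bullet now links. The parallel getPose bullet later in this patch has the same alternative and needs the same treatment.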
@@ -50,7 +50,7 @@ The **_mandatory conditions_** for exposing [XRPose](https://immersive-web.githu * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate the inputs [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose). * If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) is a reference space of type [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level), the resulting [XRPose](https://immersive-web.github.io/webxr/#xrpose) data must be bounded by the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) for that reference space as [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose), to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). 
_See: [Providing XRViewerPose data](#xrviewerpose)._ -* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) includes data generated by sensors, at least one of the following conditions must be met; the user agent may choose the approach that provides the best user experience: +* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) includes data generated by sensors, at least one of the following conditions must be met to mitigate [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting); the user agent may choose the approach that provides the best user experience: * User consent must have been obtained, _or_ * Any transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ * The user agent must otherwise ensure that the underlying device sensors are not susceptible to sensor fingerprinting. From 14f7b9fbac0667e5243b2e1abbe0fb2f5a9b885e Mon Sep 17 00:00:00 2001 From: johnpallett Date: Mon, 20 May 2019 18:35:05 -0700 Subject: [PATCH 05/18] Changed text re: acquisition of user consent --- designdocs/privacy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 5c44f856..b7104ea2 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -68,7 +68,7 @@ The **_mandatory conditions_** for creating an XRReferenceSpace are the followin * Enforce the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds for [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) data within all those sessions, and require that all [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) fall within those bounds. ### Obtaining User Consent -The implementation of user consent is a mandatory condition for some types of object creation and data access. In addition to general [considerations](https://github.com/immersive-web/privacy-and-security/blob/master/EXPLAINER.md#considerations) for obtaining user consent, the following considerations are specific to the WebXR Device API. +Acquiring user consent is a mandatory condition for some types of object creation and data access. In addition to general [considerations](https://github.com/immersive-web/privacy-and-security/blob/master/EXPLAINER.md#considerations) for obtaining user consent, the following considerations are specific to the WebXR Device API. #### Lifetime of Consent The following guidelines are suggested: From c0f830071353a30473302ce9a1d2675b9d41239e Mon Sep 17 00:00:00 2001 From: johnpallett Date: Tue, 21 May 2019 17:05:21 -0700 Subject: [PATCH 06/18] Updated to new reference space types Updated to address changes in reference space type names --- designdocs/privacy-design.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index b7104ea2..bfc611c4 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -2,7 +2,7 @@ The goal of this design is to protect user privacy when data from the WebXR Device API is made available to web sites. To accomplish this, mitigations (including but not limited to user consent) are outlined as either requirements or recommendations before allowing sites to access different types of data. An explanation of the mitigations and corresponding threat vectors can be found in the Background section. -There is no distinction between different WebXR modes in this document. Data access requirements are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent should meet the requirements for all data available in that session. _For example, user agents that limit inline sessions to identity reference spaces only or apply necessary mitigations (such as data quantization) to eye-level and floor-level reference spaces may still offer them without first obtaining user consent._ +There is no distinction between different WebXR modes in this document. Data access requirements are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent should meet the requirements for all data available in that session. _For example, if in an inline session a user agent only supports the [viewer](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-viewer) reference space, does not support other forms of sensor-based spaces (e.g. from a 6DOF controller), and does not support multiple views, then all privacy requirements below have been met and user consent is not required for that session._ ## Privacy Requirements 
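Review bot: the new example asserts that "all privacy requirements below have been met" without saying which requirement each of its three restrictions satisfies, so the reader has to reconstruct the mapping; suggest stating it inline: a viewer-only reference space means the position-limiting rules for local, local-floor and bounded-floor spaces do not apply; no other sensor-based spaces means the getPose sensor-fingerprinting condition does not apply; no multiple views means the configurable-IPD consent bullet does not apply. It is also worth saying whether XRViewerPose data in such a session counts as "generated by sensors" for the XRViewerPose fingerprinting bullet, which is not keyed on reference space type; if it does, the example is not consent-free and one of the quantization or sensor-not-susceptible alternatives must be named.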
@@ -15,8 +15,8 @@ The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/w * The document is a [responsible document](https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document) of a [secure context](https://w3c.github.io/webappsec-secure-contexts/#secure-contexts). * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate data available in the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface). This includes sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose), [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) and [XRBoundedReferenceSpace](https://immersive-web.github.io/webxr/#xrboundedreferencespace-interface) data, and any other data generated by sensors. -* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. 
-* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [floor level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) reference space type, and the floor level will reflect the real-world location of the user’s floor. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. +* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) reference space type, and the floor level will reflect the real-world location of the user’s floor. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance (IPD), if subsequent calls to [XRFrame.getViewerPose()](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) will return [XRView.transform](https://immersive-web.github.io/webxr/#dom-xrview-transform)s that can be used to compute the configured IPD. 
* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise [mitigate](#providing-xrviewerpose-data) [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface). 
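Review bot: the renamed consent bullets still cover only bounded-floor, unbounded and local-floor, but the XRReferenceSpace conditions later in this patch say that creating multiple bounded-floor, local-floor or local spaces with different effective origins "can expose the same threat vectors present in an unbounded reference space" and require either unbounded-level consent or shared position-limiting bounds. Since this design obtains consent as part of XRRequestSession before the XRSession object is created, a session that will allow that case needs a matching bullet here, otherwise the consent cannot be gathered at the point the design requires. Suggest adding: "User consent is required before creating an XRSession when the XRSession will support creating multiple local, local-floor or bounded-floor reference spaces with different effective origins, unless the user agent enforces the same position limiting bounds across all of them."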
@@ -33,7 +33,7 @@ The **_mandatory conditions_** for exposing XRViewerPose data are the following: * [Visibility state](https://www.w3.org/TR/page-visibility-2/#dom-visibilitystate) of the document is "visible". * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data. -* If the reference space is of type [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level), the [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data must be limited to a region approximately the size of a large room, to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). Specific bounds are at the discretion of the user agent, but 30m x 30m is suggested as a reasonable limit. These bounds may be affected by previously created reference spaces. 
+* If the reference space is of type [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor), or [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), then the [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data must be limited to a region approximately the size of a large room, to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). Specific bounds are at the discretion of the user agent, but 30m x 30m is suggested as a reasonable limit. These bounds may be affected by previously created reference spaces. * If [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) data is generated by sensors, at least one of the following conditions must be met to mitigate [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting); the user agent may choose the approach that provides the best user experience: * User consent must have been obtained, _or_ * Any [XRView](https://immersive-web.github.io/webxr/#xrview) transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ 
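Review bot: the rewritten position-limiting bullet keeps the sentence "These bounds may be affected by previously created reference spaces" without saying how. The rule it alludes to is in the XRReferenceSpace section of this same patch (the same position-limiting bounds for all such spaces in a session, with every effective origin inside them), so suggest either a cross-reference to that section or restating here that the limit is shared across the session's spaces rather than applied per space. Minor: the type list reads "local, local-floor, or bounded-floor" here and "bounded-floor, local-floor or local" in the Pose Data background; the same order and comma style in both would make the lists easier to compare.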
@@ -49,7 +49,7 @@ The **_mandatory conditions_** for exposing [XRPose](https://immersive-web.githu * [Visibility state](https://www.w3.org/TR/page-visibility-2/#dom-visibilitystate) of the document is "visible". * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate the inputs [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose). -* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) is a reference space of type [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level), the resulting [XRPose](https://immersive-web.github.io/webxr/#xrpose) data must be bounded by the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) for that reference space as [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose), to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). 
_See: [Providing XRViewerPose data](#xrviewerpose)._ +* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) is a reference space of type [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor), or [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), then the resulting [XRPose](https://immersive-web.github.io/webxr/#xrpose) data must be bounded by the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) for that reference space as [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose), to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). _See: [Providing XRViewerPose data](#xrviewerpose)._ * If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) includes data generated by sensors, at least one of the following conditions must be met to mitigate [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting); the user agent may choose the approach that provides the best user experience: * User consent must have been obtained, _or_ * Any transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ 
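Review bot: the context line "sensors used to generate the inputs [getPose]" is missing a word ("the inputs to getPose"); since this patch already touches the adjacent bullets it is a cheap fix to fold in. The renamed position-limiting bullet also restates the XRViewerPose rule in full before pointing at it with "_See: Providing XRViewerPose data_"; saying only that getPose inherits the bounds of the viewer-pose rule for the given reference space would keep the two lists from drifting the next time the type names change, as they did in this patch.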
@@ -59,11 +59,11 @@ The **_mandatory conditions_** for exposing [XRPose](https://immersive-web.githu The user agent must verify that all mandatory conditions are satisfied to ensure it can create an [XRReferenceSpace](https://immersive-web.github.io/webxr/#xrreferencespace-interface) and expose [XRReferenceSpace](https://immersive-web.github.io/webxr/#xrreferencespace-interface) data within a given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). The **_mandatory conditions_** for creating an XRReferenceSpace are the following: -* User consent must have been obtained before creating a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space. -* User consent is required before creating a [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) reference space type, if the floor level will reflect the real-world location of the user’s floor. -* When creating a [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space type, if the origin of the reference space reflects the real-world location of the user’s floor, or if the floor level is emulated and set by the user to a non-default value, then the coordinates of the origin must be [rounded sufficiently](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent fingerprinting using floor level. Rounding to the nearest 1cm is suggested. 
-* When creating a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space the [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) must be rounded sufficiently to prevent fingerprinting the user’s bounds. The region represented by the rounded bounds geometry must be a subset of the original bounds. Rounding to the nearest 5cm is suggested. -* Creating multiple [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level) reference spaces during the same session that have different [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) can expose the same threat vectors present in an [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space. User agents must either: +* User consent must have been obtained before creating a [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space. +* User consent is required before creating a [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) reference space type, if the floor level will reflect the real-world location of the user’s floor. 
+* When creating a [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) or [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) reference space type, if the origin of the reference space reflects the real-world location of the user’s floor, or if the floor level is emulated and set by the user to a non-default value, then the coordinates of the origin must be [rounded sufficiently](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent fingerprinting using floor level. Rounding to the nearest 1cm is suggested. +* When creating a [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) reference space the [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) must be rounded sufficiently to prevent fingerprinting the user’s bounds. The region represented by the rounded bounds geometry must be a subset of the original bounds. Rounding to the nearest 5cm is suggested. +* Creating multiple [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) or [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local) reference spaces during the same session that have different [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) can expose the same threat vectors present in an [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space. 
User agents must either: * Require the same user consent as for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, before allowing creation of multiple reference spaces with different [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) in the same session, _or_ * Enforce the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds for [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) data within all those sessions, and require that all [effective origins](https://immersive-web.github.io/webxr/#xrspace-effective-origin) fall within those bounds. @@ -93,7 +93,7 @@ The judgement on how to communicate to the user the known threats is up to the i - XRSession can create a floor-level or bounded reference space, and the origin of the reference space will reflect the real-world location of the user’s floor. + XRSession can create a local-floor or bounded-floor reference space, and the origin of the reference space will reflect the real-world location of the user’s floor. Site may be able to infer the user’s height and may be able to perform gait analysis, allowing user profiling and fingerprinting. 
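Review bot: in the bounded-floor bullet, "Rounding to the nearest 5cm" does not guarantee the preceding sentence, "The region represented by the rounded bounds geometry must be a subset of the original bounds": rounding a vertex to the nearest grid point can move it outward. Suggest "rounded inward, toward the interior of the bounds, to a 5cm grid" or similar so the two sentences agree and an implementation cannot satisfy one while violating the other. In the multiple-spaces bullet, "within all those sessions" should read "within all those reference spaces"; the bullet is about several spaces created during the same session, not several sessions.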
@@ -131,7 +131,7 @@ The following threats, and associated mitigations, are the basis of the above pr #### Pose Data [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used for [input sniffing](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#reading-inputs-or-input-sniffing). [Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. -[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used to [identify the user’s location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). [Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) addresses this threat for [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded), [floor-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-floor-level) or [eye-level](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-eye-level) reference spaces. User consent is required for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, or if the user agent allows the creation of multiple reference spaces in the same session that have different [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds. +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used to [identify the user’s location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). 
[Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) addresses this threat for [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) or [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local) reference spaces. User consent is required for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, or if the user agent allows the creation of multiple reference spaces in the same session that have different [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds. [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used for [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking). [Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. 
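Review bot: the rename in the @@ -131 hunk maps the old `eye-level` type to `local` (and `bounded` to `bounded-floor`, `floor-level` to `local-floor`) without saying anywhere in the document that it is a pure rename, so a reader of the Position Limiting sentence cannot tell whether `local` keeps the bounds that applied to eye-level or is a new type with its own scope. Suggest adding one sentence at the start of the Pose Data background noting the old-to-new name mapping, so the position limiting and consent statements in this hunk are read as unchanged in substance.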
@@ -148,7 +148,7 @@ Viewer height may be used for [user profiling](https://github.com/immersive-web/ Viewer height may be used for [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting), particularly in situations where viewer height is emulated and set by the user. [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) addresses this threat. -Within a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space, [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) may be used for [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting). [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) addresses this threat. +Within a [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) reference space, [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) may be used for [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting). [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) addresses this threat. #### User Consent Users may become [confused or fatigued](https://github.com/immersive-web/privacy-and-security/blob/master/EXPLAINER.md#permissions) if prompted excessively for user consent during a session. This is addressed by requiring user consent once, at time of session creation. 
@@ -158,6 +158,6 @@ If the active document has access to the camera on a passthrough device, [XRView If the active document can read back pixels outside its own rendering context (e.g. during a screen recording), then [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking). This potential threat is not addressed by these requirements. -Within a [bounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded) reference space, [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) might in theory be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling). This potential threat is not addressed by these requirements. +Within a [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) reference space, [boundsGeometry](https://immersive-web.github.io/webxr/#dom-xrboundedreferencespace-boundsgeometry) might in theory be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling). This potential threat is not addressed by these requirements. Data generated by [XRInputSource](https://immersive-web.github.io/webxr/#xrinputsource-interface) might in theory be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling), for example measuring the length of a user’s arm. This potential threat is not addressed by these requirements. From 1b27d15e95a9e156030e6f7c8276b704338af95a Mon Sep 17 00:00:00 2001 
From: johnpallett Date: Tue, 21 May 2019 17:25:12 -0700 Subject: [PATCH 07/18] Updated background for XRPose Added XRPose where applicable for background; also removed an old mitigation statement that no longer is true. --- designdocs/privacy-design.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index bfc611c4..9ee75080 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -129,20 +129,18 @@ There are no additional requirem The following threats, and associated mitigations, are the basis of the above privacy requirements. #### Pose Data -[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used for [input sniffing](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#reading-inputs-or-input-sniffing). [Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) or [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) might be used for [input sniffing](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#reading-inputs-or-input-sniffing). [Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. -[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used to [identify the user’s location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). [Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) addresses this threat for [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) or [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local) reference spaces. 
User consent is required for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, or if the user agent allows the creation of multiple reference spaces in the same session that have different [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds. +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) or [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) might be used to [identify the user’s location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). [Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) addresses this threat for [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) or [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local) reference spaces. User consent is required for [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference spaces, or if the user agent allows the creation of multiple reference spaces in the same session that have different [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) bounds. -[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) might be used for [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking). 
[Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) or [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) might be used for [gaze tracking](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#gaze-tracking). [Same Origin](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#same-origin-or-single-origin-only) and [Focused and Visible](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#focused-and-visible) mitigations address this threat. -[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) when based on sensor data. The user agent may use [quantization](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to address this threat, where data quantization will not affect the user experience. Otherwise, user consent is required. +[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) or [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) when based on sensor data. The user agent may use [quantization](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to address this threat, where data quantization will not affect the user experience. 
Otherwise, user consent is required. [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) or [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling) on devices with configurable interpupillary distance. In this case, user consent is required. [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) in situations where the user has configured several display orientations and positions that are represented as multiple [XRView](https://immersive-web.github.io/webxr/#xrview)s (for example, a CAVE system). [Rounding](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) helps alleviate this threat. -[XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose) may allow [user fingerprinting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through gait or height analysis. [Position Limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) helps alleviate this threat. - #### Reference Space Data Viewer height may be used for [user profiling](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-profiling). User consent is required in situations where this may be determined by real-world floor level. From 0a93e43b1f3f673510941c5d03cf464e3d0e5095 Mon Sep 17 00:00:00 2001 
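Review bot: the removal of the "gait or height analysis" sentence at the end of the @@ -129 hunk deletes the threat together with the mitigation, although the commit message only says the mitigation is no longer true; the threat table row added in an earlier patch ("Site may be able to infer the user's height and may be able to perform gait analysis, allowing user profiling and fingerprinting") still names it. Suggest keeping a line under Pose Data such as "[XRViewerPose] or [XRPose] may allow [user fingerprinting] through gait or height analysis. User consent is required." or moving it to the unaddressed threats at the end of the Background section, so the threat list stays complete.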
From: johnpallett Date: Tue, 21 May 2019 17:39:38 -0700 Subject: [PATCH 08/18] Updated for controllers Updated position limiting and quantization requirements to reflect the use of controllers to generate pose data --- designdocs/privacy-design.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 9ee75080..d72ba9ff 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -18,7 +18,7 @@ The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/w * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) reference space type, and the floor level will reflect the real-world location of the user’s floor. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance (IPD), if subsequent calls to [XRFrame.getViewerPose()](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) will return [XRView.transform](https://immersive-web.github.io/webxr/#dom-xrview-transform)s that can be used to compute the configured IPD. -* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise [mitigate](#providing-xrviewerpose-data) [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface). 
+* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise [mitigate](#providing-xrviewerpose-data) [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) or [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface). If user consent is required, it must be obtained as part of the [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) algorithm before the new [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object is created. If consent is not obtained, the user agent MUST [reject](https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise) the promise with a "[SecurityError](https://heycam.github.io/webidl/#securityerror)" [DOMException](https://heycam.github.io/webidl/#idl-DOMException). 
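Review bot: the `[mitigate](#providing-xrviewerpose-data)` anchor in the @@ -18 hunk still points only at the XRViewerPose section, while the bullet now also covers XRPose and the document has a separate "Providing XRPose data" section. Suggest linking both sections, for example "mitigate ([viewer pose](#providing-xrviewerpose-data), [pose](#providing-xrpose-data))", so the reader can find the XRPose quantization conditions the consent bullet depends on.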
@@ -49,6 +49,7 @@ The **_mandatory conditions_** for exposing [XRPose](https://immersive-web.githu * [Visibility state](https://www.w3.org/TR/page-visibility-2/#dom-visibilitystate) of the document is "visible". * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). * The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate the inputs [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose). +* If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) has a native origin that tracks a real-world location (e.g. a 6DOF controller) then the resulting [XRPose](https://immersive-web.github.io/webxr/#xrpose) data must be bounded by the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) as for [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose), to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). 
_Note: If [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) is performed from a [viewer](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-viewer) reference space, then this position limiting requirement *does* still apply._ * If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) is a reference space of type [local](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local), [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor), or [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor), then the resulting [XRPose](https://immersive-web.github.io/webxr/#xrpose) data must be bounded by the same [position limiting](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#position-limiting) for that reference space as [getViewerPose](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose), to prevent such data from being used to [determine the user’s real-world location](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-location). _See: [Providing XRViewerPose data](#xrviewerpose)._ * If an input to [getPose](https://immersive-web.github.io/webxr/#dom-xrframe-getpose) includes data generated by sensors, at least one of the following conditions must be met to mitigate [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting); the user agent may choose the approach that provides the best user experience: * User consent must have been obtained, _or_ From 37cfd2c8117101fa5e2ad13d65d73ca6517ce335 Mon Sep 17 00:00:00 2001 From: johnpallett Date: Fri, 31 May 2019 17:19:46 -0700 Subject: [PATCH 09/18] Clarified IPD rounding --- designdocs/privacy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
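Review bot: the new bullet in the @@ -49 hunk says controller-derived XRPose data "must be bounded by the same position limiting as for getViewerPose" without saying which reference space's bounds apply, and it overlaps with the bullet immediately below it, which already bounds getPose results for local, local-floor and bounded-floor spaces. Suggest either folding the 6DOF controller case into that existing bullet ("If an input to getPose is a reference space of type ..., or has a native origin that tracks a real-world location (e.g. a 6DOF controller), ...") or stating that the bounds are those of the reference space passed to getPose. The note that follows the new bullet also refers to getViewerPose from a viewer reference space, but this list is the getPose conditions; it should be phrased in terms of getPose.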
diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index d72ba9ff..da07b524 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md @@ -39,7 +39,7 @@ The **_mandatory conditions_** for exposing XRViewerPose data are the following: * Any [XRView](https://immersive-web.github.io/webxr/#xrview) transform data generated by sensors must be [quantized](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#rounding-quantization-or-fuzzing) to prevent sensor fingerprinting, _or_ * The user agent must otherwise ensure that the underlying device sensors are not susceptible to sensor fingerprinting. * User consent must have been obtained on devices with configurable interpupillary distance before creating an [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) that will return an [XRView](https://immersive-web.github.io/webxr/#xrview) for each eye. -* If the device supports configurable or factory-calibrated interpupillary distance that may vary from device to device, then the [XRView](https://immersive-web.github.io/webxr/#xrview) transform data must be rounded to prevent fingerprinting. +* If the device supports configurable or factory-calibrated interpupillary distance that may vary from device to device, then the [XRView](https://immersive-web.github.io/webxr/#xrview) transform data must be rounded to prevent fingerprinting. Specific precision for rounding is at the discretion of the user agent. * If the [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) will include multiple [XRView](https://immersive-web.github.io/webxr/#xrview)s for displays whose positions and orientations have been configured by the user (e.g. in a CAVE) then the [XRView](https://immersive-web.github.io/webxr/#xrview) transform data must be rounded to prevent fingerprinting. #### Providing XRPose data From 1b9238b7713462ec55c777e50fc3527d6b5cd315 Mon Sep 17 00:00:00 2001 
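Review bot: the sentence added in the @@ -39 hunk, "Specific precision for rounding is at the discretion of the user agent", makes the rounding requirement unverifiable: rounding to a precision finer than the device-to-device IPD variation prevents nothing. Suggest stating the property the rounding must achieve (values indistinguishable across devices of the same class) even if the exact precision is left to the user agent, and saying whether this bullet applies in addition to, or instead of, the consent bullet two lines above for configurable IPD, since both currently apply to the same devices.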
From: johnpallett Date: Sun, 2 Jun 2019 21:22:21 -0700 Subject: [PATCH 10/18] Added summary Added a summary of the key design aspects to the start of the document. --- designdocs/privacy-design.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index da07b524..968d0caf 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
@@ -1,8 +1,23 @@ -## Note -The goal of this design is to protect user privacy when data from the WebXR Device API is made available to web sites. -To accomplish this, mitigations (including but not limited to user consent) are outlined as either requirements or recommendations before allowing sites to access different types of data. An explanation of the mitigations and corresponding threat vectors can be found in the Background section. +## Summary +This design adopts the [requirements of the Generic Sensors API](https://www.w3.org/TR/generic-sensor/#concepts-can-expose-sensor-readings) when exposing data based on sensors. + +Further, before allowing access to any sensor-based data (ex. poses) or user configurable data (ex. IPD, bounds), the user agent must either apply all necessary mitigations to ensure user privacy, or obtain user consent at session creation in response to requestSession(). + +In some scenarios, mitigations may not be sufficient to ensure user privacy. In those situations, user consent is required. For example, user consent is always required when exposing data that might allow a site to profile the user. + +User consent must be requested only in response to requestSession(). It is recommended that consent last as long as the browsing context. User consent cannot be obtained during an active session, as there is no known approach for a trusted user interface that works consistently across all platforms during an active session. -There is no distinction between different WebXR modes in this document. Data access requirements are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent should meet the requirements for all data available in that session. 
_For example, if in an inline session a user agent only supports the [viewer](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-viewer) reference space, does not support other forms of sensor-based spaces (e.g. from a 6DOF controller), and does not support multiple views, then all privacy requirements below have been met and user consent is not required for that session._ +When creating a session, all privacy-sensitive data that could be exposed during that session must be considered when determining whether or not user consent is required. If user consent is not granted for a particular data type, then either: +* Other mitigations for that data type must be applied to ensure user privacy, or +* Any feature that would expose that data type must be disabled, or +* The session request must be rejected. + +Not all sessions require user consent, such as: +* Sessions that do not include any sensor-based or user-configured data; +* Sessions that fully mitigate sensor-based privacy concerns (ex. pose quantization and position bounds) and which do not include user-configured data that could be used for profiling. + +## Note +There is no distinction between different WebXR modes in this document. Data access requirements are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent should meet the requirements for all data available in that session. _For example, if in an inline session a user agent only supports the [viewer](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-viewer) reference space, does not support other forms of sensor-based data (e.g. from a 6DOF controller), and does not support multiple views, then all privacy requirements below have been met and user consent is not required for that session._ ## Privacy Requirements From 0c598e6b3e8323432ad9e7eb4069abc270733c22 Mon Sep 17 00:00:00 2001 
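Review bot: the Summary added in the @@ -1 hunk allows three outcomes when consent is not granted for a data type (apply other mitigations, disable the feature, or reject the session), but the existing XRSession creation text says "If consent is not obtained, the user agent MUST reject the promise with a SecurityError DOMException". Suggest aligning the two, either by softening the MUST reject to permit the feature-disabled path or by dropping the disable option from the summary, so implementers have one rule. Style: "ex." reads as an abbreviation of "example"; "e.g." is used elsewhere in the document.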
From: johnpallett Date: Sun, 2 Jun 2019 21:37:47 -0700 Subject: [PATCH 11/18] Clarified Note Clarified the example of why 'modes' are not listed but how requirements may vary by mode. --- designdocs/privacy-design.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 968d0caf..dbdf9065 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md @@ -1,7 +1,7 @@ ## Summary This design adopts the [requirements of the Generic Sensors API](https://www.w3.org/TR/generic-sensor/#concepts-can-expose-sensor-readings) when exposing data based on sensors. -Further, before allowing access to any sensor-based data (ex. poses) or user configurable data (ex. IPD, bounds), the user agent must either apply all necessary mitigations to ensure user privacy, or obtain user consent at session creation in response to requestSession(). +Further, when allowing access to any sensor-based data (ex. poses) or user configurable data (ex. IPD, bounds), the user agent must either apply all necessary mitigations to ensure user privacy, or obtain user consent at session creation in response to requestSession(). In some scenarios, mitigations may not be sufficient to ensure user privacy. In those situations, user consent is required. For example, user consent is always required when exposing data that might allow a site to profile the user. 
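Review bot: changing "before allowing access" to "when allowing access" in the @@ -1 hunk loses the ordering guarantee; "when" can be read as permitting mitigations to be applied after the first data is exposed, while the rest of the summary requires consent at requestSession() time. Suggest "before exposing any sensor-based data ... the user agent must either apply all necessary mitigations or have obtained user consent at session creation".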
@@ -17,7 +17,9 @@ Not all sessions require user consent, such as: * Sessions that fully mitigate sensor-based privacy concerns (ex. pose quantization and position bounds) and which do not include user-configured data that could be used for profiling. ## Note -There is no distinction between different WebXR modes in this document. Data access requirements are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent should meet the requirements for all data available in that session. _For example, if in an inline session a user agent only supports the [viewer](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-viewer) reference space, does not support other forms of sensor-based data (e.g. from a 6DOF controller), and does not support multiple views, then all privacy requirements below have been met and user consent is not required for that session._ +There is no distinction between different WebXR modes in this document. The requirements to expose any given data type are the same whether the session is inline, immersive, or otherwise. If a user agent wants to avoid user consent for a particular type of session, the user agent must meet the mitigation requirements to expose all of the data types available in that session. + +However, not all modes and platforms support all types of data, and some mitigation strategies that work in one mode may not work in other modes or on other platforms. As a result, the actual requirements for each mode and platform will vary. For example, if in an inline session a user agent only supports the [viewer](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-viewer) reference space, does not support other forms of sensor-based data (e.g. from a 6DOF controller), and does not support multiple views, then all privacy requirements have been met and user consent is not required for that session. 
In contrast, an immersive session supporting the [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space type with a native origin that is tracked using sensors would have different requirements for user consent and privacy mitigations. ## Privacy Requirements From b907bcf01d97bdd210f3557f42e8ee3a111ca87f Mon Sep 17 00:00:00 2001 From: johnpallett Date: Sun, 2 Jun 2019 21:44:03 -0700 Subject: [PATCH 12/18] Clarified feature policy requirement Added note clarifying why underlying sensor feature policy requirement is in place --- designdocs/privacy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index dbdf9065..5d44a3ab 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
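Review bot: the rewritten Note in the @@ -17 hunk opens by saying there is no distinction between modes and then says "the actual requirements for each mode and platform will vary", which reads as a contradiction. Suggest stating the distinction directly: the requirements are per data type and mode-independent; what varies by mode and platform is the set of data types exposed, and therefore which requirements apply. The closing "In contrast ..." example should also say which requirement differs, for example by pointing at the consent bullet for unbounded reference spaces in the XRSession Creation section.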
@@ -31,7 +31,7 @@ The user agent must verify that all mandatory conditions are satisfied to ensure The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) creation are the following: * The document is a [responsible document](https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document) of a [secure context](https://w3c.github.io/webappsec-secure-contexts/#secure-contexts). * [Currently focused area](https://html.spec.whatwg.org/multipage/interaction.html#currently-focused-area-of-a-top-level-browsing-context) belongs to a document whose origin is [same origin-domain](https://html.spec.whatwg.org/multipage/origin.html#same-origin-domain) with the origin of the given [active document](https://html.spec.whatwg.org/multipage/browsers.html#active-document). -* The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate data available in the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface). This includes sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose), [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) and [XRBoundedReferenceSpace](https://immersive-web.github.io/webxr/#xrboundedreferencespace-interface) data, and any other data generated by sensors. 
+* The document is [allowed to use](https://wicg.github.io/feature-policy/#allowed-to-use) all the [policy-controlled features](https://wicg.github.io/feature-policy/#policy-controlled-feature) associated with the given [sensor types](https://www.w3.org/TR/2018/CR-generic-sensor-20180320/#sensor-type) of sensors used to generate data available in the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface). This includes sensors used to generate [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose), [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface) and [XRBoundedReferenceSpace](https://immersive-web.github.io/webxr/#xrboundedreferencespace-interface) data, and any other data generated by sensors. _Note: The intent of this requirement is to ensure that WebXR does not allow a site to isolate and extract sensor data that would otherwise be blocked by feature policy._ * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of [bounded-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-bounded-floor) or [unbounded](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-unbounded) reference space types. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) when the [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) will support the creation and use of a [local-floor](https://immersive-web.github.io/webxr/#dom-xrreferencespacetype-local-floor) reference space type, and the floor level will reflect the real-world location of the user’s floor. 
* User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance (IPD), if subsequent calls to [XRFrame.getViewerPose()](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) will return [XRView.transform](https://immersive-web.github.io/webxr/#dom-xrview-transform)s that can be used to compute the configured IPD. From 4214ade1430edcf79aca50ad2fad51962bce468d Mon Sep 17 00:00:00 2001 From: johnpallett Date: Sun, 2 Jun 2019 22:20:44 -0700 Subject: [PATCH 13/18] Filled out user consent scenarios Filled out User Consent scenarios (to include situations where position limiting isn't applied). Added link to User Communication from summary. --- designdocs/privacy-design.md | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 5d44a3ab..e82afb4e 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
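Review bot: In the PATCH 12/18 hunk (@@ -31,7), the new _Note_ explaining the feature-policy bullet is appended inside the bullet itself, right after the sentence listing XRViewerPose, XRPose and XRBoundedReferenceSpace, so it reads as part of the condition rather than as its rationale; put it on its own line under the bullet, the way the standalone "_Note: ..._" paragraphs elsewhere in the document are written. The wording "isolate and extract sensor data that would otherwise be blocked by feature policy" is also vague: state it as "obtain, via WebXR, readings from a sensor whose policy-controlled feature the document is not allowed to use", and since the sensors behind pose data differ by device, say which Generic Sensor feature identifiers a user agent is expected to check rather than leaving "all the policy-controlled features associated with the given sensor types" open.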
@@ -3,7 +3,7 @@ This design adopts the [requirements of the Generic Sensors API](https://www.w3. Further, when allowing access to any sensor-based data (ex. poses) or user configurable data (ex. IPD, bounds), the user agent must either apply all necessary mitigations to ensure user privacy, or obtain user consent at session creation in response to requestSession(). -In some scenarios, mitigations may not be sufficient to ensure user privacy. In those situations, user consent is required. For example, user consent is always required when exposing data that might allow a site to profile the user. +In some scenarios, mitigations may not be sufficient to ensure user privacy. In those situations, user consent is required. For example, user consent is always required when exposing data that might allow a site to profile the user. A summary of scenarios where user consent is required can be found under [User Communication](#user-communication). User consent must be requested only in response to requestSession(). It is recommended that consent last as long as the browsing context. User consent cannot be obtained during an active session, as there is no known approach for a trusted user interface that works consistently across all platforms during an active session. @@ -99,9 +99,9 @@ The judgement on how to communicate to the user the known threats is up to the i - - @@ -110,14 +110,26 @@ The judgement on how to communicate to the user the known threats is up to the i + + + + + + + + - - From b96d24b52de298ac8d4f2abfa173baacbcc88cac Mon Sep 17 00:00:00 2001 From: johnpallett Date: Sun, 2 Jun 2019 22:28:50 -0700 Subject: [PATCH 14/18] Clarified consent is not an escape hatch Added clarification to summary that user consent does not relieve the need to apply certain mitigations. --- designdocs/privacy-design.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index e82afb4e..9c297b43 100644 
--- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md @@ -5,6 +5,8 @@ Further, when allowing access to any sensor-based data (ex. poses) or user confi In some scenarios, mitigations may not be sufficient to ensure user privacy. In those situations, user consent is required. For example, user consent is always required when exposing data that might allow a site to profile the user. A summary of scenarios where user consent is required can be found under [User Communication](#user-communication). +Further, some mitigations are always required even if user consent is obtained (ex. focused and visible is always required before exposing pose data). + User consent must be requested only in response to requestSession(). It is recommended that consent last as long as the browsing context. User consent cannot be obtained during an active session, as there is no known approach for a trusted user interface that works consistently across all platforms during an active session. When creating a session, all privacy-sensitive data that could be exposed during that session must be considered when determining whether or not user consent is required. If user consent is not granted for a particular data type, then either: 
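Review bot: The sentence added in the @@ -5,6 hunk of PATCH 14/18 gives "focused and visible" as the example of a mitigation that consent does not waive, but the mandatory conditions list also requires the currently focused area to belong to a document that is same origin-domain with the active document, and that condition is equally unaffected by consent; either name both ("same origin, and focused and visible") or replace the parenthetical with a reference to the mandatory conditions list. Minor: "ex." is used for "for example" here and in the surrounding summary, where "e.g." is the conventional abbreviation.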
@@ -37,7 +39,7 @@ The **_mandatory conditions_** for [XRSession](https://immersive-web.github.io/w * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) on a device with configurable interpupillary distance (IPD), if subsequent calls to [XRFrame.getViewerPose()](https://immersive-web.github.io/webxr/#dom-xrframe-getviewerpose) will return [XRView.transform](https://immersive-web.github.io/webxr/#dom-xrview-transform)s that can be used to compute the configured IPD. * User consent is required before creating an [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) if the user agent does not otherwise [mitigate](#providing-xrviewerpose-data) [sensor fingerprinting threats](https://github.com/immersive-web/privacy-and-security/blob/master/POSE-AND-ENVIRONMENT.md#user-fingerprinting) through data access to [XRViewerPose](https://immersive-web.github.io/webxr/#xrviewerpose-interface) or [XRPose](https://immersive-web.github.io/webxr/#xrpose-interface). -If user consent is required, it must be obtained as part of the [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) algorithm before the new [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object is created. If consent is not obtained, the user agent MUST [reject](https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise) the promise with a "[SecurityError](https://heycam.github.io/webidl/#securityerror)" [DOMException](https://heycam.github.io/webidl/#idl-DOMException). +If user consent is required, it must be obtained as part of the [XRRequestSession](https://immersive-web.github.io/webxr/#dom-xr-requestsession) algorithm before the new [XRSession](https://immersive-web.github.io/webxr/#xrsession-interface) object is created. 
If the required consent is not obtained, the user agent MUST [reject](https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise) the promise with a "[SecurityError](https://heycam.github.io/webidl/#securityerror)" [DOMException](https://heycam.github.io/webidl/#idl-DOMException). ``` Editor Note: The paragraph above suggests specific changes to the XRSession algorithm language. From 67b0c0992e7d82c383d619900ef110a36c3bfade Mon Sep 17 00:00:00 2001 From: johnpallett Date: Mon, 3 Jun 2019 18:26:16 -0700 Subject: [PATCH 15/18] Added summary of features and requirements Added a table that summarizes key WebXR features and the privacy requirements for each. --- designdocs/privacy-design.md | 93 ++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 9c297b43..8a2b96e6 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md @@ -25,6 +25,99 @@ However, not all modes and platforms support all types of data, and some mitigat ## Privacy Requirements +### Requirements by feature + +The user agent must ensure the following requirements are met before enabling the corresponding WebXR feature or allowing access to associated data. This table is intended as a summary, more detail on each requirement is available in subsequent sections. + +_Note: Some features have more than one requirement and appear in multiple rows._ + +
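Review bot: The rewritten rejection sentence in the @@ -37,7 hunk of PATCH 14/18 ("If the required consent is not obtained, the user agent MUST reject the promise with a SecurityError DOMException") covers only the consent bullets; the non-consent mandatory conditions above it (secure context, focused area same origin-domain, feature policy for the underlying sensors) still have no stated outcome, so the paragraph should say whether failing any mandatory condition rejects with the same SecurityError or with a different error. Also, "MUST" is the only capitalized RFC 2119 keyword in the document (the surrounding text uses "must verify" and "must either apply"); pick one convention and apply it throughout.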
Scenario + User consent is required if... Threat Vector + Why user consent is required
Site may be able to determine user’s specific geographic location, and may be able to perform gait analysis, allowing user profiling and fingerprinting.
XRSession can create an XRSpace and position limiting is not applied. + Site may be able to determine user’s specific geographic location. +
XRSession can create multiple XRSpace objects with different native origins and suitable position limiting is not applied. + Site may be able to determine user’s specific geographic location. +
XRSession can create a local-floor or bounded-floor reference space, and the origin of the reference space will reflect the real-world location of the user’s floor. + XRSession can create a local-floor or bounded-floor reference space, where the origin of the reference space reflects the real-world location of the user’s floor. Site may be able to infer the user’s height and may be able to perform gait analysis, allowing user profiling and fingerprinting.
XRSession may provide XRViewerPose data that is not quantized, and underlying device sensors may be susceptible to fingerprinting. + XRSession can provide XRViewerPose data that is not quantized, and underlying device sensors may be susceptible to fingerprinting. Site may be able to perform user fingerprinting.
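Review bot: The two scenario rows added in PATCH 13/18 ("XRSession can create an XRSpace and position limiting is not applied" and "XRSession can create multiple XRSpace objects with different native origins and suitable position limiting is not applied") overlap: if consent is already required whenever any XRSpace exists without position limiting, the multiple-origins row is subsumed by the first, and if the first row is meant only for a space whose native origin is sensor-tracked, it should say so. The rows also use "position limiting" and "suitable position limiting" for what appears to be the same mitigation; use one term and link to the section that defines which limit counts as suitable.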
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureRequirementsWhy
Any native origin or combination of native origins that allow calculation of real-world viewer movement. +Position Limiting for all pose data generated by all XRSpaces in the session +

+OR +

+User consent. +
The site may infer the user’s geographic location from unbounded pose data.
Pose data +Same Origin +

+AND +

+Focused and Visible +
Prevents Input Sniffing
Access to data generated by sensors +Generic Sensor API requirements +

+AND +

+Feature policies for underlying sensors are respected. +
Prevents access to sensor data outside the scope of the requirements for the lower-level sensors.
Viewer Height based on real world heightUser consentSite may profile user
Emulated Viewer Height set by userRoundingSite may fingerprint device
boundsGeometryRoundingSite may fingerprint device
Configurable IPD as exposed by multiple Views +Rounding +

+AND +

+User consent +
+Site may profile user. +

+Site may fingerprint device based upon specific IPD distance. +
Multiple displays whose positions and orientations have been configured by the user (e.g. a CAVE system)RoundingSite may fingerprint device
XRPose data generated by sensors +Quantization +

+OR +

+User consent +
Site may fingerprint device
+ ### Conditions to create objects and expose data #### XRSession Creation From 0214ef30bcca067838b283b890b55ea01ec91cbc Mon Sep 17 00:00:00 2001 From: johnpallett Date: Tue, 2 Jul 2019 12:41:59 -0700 Subject: [PATCH 16/18] Added deprecation note at the top After #746 is merged, carry-forward work from this document into the privacy & security explainer is tracked at #748, #750, #753, #754 --- designdocs/privacy-design.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 8a2b96e6..8bafd1bd 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md @@ -1,3 +1,6 @@ +## Note +This document was used as background for the [Privacy and Security Explainer](https://github.com/immersive-web/webxr/blob/master/privacy-security-explainer.md) and has been superseded by that explainer. + ## Summary This design adopts the [requirements of the Generic Sensors API](https://www.w3.org/TR/generic-sensor/#concepts-can-expose-sensor-readings) when exposing data based on sensors. From 125e41c593944cc6c31432f234b20e4141890731 Mon Sep 17 00:00:00 2001 From: johnpallett Date: Tue, 2 Jul 2019 14:24:21 -0700 Subject: [PATCH 17/18] Changed link to explainer to be relative --- designdocs/privacy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 8bafd1bd..7ce95c18 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md 
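Review bot: In the PATCH 15/18 table (@@ -25,6), the "Requirements" column does not say what is rounded or quantized: "Emulated Viewer Height set by user", "boundsGeometry", "Multiple displays whose positions and orientations have been configured by the user (e.g. a CAVE system)" and "Configurable IPD as exposed by multiple Views" all say "Rounding" with no value or granularity, and "XRPose data generated by sensors" says "Quantization" without naming the transform components affected; each cell should name the quantity and link to the section that sets the granularity, otherwise the table cannot be checked against an implementation. The "Why" column mixes styles ("Site may fingerprint device" without a period beside "Site may fingerprint device based upon specific IPD distance."), and the lead-in sentence "This table is intended as a summary, more detail on each requirement is available in subsequent sections" is a comma splice.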
@@ -1,5 +1,5 @@ ## Note -This document was used as background for the [Privacy and Security Explainer](https://github.com/immersive-web/webxr/blob/master/privacy-security-explainer.md) and has been superseded by that explainer. +This document was used as background for the [Privacy and Security Explainer](privacy-security-explainer.md) and has been superseded by that explainer. ## Summary This design adopts the [requirements of the Generic Sensors API](https://www.w3.org/TR/generic-sensor/#concepts-can-expose-sensor-readings) when exposing data based on sensors. From f2972e7948874bef29f731e762c2cec47c70a149 Mon Sep 17 00:00:00 2001 From: johnpallett Date: Tue, 2 Jul 2019 14:30:03 -0700 Subject: [PATCH 18/18] Fixed relative path --- designdocs/privacy-design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/designdocs/privacy-design.md b/designdocs/privacy-design.md index 7ce95c18..e767d705 100644 --- a/designdocs/privacy-design.md +++ b/designdocs/privacy-design.md @@ -1,5 +1,5 @@ ## Note -This document was used as background for the [Privacy and Security Explainer](privacy-security-explainer.md) and has been superseded by that explainer. +This document was used as background for the [Privacy and Security Explainer](../privacy-security-explainer.md) and has been superseded by that explainer. ## Summary This design adopts the [requirements of the Generic Sensors API](https://www.w3.org/TR/generic-sensor/#concepts-can-expose-sensor-readings) when exposing data based on sensors.
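Review bot: The path change in PATCH 18/18 (`privacy-security-explainer.md` to `../privacy-security-explainer.md`) is the correct one for a file under designdocs/, since the absolute URL replaced in PATCH 17/18 pointed at the repository root; PATCH 17/18 on its own left the link resolving to designdocs/privacy-security-explainer.md, a path nothing in this series creates. Squash PATCH 16/18 through 18/18 into one commit so the intermediate broken link never lands on the branch history.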