Describe navigation as a capability, not a goal.

This reduces the number of goal columns at the cost of increasing the number
and complexity of rows in the table. I hope it makes it easier to see what
abilities an attacker gains when they're willing to show the user a navigation.

capabilities.bsinc

@@ -4,6 +4,12 @@ These are things some attackers can do. The attackers can use them to achieve
 their <a href="#goals">goals</a>. All attackers are assumed to be able to buy
 domains and host sites on their domains.
 
+## Show the user a navigation ## {#cap-navigate}
+
+Users can notice a site navigating, and it disrupts the top-level site's state,
+so not all attackers will be willing to create an extra navigation in order to
+transfer a user ID.
+
 ## Load iframes ## {#cap-iframes}
 
 The attacker can convince a publisher to load an iframe from the attacker's site.

goals.bsinc

@@ -17,37 +17,25 @@ it occurred. A context is a set of resources that are controlled by the same
 party or jointly controlled by a set of parties. The following are building
 blocks that allow a tracker to build such a log of a user's activity.
 
-### Transfer user ID from publisher 1 to publisher 2 on navigation. ### {#goal-transfer-userid}
+### Transfer user ID from publisher 1 to publisher 2. ### {#goal-transfer-userid}
 
-When the user clicks a link from [=publisher=] 1 that navigates to [=publisher=]
-2, publisher 2's server learns that a [=user ID=] on publisher 2 and a [=user ID=] on
-publisher 1 represent the same [=user=].
+[=Publisher=] 2's server learns that a [=user ID=] on [=publisher=] 2 and a [=user ID=]
+on [=publisher=] 1 represent the same [=user=].
 
-### Transfer user ID from tracker to that tracker running within a publisher, on navigation. ### {#goal-userid-tracker-to-self-in-pub}
+### Transfer user ID from tracker to that tracker running within a publisher. ### {#goal-userid-tracker-to-self-in-pub}
 
-When the user clicks a link from `tracker.example` to `publisher.example`, that
-[=tracker's=] server learns that a [=user ID=] for either `publisher.example` or
-the tracker running within `publisher.example` and a [=user ID=] for
-`tracker.example` represent the same [=user=].
+<code>[=tracker=].example</code>'s server learns that a [=user ID=] for either
+`publisher.example` or the tracker running within `publisher.example` and a
+[=user ID=] for `tracker.example` represent the same [=user=].
 
-### Transfer user ID from tracker within publisher 1 to that tracker within publisher 2, on navigation. ### {#goal-userid-tracker-in-pub1-to-self-in-pub2}
+### Transfer user ID from tracker within publisher 1 to that tracker within publisher 2. ### {#goal-userid-tracker-in-pub1-to-self-in-pub2}
 
-When the user clicks a link from `publisher1.example` (where a tracker was
-embedded within that site) to `publisher2.example` (which has the same tracker
-embedded), that [=tracker's=] server learns that a [=user ID=] for either
+A [=tracker's=] server learns that a [=user ID=] for either
 `publisher1.example` or the tracker running within `publisher1.example` and a
 [=user ID=] for either `publisher2.example` or the tracker running within
 `publisher2.example` represent the same [=user=].
 
-### Probabilistically transfer user ID from publisher 1 to publisher 2 on navigation. ### {#goal-prob-transfer-userid}
+### Probabilistically transfer user ID from publisher 1 to publisher 2. ### {#goal-prob-transfer-userid}
 
-When the user clicks a link from [=publisher=] 1 that navigates to [=publisher=]
-2, publisher 2's server learns that a [=user ID=] on publisher 2 and a [=user ID=] on
-publisher 1 are more likely than chance to represent the same [=user=].
-
-### Probabilistically transfer user ID from publisher 1 to publisher 2 without navigation. ### {#goal-prob-transfer-userid-no-nav}
-
-While the user is visiting [=publisher=] 1, that publisher can tell
-[=publisher=] 2 that a [=user ID=] on publisher 2 and a [=user ID=] on publisher
-1 are more likely than chance to represent the same [=user=], without requiring
-the user to navigate from publisher 1 to publisher 2.
+[=Publisher=] 2's server learns that a [=user ID=] on [=publisher=] 2 and a [=user ID=] on
+[=publisher=] 1 are more likely than chance to represent the same [=user=].

xsite-tracking-model.bsinc

@@ -1,36 +1,43 @@
 ## Cross-site recognition ## {#model-cross-site-recognition}
 
 <table class="threatmodel">
+<thead>
 <tr class="goals">
-  <td></td>
+  <td colspan="2"></td>
   <th><div><div>[[#goal-transfer-userid]]</div></div></th>
   <th><div><div>[[#goal-userid-tracker-to-self-in-pub]]</div></div></th>
   <th><div><div>[[#goal-userid-tracker-in-pub1-to-self-in-pub2]]</div></div></th>
-  <th><div><div>[[#goal-prob-transfer-userid-no-nav]]</div></div></th>
   <th><div><div>[[#goal-prob-transfer-userid]]</div></div></th>
 </tr>
+<tbody>
+<tr>
+  <th colspan="2">[[#cap-iframes]] on both sides of a [[#cap-navigate|navigation]]</th>
+  <td data-goal="transfer-userid" style="color:green">✘</td>
+  <td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
+  <td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
+  <td data-goal="prob-transfer-userid" style="color:green">✘</td>
+</tr>
 <tr>
-  <th>[[#cap-iframes]]</th>
+  <th colspan="2">[[#cap-first-party-js]] on both sides of a [[#cap-navigate|navigation]]</th>
   <td data-goal="transfer-userid" style="color:green">✘</td>
   <td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
   <td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
-  <td data-goal="prob-transfer-userid-no-nav" style="color:green">✘</td>
   <td data-goal="prob-transfer-userid" style="color:green">✘</td>
 </tr>
+<tbody>
 <tr>
-  <th>[[#cap-first-party-js]]</th>
+  <th colspan="2" scope="rowgroup">[[#cap-read-logs]] on other publishers</th>
   <td data-goal="transfer-userid" style="color:green">✘</td>
   <td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
   <td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
-  <td data-goal="prob-transfer-userid-no-nav" style="color:green">✘</td>
   <td data-goal="prob-transfer-userid" style="color:green">✘</td>
 </tr>
 <tr>
-  <th>[[#cap-read-logs]] on other publishers</th>
+  <td></td>
+  <th>if publisher 1 can [[#cap-navigate]]</th>
   <td data-goal="transfer-userid" style="color:green">✘</td>
   <td data-goal="userid-tracker-to-self-in-pub" style="color:green">✘</td>
   <td data-goal="userid-tracker-in-pub1-to-self-in-pub2" style="color:green">✘</td>
-  <td data-goal="prob-transfer-userid-no-nav" style="color:green">✘</td>
   <td data-goal="prob-transfer-userid">
   <details>
     <summary style="color:red">✓</summary>
@@ -40,8 +47,9 @@
   </details>
   </td>
 </tr>
+<tbody>
 <tr>
-  <th>[[#cap-run-on-server]] on the target publisher</th>
+  <th colspan="2">[[#cap-run-on-server]] on the post-[[#cap-navigate|navigation]] publisher</th>
   <td data-goal="transfer-userid">
     <span style="color:green">✘</span>
   </td>
@@ -60,15 +68,12 @@
   <td data-goal="userid-tracker-in-pub1-to-self-in-pub2" >
     <span style="color:green">✘</span>
   </td>
-  <td data-goal="prob-transfer-userid-no-nav" >
-    <span style="color:green">✘</span>
-  </td>
   <td data-goal="prob-transfer-userid">
     <span style="color:green">✘</span>
   </td>
 </tr>
 <tr>
-  <th>[[#cap-first-party-js]] or [[#cap-run-on-server]] on the source site and [[#cap-run-on-server]] on the target publisher</th>
+  <th colspan="2">[[#cap-first-party-js]] or [[#cap-run-on-server]] on the source site and [[#cap-run-on-server]] on the target publisher</th>
   <td data-goal="transfer-userid">
     <span style="color:green">✘</span>
   </td>
@@ -96,13 +101,11 @@
       tracker's server</a>.
     </details>
   </td>
-  <td data-goal="prob-transfer-userid-no-nav" >
-    <span style="color:red">✓</span>
-  </td>
   <td data-goal="prob-transfer-userid">
     <span style="color:red">✓</span>
   </td>
-</tr></table>
+</tr>
+</table>
 
 Further cross-site recognition is available by combining capabilities with the
 ability to [[#cap-first-party-js]] (or [[#cap-run-on-server]] to add
@@ -111,11 +114,11 @@ attacker-controlled javascript):
 <table class="threatmodel">
 <tr class="goals">
   <td></td>
-  <th><div><div>[[#goal-prob-transfer-userid-no-nav]]</div></div></th>
+  <th><div><div>[[#goal-prob-transfer-userid]]</div></div></th>
 </tr>
 <tr>
   <th>[[#cap-type-identifier]]</th>
-  <td data-goal="prob-transfer-userid-no-nav">
+  <td data-goal="prob-transfer-userid">
       <details>
         <summary style="color:red">✓</summary>
         The tracker gets a report of the identifiers typed in both publisher
@@ -129,7 +132,7 @@ attacker-controlled javascript):
 </tr>
 <tr>
   <th>[[#cap-same-device-same-time]]</th>
-  <td data-goal="prob-transfer-userid-no-nav">
+  <td data-goal="prob-transfer-userid">
       <details>
         <summary style="color:red">✓</summary>
         The tracker reads the two devices, and if they give the same output at
@@ -146,7 +149,7 @@ attacker-controlled javascript):
 </tr>
 <tr>
   <th>[[#cap-same-rw-device]]</th>
-  <td data-goal="prob-transfer-userid-no-nav">
+  <td data-goal="prob-transfer-userid">
       <details>
         <summary style="color:red">✓</summary>
         The tracker writes identifying content to the device and then reads it
@@ -162,13 +165,13 @@ attacker-controlled javascript):
 </tr>
 <tr>
   <th>[[#cap-open-for-browser-event]]</th>
-  <td data-goal="prob-transfer-userid-no-nav">
+  <td data-goal="prob-transfer-userid">
     <span style="color:green">✘</span>
   </td>
 </tr>
 <tr>
   <th>[[#cap-visible-for-browser-event]]</th>
-  <td data-goal="prob-transfer-userid-no-nav">
+  <td data-goal="prob-transfer-userid">
       <details>
         <summary style="color:red">✓</summary>
         Browser-wide events generally need to be visible immediately when a user