W3C home > Mailing lists > Public > public-dxwg-wg@w3.org > December 2018

Re: [dxwg] Profiles Guide doc Security and Privacy (#478)

From: Nicholas Car via GitHub <sysbot+gh@w3.org>
Date: Sat, 15 Dec 2018 20:08:21 +0000
To: public-dxwg-wg@w3.org
Message-ID: <issue_comment.created-447594547-1544904500-sysbot+gh@w3.org>
Questions from https://w3ctag.github.io/security-questionnaire/ with answers:  

**4.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?**  
Guidance document - no code/system exposing anything directly.  

**4.2 Is this specification exposing the minimum amount of information necessary to power the feature?**  
N/A  

**4.3 How does this specification deal with personal information or personally-identifiable information or information derived thereof?**  
It does not.  

**4.4 How does this specification deal with sensitive information?**  
It does not.  

**4.5 Does this specification introduce new state for an origin that persists across browsing sessions?**  
No.  

**4.6 What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?**  
N/A  

**4.7 Does this specification allow an origin access to sensors on a user’s device?**  
No.  

**4.8 What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.**  
N/A  

**4.9 Does this specification enable new script execution/loading mechanisms?**  
No.  

**4.10 Does this specification allow an origin to access other devices?**  
No.  

**4.11 Does this specification allow an origin some measure of control over a user agent’s native UI?**  
No.  

**4.12 What temporary identifiers might this this specification create or expose to the web?**  
No temporary identifiers. Use of it will ultimately generate persistent identifiers (URIs) for documents (profiles).  

**4.13 How does this specification distinguish between behavior in first-party and third-party contexts?**  
It does not.  

**4.14 How does this specification work in the context of a user agent’s Private \ Browsing or "incognito" mode?**  
N/A  

**4.15 Does this specification have a "Security Considerations" and "Privacy Considerations" section?**  
Yes but a trivial one for now. To be updated.  

**4.16 Does this specification allow downgrading default security characteristics?**  
No or N/A.  

**4.17 What should this questionaire have asked?**  
I can't think of what it could ask to better probe potential privacy issues for this kind of Guidance document.  



-- 
GitHub Notification of comment by nicholascar
Please view or discuss this issue at https://github.com/w3c/dxwg/issues/478#issuecomment-447594547 using your GitHub account
Received on Saturday, 15 December 2018 20:08:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 April 2019 13:45:05 UTC