[webvtt] Add Security and Privacy Considerations section from David Singer via GitHub on 2017-01-24 (public-texttracks@w3.org from January 2017)

From: David Singer via GitHub <sysbot+gh@w3.org>
Date: Tue, 24 Jan 2017 12:51:55 +0000
To: public-texttracks@w3.org
Message-ID: <issues.opened-202809895-1485262314-sysbot+gh@w3.org>

dwsinger has just created a new issue for 
https://github.com/w3c/webvtt:

== Add Security and Privacy Considerations section ==
add the following section:


X Security and Privacy Considerations

X.1 Text-based format security

As with any text-based format, it is possible to construct malicious 
content that might cause buffer over-runs, value overflows (e.g. 
string representations of integers that overflow a given word length),
 and the like. Implementers should take care that over-long lines,  
field values, or encoded values do not cause security problems.

X.2 Styling

VTT can embed style ‘snippets’, and they in turn can cause the loading
 of external style sheets through the use of a CSS “@import” rule, in 
user-agents that support CSS.  Under these circumstances, the security
 and privacy considerations of CSS apply.  In addition, it is possible
 for a user-agent to offer user style-sheets, and their presence and 
nature might be detectable by scripts running in the same user-agent 
(e.g. browser). This might enable fingerprinting of the user or reveal
 aspects of the user’s preferences (e.g. the choice of a large font 
size and/or high-contrast colors might indicate a user with visual 
impairments).

X.3 Scripting

VTT does not include or enable scripting. However, it is possible to 
construct and deliver a file that is designed not to present captions 
or subtitles, but instead to provide timed input (‘triggers’) to a 
script system. A poorly-written script or script system might then 
cause security or other problems; however, this consideration really 
applies to the script system.  Because VTT supplies these triggers at 
their timestamps, a malicious file might present such triggers very 
rapidly, perhaps causing undue resource consumption.

X.4 Privacy of preference

A user-agent that selects, and causes to download or interpret a VTT 
file, might indicate to the origin server that the user has a need for
 captions or subtitles. That is a (small) piece of information about 
the user. However, the offering of a caption file, and the choice 
whether to retrieve and consume it, are better viewed as 
characteristics of the format or protocol which does the offer (e.g. 
the HTML <source> element), rather than of the caption format itself.



Please view or discuss this issue at 
https://github.com/w3c/webvtt/issues/323 using your GitHub account

Received on Tuesday, 24 January 2017 12:52:01 UTC