- From: Thierry MICHEL <tmichel@w3.org>
- Date: Thu, 3 Nov 2016 10:03:28 +0100
- To: Nigel Megitt <nigel.megitt@bbc.co.uk>
- Cc: W3C Public TTWG <public-tt@w3.org>
I approuved today during our call, I will send it to Security and Privacy. Thierry Le 03/11/2016 à 10:00, Nigel Megitt a écrit : > Looks good to me - thanks Thierry. > > Nigel > > > On 03/11/2016, 07:22, "Thierry MICHEL" <tmichel@w3.org> wrote: > >> I guess the following should be the final version for review regarding >> TTML2, to answer the Self-Review Questionnaire: Security and Privacy >> https://www.w3.org/TR/security-privacy-questionnaire/ >> >> Thierry >> >> >> ----------------------------------------------------------------------- >> >> Questions to Consider: >> 3.1 Does this specification deal with personally-identifiable >> information? >> --> NO it doesn't. >> >> 3.2 Does this specification deal with high-value data? >> --> NO it doesn't. >> >> 3.3 Does this specification introduce new state for an origin that >> persists across browsing sessions? >> --> NO it doesn't. >> >> 3.4 Does this specification expose persistent, cross-origin state to the >> web? >> --> NO it doesn't. >> >> 3.5 Does this specification expose any other data to an origin that it >> doesnt currently have access to? >> --> NO it doesn't. >> >> 3.6 Does this specification enable new script execution/loading >> mechanisms? >> --> This question as worded is ambiguous to us; is it only about script >> loading and script execution ? >> In our case, a TTML2 document in which a change in the value of an >> externally passed in parameter or a media query (for example) may cause >> a modification of behavior, and this may lead to the loading of external >> resources including audio, images etc, though excluding scripts. We do >> not consider "condition" mechanism to be a scripting language. >> TTML2 allows loading of resources, just not scripts, and has fetch >> semantics by the introduction of external resource loading. It also >> allows the addition of links on spans that can have hyperlinks. >> >> 3.7 Does this specification allow an origin access to a user¹s location? >> --> NO it doesn't. >> >> 3.8 Does this specification allow an origin access to sensors on a >> users device? >> --> NO it doesn't. >> >> 3.9 Does this specification allow an origin access to aspects of a >> user¹s local computing environment? >> --> NO it doesn't. >> >> 3.10 Does this specification allow an origin access to other devices? >> --> NO it doesn't. >> >> 3.11 Does this specification allow an origin some measure of control >> over a user agent¹s native UI? >> --> NO it doesn't. >> >> 3.12 Does this specification expose temporary identifiers to the web? >> --> NO it doesn't. >> >> 3.13 Does this specification distinguish between behavior in first-party >> and third-party contexts? >> --> NO it doesn't. >> >> 3.14 How should this specification work in the context of a user agent's >> "incognito" mode? >> --> This specification has no impact on any incognito mode since the >> answer to all the questions about exposing details to origins are "No". >> >> 3.15 Does this specification persist data to a user¹s local device? >> --> User agents may choose to cache referenced external resources; this >> implementation detail is not covered by this specification and the >> specification makes no explicit requirement for caching or non-caching >> of any external resource. >> >> 3.16 Does this specification have a "Security Considerations" and >> "Privacy Considerations" section? >> --> YES it does. See the media type registration which is an integral >> part of it. >> >> http://www.iana.org/assignments/media-types/application/ttml+xml >> >> 3.17 Does this specification allow downgrading default security >> characteristics? >> --> NO it doesn't. >> >> _______________________________ > > > > ----------------------------- > http://www.bbc.co.uk > This e-mail (and any attachments) is confidential and > may contain personal views which are not the views of the BBC unless specifically stated. > If you have received it in > error, please delete it from your system. > Do not use, copy or disclose the > information in any way nor act in reliance on it and notify the sender > immediately. > Please note that the BBC monitors e-mails > sent or received. > Further communication will signify your consent to > this. > ----------------------------- >
Received on Thursday, 3 November 2016 09:03:22 UTC