W3C home > Mailing lists > Public > public-tt@w3.org > November 2016

Re: TTML2 and questionnaire for Security and Privacy; for review.

From: Nigel Megitt <nigel.megitt@bbc.co.uk>
Date: Thu, 3 Nov 2016 09:08:48 +0000
To: Thierry MICHEL <tmichel@w3.org>
CC: W3C Public TTWG <public-tt@w3.org>
Message-ID: <D440AEF4.2EC29%nigel.megitt@bbc.co.uk>
If you mean "If approved… " then sounds like a good plan!

Nigel


On 03/11/2016, 09:03, "Thierry MICHEL" <tmichel@w3.org> wrote:

>I approuved today during our call, I will send it to Security and Privacy.
>
>Thierry
>
>Le 03/11/2016 à 10:00, Nigel Megitt a écrit :
>> Looks good to me - thanks Thierry.
>>
>> Nigel
>>
>>
>> On 03/11/2016, 07:22, "Thierry MICHEL" <tmichel@w3.org> wrote:
>>
>>> I guess the following should be the final version for review regarding
>>> TTML2, to answer the Self-Review Questionnaire: Security and Privacy
>>> https://www.w3.org/TR/security-privacy-questionnaire/
>>>
>>> Thierry
>>>
>>>
>>> -----------------------------------------------------------------------
>>>
>>> Questions to Consider:
>>> 3.1 Does this specification deal with personally-identifiable
>>> information?
>>> --> NO it doesn't.
>>>
>>> 3.2 Does this specification deal with high-value data?
>>> --> NO it doesn't.
>>>
>>> 3.3 Does this specification introduce new state for an origin that
>>> persists across browsing sessions?
>>> --> NO it doesn't.
>>>
>>> 3.4 Does this specification expose persistent, cross-origin state to
>>>the
>>> web?
>>> --> NO it doesn't.
>>>
>>> 3.5 Does this specification expose any other data to an origin that it
>>> doesnt currently have access to?
>>> --> NO it doesn't.
>>>
>>> 3.6 Does this specification enable new script execution/loading
>>> mechanisms?
>>> -->  This question as worded is ambiguous to us; is it only about
>>>script
>>> loading and script execution ?
>>> In our case, a TTML2 document in which a change in the value of an
>>> externally passed in parameter or a media query (for example) may cause
>>> a modification of behavior, and this may lead to the loading of
>>>external
>>> resources including audio, images etc, though excluding scripts. We do
>>> not consider "condition" mechanism to be a scripting language.
>>> TTML2 allows loading of resources, just not scripts, and has fetch
>>> semantics by the introduction of external resource loading. It also
>>> allows the addition of links on spans that can have hyperlinks.
>>>
>>> 3.7 Does this specification allow an origin access to a userıs
>>>location?
>>> --> NO it doesn't.
>>>
>>> 3.8 Does this specification allow an origin access to sensors on a
>>> users device?
>>> --> NO it doesn't.
>>>
>>> 3.9 Does this specification allow an origin access to aspects of a
>>> userıs local computing environment?
>>> --> NO it doesn't.
>>>
>>> 3.10 Does this specification allow an origin access to other devices?
>>> --> NO it doesn't.
>>>
>>> 3.11 Does this specification allow an origin some measure of control
>>> over a user agentıs native UI?
>>> --> NO it doesn't.
>>>
>>> 3.12 Does this specification expose temporary identifiers to the web?
>>> --> NO it doesn't.
>>>
>>> 3.13 Does this specification distinguish between behavior in
>>>first-party
>>> and third-party contexts?
>>> --> NO it doesn't.
>>>
>>> 3.14 How should this specification work in the context of a user
>>>agent's
>>> "incognito" mode?
>>> --> This specification has no impact on any incognito mode since the
>>> answer to all the questions about exposing details to origins are "No".
>>>
>>> 3.15 Does this specification persist data to a userıs local device?
>>> --> User agents may choose to cache referenced external resources; this
>>> implementation detail is not covered by this specification and the
>>> specification makes no explicit requirement for caching or non-caching
>>> of any external resource.
>>>
>>> 3.16 Does this specification have a "Security Considerations" and
>>> "Privacy Considerations" section?
>>> --> YES it does. See the media type registration which is an integral
>>> part of it.
>>>
>>> http://www.iana.org/assignments/media-types/application/ttml+xml
>>>
>>> 3.17 Does this specification allow downgrading default security
>>> characteristics?
>>> --> NO it doesn't.
>>>
>>> _______________________________
>>
>>
>>
>> -----------------------------
>> http://www.bbc.co.uk
>> This e-mail (and any attachments) is confidential and
>> may contain personal views which are not the views of the BBC unless
>>specifically stated.
>> If you have received it in
>> error, please delete it from your system.
>> Do not use, copy or disclose the
>> information in any way nor act in reliance on it and notify the sender
>> immediately.
>> Please note that the BBC monitors e-mails
>> sent or received.
>> Further communication will signify your consent to
>> this.
>> -----------------------------
>>
Received on Thursday, 3 November 2016 09:09:17 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 5 October 2017 18:24:32 UTC