Re: [w3c/push-api] Add answers to the Security and Privacy self-review (#264) from Martin Thomson on 2017-06-21 (public-webapps-github@w3.org from June 2017)

From: Martin Thomson <notifications@github.com>
Date: Tue, 20 Jun 2017 22:01:32 -0700
To: w3c/push-api <push-api@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/push-api/pull/264/review/45328340@github.com>

martinthomson approved this pull request.

Not sure about the interpretation of the one question, but I'm sure that this will do.

> +in some cases, without depending on the browser to be running at all.
+
+## 3.7 Does this specification allow an origin access to a user’s location?
+
+Potentially, through IP-to-location mechanisms when the Service Worker issues a
+fetch.
+
+## 3.8 Does this specification allow an origin access to sensors on a user’s device?
+
+No.
+
+## 3.9 Does this specification allow an origin access to aspects of a user’s local computing environment?
+
+Yes, the push service selected by the device. In some cases, most commonly on
+desktop platforms, a user agent includes a push service client separate from the
+push service made available by the operating system.

I'm not sure what "access" means here.  The specification allows an origin to identify the push service.  I would say that the push service is selected by the user agent and that that might use the same push service as other applications.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/pull/264#pullrequestreview-45328340

Received on Wednesday, 21 June 2017 05:02:06 UTC