[w3ctag/design-reviews] MathML Core (#438) from Brian Kardell on 2019-10-30 (public-webapps-github@w3.org from October 2019)

From: Brian Kardell <notifications@github.com>
Date: Wed, 30 Oct 2019 11:37:41 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/438@github.com>
Hello TAG Friends!

I'm requesting a TAG review of:

  - Name: MathML Core
  - Specification URL: [https://mathml-refresh.github.io/mathml-core/](https://mathml-refresh.github.io/mathml-core/)
  - Explainer (containing user needs and example code)¹: [https://github.com/mathml-refresh/mathml-core/blob/master/docs/explainer.md](https://github.com/mathml-refresh/mathml-core/blob/master/docs/explainer.md)
  - GitHub issues (if you prefer feedback filed there): [https://github.com/mathml-refresh/mathml/issues](https://github.com/mathml-refresh/mathml/issues)
  - Tests:
   * [core](https://github.com/web-platform-tests/wpt/tree/master/mathml)
 * Proposed exposed CSS properties (not necessary to expose to authors initially, but we think good to)
    * [math-script-level and math-style](https://github.com/web-platform-tests/wpt/tree/master/css/css-fonts/math-script-level-and-math-style)
  * [text-transform values]( https://github.com/web-platform-tests/wpt/tree/master/css/text-transform/math)
  - Primary contacts (and their relationship to the specification):            
    * @fred-wang (author/implementer)
    * @rwlbuis (implementer)
    * @bkardell (advocate)

Further details:

  - Relevant time constraints or deadlines: None specifically beyond our goals to fully upstream an implementation by October 2020 We'd like to continue to progress this long-overdue work.
  - [X] I have read and filled out the [Self-Review Questionnaire on Security and Privacy](https://www.w3.org/TR/security-privacy-questionnaire/). (the assessment is below).
  - [X] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
  - The group where the work on this specification is: MathML Refresh CG
  - Links to major pieces of multi-stakeholder review or discussion of this specification: 
          * Much of this specification is clarifying with modern rigor a subset of what was both specified in MathML 3 and already shipping in two browsers.  Thus far, both WebKit and Firefox have participated, accepted patches and aligned with MathML Core.  Our issue tracker shows work and engagement from multiple vendors, including lots of advice and questions from Googlers.  Our Intent to Implement also includes encouraging responses.
  - Links to major unresolved issues or opposition with this specification:

You should also know that...

MathML Core comes from [previous TAG review of MathML specs/plans](https://github.com/w3ctag/design-reviews/issues/313).
Among our primary aims is to establish an interoperable and widely agreeable starting point for discussions that have been created by MathML's largely unique history.  We've taken very much history, commentary (including TAG's) and challenges into account.  We've taken great pains to balance many things: Making this as small as possible, align as directly as possible with the rest of the platform (including DOM and CSS), eliminate unknowns and surprises, apply learnings from actual implementations (firefox, webkit, office and TeX), rigorously specify and remain useful and compatibile, improving the many documents that already exist.   

We'd prefer the TAG provide feedback as (please select one):

  - [ ] open issues in our GitHub repo for each point of feedback
  - [ ] open a single issue in our GitHub repo for the entire review
  - [x] leave review feedback as a comment in this issue and @-notify @bkardell @fred-wang @rwlbuis

---------------------

# Security Questionnaire...

*  _What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?_
 * This feature allows some OpenType parameters from the MATH table to be tested via MathML constructions, similar to what is done in the corresponding WPT tests. These can allow a third-party to detect whether a known math font is installed. This is non-similar to any other non-sensible font data used for text layout, though.
 * The MathML href attribute can be a potential risk of third-party detecting visited websites. We expect that the same mitigation as SVG/HTML links will be performed by implementers.
                
* _Is this specification exposing the minimum amount of information necessary to power the feature?_
 * Yes, no information is exposed in new ways.
        
* _How does this specification deal with personal information or personally-identifiable information or information derived thereof?_
 * n/a - this is simply about the rendering of a kind of text in a tree and setting it inline with other DOM/CSS expectations.
        
* _How does this specification deal with sensitive information?_
 * It doesn't.
        
*  _Does this specification introduce new state for an origin that persists across browsing sessions?_
 * No
        

*  _What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?_ 
 * Because it is based on integration with the rest of the platform, we believe nothing new, beyond what is mentioned in the first question.

* _Does this specification allow an origin access to sensors on a user’s device_
 * No
        
* _What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts._
       * Nothing
        
* _Does this specification enable new script execution/loading mechanisms?_
 * This specification adds new script execution mechanisms in event handler attributes (onclick, etc) or href="javascript:..." links, but these already exist for HTML or SVG. It does not add new script loading mechanisms.

*  _Does this specification allow an origin to access other devices?_
 * No
        
*  _Does this specification allow an origin some measure of control over a user agent’s native UI?_
 * No
        
* _What temporary identifiers might this this specification create or expose to the web?_
 * None.
        
* _How does this specification distinguish between behavior in first-party and third-party contexts?_
 * The specification itself does not make any distinction. MathML can be embedded into HTML and in SVG (via the foreignObject element) and it is expected that the same existing restrictions as HTML/SVG will apply for third-party contexts.

*  _How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?_
 * No differences.
        
*  _Does this specification have a "Security Considerations" and "Privacy Considerations" section?_
 * No, but we will be adding them, largely to reflect what we have listed here.
        
*  _Does this specification allow downgrading default security characteristics?_
 * No

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/438
Received on Wednesday, 30 October 2019 18:37:45 UTC