Re: [csswg-drafts] Add 'Privacy and Security Considerations' section

@tabatkins,

I figured it would be helpful to update the checklist, as well as to perhaps provide 
additional information about Security and Privacy sections in CSS specs so far.

@tantek really hit the nail on the head with css-ui-3 and css-ui-4, imho. A good 
security section should contain:

 * A statement of the section as informative rather than normative
 * Coverage of the questions from the questionnaire
 * Citation to the TAG security questionnaire appropriately (puts it in a draft context)
 * No indications that the section is an issue/todo, nor any verbiage like "Everything will be fine if you implement it correctly"

I'm a newbie to the spec-writing world, so my other opinion on the matter may be 
incorrect, but... I also believe Tantek's placement of the section as an _appendix_ 
was ideal for the circumstance.

Following the table is a bikeshed partial for a section similar to the css-ui-3 one, albeit with 
wording more boilerplate to accommodate the disparate specs. If the template is 
acceptable to you [and the WG], I'd be happy to roll it into the specs that still 
need it and tender a PR here.

| Spec | Status | § header | "-ative" | "...correctly" | Questions | Linked TAG |
| ---- | ------ | -------- | -------- | -------------- | --------- | ---------- |
| [CSS Animations 1](https://drafts.csswg.org/css-animations-1/) | N | | | | | |
| [CSS Animations 2](https://drafts.csswg.org/css-animations-2/) | N | | | | | |
| [CSS Backgrounds 3](https://drafts.csswg.org/css-backgrounds-3/) | N | | | | | |
| [CSS Backgrounds 4](https://drafts.csswg.org/css-backgrounds-4/) | N | | | | | |
| [CSS Box 3](https://drafts.csswg.org/css-box-3/) | N | | | | | |
| [CSS Fragmentation 3](https://drafts.csswg.org/css-break-3/) | N | | | | | |
| [CSS Cascading 3](https://drafts.csswg.org/css-cascade-3/) | [Y](https://drafts.csswg.org/css-cascade-3/#priv-sec) | (none) | N | N | N | N |
| [CSS Cascading 4](https://drafts.csswg.org/css-cascade-4/) | N | | | | | |
| [CSS Color 3](https://drafts.csswg.org/css-color-3/) | N | | | | | |
| [CSS Color 4](https://drafts.csswg.org/css-color-4/) | [Y](https://drafts.csswg.org/css-color-4/#priv-sec) | 19 | N | N | N | N |
| [CSS Generated Content 3](https://drafts.csswg.org/css-content-3/) | N | | | | | |
| [CSS Counter Styles 3](https://drafts.csswg.org/css-counter-styles-3/) | [Y](https://drafts.csswg.org/css-counter-styles-3/#priv-sec) | (none) | N | N | N | N |
| [CSS Device Adaptation 1](https://drafts.csswg.org/css-device-adapt-1/) | N | | | | | |
| [CSS Display 3](https://drafts.csswg.org/css-display-3/) | [Y](https://drafts.csswg.org/css-display-3/#priv-sec) | 4 | N | N | N | N |
| [CSS Exclusions 1](https://drafts.csswg.org/css-exclusions-1/) | N | | | | | |
| [CSS Extensions 1](https://drafts.csswg.org/css-extensions-1/) | N | | | | | |
| [CSS Font Loading 3](https://drafts.csswg.org/css-font-loading-3/) | [Y](https://drafts.csswg.org/css-font-loading-3/#priv-sec) | (none) | N | N | N | N |
| [CSS Fonts 3](https://drafts.csswg.org/css-fonts-3/) | N | | | | | |
| [CSS Fonts 4](https://drafts.csswg.org/css-fonts-4/) | N | | | | | |
| [CSS GCPM 3](https://drafts.csswg.org/css-gcpm-3/) | N | | | | | |
| [CSS GCPM 4](https://drafts.csswg.org/css-gcpm-4/) | N | | | | | |
| [CSS Images 4](https://drafts.csswg.org/css-images-4/) | [Y](https://drafts.csswg.org/css-images-4/#privsec) | 8 | N | N | N | N |
| [CSS Inline Layout 3](https://drafts.csswg.org/css-inline-3/) | N | | | | | |
| [CSS Line Grid 1](https://drafts.csswg.org/css-line-grid-1/) | N | | | | | |
| [CSS Lists 3](https://drafts.csswg.org/css-lists-3/) | N | | | | | |
| [CSS Logical Properties 1](https://drafts.csswg.org/css-logical-props-1/) | N | | | | | |
| [CSS Multicol 1](https://drafts.csswg.org/css-multicol-1/) | N | | | | | |
| [CSS Multicol 2](https://drafts.csswg.org/css-multicol-2/) | [Y](https://drafts.csswg.org/css-multicol-2/#priv-sec) | (none) | N | N | N | N |
| [CSS Namespaces 3](https://drafts.csswg.org/css-namespaces-3/) | N | | | | | |
| [CSS Overflow 4](https://drafts.csswg.org/css-overflow-4/) | [Y](https://drafts.csswg.org/css-overflow-4/#priv-sec) | 8 | N | N | Y | Y |
| [CSS Paged Media 3](https://drafts.csswg.org/css-page-3/) | [Y](https://drafts.csswg.org/css-page-3/#priv-sec) | (none) | N | N | N | N |
| [CSS Paged Media 4](https://drafts.csswg.org/css-page-4/) | N | | | | | |
| [CSS Page Floats 3](https://drafts.csswg.org/css-page-floats-3/) | N | | | | | |
| [CSS Pagination Templates 1](https://drafts.csswg.org/css-page-template/) | N | | | | | |
| [CSS Positioned Layout 3](https://drafts.csswg.org/css-position-3/) | N | | | | | |
| [CSS Regions 1](https://drafts.csswg.org/css-regions-1/) | N | | | | | |
| [CSS Round Display 1](https://drafts.csswg.org/css-round-display/) | [Y](https://drafts.csswg.org/css-round-display/#security-considerations) | 9&10 | N | N | N | N |
| [CSS Ruby 1](https://drafts.csswg.org/css-ruby-1/) | N | | | | | |
| [CSS Shapes 1](https://drafts.csswg.org/css-shapes-1/) | N | | | | | |
| [CSS Shapes 2](https://drafts.csswg.org/css-shapes-2/) | N | | | | | |
| [CSS Size Adjustment 1](https://drafts.csswg.org/css-size-adjust-1/) | N | | | | | |
| [CSS 2015](https://drafts.csswg.org/css-2015/) | N | | | | | |
| [CSS Speech 1](https://drafts.csswg.org/css-speech-1/) | N | | | | | |
| [CSS Style Attributes 1](https://drafts.csswg.org/css-style-attr-1/) | N | | | | | |
| [CSS Template Layout 1](https://drafts.csswg.org/css-template-1/) | N | | | | | |
| [CSS Text 4](https://drafts.csswg.org/css-text-4/) | N | | | | | |
| [CSS Text Decoration 3](https://drafts.csswg.org/css-text-decor-3/) | N | | | | | |
| [CSS Transforms 1](https://drafts.csswg.org/css-transforms-1/) | N | | | | | |
| [CSS Transforms 2](https://drafts.csswg.org/css-transforms-2/) | [Y](https://drafts.csswg.org/css-transforms-2/#priv-sec) | 19 | N | N | N | N |
| [CSS Transitions 2](https://drafts.csswg.org/css-transitions-2/) | N | | | | | |
| [CSS User Interface 3](https://drafts.csswg.org/css-ui-3/) | [Y](https://drafts.csswg.org/css-ui-3/#security-privacy-considerations) | Appendix C | Y | N | Y | Y |
| [CSS User Interface 4](https://drafts.csswg.org/css-ui-4/) | [Y](https://drafts.csswg.org/css-ui-4/#security-privacy-considerations) | Appendix C | Y | N | Y | Y |
| [CSS Will Change 1](https://drafts.csswg.org/css-will-change-1/) | N | | | | | |
| [CSS Writing Modes 3](https://drafts.csswg.org/css-writing-modes-3/) | [Y](https://drafts.csswg.org/css-writing-modes-3/#priv-sec) | 10 | N | Y | N | N |
| [CSS 2.1](https://drafts.csswg.org/css21/) | N | | | | | |
| [CSSOM 1](https://drafts.csswg.org/cssom-1/) | N | | | | | |
| [CSSOM View Module 1](https://drafts.csswg.org/cssom-view-1/) | N | | | | | |
| [Media Queries 3](https://drafts.csswg.org/mediaqueries-3/) | N | | | | | |
| [Selectors 3](https://drafts.csswg.org/selectors-3/) | N | | | | | |
| [Non-element Selectors 1](https://drafts.csswg.org/selectors-nonelement-1/) | N | | | | | |

## 207--priv-sec.partial.bs

```html
<h2 class="no-num" id="security-privacy">Appendix. Considerations for Security and Privacy</h2>

This appendix is <em>informative</em> rather than normative.

The W3C TAG is developing a
<a href="https://www.w3.org/TR/security-privacy-questionnaire/">Self-Review Questionnaire: Security and Privacy</a>
for editors of specifications to informatively answer.

Per the <a href="https://www.w3.org/TR/security-privacy-questionnaire/#questions">Questions to Consider</a>:

<ol>
  <li>
    Does this specification deal with personally-identifiable information?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification deal with high-value data?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification introduce new state for an origin that persists across browsing sessions?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification expose persistent, cross-origin state to the web?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification expose any other data to an origin that it doesn’t currently have access to?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification enable new script execution/loading mechanisms?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to a user’s location?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to sensors on a user’s device?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to aspects of a user’s local computing environment?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to other devices?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin some measure of control over a user agent’s native UI?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification expose temporary identifiers to the web?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification distinguish between behavior in first-party and third-party contexts?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    How should this specification work in the context of a user agent’s "incognito" mode?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification persist data to a user’s local device?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification have a "Security Considerations" and "Privacy Considerations" section?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow downgrading default security characteristics?
    <p><em>Pending editorial review</em></p>
  </li>
</ol>
```

-- 
GitHub Notification of comment by ao5357
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/207#issuecomment-367180378 using your GitHub account

Received on Wednesday, 21 February 2018 01:18:47 UTC
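The four checklist points above are mechanically checkable against a spec's HTML. The following is an added example, not code from the comment author or the csswg-drafts repository: it splits a draft into `<h2>` sections, finds the Security/Privacy one, and scores it on the same columns as the table. The sample specs and the handful of questionnaire question stems it looks for are constructed assumptions.

```python
import re

# The checklist wants the section to link the TAG questionnaire.
TAG_URL = "https://www.w3.org/TR/security-privacy-questionnaire/"
# A few stems from its "Questions to Consider", used to gauge question coverage.
QUESTION_STEMS = ("personally-identifiable information", "high-value data",
                  "persists across browsing sessions", "cross-origin state")

def _strip_tags(fragment):
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", fragment)).strip()

def _sections(html):
    """Yield (heading text, body html) for each <h2> section of a spec."""
    parts = re.split(r"(<h2\b[^>]*>.*?</h2>)", html, flags=re.S | re.I)
    for i in range(1, len(parts), 2):
        yield _strip_tags(parts[i]), parts[i + 1]

def audit(html):
    """Score one spec against the checklist; keys mirror the table columns."""
    for heading, body in _sections(html):
        if not re.search(r"security|privacy", heading, re.I):
            continue
        text = _strip_tags(body).lower()
        return {
            "status": "Y", "header": heading,
            # Declares itself informative rather than leaving normativity implicit.
            "informative": "Y" if re.search(r"\binformative\b", text) else "N",
            # "...if implemented correctly" hand-waving: Y here is a defect.
            "correctly": "Y" if "correctly" in text else "N",
            # How many of the sampled questionnaire questions the section addresses.
            "questions": sum(stem in text for stem in QUESTION_STEMS),
            "linked_tag": "Y" if TAG_URL in body else "N",
        }
    return {"status": "N"}  # no Security/Privacy <h2> at all

# Constructed sample specs (not real CSSWG drafts) showing a good and a poor section.
GOOD_SPEC = """<h2 id="intro">1. Introduction</h2><p>Scope text.</p>
<h2 class="no-num" id="security-privacy">Appendix C. Security and Privacy Considerations</h2>
<p>This appendix is <em>informative</em> rather than normative.</p>
<p>Per the <a href="https://www.w3.org/TR/security-privacy-questionnaire/#questions">Questions</a>:</p>
<ol><li>Does this specification deal with personally-identifiable information? No.</li>
<li>Does this specification deal with high-value data? No.</li>
<li>Does it introduce new state for an origin that persists across browsing sessions? No.</li></ol>"""
BAD_SPEC = """<h2 id="intro">1. Introduction</h2><p>Scope text.</p>
<h2 id="priv-sec">10. Privacy and Security Considerations</h2>
<p>There are no new concerns if this specification is implemented correctly.</p>"""

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC), ("none", "<h2>1. Intro</h2>")):
        print(name, audit(spec))
```

Run against a fetched draft, the output row can be pasted straight into the table; a "questions" count below the number of stems flags sections that answer only some of the questionnaire.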