W3C home > Mailing lists > Public > public-css-archive@w3.org > October 2020

[csswg-drafts] [css-text-3] Security review answers (#5574)

From: Florian Rivoal via GitHub <sysbot+gh@w3.org>
Date: Fri, 02 Oct 2020 06:02:10 +0000
To: public-css-archive@w3.org
Message-ID: <issues.opened-713370517-1601618529-sysbot+gh@w3.org>
frivoal has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-text-3] Security review answers ==
This issue contains the answers to the [Self-Review Questionnaire: Security and Privacy](https://www.w3.org/TR/security-privacy-questionnaire/) for [CSS Text 3](https://drafts.csswg.org/css-text-3/)

**2.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?** 

In order to support correct typography, this specification relies on language-specific hyphenation dictionaries and line-breaking dictionaries. As these can vary across browser and browser version, they contribute to fingerprinting. They are nonetheless necessary to display various languages correctly.

**2.2 Is this specification exposing the minimum amount of information necessary to power the feature?** 

Yes

**2.3 How does this specification deal with personal information or personally-identifiable information or information derived thereof?** 

Not applicable

**2.4 How does this specification deal with sensitive information?** 

Not applicable

**2.5 Does this specification introduce new state for an origin that persists across browsing sessions?** 

No

**2.6 What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?** 

Same asnwer as 2.1.

**2.7 Does this specification allow an origin access to sensors on a user’s device** 

No

**2.8 What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.** 

None

**2.9 Does this specification enable new script execution/loading mechanisms?** 

No

**2.10 Does this specification allow an origin to access other devices?** 

No

**2.11 Does this specification allow an origin some measure of control over a user agent’s native UI?** 

No

**2.12 What temporary identifiers might this this specification create or expose to the web?** 

None

**2.13 How does this specification distinguish between behavior in first-party and third-party contexts?** 

Not applicable

**2.14 How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?** 

No difference

**2.15 Does this specification have a "Security Considerations" and "Privacy Considerations" section?** 

[Yes](https://drafts.csswg.org/css-text-3/#priv-sec)

**2.16 Does this specification allow downgrading default security characteristics?** 

No

**2.17 What should this questionnaire have asked?** 

Nothing springs to mind.

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5574 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 2 October 2020 06:02:13 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:42:20 UTC