- From: Chris Lilley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 04 Sep 2020 16:59:33 +0000
- To: public-css-archive@w3.org
svgeesus has just created a new issue for https://github.com/w3c/csswg-drafts: == [css-color-4] Security Self-Review answers == This issue contains the answers to questions posed in [Self-Review Questionnaire: Security and Privacy](https://www.w3.org/TR/security-privacy-questionnaire/) as they relate to the current draft of [CSS Color 4](https://drafts.csswg.org/css-color-4/#priv-sec) which is used to set the colors of various items on a Web page.. **What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?** The [system colors](https://drafts.csswg.org/css-color-4/#css-system-colors) MAY expose user-chosen (in `forced colors mode) or OS-chosen colors, as discussed in the [Security and Privacy Considerations](https://drafts.csswg.org/css-color-4/#priv-sec). **Is this specification exposing the minimum amount of information necessary to power the feature?** Yes, we believe so. **How does this specification deal with personal information or personally-identifiable information or information derived thereof?** No personally-identifiable information. **How does this specification deal with sensitive information?** This specification does not deal with financial data, credentials, health information, location, or credentials. **Does this specification introduce new state for an origin that persists across browsing sessions?** No. **What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?** See discussion of system colors in [Security and Privacy Considerations](https://drafts.csswg.org/css-color-4/#priv-sec) **Does this specification allow an origin access to sensors on a user’s device** No. **What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.** None. **Does this specification enable new script execution/loading mechanisms?** No. It does allow linking to ICC profiles, but these are declarative and do not contain any scripting mechanism. **Does this specification allow an origin to access other devices?** No. **Does this specification allow an origin some measure of control over a user agent’s native UI?** Yes, to a limited extent the native UI could in theory be spoofed. See discussion of system colors in [Security and Privacy Considerations] (https://drafts.csswg.org/css-color-4/#priv-sec) **What temporary identifiers might this this specification create or expose to the web?** None. **How does this specification distinguish between behavior in first-party and third-party contexts?** No difference. **How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?** No difference. **Does this specification have a "Security Considerations" and "Privacy Considerations" section?** It has [one combined section](https://drafts.csswg.org/css-color-4/#priv-sec). Negative responses are not recorded, but are recorded in this issue. **Does this specification allow downgrading default security characteristics?** No. **What should this questionnaire have asked?** nothing else springs to mind which would be relevant to this specification. Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5499 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 4 September 2020 16:59:35 UTC