Re: [csswg-drafts] [css-variables-1] Horizontal Review (#6808) from Chris Lilley via GitHub on 2022-02-08 (public-css-archive@w3.org from February 2022)

From: Chris Lilley via GitHub <sysbot+gh@w3.org>
Date: Tue, 08 Feb 2022 23:43:36 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-1033173803-1644363815-sysbot+gh@w3.org>

[Questions to Consider](https://w3ctag.github.io/security-questionnaire/#questions)

    _2.1 What information does this feature expose, and for what purposes?_
Whatever the stylesheet author wants to make available. So that it can be reused by name, instead of by hard-to-maintain copy and paste.
    _2.2 Do features in your specification expose the minimum amount of information necessary to implement the intended functionality?_
Yes, the minimum is zero.
    _2.3 Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either?_
No
    _2.4 How do the features in your specification deal with sensitive information?_
They don't
    _2.5 Do the features in your specification introduce state that persists across browsing sessions?_
No
    _2.6 Do the features in your specification expose information about the underlying platform to origins?_
No
    _2.7 Does this specification allow an origin to send data to the underlying platform?_
No
    _2.8 Do features in this specification enable access to device sensors?_
No
    _2.9 Do features in this specification enable new script execution/loading mechanisms?_
No
    _2.10 Do features in this specification allow an origin to access other devices?_
No
    _2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI?_
No
    _2.12 What temporary identifiers do the features in this specification create or expose to the web?_
None
    _2.13 How does this specification distinguish between behavior in first-party and third-party contexts?_
No difference
    _2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?_
No difference
    _2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections?_
Yes
    _2.16 Do features in your specification enable origins to downgrade default security protections?_
No
    _2.17 How does your feature handle non-"fully active" documents?_
Not applicable
    _2.18 What should this questionnaire have asked?_
Nothing springs to mind

-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/6808#issuecomment-1033173803 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 8 February 2022 23:43:38 UTC