Re: [wake-lock] Review the Privacy & Security section

I re-ran the self-review questionnaire: 
https://www.w3.org/TR/security-privacy-questionnaire/#questions

> 3.1. Does this specification deal with personally-identifiable information?

No.

> 3.2. Does this specification deal with high-value data?

No.

> 3.3. Does this specification introduce new state for an origin that persists across browsing sessions?

No.

> 3.4. Does this specification expose persistent, cross-origin state to the web?

No. The specification does expose cross-origin state (current wake 
lock status), but it is not persistent.

> 3.5. Does this specification expose any other data to an origin that it doesn’t currently have access to?

Yes. Origin A can listen to the global wake lock state, and origin B 
could request the wake lock, thereby modifying the global wake lock 
state. This way, origin A can observe actions of origin B.

> 3.6. Does this specification enable new script execution/loading mechanisms?

No.

> 3.7. Does this specification allow an origin access to a user’s location?

No.

> 3.8. Does this specification allow an origin access to sensors on a user’s device?

No.

> 3.9. Does this specification allow an origin access to aspects of a user’s local computing environment?

Yes, indirectly. The specification allows checking if a particular 
wake lock type is supported, thus providing some information about 
device capabilities.

> 3.10. Does this specification allow an origin access to other devices?

No.

> 3.11. Does this specification allow an origin some measure of control over a user agent’s native UI?

Yes, as it prevents the entire screen from going blank, including the 
native UI elements.

> 3.12. Does this specification expose temporary identifiers to the web?

No.

> 3.13. Does this specification distinguish between behavior in first-party and third-party contexts?

Yes, as it contains a provision that only same-origin frames can 
request wake locks.

> 3.14. How should this specification work in the context of a user agent’s "incognito" mode?

Exactly the same way as in non-incognito mode (matching the "ideally" 
option).

> 3.15. Does this specification persist data to a user’s local device?

No.

> 3.16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?

Yes.

> 3.17. Does this specification allow downgrading default security characteristics?

No.



-- 
GitHub Notification of comment by andrey-logvinov
Please view or discuss this issue at 
https://github.com/w3c/wake-lock/issues/89#issuecomment-279975936 
using your GitHub account

Received on Wednesday, 15 February 2017 10:37:47 UTC