Re: [dxwg] Profiles Guide doc Security and Privacy (#478) from Nicholas Car via GitHub on 2018-12-15 (public-dxwg-wg@w3.org from December 2018)

From: Nicholas Car via GitHub <sysbot+gh@w3.org>
Date: Sat, 15 Dec 2018 20:08:21 +0000
To: public-dxwg-wg@w3.org
Message-ID: <issue_comment.created-447594547-1544904500-sysbot+gh@w3.org>

Questions from https://w3ctag.github.io/security-questionnaire/ with answers:

**4.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?**
Guidance document - no code/system exposing anything directly.

**4.2 Is this specification exposing the minimum amount of information necessary to power the feature?**
N/A

**4.3 How does this specification deal with personal information or personally-identifiable information or information derived thereof?**
It does not.

**4.4 How does this specification deal with sensitive information?**
It does not.

**4.5 Does this specification introduce new state for an origin that persists across browsing sessions?**
No.

**4.6 What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?**
N/A

**4.7 Does this specification allow an origin access to sensors on a user’s device?**
No.

**4.8 What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.**
N/A

**4.9 Does this specification enable new script execution/loading mechanisms?**
No.

**4.10 Does this specification allow an origin to access other devices?**
No.

**4.11 Does this specification allow an origin some measure of control over a user agent’s native UI?**
No.

**4.12 What temporary identifiers might this this specification create or expose to the web?**
No temporary identifiers. Use of it will ultimately generate persistent identifiers (URIs) for documents (profiles).

**4.13 How does this specification distinguish between behavior in first-party and third-party contexts?**
It does not.

**4.14 How does this specification work in the context of a user agent’s Private \ Browsing or "incognito" mode?**
N/A

**4.15 Does this specification have a "Security Considerations" and "Privacy Considerations" section?**
Yes but a trivial one for now. To be updated.

**4.16 Does this specification allow downgrading default security characteristics?**
No or N/A.

**4.17 What should this questionaire have asked?**
I can't think of what it could ask to better probe potential privacy issues for this kind of Guidance document.

--
GitHub Notification of comment by nicholascar
Please view or discuss this issue at https://github.com/w3c/dxwg/issues/478#issuecomment-447594547 using your GitHub account

Received on Saturday, 15 December 2018 20:08:23 UTC