[css-houdini-drafts] [css-animationworklet] security and privacy questionnaire (#868)

majido has just created a new issue for https://github.com/w3c/css-houdini-drafts:

== [css-animationworklet] security and privacy questionnaire ==
This is an attempt to answer the W3C [Security and Privacy Self-Review Questionnaire](https://www.w3.org/TR/security-privacy-questionnaire/).

3.1. Does this specification deal with personally-identifiable information?
No. The target for this feature is animations, which in general are not expected to have PII.

3.2. Does this specification deal with high-value data?
No.

3.3. Does this specification introduce new state for an origin that persists across browsing sessions?
No.

3.4. Does this specification expose persistent, cross-origin state to the web?
No.


3.5. Does this specification expose any other data to an origin that it doesn’t currently have access to?
No.

3.6. Does this specification enable new script execution/loading mechanisms?
This specification uses [Worklets](https://drafts.css-houdini.org/worklets), which are an existing but
fairly new execution context. It is worth noting that at the moment, worklets are limited to secure
contexts ([detail](https://drafts.css-houdini.org/worklets/#security-considerations)).

3.7. Does this specification allow an origin access to a user’s location?
No.

3.8. Does this specification allow an origin access to sensors on a user’s device?
No.

3.9. Does this specification allow an origin access to aspects of a user’s local computing environment?
(e.g. screen sizes, installed fonts, installed plugins, bluetooth or network interface identifiers)?

Nothing beyond what is already available through existing web animations.

3.10. Does this specification allow an origin access to other devices?
No.

3.11. Does this specification allow an origin some measure of control over a user agent’s native UI?
No.

3.12. Does this specification expose temporary identifiers to the web?
No.

3.13. Does this specification distinguish between behavior in first-party and third-party contexts?
No.

3.14. How should this specification work in the context of a user agent’s "incognito" mode?
Incognito mode does not make a difference.

3.15. Does this specification persist data to a user’s local device?
No.

3.16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?
Yes, but currently there is nothing of interest in there.

3.17. Does this specification allow downgrading default security characteristics?
No.


Please view or discuss this issue at https://github.com/w3c/css-houdini-drafts/issues/868 using your GitHub account

Received on Friday, 8 March 2019 14:27:41 UTC