Re: Requesting wide review of Screen Orientation API from Léonie Watson on 2017-01-13 (public-privacy@w3.org from January to March 2017)

From: Léonie Watson <tink@tink.uk>
Date: Fri, 13 Jan 2017 14:30:16 +0000
To: public-privacy@w3.org
Cc: Marcos Caceres <marcos@marcosc.com>, Mounir Lamouri <mlamouri@google.com>
Message-ID: <5d7bdd82-101e-fd4f-c1da-ce5f629382f8@tink.uk>

On 07/11/2016 12:22, Léonie Watson wrote:
> Hello Privacy,
Hello again.

>
> The WebPlat WG would like to request a privacy review of the Screen
> Orientation API [1].
>
[...]

I'm sorry, I didn't include a timeline with my original request. Would 
it be possible for you to review this spec before 12th February? Thanks.

Léonie.


>
> Thank you.
> Léonie on behalf of the WebPlat chairs and Screen Orientation API editors
>
> [1] https://www.w3.org/TR/screen-orientation/
> [2] https://www.w3.org/TR/security-privacy-questionnaire/
> [3] https://github.com/w3c/screen-orientation/issues
>
> Questionnaire answers:
>
> 3.1 Does this specification deal with personally-identifiable information?
> No.
>
> 3.2 Does this specification deal with high-value data?
> No.
>
> 3.3 Does this specification introduce new state for an origin that
> persists across browsing sessions?
> No.
>
> 3.4 Does this specification expose persistent, cross-origin state to the
> web?
> The screen orientation state. Also already available in most browsers
> via window.orientation.
>
> 3.5 Does this specification expose any other data to an origin that it
> doesn’t currently have access to?
> No.
>
> 3.6 Does this specification enable new script execution/loading mechanisms?
> No.
>
> 3.7 Does this specification allow an origin access to a user’s location?
> No.
>
> 3.8 Does this specification allow an origin access to sensors on a
> user’s device?
> The screen orientation state is a result of sensors. However, it has
> only 4 values.
>
> 3.9 Does this specification allow an origin access to aspects of a
> user’s local computing environment?
> Screen orientation is one, yes.
>
> 3.10 Does this specification allow an origin access to other devices?
> No.
>
> 3.11 Does this specification allow an origin some measure of control
> over a user agent’s native UI?
> Not really. It can lock the screen orientation but it is not really
> "controlling" the UA UI.
>
> 3.12 Does this specification expose temporary identifiers to the web?
> No.
>
> 3.13 Does this specification distinguish between behavior in first-party
> and third-party contexts?
> No.
>
> 3.14 How should this specification work in the context of a user agent’s
> "incognito" mode?
> Should not be different.
>
> 3.15 Does this specification persist data to a user’s local device?
> No.
>
> 3.16 Does this specification have a "Security Considerations" and
> "Privacy Considerations" section?
> No, but we'll add one with information about the points answered "yes".
>
> 3.17 Does this specification allow downgrading default security
> characteristics?
> No.
>
>

Received on Friday, 13 January 2017 14:30:53 UTC