Re: Privacy review request for Accessible Rich Internet Applications (WAI-ARIA) 1.2

Hi James,

In general, we try to identify all privacy issues in specs, whether they were just added or legacy. This is in part because of the (welcome) increased focus on privacy on the platform; something that was typical (privacy-wise) in a previous version of the spec might be the new “weakest link” as we try to address privacy leaks across the board.

If you think that's not correct or appropriate here, I suggest continuing the conversation in the issue Shivan opened.

Best,
Pete

> On Dec 16, 2020, at 1:34 PM, James Nurthen <nurthen@adobe.com> wrote:
> 
> Thanks.
> As this is not a new issue in ARIA 1.2 can we address this in the ARIA 1.3 timeframe which is currently under active development? The plan is currently for a first public working draft early in the new year and a wide review draft in the first half of next year.
>  
> Regards,
> James
>  
> James Nurthen (he/him)  |  Accessibility Engineer  |  Adobe  |  T 415 832 2734  |  nurthen@adobe.com
>  
>  
>  
> From: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
> Date: Wednesday, December 16, 2020 at 9:53 AM
> To: Christine Runnegar <runnegar@isoc.org>
> Cc: James Nurthen <nurthen@adobe.com>, public-privacy@w3.org <public-privacy@w3.org>
> Subject: Re: Privacy review request for Accessible Rich Internet Applications (WAI-ARIA) 1.2
> 
> Hi James, thanks for bringing this to PING! I looked at the spec and filed https://github.com/w3c/aria/issues/1371
>  
> On Mon, Nov 2, 2020 at 3:23 PM Christine Runnegar <runnegar@isoc.org> wrote:
> Thanks for sending in this request James. We will assign the review at our next PING meeting on 5 November 2020.
> 
> Christine
> 
> > On Oct 27, 2020, at 3:08 PM, James Nurthen <nurthen@adobe.com> wrote:
> > 
> > The ARIA WG requests formal review of the Accessible Rich Internet Applications (WAI-ARIA) 1.2 CR:
> >    https://raw.githack.com/w3c/aria/2020-09_CR/index.html
> >  
> >  
> > This specification provides a framework to improve the accessibility and interoperability of web content and applications. 
> > Changes since ARIA 1.1 can be found at https://raw.githack.com/w3c/aria/2020-09_CR/index.html#substantive-changes-since-the-last-public-working-draft and consist mostly of the addition of roles to get closer to parity with HTML in order to allow the creation of accessible web components.
> >  
> >  
> > This specification is in the “almost CR” stage of development, so we expect it 
> > to transition, in more or less its current form, after completing horizontal 
> > review.
> >  
> > We do not have a privacy and security section as there was no content to add.
> >  
> > Please raise any issues in the ARIA GitHub repo:
> >     https://github.com/w3c/aria/issues
> > and let us know when you have completed your review.
> >  
> >  
> > = Self-Review Questionnaire: Security and Privacy =
> >  
> > 2.1 What information might this feature expose to Web sites or other parties, 
> > and for what purposes is that exposure necessary?
> >  
> > None. The specification enables authors to create information to be exposed to the accessibility APIs.  
> >  
> > 2.2 Is this specification exposing the minimum amount of information necessary 
> > to power the feature?
> >  
> > Yes
> >  
> > 2.3 How does this specification deal with personal information or 
> > personally-identifiable information or information derived thereof?
> >  
> > Not applicable
> >  
> > 2.4 How does this specification deal with sensitive information?
> >  
> > Not applicable
> >  
> > 2.5 Does this specification introduce new state for an origin that persists 
> > across browsing sessions?
> >  
> > No
> >  
> > 2.6 What information from the underlying platform, e.g. configuration data, is 
> > exposed by this specification to an origin?
> >  
> > None
> >  
> > 2.7 Does this specification allow an origin access to sensors on a user’s device?
> >  
> > No
> >  
> > 2.8 What data does this specification expose to an origin? Please also 
> > document what data is identical to data exposed by other features, in the same 
> > or different contexts.
> >  
> > None
> >  
> > 2.9 Does this specification enable new script execution/loading mechanisms?
> >  
> > No
> >  
> > 2.10 Does this specification allow an origin to access other devices?
> >  
> > No
> >  
> > 2.11 Does this specification allow an origin some measure of control over a 
> > user agent’s native UI?
> >  
> > No
> >  
> > 2.12 What temporary identifiers might this specification create or expose 
> > to the web?
> >  
> > None
> >  
> > 2.13 How does this specification distinguish between behavior in first-party 
> > and third-party contexts?
> >  
> > Not applicable
> >  
> > 2.14 How does this specification work in the context of a user agent’s Private 
> > Browsing or "incognito" mode?
> >  
> > No difference
> >  
> > 2.15 Does this specification have a "Security Considerations" and "Privacy 
> > Considerations" section?
> >  
> > No
> >  
> > 2.16 Does this specification allow downgrading default security characteristics?
> >  
> > No
> >  
> > 2.17 What should this questionnaire have asked?
> >  
> > Nothing springs to mind.
> >  
> > Regards,
> > James
> 

Received on Wednesday, 16 December 2020 21:46:55 UTC