W3C home > Mailing lists > Public > public-secondscreen@w3.org > June 2015

Re: [presentation-api] Issue #45: Security and Privacy Considerations

From: François Daoust via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 Jun 2015 16:24:49 +0000
To: public-secondscreen@w3.org
Message-ID: <issue_comment.created-108510120-1433348687-sysbot+gh@w3.org>
Please find a few comments below. The rest looks good. I would merge 
the pull request in any case, the text provides a very good basis for 
that section!

### Cross-origin access
* "the URL that started the presentation": couldn't this mean the URL 
of the opening context? Change to "the URL of the presentation 
session", perhaps?
* I would drop the paragraph starting from "We could further 
restrict...". We're not going to do that in practice, so I don't see 
what it brings. Perhaps rephrase the whole paragraph as: "This design 
allows controlling contexts from different domains to connect to a 
shared presentation resource. The security of the presentation ID 
prevents arbitrary pages from connecting to an existing 
presentation.".
* I would drop "the charter envisions", or use "the group envisions" 
instead (most readers won't know what a charter is and that's not a 
useful concept in a spec)

### Temporary identifiers and browser state
I would drop "Again, one possible solution would be to restrict the 
API to secure contexts" since my understanding is that we would prefer
 not to do that, and replace with an open issue such as:
```html
<p class="open-issue">
  Should we restrict the API to some extent in non secure contexts?
</p>
```


-- 
GitHub Notif of comment by tidoust
See 
https://github.com/w3c/presentation-api/pull/104#issuecomment-108510120
Received on Wednesday, 3 June 2015 16:24:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:18:56 UTC