Re: [remote-playback] Evaluate Security and Privacy impacts

My answers to the questionnaire are below:

1. Does this specification deal with personally-identifiable information?

The API generally exposes one bit of information about whether there's a remote playback device available to the user agent for a particular media element. Depending on the implementation it is possible to get more information about a particular device by getting the availability bit for different media resources. The devices would be discovered on the user's local network.

2. Does this specification deal with high-value data?

Generally no. Depending on the remote playback device and the way the media is remoted, the remote playback device may send a request to fetch the media to the media server which might contain extra headers with extra data (User-Agent, authentication cookie, etc).

3. Does this specification introduce new state for an origin that persists across browsing sessions?

No.

4. Does this specification expose persistent, cross-origin state to the web?

The availability bit exposed would be the same for any origin and might not change much for a particular user.

5. Does this specification expose any other data to an origin that it doesn't currently have access to?

No.

6. Does this specification enable new script execution/loading mechanisms?

No.

7. Does this specification allow an origin access to a user's location?

No.

8. Does this specification allow an origin access to sensors on a user's device?

No.

9. Does this specification allow an origin access to aspects of a user's local computing environment?

It does tell the origin if the user has a remote playback device available, likely on the local network. It doesn't reveal any specific information about the device (like its network IP address or MAC).

10. Does this specification allow an origin access to other devices?

Yes. Any remote playback device that the user agent supports and that's compatible with the media element's resource. The spec requires a user granting permission to use the device, typically via some UI.

11. Does this specification allow an origin some measure of control over a user agent's native UI? (showing, hiding, or modifying certain details, especially if those details are relevant to security)?

The page can request the user agent to show some UI to select or control the selected remote playback device.

12. Does this specification expose temporary identifiers to the web?

No.

13. Does this specification distinguish between behavior in first-party and third-party contexts?

No.

14. How should this specification work in the context of a user agent's "incognito" mode?

There's no state that would allow the origin to identify the "incognito" mode.

15. Does this specification persist data to a user’s local device?

No.

16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?

No.

17. Does this specification allow downgrading default security characteristics?

It's not restricted in any relevant way so the answer is probably yes.


-- 
GitHub Notification of comment by avayvod
Please view or discuss this issue at https://github.com/w3c/remote-playback/issues/67#issuecomment-263981189 using your GitHub account

Received on Wednesday, 30 November 2016 20:10:06 UTC