Re: [remote-playback] Evaluate Security and Privacy impacts

From: Anton Vayvod via GitHub <sysbot+gh@w3.org>
Date: Wed, 30 Nov 2016 20:09:59 +0000
To: public-secondscreen@w3.org
Message-ID: <issue_comment.created-263981189-1480536596-sysbot+gh@w3.org>
My answers to the questionnaire are below:

1. Does this specification deal with personally-identifiable 

The API generally exposes one bit of information about whether there's a remote playback device available to the user agent for a particular media
Depending on the implementation it is possible to get more information about a particular device by getting the availability bit for different media
The devices would be discovered on the user's local network.

2. Does this specification deal with high-value data?

Generally no. Depending on the remote playback device and the way the media is remoted, the remote playback device may send a request to fetch the media to the media server which might contain extra headers with extra data
authentication cookie, etc).

3. Does this specification introduce new state for an origin that 
     across browsing sessions?


4. Does this specification expose persistent, cross-origin state to the web?

The availability bit exposed would be the same for any origin and might not change much for a particular user.

5. Does this specification expose any other data to an origin that it 
     currently have access to?


6. Does this specification enable new script execution/loading 


7. Does this specification allow an origin access to a user’s 


8. Does this specification allow an origin access to sensors on a user’s device?


9. Does this specification allow an origin access to aspects of a user’s local computing environment?

It does tell the origin if the user has a remote playback device likely on the local network. It doesn't reveal any specific information about the device (like its network IP address or MAC).

10. Does this specification allow an origin access to other devices?

Yes. Any remote playback device that the user agent supports and compatible with the media element's resource. The spec requires a user permission to use the device, typically via some UI.

11. Does this specification allow an origin some measure of control over a user agent’s native UI? (showing, hiding, or modifying certain
      especially if those details are relevant to security)?

The page can request the user agent to show some UI to select or control the selected remote playback device.

12. Does this specification expose temporary identifiers to the web?


13. Does this specification distinguish between behavior in first-party and third-party contexts?


14. How should this specification work in the context of a user 
      "incognito" mode?

There's no state that would allow the origin to identify the "incognito" mode.

15. Does this specification persist data to a user’s local device?


16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?


17. Does this specification allow downgrading default security 

It's not restricted in any relevant way so the answer is probably yes.

GitHub Notification of comment by avayvod
Please view or discuss this issue at 
 using your GitHub account
Received on Wednesday, 30 November 2016 20:10:06 UTC