- From: Nigel Megitt <nigel.megitt@bbc.co.uk>
- Date: Thu, 3 Nov 2016 09:08:48 +0000
- To: Thierry MICHEL <tmichel@w3.org>
- CC: W3C Public TTWG <public-tt@w3.org>
If you mean "If approved " then sounds like a good plan!

Nigel

On 03/11/2016, 09:03, "Thierry MICHEL" <tmichel@w3.org> wrote:

>I approved today during our call, I will send it to Security and Privacy.
>
>Thierry
>
>On 03/11/2016 at 10:00, Nigel Megitt wrote:
>> Looks good to me - thanks Thierry.
>>
>> Nigel
>>
>>
>> On 03/11/2016, 07:22, "Thierry MICHEL" <tmichel@w3.org> wrote:
>>
>>> I guess the following should be the final version for review regarding
>>> TTML2, to answer the Self-Review Questionnaire: Security and Privacy
>>> https://www.w3.org/TR/security-privacy-questionnaire/
>>>
>>> Thierry
>>>
>>>
>>> -----------------------------------------------------------------------
>>>
>>> Questions to Consider:
>>> 3.1 Does this specification deal with personally-identifiable
>>> information?
>>> --> NO it doesn't.
>>>
>>> 3.2 Does this specification deal with high-value data?
>>> --> NO it doesn't.
>>>
>>> 3.3 Does this specification introduce new state for an origin that
>>> persists across browsing sessions?
>>> --> NO it doesn't.
>>>
>>> 3.4 Does this specification expose persistent, cross-origin state to the
>>> web?
>>> --> NO it doesn't.
>>>
>>> 3.5 Does this specification expose any other data to an origin that it
>>> doesn't currently have access to?
>>> --> NO it doesn't.
>>>
>>> 3.6 Does this specification enable new script execution/loading
>>> mechanisms?
>>> --> This question as worded is ambiguous to us; is it only about script
>>> loading and script execution?
>>> In our case, a TTML2 document in which a change in the value of an
>>> externally passed in parameter or a media query (for example) may cause
>>> a modification of behavior, and this may lead to the loading of external
>>> resources including audio, images etc, though excluding scripts. We do
>>> not consider "condition" mechanism to be a scripting language.
>>> TTML2 allows loading of resources, just not scripts, and has fetch
>>> semantics by the introduction of external resource loading. It also
>>> allows the addition of links on spans that can have hyperlinks.
>>>
>>> 3.7 Does this specification allow an origin access to a user's location?
>>> --> NO it doesn't.
>>>
>>> 3.8 Does this specification allow an origin access to sensors on a
>>> user's device?
>>> --> NO it doesn't.
>>>
>>> 3.9 Does this specification allow an origin access to aspects of a
>>> user's local computing environment?
>>> --> NO it doesn't.
>>>
>>> 3.10 Does this specification allow an origin access to other devices?
>>> --> NO it doesn't.
>>>
>>> 3.11 Does this specification allow an origin some measure of control
>>> over a user agent's native UI?
>>> --> NO it doesn't.
>>>
>>> 3.12 Does this specification expose temporary identifiers to the web?
>>> --> NO it doesn't.
>>>
>>> 3.13 Does this specification distinguish between behavior in first-party
>>> and third-party contexts?
>>> --> NO it doesn't.
>>>
>>> 3.14 How should this specification work in the context of a user agent's
>>> "incognito" mode?
>>> --> This specification has no impact on any incognito mode since the
>>> answer to all the questions about exposing details to origins are "No".
>>>
>>> 3.15 Does this specification persist data to a user's local device?
>>> --> User agents may choose to cache referenced external resources; this
>>> implementation detail is not covered by this specification and the
>>> specification makes no explicit requirement for caching or non-caching
>>> of any external resource.
>>>
>>> 3.16 Does this specification have a "Security Considerations" and
>>> "Privacy Considerations" section?
>>> --> YES it does. See the media type registration which is an integral
>>> part of it.
>>>
>>> http://www.iana.org/assignments/media-types/application/ttml+xml
>>>
>>> 3.17 Does this specification allow downgrading default security
>>> characteristics?
>>> --> NO it doesn't.
>>>
>>> _______________________________
Received on Thursday, 3 November 2016 09:09:17 UTC