Re: TTML2 and questionnaire for Security and Privacy; for review.

On 03/11/2016 at 10:08, Nigel Megitt wrote:
> If you mean "If approved… " then sounds like a good plan!

Right.


>
> Nigel
>
>
> On 03/11/2016, 09:03, "Thierry MICHEL" <tmichel@w3.org> wrote:
>
>> I approved today during our call, I will send it to Security and Privacy.
>>
>> Thierry
>>
>> On 03/11/2016 at 10:00, Nigel Megitt wrote:
>>> Looks good to me - thanks Thierry.
>>>
>>> Nigel
>>>
>>>
>>> On 03/11/2016, 07:22, "Thierry MICHEL" <tmichel@w3.org> wrote:
>>>
>>>> I guess the following should be the final version for review regarding
>>>> TTML2, to answer the Self-Review Questionnaire: Security and Privacy
>>>> https://www.w3.org/TR/security-privacy-questionnaire/
>>>>
>>>> Thierry
>>>>
>>>>
>>>> -----------------------------------------------------------------------
>>>>
>>>> Questions to Consider:
>>>> 3.1 Does this specification deal with personally-identifiable
>>>> information?
>>>> --> NO it doesn't.
>>>>
>>>> 3.2 Does this specification deal with high-value data?
>>>> --> NO it doesn't.
>>>>
>>>> 3.3 Does this specification introduce new state for an origin that
>>>> persists across browsing sessions?
>>>> --> NO it doesn't.
>>>>
>>>> 3.4 Does this specification expose persistent, cross-origin state
>>>> to the web?
>>>> --> NO it doesn't.
>>>>
>>>> 3.5 Does this specification expose any other data to an origin that it
>>>> doesn't currently have access to?
>>>> --> NO it doesn't.
>>>>
>>>> 3.6 Does this specification enable new script execution/loading
>>>> mechanisms?
>>>> --> This question as worded is ambiguous to us; is it only about
>>>> script loading and script execution?
>>>> In our case, a TTML2 document in which a change in the value of an
>>>> externally passed in parameter or a media query (for example) may cause
>>>> a modification of behavior, and this may lead to the loading of
>>>> external resources including audio, images etc, though excluding
>>>> scripts. We do not consider the "condition" mechanism to be a
>>>> scripting language.
>>>> TTML2 allows loading of resources, just not scripts, and has fetch
>>>> semantics by the introduction of external resource loading. It also
>>>> allows the addition of links on spans that can have hyperlinks.
>>>>
>>>> 3.7 Does this specification allow an origin access to a user's
>>>> location?
>>>> --> NO it doesn't.
>>>>
>>>> 3.8 Does this specification allow an origin access to sensors on a
>>>> user's device?
>>>> --> NO it doesn't.
>>>>
>>>> 3.9 Does this specification allow an origin access to aspects of a
>>>> user's local computing environment?
>>>> --> NO it doesn't.
>>>>
>>>> 3.10 Does this specification allow an origin access to other devices?
>>>> --> NO it doesn't.
>>>>
>>>> 3.11 Does this specification allow an origin some measure of control
>>>> over a user agent's native UI?
>>>> --> NO it doesn't.
>>>>
>>>> 3.12 Does this specification expose temporary identifiers to the web?
>>>> --> NO it doesn't.
>>>>
>>>> 3.13 Does this specification distinguish between behavior in
>>>> first-party and third-party contexts?
>>>> --> NO it doesn't.
>>>>
>>>> 3.14 How should this specification work in the context of a user
>>>> agent's "incognito" mode?
>>>> --> This specification has no impact on any incognito mode since the
>>>> answer to all the questions about exposing details to origins is "No".
>>>>
>>>> 3.15 Does this specification persist data to a user's local device?
>>>> --> User agents may choose to cache referenced external resources; this
>>>> implementation detail is not covered by this specification and the
>>>> specification makes no explicit requirement for caching or non-caching
>>>> of any external resource.
>>>>
>>>> 3.16 Does this specification have a "Security Considerations" and
>>>> "Privacy Considerations" section?
>>>> --> YES it does. See the media type registration which is an integral
>>>> part of it.
>>>>
>>>> http://www.iana.org/assignments/media-types/application/ttml+xml
>>>>
>>>> 3.17 Does this specification allow downgrading default security
>>>> characteristics?
>>>> --> NO it doesn't.
>>>>
>>>> _______________________________
>>>
>>>
>>>
>>>
>

Received on Thursday, 3 November 2016 09:36:32 UTC