TTML2 horizontal review (Self-Review Questionnaire: Security and Privacy)

Colleagues,

The Timed Text Working Group (TTWG) published yesterday an ordinary 
Working Draft of Timed Text Markup Language 2 (TTML2)
W3C Working Draft 17 November 2016
https://www.w3.org/TR/2016/WD-ttml2-20161117/

FYI, this publication is not the last publication before requesting 
transition to Candidate Recommendation. The TTWG plans to publish a 
final WD soon. We will let you know.

Meanwhile, the TTWG invites you to review this TTML2 WD.

The horizontal review should focus only on the new features
introduced in TTML2.
Please refer to the section for changes between Timed Text Markup 
Language (TTML) Version 1 (TTML1) and Version 2 (TTML2).
https://www.w3.org/TR/2016/WD-ttml2-20161117/#changes-from-ttml1-vocabulary

The TTWG has also answered the Self-Review Questionnaire: Security and 
Privacy available at
https://www.w3.org/TR/security-privacy-questionnaire/

The TTWG answers are as follows:

Questions to Consider:
3.1 Does this specification deal with personally-identifiable
information?
--> NO it doesn't.

3.2 Does this specification deal with high-value data?
--> NO it doesn't.

3.3 Does this specification introduce new state for an origin that
persists across browsing sessions?
--> NO it doesn't.

3.4 Does this specification expose persistent, cross-origin state to the
web?
--> NO it doesn't.

3.5 Does this specification expose any other data to an origin that it
doesn't currently have access to?
--> NO it doesn't.

3.6 Does this specification enable new script execution/loading
mechanisms?
--> This question as worded is ambiguous to us; is it only about script 
loading and script execution?
In our case, a change in the value of an externally passed-in parameter 
or a media query (for example) in a TTML2 document may cause a 
modification of behavior, and this may lead to the loading of external 
resources including audio, images etc., though excluding scripts. We do 
not consider the "condition" mechanism to be a scripting language.
TTML2 allows loading of resources, just not scripts, and has fetch 
semantics by the introduction of external resource loading. It also 
allows the addition of links on spans that can have hyperlinks.

3.7 Does this specification allow an origin access to a user's location?
--> NO it doesn't.

3.8 Does this specification allow an origin access to sensors on a
user's device?
--> NO it doesn't.

3.9 Does this specification allow an origin access to aspects of a
user's local computing environment?
--> NO it doesn't.

3.10 Does this specification allow an origin access to other devices?
--> NO it doesn't.

3.11 Does this specification allow an origin some measure of control
over a user agent's native UI?
--> NO it doesn't.

3.12 Does this specification expose temporary identifiers to the web?
--> NO it doesn't.

3.13 Does this specification distinguish between behavior in first-party
and third-party contexts?
--> NO it doesn't.

3.14 How should this specification work in the context of a user agent's
"incognito" mode?
--> This specification has no impact on any incognito mode since the
answer to all the questions about exposing details to origins are "No".

3.15 Does this specification persist data to a user's local device?
--> User agents may choose to cache referenced external resources; this
implementation detail is not covered by this specification and the
specification makes no explicit requirement for caching or non-caching
of any external resource.

3.16 Does this specification have a "Security Considerations" and
"Privacy Considerations" section?
--> YES it does. See the media type registration which is an integral
part of it.

http://www.iana.org/assignments/media-types/application/ttml+xml

3.17 Does this specification allow downgrading default security
characteristics?
--> NO it doesn't.

_______________________________

The TAG document [1] does not say where to send the self questionnaire 
answers. Therefore I am sending it to <www-tag@w3.org>.

Please send your comments to TTWG Public mailing list <public-tt@w3.org>.

Looking forward to your review,

Best,

Thierry Michel
TTWG Team contact.

[1]
https://www.w3.org/TR/security-privacy-questionnaire/

Received on Friday, 18 November 2016 16:42:55 UTC