TTML2 and questionnaire for Security and Privacy; for review. from Thierry MICHEL on 2016-10-03 (public-tt@w3.org from October 2016)

From: Thierry MICHEL <tmichel@w3.org>
Date: Mon, 3 Oct 2016 10:27:22 +0200
To: W3C Public TTWG <public-tt@w3.org>
Message-ID: <29d19f34-473d-8f3c-6bd2-244c389312c6@w3.org>

Hi,


The TTWG needs to have an horizontal review for TTML2.
Nowdays, it needs review for Security and Privacy

Bellow are my proposed responses for review regarding TTML2, to answer the
Self-Review Questionnaire: Security and Privacy
https://www.w3.org/TR/security-privacy-questionnaire/

I beleive we can answer "NO" to all the questions.

Let me know if you have any concern.

Thierry


----------------------------------------


Questions to Consider:
3.1 Does this specification deal with personally-identifiable information?
--> NO it doesn't.
3.2 Does this specification deal with high-value data?
--> NO it doesn't.
3.3 Does this specification introduce new state for an origin that 
persists across browsing sessions?
--> NO it doesn't.
3.4 Does this specification expose persistent, cross-origin state to the 
web?
--> NO it doesn't.
3.5 Does this specification expose any other data to an origin that it 
doesn’t currently have access to?
--> NO it doesn't.
     3.6 Does this specification enable new script execution/loading 
mechanisms?
--> NO it doesn't.
3.7 Does this specification allow an origin access to a user’s location?
--> NO it doesn't.
3.8 Does this specification allow an origin access to sensors on a 
user’s device?
3.9 Does this specification allow an origin access to aspects of a 
user’s local computing environment?
--> NO it doesn't.
3.10 Does this specification allow an origin access to other devices?
--> NO it doesn't.
3.11 Does this specification allow an origin some measure of control 
over a user agent’s native UI?
--> NO it doesn't.
3.12 Does this specification expose temporary identifiers to the web?
--> NO it doesn't.
3.13 Does this specification distinguish between behavior in first-party 
and third-party contexts?
--> NO it doesn't.
3.14 How should this specification work in the context of a user agent’s 
"incognito" mode?
--> NO it doesn't.
3.15 Does this specification persist data to a user’s local device?
--> NO it doesn't.
3.16 Does this specification have a "Security Considerations" and 
"Privacy Considerations" section?
--> NO it doesn't.
3.17 Does this specification allow downgrading default security 
characteristics?
--> NO it doesn't.

4 Mitigation Strategies

Received on Monday, 3 October 2016 08:27:32 UTC