- From: Nigel Megitt <nigel.megitt@bbc.co.uk>
- Date: Mon, 3 Oct 2016 09:22:32 +0000
- To: Thierry MICHEL <tmichel@w3.org>, W3C Public TTWG <public-tt@w3.org>
Thank you for starting this off Thierry. Some comments inline below: On 03/10/2016, 09:27, "Thierry MICHEL" <tmichel@w3.org> wrote: >Hi, > > >The TTWG needs to have an horizontal review for TTML2. >Nowdays, it needs review for Security and Privacy > >Bellow are my proposed responses for review regarding TTML2, to answer the >Self-Review Questionnaire: Security and Privacy >https://www.w3.org/TR/security-privacy-questionnaire/ > >I beleive we can answer "NO" to all the questions. > >Let me know if you have any concern. > >Thierry > > >---------------------------------------- > > >Questions to Consider: >3.1 Does this specification deal with personally-identifiable information? >--> NO it doesn't. >3.2 Does this specification deal with high-value data? >--> NO it doesn't. >3.3 Does this specification introduce new state for an origin that >persists across browsing sessions? >--> NO it doesn't. >3.4 Does this specification expose persistent, cross-origin state to the >web? >--> NO it doesn't. >3.5 Does this specification expose any other data to an origin that it >doesnıt currently have access to? >--> NO it doesn't. > 3.6 Does this specification enable new script execution/loading >mechanisms? >--> NO it doesn't. To the extent that the condition mechanism says nothing about evaluation time, it is possible to construct a TTML2 document in which a change in the value of an externally passed in parameter or a media query (for example) causes a modification of behaviour, and this may lead to the loading of external resources including audio, images etc though excluding scripts. >3.7 Does this specification allow an origin access to a userıs location? >--> NO it doesn't. >3.8 Does this specification allow an origin access to sensors on a >userıs device? --> NO it doesn't. >3.9 Does this specification allow an origin access to aspects of a >userıs local computing environment? >--> NO it doesn't. >3.10 Does this specification allow an origin access to other devices? >--> NO it doesn't. >3.11 Does this specification allow an origin some measure of control >over a user agentıs native UI? >--> NO it doesn't. >3.12 Does this specification expose temporary identifiers to the web? >--> NO it doesn't. >3.13 Does this specification distinguish between behavior in first-party >and third-party contexts? >--> NO it doesn't. >3.14 How should this specification work in the context of a user agentıs >"incognito" mode? This specification has no impact on any incognito mode since the answer to all the questions about exposing details to origins are "No". >--> NO it doesn't. >3.15 Does this specification persist data to a userıs local device? User agents may choose to cache referenced external resources; this implementation detail is not covered by this specification and the specification makes no explicit requirement for caching or non-caching of any external resource. >--> NO it doesn't. >3.16 Does this specification have a "Security Considerations" and >"Privacy Considerations" section? >--> NO it doesn't. >3.17 Does this specification allow downgrading default security >characteristics? >--> NO it doesn't. > >4 Mitigation Strategies > ----------------------------- http://www.bbc.co.uk This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this. -----------------------------
Received on Monday, 3 October 2016 09:22:57 UTC