- From: Thierry MICHEL <tmichel@w3.org>
- Date: Fri, 21 Oct 2016 15:34:40 +0200
- To: Nigel Megitt <nigel.megitt@bbc.co.uk>
- CC: W3C Public TTWG <public-tt@w3.org>
- Message-ID: <b758c28d-5b82-425c-b973-b673127e7ba3@typeapp.com>
I will remove it and use previous version Thierry MICHEL. Le 21 oct. 2016 11:36, à 11:36, Nigel Megitt <nigel.megitt@bbc.co.uk> a écrit: >Thanks Thierry, I think that's going further than we need. The question >simply asks for the absence/presence of the section, which the previous >answer in the thread answered fully. I would stay with the previous >answer >unless you have a reason for being more expansive - maybe you've >discussed >this within the team? > >Nigel > >PS apologies this fell off my radar and I should have raised it on the >agenda for yesterday's meeting. > > >On 17/10/2016, 17:08, "Thierry MICHEL" <tmichel@w3.org> wrote: > >>I propose to add the following wording in section 3.16 (from the IANA >>registration.) >> >>As with other XML types and as noted in IETF RFC 7303, XML Media >Types, >>Section 10, repeated expansion of maliciously constructed XML entities >>can be used to consume large amounts of memory, which may cause XML >>processors in constrained environments to fail. >> >>In addition, because of the extensibility features for TTML and of XML >>in general, it is possible that "application/ttml+xml" may describe >>content that has security implications beyond those described here. >>However, TTML does not provide for any sort of active or executable >>content, and if the processor follows only the normative semantics of >>the published specification, this content will be outside TTML >>namespaces and may be ignored. Only in the case where the processor >>recognizes and processes the additional content, or where further >>processing of that content is dispatched to other processors, would >>security issues potentially arise. And in that case, they would fall >>outside the domain of this registration document. >> >>Thierry >> >>Le 17/10/2016 à 18:00, Thierry MICHEL a écrit : >>> >>> Hi, >>> >>> Bellow are latest updated responses for review regarding TTML2, to >>> answer the Self-Review Questionnaire: Security and Privacy >>> https://www.w3.org/TR/security-privacy-questionnaire/ >>> >>> I have incorporated Mike's comments and the discussion during our >last >>> telecon. >>> >>> I have look for security issue in SMIL >>> https://www.w3.org/TR/2008/REC-SMIL3-20081201/ >>> >>> I couln't find any security issues mentioned. >>> >>> Looking at SVG 1.1 (Second Edition) >>> https://www.w3.org/TR/SVG/single-page.html >>> >>> There is a section about security issues >>> https://www.w3.org/TR/SVG/single-page.html#chapter-mimereg >>> Security considerations: >>> >>> [ ... >>> Several SVG elements may cause arbitrary URIs to be referenced. In >this >>> case, the security issues of [RFC3986], section 7, should be >considered. >>> >>> In common with HTML, SVG documents may reference external media such >as >>> images, audio, video, style sheets, and scripting languages. >Scripting >>> languages are executable content. In this case, the security >>> considerations in the Media Type registrations for those formats >shall >>> apply. >>> >>> ..] >>> >>> Should we consider someting similar for 3.6 question ? >>> >>> >>> >>> Thierry >>> >>> ---------------------------------------- >>> >>> Questions to Consider: >>> 3.1 Does this specification deal with personally-identifiable >>>information? >>> --> NO it doesn't. >>> >>> 3.2 Does this specification deal with high-value data? >>> --> NO it doesn't. >>> >>> 3.3 Does this specification introduce new state for an origin that >>> persists across browsing sessions? >>> --> NO it doesn't. >>> >>> 3.4 Does this specification expose persistent, cross-origin state to >the >>> web? >>> --> NO it doesn't. >>> >>> 3.5 Does this specification expose any other data to an origin that >it >>> doesn¹t currently have access to? >>> --> NO it doesn't. >>> >>> 3.6 Does this specification enable new script execution/loading >>> mechanisms? >>> --> This question as worded is ambiguous to us; is it only about >script >>> loading and script execution ? >>> In our case, a TTML2 document in which a change in the value of an >>> externally passed in parameter or a media query (for example) may >cause >>> a modification of behavior, and this may lead to the loading of >external >>> resources including audio, images etc, though excluding scripts. We >do >>> not consider "condition" mechanism to be a scripting language. >>> TTML2 allows loading of resources, just not scripts, and has fetch >>> semantics by the introduction of external resource loading. It also >>> allows the addition of links on spans that can have hyperlinks. >>> >>> Futhermore <set> is arguably a (very specialized) script? >>> Tthe animation vocabulary is declarative rather than procedural, it >has >>> generally been considered non-script (in SMIL, SVG, etc). >>> @@@@@@@@@@@@@ to be finalized @@@@ >>> >>> 3.7 Does this specification allow an origin access to a user¹s >location? >>> --> NO it doesn't. >>> >>> 3.8 Does this specification allow an origin access to sensors on a >>> user¹s device? >>> --> NO it doesn't. >>> >>> 3.9 Does this specification allow an origin access to aspects of a >>> user¹s local computing environment? >>> --> NO it doesn't. >>> >>> 3.10 Does this specification allow an origin access to other >devices? >>> --> NO it doesn't. >>> >>> 3.11 Does this specification allow an origin some measure of control >>> over a user agent¹s native UI? >>> --> NO it doesn't. >>> >>> 3.12 Does this specification expose temporary identifiers to the >web? >>> --> NO it doesn't. >>> >>> 3.13 Does this specification distinguish between behavior in >first-party >>> and third-party contexts? >>> --> NO it doesn't. >>> >>> 3.14 How should this specification work in the context of a user >agent¹s >>> "incognito" mode? >>> --> This specification has no impact on any incognito mode since the >>> answer to all the questions about exposing details to origins are >"No". >>> >>> 3.15 Does this specification persist data to a user¹s local device? >>> --> User agents may choose to cache referenced external resources; >this >>> implementation detail is not covered by this specification and the >>> specification makes no explicit requirement for caching or >non-caching >>> of any external resource. >>> >>> 3.16 Does this specification have a "Security Considerations" and >>> "Privacy Considerations" section? >>> --> YES it does. See the media type registration which is an >integral >>> part of it. >>> >>> >>> http://www.iana.org/assignments/media-types/application/ttml+xml >>> >>> @@@@ >>> https://www.w3.org/TR/ttml-profile-registry/ >>> >>> >>> 3.17 Does this specification allow downgrading default security >>> characteristics? >>> --> NO it doesn't. >>> >>> -------------------------------------------- >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>>
Received on Friday, 21 October 2016 13:42:02 UTC