Re: TTML2 and questionnaire for Security and Privacy; for review.

On Mon, Oct 17, 2016 at 10:00 AM, Thierry MICHEL <tmichel@w3.org> wrote:

>
> Hi,
>
> Below are latest updated responses for review regarding TTML2, to answer
> the Self-Review Questionnaire: Security and Privacy
> https://www.w3.org/TR/security-privacy-questionnaire/
>
> I have incorporated Mike's comments and the discussion during our last
> telecon.
>
> I have looked for security issues in SMIL
> https://www.w3.org/TR/2008/REC-SMIL3-20081201/
>
> I couldn't find any security issues mentioned.
>
> Looking at SVG 1.1 (Second Edition)
> https://www.w3.org/TR/SVG/single-page.html
>
> There is a section about security issues
> https://www.w3.org/TR/SVG/single-page.html#chapter-mimereg
> Security considerations:
>
> [ ...
>  Several SVG elements may cause arbitrary URIs to be referenced. In this
> case, the security issues of [RFC3986], section 7, should be considered.
>
> In common with HTML, SVG documents may reference external media such as
> images, audio, video, style sheets, and scripting languages. Scripting
> languages are executable content. In this case, the security considerations
> in the Media Type registrations for those formats shall apply.
>
> ..]
>
> Should we consider something similar for 3.6 question?


Sounds reasonable. But we would limit the external resources to images,
audio, and fonts.


>
> Thierry
>
> ----------------------------------------
>
> Questions to Consider:
> 3.1 Does this specification deal with personally-identifiable information?
> --> NO it doesn't.
>
> 3.2 Does this specification deal with high-value data?
> --> NO it doesn't.
>
> 3.3 Does this specification introduce new state for an origin that
> persists across browsing sessions?
> --> NO it doesn't.
>
> 3.4 Does this specification expose persistent, cross-origin state to the
> web?
> --> NO it doesn't.
>
> 3.5 Does this specification expose any other data to an origin that it
> doesn’t currently have access to?
> --> NO it doesn't.
>
> 3.6 Does this specification enable new script execution/loading
> mechanisms?
> --> This question as worded is ambiguous to us; is it only about script
> loading and script execution?
> In our case, a TTML2 document in which a change in the value of an
> externally passed in parameter or a media query (for example) may cause a
> modification of behavior, and this may lead to the loading of external
> resources including audio, images etc, though excluding scripts. We do not
> consider the "condition" mechanism to be a scripting language.
> TTML2 allows loading of resources, just not scripts, and has fetch
> semantics by the introduction of external resource loading. It also allows
> the addition of links on spans that can have hyperlinks.
>
> Furthermore <set> is arguably a (very specialized) script?
> The animation vocabulary is declarative rather than procedural, it has
> generally been considered non-script (in SMIL, SVG, etc).
> @@@@@@@@@@@@@ to be finalized @@@@
>
> 3.7 Does this specification allow an origin access to a user’s location?
> --> NO it doesn't.
>
> 3.8 Does this specification allow an origin access to sensors on a
> user’s device?
> --> NO it doesn't.
>
> 3.9 Does this specification allow an origin access to aspects of a
> user’s local computing environment?
> --> NO it doesn't.
>
> 3.10 Does this specification allow an origin access to other devices?
> --> NO it doesn't.
>
> 3.11 Does this specification allow an origin some measure of control
> over a user agent’s native UI?
> --> NO it doesn't.
>
> 3.12 Does this specification expose temporary identifiers to the web?
> --> NO it doesn't.
>
> 3.13 Does this specification distinguish between behavior in first-party
> and third-party contexts?
> --> NO it doesn't.
>
> 3.14 How should this specification work in the context of a user agent’s
> "incognito" mode?
> --> This specification has no impact on any incognito mode since the
> answer to all the questions about exposing details to origins are "No".
>
> 3.15 Does this specification persist data to a user’s local device?
> --> User agents may choose to cache referenced external resources; this
> implementation detail is not covered by this specification and the
> specification makes no explicit requirement for caching or non-caching of
> any external resource.
>
> 3.16 Does this specification have a "Security Considerations" and
> "Privacy Considerations" section?
> --> YES it does. See the media type registration which is an integral part
> of it.
>
>
> http://www.iana.org/assignments/media-types/application/ttml+xml
>
> @@@@
> https://www.w3.org/TR/ttml-profile-registry/
>
>
>
> 3.17 Does this specification allow downgrading default security
> characteristics?
> --> NO it doesn't.
>
> --------------------------------------------

Received on Friday, 21 October 2016 14:11:32 UTC