- From: Thierry MICHEL <tmichel@w3.org>
- Date: Fri, 24 Mar 2017 11:21:55 +0100
- To: W3C Public TTWG <public-tt@w3.org>
[resending from my W3 email address]

This is the horizontal review request to the TAG including the Self-Review Questionnaire: Security and Privacy [5]

Please review this message.

The TAG document [5] does not really say where to send the self questionnaire answers. Therefore I plan to send it to <www-tag@w3.org>.

As it is a Self-Review Questionnaire, I am not even sure it needs to be sent!

Horizontal Groups like WAI, I18N, TAG etc. should track new FPWD and review those specs, without further notice.

Thierry

_______________________________

Dear Technical Architecture Group,

The W3C Timed Text Working Group has recently published a new working draft of the TTML Text and Image Profiles for Internet Media Subtitles and Captions, currently known as IMSC 1.0.1.

This specification contains two optional substantive features additional to the IMSC 1 Recommendation dated 21 April 2016 [2]:

1. activeArea allows the document author to indicate which area contains active editorial content in the presentation.
2. fillLineGap allows the document author to specify that the background areas of adjacent lines meet without an intervening gap.

This minor revision of the specification is designed such that Processors and document instances that conform to the Recommendation [2] also conform to this revision.

The TTWG invites you to review this draft, and requests comments to be received by 07th May 2017. These comments will be used to fulfil the W3C Process [3] requirement for Wide Review of drafts, and Horizontal Review [4] prior to publication as Candidate Recommendation.

If you wish to make comments regarding this document, please send them to public-tt@w3.org with [imsc] at the start of your email's subject. All comments are welcome, however the scope of review will be focused on the two new features described above.

The TTWG has also answered the Self-Review Questionnaire: Security and Privacy [5].
The TTWG answers are as follows:

Questions to Consider:

3.1 Does this specification deal with personally-identifiable information?
--> NO it doesn't.

3.2 Does this specification deal with high-value data?
--> NO it doesn't.

3.3 Does this specification introduce new state for an origin that persists across browsing sessions?
--> NO it doesn't.

3.4 Does this specification expose persistent, cross-origin state to the web?
--> NO it doesn't.

3.5 Does this specification expose any other data to an origin that it doesn't currently have access to?
--> NO it doesn't.

3.6 Does this specification enable new script execution/loading mechanisms?
--> This question as worded is ambiguous to us; is it only about script loading and script execution? In our case, an IMSC1.0.1 document in which a change in the value of an externally passed in parameter or a media query (for example) may cause a modification of behavior, and this may lead to the loading of external resources including audio, images etc, though excluding scripts. We do not consider the "condition" mechanism to be a scripting language. IMSC1.0.1 allows loading of resources, just not scripts, and has fetch semantics by the introduction of external resource loading. It also allows the addition of links on spans that can have hyperlinks.

3.7 Does this specification allow an origin access to a user's location?
--> NO it doesn't.

3.8 Does this specification allow an origin access to sensors on a user's device?
--> NO it doesn't.

3.9 Does this specification allow an origin access to aspects of a user's local computing environment?
--> NO it doesn't.

3.10 Does this specification allow an origin access to other devices?
--> NO it doesn't.

3.11 Does this specification allow an origin some measure of control over a user agent's native UI?
--> NO it doesn't.

3.12 Does this specification expose temporary identifiers to the web?
--> NO it doesn't.

3.13 Does this specification distinguish between behavior in first-party and third-party contexts?
--> NO it doesn't.

3.14 How should this specification work in the context of a user agent's "incognito" mode?
--> This specification has no impact on any incognito mode since the answers to all the questions about exposing details to origins are "No".

3.15 Does this specification persist data to a user's local device?
--> User agents may choose to cache referenced external resources; this implementation detail is not covered by this specification and the specification makes no explicit requirement for caching or non-caching of any external resource.

3.16 Does this specification have a "Security Considerations" and "Privacy Considerations" section?
--> YES it does, see https://www.w3.org/TR/2017/WD-ttml-imsc1.0.1-20170322/#privacy-and-security-considerations-non-normative

3.17 Does this specification allow downgrading default security characteristics?
--> NO it doesn't.

[1] IMSC 1.0.1 latest version https://www.w3.org/TR/ttml-imsc1.0.1/
[2] IMSC 1 Recommendation https://www.w3.org/TR/2016/REC-ttml-imsc1-20160421/
[3] W3C Process https://www.w3.org/2015/Process-20150901/
[4] Horizontal Review https://www.w3.org/Guide/Charter.html#horizontal-review
[5] https://www.w3.org/TR/security-privacy-questionnaire

Kind regards,

On behalf of Nigel Megitt, co-Chair, W3C Timed Text Working Group
Thierry Michel, Staff Contact for TTWG.
Received on Friday, 24 March 2017 10:22:07 UTC