[ttml2] security and privacy risks of insecure transport / mixed content (#1201) from Nick Doty via GitHub on 2020-03-19 (public-tt@w3.org from March 2020)

From: Nick Doty via GitHub <sysbot+gh@w3.org>
Date: Thu, 19 Mar 2020 15:00:05 +0000
To: public-tt@w3.org
Message-ID: <issues.opened-584475509-1584630003-sysbot+gh@w3.org>

npdoty has just created a new issue for https://github.com/w3c/ttml2:

== security and privacy risks of insecure transport / mixed content ==
Using insecure transports threatens the integrity of the content displayed to the user: even if the video and the TTML file are both delivered over HTTPS, loading a font over HTTP could lead to corruption or insertion of a misleading translation of the content. This would presumably also apply to image captions and subtitles loaded from external resources. 

We should note secure transport as a security and privacy issue in TTML 2 and TTML 2 (2nd Edition) and reference that from IMSC 1.2. That change could be: 1) requiring secure transport; 2) prohibiting mixed content; or 3) non-normatively noting the risks to confidentiality and integrity. 

It would be a good practice to use HTTPS as the scheme in examples throughout the specs.

From email: https://lists.w3.org/Archives/Public/public-privacy/2020JanMar/0055.html
Issue noted while reviewing IMSC 1.2 for privacy and security, as raised in PING.

Please view or discuss this issue at https://github.com/w3c/ttml2/issues/1201 using your GitHub account

Received on Thursday, 19 March 2020 15:00:07 UTC