- From: Xiaoqian Wu <xiaoqian@w3.org>
- Date: Thu, 29 Jun 2017 01:57:32 +0800
- To: public-web-security@w3.org
- Cc: mail@johanneswilm.org
Hi Security group,

This is a request to review [1] the WD of Input Events spec:
https://www.w3.org/TR/input-events-2/#privacy-and-security-considerations

The Input Events spec builds on the UI events spec; it defines additions to events for text and related input to allow for the monitoring and manipulation of default browser behavior in the context of text editor applications and other applications that deal with text input and text formatting.

Please let us know if you have any security concern on this spec by GitHub issues [2] by 1 Sep 2017. All comments are welcome.

Thanks.

-xiaoqian

[1]

(1) PII? No

(2) High value data? No

(3) New state that persists across browsing sessions? No

(4) Persistent, cross-origin state? No

(5) Newly expose data to an origin? No

(6) New script exe/loading? No

(7) Access location? No

(8) Access sensors? No

(9) Access local computing environment? No.

(10) Access other devices? No

(11) Control over UA's UI? No

(12) Expose temp IDs? No

(13) 1st party vs. 3rd party contexts? No

(14) What about "incognito"? No changes

(15) Local data persist? No

(16) "Security Considerations" and "Privacy Considerations"? There are no known security or privacy impacts of this feature beyond fingerprinting [fingerprinting-guidance] techniques that already are available through existing events, such as the keydown and keypress [UI-EVENTS] events.

(17) Downgrade default security? N

[2] https://github.com/w3c/input-events/issues

Received on Wednesday, 28 June 2017 17:57:39 UTC