- From: Hadley Beeman <notifications@github.com>
- Date: Mon, 02 Mar 2020 06:58:20 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/440/593443206@github.com>
Hi, @jan-ivar, and thanks for sending this. @torgo and I have started looking at it at our [TAG face-to-face in Wellington](). We've seen that the Security and Privacy section has matured a lot since we last looked at this document. But we got lost a bit in the current wording. Specifically: 1. For sections 8.2.1. and 8.2.2., it's not clear to us what use cases you have in mind. It may be useful to spell them out explicitly. For 8.2.1., what is active user consent (perhaps it's asking for a permission?), and how is it different to the "novelty" mentioned in 8.2.3? And for 8.2.2., when do you foresee content crossing origins? With the sharing user, or somehow including the recipient? Also, what elevated permissions are you expecting here? Perhaps those in the OS, or on the specific origin? If it's the origin, then what permissions, and how are they different to what you're thinking of in 8.2.1? 2. On 5.5 device identifiers: we are pleased that you're concerned about enumerated devices revealing too much information. That's great! But we're a bit confused... how do you think that UAs will solve that problem? Are you expecting them to create temporary device IDs? Do you see any danger of them being preserved, and therefore causing the same problem? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/440#issuecomment-593443206
Received on Monday, 2 March 2020 14:58:32 UTC