- From: Marcos Cáceres <notifications@github.com>
- Date: Mon, 24 Oct 2022 21:52:13 -0700
- To: w3c/screen-orientation <screen-orientation@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/screen-orientation/issues/201/1289977250@github.com>
## Privacy and Security self-review questionnaire for Screen Orientation API > What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary? The feature exposes the orientation type and angle of the screen to the web page, and when the screen orientation changes. This is necessary for web pages adapt to the orientation of the screen. > Do features in your specification expose the minimum amount of information necessary to enable their intended uses? Yes. > How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them? It provides guidance on how and whe to lie about the screen orientation type and angle. > How do the features in your specification deal with sensitive information? As above. > Do the features in your specification introduce new state for an origin that persists across browsing sessions? No. > Do the features in your specification expose information about the underlying platform to origins? Yes, the orientation type and angle of the screen. > Does this specification allow an origin to send data to the underlying platform? Yes. A site can request the screen orientation to be locked to a specific "type" through and enum value. > Do features in this specification enable access to device sensors? No. > Do features in this specification enable new script execution/loading mechanisms? No. > Do features in this specification allow an origin to access other devices? No. > Do features in this specification allow an origin some measure of control over a user agent’s native UI? Yes. Through rotating the screen orientation, it can affect where the UI is shown to the user. > What temporary identifiers do the features in this specification create or expose to the web? The type and angle of the screen orientation. > How does this specification distinguish between behavior in first-party and third-party contexts? By default, it does not. However, sandboxed iframes can be prevented from using the API via "allow-orientation-lock". > How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? The spec allows the user agent to lie about the screen orientation type and angle as to not reveal the "natural" orientation to the web page. > Does this specification have both "Security Considerations" and "Privacy Considerations" sections? It has a Privacy Considerations section. Security is built into the spec's algorithms. > Do features in your specification enable origins to downgrade default security protections? No. > How does your feature handle non-"fully active" documents? It treats them as `InvalidStateError`s. -- Reply to this email directly or view it on GitHub: https://github.com/w3c/screen-orientation/issues/201#issuecomment-1289977250 You are receiving this because you are subscribed to this thread. Message ID: <w3c/screen-orientation/issues/201/1289977250@github.com>
Received on Tuesday, 25 October 2022 04:52:25 UTC