Requesting wide review of Screen Orientation API

Hello WebAppsSec,

The WebPlat WG would like to request a security review of the Screen 
Orientation API [1].

We have completed the privacy and security questionnaire [3]. Answers can 
be found at the end of this email.

Please could you file your comments as GitHub issues [2]. An email 
summary to
  is welcome, but the editors of this spec do not monitor that email.

Thank you.
Léonie on behalf of the WebPlat chairs and Screen Orientation API editors


Questionnaire answers:

3.1 Does this specification deal with personally-identifiable information?

3.2 Does this specification deal with high-value data?

3.3 Does this specification introduce new state for an origin that 
persists across browsing sessions?

3.4 Does this specification expose persistent, cross-origin state to the 
The screen orientation state. Also already available in most browsers 
via window.orientation.

3.5 Does this specification expose any other data to an origin that it 
doesn’t currently have access to?

3.6 Does this specification enable new script execution/loading mechanisms?

3.7 Does this specification allow an origin access to a user’s location?

3.8 Does this specification allow an origin access to sensors on a 
user’s device?
The screen orientation state is a result of sensors. However, it has 
only 4 values.

3.9 Does this specification allow an origin access to aspects of a 
user’s local computing environment?
Screen orientation is one, yes.

3.10 Does this specification allow an origin access to other devices?

3.11 Does this specification allow an origin some measure of control 
over a user agent’s native UI?
Not really. It can lock the screen orientation but it is not really 
"controlling" the UA UI.

3.12 Does this specification expose temporary identifiers to the web?

3.13 Does this specification distinguish between behavior in first-party 
and third-party contexts?

3.14 How should this specification work in the context of a user agent’s 
"incognito" mode?
Should not be different.

3.15 Does this specification persist data to a user’s local device?

3.16 Does this specification have a "Security Considerations" and 
"Privacy Considerations" section?
No, but we'll add one with information about the points answered "yes".

3.17 Does this specification allow downgrading default security 

@LeonieWatson Carpe diem

Received on Monday, 7 November 2016 12:21:58 UTC