Re: Requesting security review of ARIA in HTML

From: Jochen Eisinger <eisinger@google.com>
Date: Wed, 22 Feb 2017 07:15:38 +0000
Message-ID: <CALjhuifA0szZMD8GjQdM9T63VpfWfNpAreT9A+0KWinCvkAyiQ@mail.gmail.com>
To: tink@tink.uk, "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Steven Faulkner <sfaulkner@paciellogroup.com>

Thanks for answering the security questionnaire!

The WebAppSec WG, however, is not conducting security reviews for other WGs
- please contact the Web Security IG instead:


On Mon, Feb 13, 2017 at 1:00 PM Léonie Watson <tink@tink.uk> wrote:

Hello WebAppSec,

The WebPlat WG would welcome your review of the ARIA in HTML spec [1],
as we begin preparing for transition to CR.

We've completed the security/privacy questionnaire (answers below).

If possible we'd like your comments before 30th April. If this doesn't
look feasible though, let me know?

We prefer comments to be filed as issues on GitHub [1], but feel free to
send a summary and/or email pointing to the GitHub issues to
public-html@w3.org (especially if you have no comments at all).

[1] https://www.w3.org/TR/html-aria/
[2] https://github.com/w3c/html-aria/issues/

Answers to questionnaire:
• 3.1 Does this specification deal with personally-identifiable
◦ no

• 3.2 Does this specification deal with high-value data?
◦ no

• 3.3 Does this specification introduce new state for an origin that
persists across browsing sessions?
◦ no

• 3.4 Does this specification expose persistent, cross-origin state to
the web?
◦ no

• 3.5 Does this specification expose any other data to an origin that it
doesn’t currently have access to?
◦ no

• 3.6 Does this specification enable new script execution/loading
◦ no

• 3.7 Does this specification allow an origin access to a user’s location?
◦ no

• 3.8 Does this specification allow an origin access to sensors on a
user’s device?
◦ no

• 3.9 Does this specification allow an origin access to aspects of a
user’s local computing environment?
◦ no

• 3.10 Does this specification allow an origin access to other devices?
◦ no

• 3.11 Does this specification allow an origin some measure of control
over a user agent’s native UI?
◦ no

• 3.12 Does this specification expose temporary identifiers to the web?
◦ no

• 3.13 Does this specification distinguish between behavior in
first-party and third-party contexts?
◦ no

• 3.14 How should this specification work in the context of a user
agent’s "incognito" mode?
◦ N/A

• 3.15 Does this specification persist data to a user’s local device?
◦ no

• 3.16 Does this specification have a "Security Considerations" and
"Privacy Considerations" section?
◦ no

• 3.17 Does this specification allow downgrading default security
◦ no

@LeonieWatson tink.uk Carpe diem
Received on Wednesday, 22 February 2017 07:16:24 UTC