Re: Requesting security review of ARIA in HTML

From: Léonie Watson <tink@tink.uk>
Date: Wed, 22 Feb 2017 10:31:32 +0100
To: Jochen Eisinger <eisinger@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Steven Faulkner <sfaulkner@paciellogroup.com>
Message-ID: <ebb89ba2-2538-3346-4eae-9352b2518be8@tink.uk>

Thanks for letting me know, Jochen. Looks like I received and/or 
misunderstood the advice I was given about pinging people for wide 
review. Please disregard any other requests I've sent through in recent 
months.


Léonie
-- 
@LeonieWatson tink.uk Carpe diem

On 22/02/2017 08:15, Jochen Eisinger wrote:
> Hey,
>
> thanks for answering the security questionnaire!
>
> The WebAppSec WG, however, is not conducting security reviews for other
> WGs - please contact the Web Security IG
> instead: https://www.w3.org/Security/wiki/IG
>
> best
> -jochen
>
> On Mon, Feb 13, 2017 at 1:00 PM Léonie Watson <tink@tink.uk
> <mailto:tink@tink.uk>> wrote:
>
>     Hello WebAppSec,
>
>     The WebPlat WG would welcome your review of the ARIA in HTML spec [1],
>     as we begin preparing for transition to CR.
>
>     We've completed the security/privacy questionnaire (answers below).
>
>     If possible we'd like your comments before 30th April. If this doesn't
>     look feasible though, let me know?
>
>     We prefer comments to be filed as issues on GitHub [1], but feel free to
>     send a summary and/or email pointing to the GitHub issues to
>     public-html@w3.org <mailto:public-html@w3.org> (especially if you
>     have no comments at all).
>
>     Thanks.
>     Léonie
>     [1] https://www.w3.org/TR/html-aria/
>     [2] https://github.com/w3c/html-aria/issues/
>
>     Answers to questionnaire:
>     • 3.1 Does this specification deal with personally-identifiable
>     information?
>     ◦ no
>
>     • 3.2 Does this specification deal with high-value data?
>     ◦ no
>
>     • 3.3 Does this specification introduce new state for an origin that
>     persists across browsing sessions?
>     ◦ no
>
>     • 3.4 Does this specification expose persistent, cross-origin state to
>     the web?
>     ◦ no
>
>     • 3.5 Does this specification expose any other data to an origin that it
>     doesn’t currently have access to?
>     ◦ no
>
>     • 3.6 Does this specification enable new script execution/loading
>     mechanisms?
>     ◦ no
>
>     • 3.7 Does this specification allow an origin access to a user’s
>     location?
>     ◦ no
>
>     • 3.8 Does this specification allow an origin access to sensors on a
>     user’s device?
>     ◦ no
>
>     • 3.9 Does this specification allow an origin access to aspects of a
>     user’s local computing environment?
>     ◦ no
>
>     • 3.10 Does this specification allow an origin access to other devices?
>     ◦ no
>
>     • 3.11 Does this specification allow an origin some measure of control
>     over a user agent’s native UI?
>     ◦ no
>
>     • 3.12 Does this specification expose temporary identifiers to the web?
>     ◦ no
>
>     • 3.13 Does this specification distinguish between behavior in
>     first-party and third-party contexts?
>     ◦ no
>
>     • 3.14 How should this specification work in the context of a user
>     agent’s "incognito" mode?
>     ◦ N/A
>
>     • 3.15 Does this specification persist data to a user’s local device?
>     ◦ no
>
>     • 3.16 Does this specification have a "Security Considerations" and
>     "Privacy Considerations" section?
>     ◦ no
>
>     • 3.17 Does this specification allow downgrading default security
>     characteristics?
>     ◦ no
>
>     --
>     @LeonieWatson tink.uk <http://tink.uk> Carpe diem
>
Received on Wednesday, 22 February 2017 09:32:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC