[css-highlight-api] answers to the Security and privacy questionnaire from Florian Rivoal on 2020-12-08 (www-archive@w3.org from December 2020)

From: Florian Rivoal <florian@rivoal.net>
Date: Tue, 8 Dec 2020 17:19:50 +0900
To: www-archive@w3.org, www-style list <www-style@w3.org>
Message-Id: <D7FAF2DD-053C-4D0F-BDBC-13B82BDE13D0@rivoal.net>

These are answers to the "Self-Review Questionnaire: Security and Privacy" for CSS Custom Highlight API Module Level 1 as of 2020-12-08, sent to this mailing list for archival purposes.

The specification may be found at: https://www.w3.org/TR/css-highlight-api-1/

For further explanation see the full questionnaire (https://w3ctag.github.io/security-questionnaire/).

> 01. What information might this feature expose to Web sites or other parties,
>     and for what purposes is that exposure necessary?

This exposes no information. It creates facilities for interaction between JS and CSS, but nothing about the user or the environment is being exposed.

> 02. Is this specification exposing the minimum amount of information necessary
>     to power its features?

This exposes no information.

> 03. How does this specification deal with personal information,
>     personally-identifiable information (PII), or information derived from
>     them?

This exposes no such information.

> 04. How does this specification deal with sensitive information?

This exposes no sensitive information.

> 05. Does this specification introduce new state for an origin that persists
>     across browsing sessions?

No.

> 06. Does this specification expose information about the underlying
>     platform to origins?

No.

> 07. Does this specification allow an origin access to sensors on a user’s
>     device

No.

> 08. What data does this specification expose to an origin?  Please also
>     document what data is identical to data exposed by other features, in the
>     same or different contexts.

It does not expose any information other than the fact that JS is enabled.

> 09. Does this specification enable new script execution/loading mechanisms?

No.

> 10. Does this specification allow an origin to access other devices?

No.

> 11. Does this specification allow an origin some measure of control over a user
>     agent's native UI?

No.

> 12. What temporary identifiers might this specification create or expose
>     to the web?

None.

> 13. How does this specification distinguish between behavior in first-party and
>     third-party contexts?

It does not.

> 14. How does this specification work in the context of a user agent’s Private
>     Browsing or "incognito" mode?

No difference expected.

> 15. Does this specification have both "Security Considerations" and "Privacy
>     Considerations" sections?

Yes: https://www.w3.org/TR/css-highlight-api-1/#priv-sec

> 16. Does this specification allow downgrading default security characteristics?

No.

> 17. What should this questionnaire have asked?

Nothing springs to mind.

Received on Tuesday, 8 December 2020 08:20:12 UTC