W3C home > Mailing lists > Public > www-style@w3.org > October 2022

[css-values-4] Privacy and Security Questionnaire

From: fantasai <fantasai.lists@inkedblade.net>
Date: Wed, 19 Oct 2022 15:43:41 -0400
Message-ID: <861c93c0-5c0a-3803-5a40-f2ca21486e56@inkedblade.net>
To: W3C style mailing list <www-style@w3.org>
 > 2.1 What information does this feature expose, and for what purposes?

* User's window size
* Metrics of user's default font and any other font the page is able to load
* In conjunction with other features, whether or not the user has access to 
certain URLs
* In conjunction with other features, information about the resources at other 
URLs

 > 2.2 Do features in your specification expose the minimum amount of 
information necessary to implement the intended functionality?

As far as we can tell.

 > 2.3 Do the features in your specification expose personal information, 
personally-identifiable information (PII), or information derived from either?

No

 > 2.4 How do the features in your specification deal with sensitive information?

N/A

 > 2.5 Do the features in your specification introduce state that persists 
across browsing sessions?

No

 > 2.6 Do the features in your specification expose information about the 
underlying platform to origins?

Yes, via window size and font metrics.

 > 2.7 Does this specification allow an origin to send data to the underlying 
platform?

Not by itself, no.

 > 2.8 Do features in this specification enable access to device sensors?

No

 > 2.9 Do features in this specification enable new script execution/loading 
mechanisms?

No

 > 2.10 Do features in this specification allow an origin to access other devices?

No

 > 2.11 Do features in this specification allow an origin some measure of 
control over a user agent’s native UI?

No

 > 2.12 What temporary identifiers do the features in this specification 
create or expose to the web?

None

 > 2.13 How does this specification distinguish between behavior in 
first-party and third-party contexts?

No differences except (potentially, depending on the feature in which it's 
used) in how url()s are loaded, see
   https://www.w3.org/TR/css-values-4/#url-processing

 > 2.14 How do the features in this specification work in the context of a 
browser’s Private Browsing or Incognito mode?

Same as usual

 > 2.15 Does this specification have both "Security Considerations" and 
"Privacy Considerations" sections?

Yes, with a lot of duplicated text. :(

 > 2.16 Do features in your specification enable origins to downgrade default 
security protections?

No

 > 2.17 How does your feature handle non-"fully active" documents?

No special handling

 > 2.18 What should this questionnaire have asked?

It might ask itself whether its copy on w3.org/TR is up to date. ;)

~fantasai
Received on Wednesday, 19 October 2022 19:44:07 UTC

This archive was generated by hypermail 2.4.0 : Monday, 23 January 2023 02:15:21 UTC