TAG Self-Review Questionnaire: Security and Privacy

  Dear Technical Architecture Group,

  The W3C Timed Text Working Group has recently published a new working
  draft of the TTML Text and Image Profiles for Internet Media Subtitles
  and Captions, currently known as IMSC 1.0.1.

  This specification contains two optional substantive features
  additional to the IMSC 1 Recommendation dated 21 April 2016 [2]:


    1. activeArea allows the document author to indicate which area
       contains active editorial content in the presentation.

    2. fillLineGap allows the document author to specify that the
       background areas of adjacent lines meet without an intervening gap.

  This minor revision of the specification is designed such that
  Processors and document instances that conform to the Recommendation
  [2] also conform to this revision.


  The TTWG invites you to review this draft, and requests comments to be
  received by 07th May 2017. These comments will be used to fulfil the
  W3C Process [3] requirement for Wide Review of drafts, and Horizontal
  Review [4] prior to publication as Candidate Recommendation.


  If you wish to make comments regarding this document, please send them
  to public-tt@w3.org <mailto:public-tt@w3.org> with [imsc] at the start
  of your email's subject. All comments are welcome, however the scope of
  review will be focused on the two new features described above.


  The TTWG has also answered the Self-Review Questionnaire: Security and
  Privacy [5]. The TTWG answers are as follows:

  Questions to Consider:
  3.1 Does this specification deal with personally-identifiable
  information?
  --NO it doesn't.

  3.2 Does this specification deal with high-value data?
  --NO it doesn't.

  3.3 Does this specification introduce new state for an origin that
  persists across browsing sessions?
  --NO it doesn't.

  3.4 Does this specification expose persistent, cross-origin state to the
  web?
  --NO it doesn't.

  3.5 Does this specification expose any other data to an origin that it
  doesn't currently have access to?
  --NO it doesn't.

  3.6 Does this specification enable new script execution/loading
  mechanisms?
  -- This question as worded is ambiguous to us; is it only about script
  loading and script execution?
  IMSC1.0.1 Image Profile allows loading of externally provided images,
  though not scripts, and therefore has fetch semantics by the
  introduction of external resource loading.

  3.7 Does this specification allow an origin access to a user's location?
  --NO it doesn't.

  3.8 Does this specification allow an origin access to sensors on a
  user's device?
  --NO it doesn't.

  3.9 Does this specification allow an origin access to aspects of a
  user's local computing environment?
  --NO it doesn't.

  3.10 Does this specification allow an origin access to other devices?
  --NO it doesn't.

  3.11 Does this specification allow an origin some measure of control
  over a user agent's native UI?
  --NO it doesn't.

  3.12 Does this specification expose temporary identifiers to the web?
  --NO it doesn't.

  3.13 Does this specification distinguish between behavior in
  first-party and third-party contexts?
  --NO it doesn't.

  3.14 How should this specification work in the context of a user
  agent's "incognito" mode?
  --This specification has no impact on any incognito mode since the
  answer to all the questions about exposing details to origins is "No".

  3.15 Does this specification persist data to a user's local device?
  --User agents may choose to cache referenced external resources; this
  implementation detail is not covered by this specification and the
  specification makes no explicit requirement for caching or non-caching
  of any external resource.

  3.16 Does this specification have a "Security Considerations" and
  "Privacy Considerations" section?
  --YES it does, see
  https://www.w3.org/TR/2017/WD-ttml-imsc1.0.1-20170322/#privacy-and-security-considerations-non-normative

  3.17 Does this specification allow downgrading default security
  characteristics?
  --NO it doesn't.



  [1] IMSC 1.0.1 latest version https://www.w3.org/TR/ttml-imsc1.0.1/

  [2] IMSC 1 Recommendation
  https://www.w3.org/TR/2016/REC-ttml-imsc1-20160421/

  [3] W3C Process https://www.w3.org/2015/Process-20150901/

  [4] Horizontal Review
  https://www.w3.org/Guide/Charter.html#horizontal-review

  [5] https://www.w3.org/TR/security-privacy-questionnaire


  Kind regards,

  On behalf of Nigel Megitt, co-Chair, W3C Timed Text Working Group
  Thierry Michel, Staff Contact for TTWG.

Received on Monday, 3 April 2017 06:55:24 UTC