[mediaqueries-5][editorial] Separate Security and Privacy sections
svgeesus committed Nov 15, 2024
1 parent 4bc75b3 commit e59fec8
Showing 1 changed file with 23 additions and 12 deletions.
35 changes: 23 additions & 12 deletions mediaqueries-5/Overview.bs
Expand Up @@ -3683,23 +3683,14 @@ device-aspect-ratio</h3>
</pre>
</div>

<h2 id=priv-sec class=no-num>
Appendix B: Privacy and Security Considerations</h2>
<h2 id=privacy class=no-num>
Appendix B: Privacy Considerations</h2>

<em>This section is not normative.</em>

<div class="non-normative">

Issue: this section is incomplete

The 'display-mode' media feature allows an origin
access to aspects of a user’s local computing environment and,
particularly when used together with an [=application manifest=] [=manifest/display=] member [[APPMANIFEST]],
allows an origin some measure of control over a user agent’s native UI.
Through a CSS media query, a script can know the display mode of a web application.
An attacker could, in such a case,
exploit the fact that an application is being displayed in fullscreen
to mimic the user interface of another application.
Issue: this section is <a href="https://github.com/w3c/csswg-drafts/issues?q=is%3Aopen+is%3Aissue+label%3Amediaqueries-5+label%3Aprivacy-tracker">incomplete</a>

The 'prefers-reduced-data' media feature
may be an undesired source of fingerprinting,
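Review bot: The heading id goes from `priv-sec` to `privacy` on the Appendix B heading, so any existing link to `#priv-sec`, inside this spec or from outside it, stops resolving even though the commit is tagged editorial. Check Overview.bs for remaining references to `priv-sec`, and consider keeping the old id as an extra anchor if inbound links matter.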
Expand All @@ -3715,6 +3706,26 @@ Appendix B: Privacy and Security Considerations</h2>

</div>

<h2 id=security class=no-num>
Appendix C: Security Considerations</h2>

<em>This section is not normative.</em>

<div class="non-normative">

Issue: this section is <a href="https://github.com/w3c/csswg-drafts/issues?q=is%3Aopen+is%3Aissue+label%3Amediaqueries-5+label%3Asecurity-tracker+">incomplete</a>

The 'display-mode' media feature allows an origin
access to aspects of a user’s local computing environment and,
particularly when used together with an [=application manifest=] [=manifest/display=] member [[APPMANIFEST]],
allows an origin some measure of control over a user agent’s native UI.
Through a CSS media query, a script can know the display mode of a web application.
An attacker could, in such a case,
exploit the fact that an application is being displayed in fullscreen
to mimic the user interface of another application.

</div>

<h2 id="changes" class="no-num">
Changes</h2>
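Review bot: The tracker link in the new Appendix C ends in a stray `+` (`label%3Asecurity-tracker+`), which the Appendix B link (`label%3Aprivacy-tracker`) does not have; dropping it keeps the two queries consistent. The 'display-mode' paragraph lands here unchanged and still describes the fullscreen UI-mimicking risk without naming any mitigation, so the "incomplete" issue marker could say that mitigation text is what is outstanding.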
