Add Security and Privacy section and questionnaire (fixes #48).

w3c · Nov 6, 2017 · f186e43 · f186e43
1 parent 027f780
commit f186e43
Show file tree

Hide file tree

Showing 2 changed files with 142 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -696,6 +696,57 @@ spec: webidl; urlPrefix: https://heycam.github.io/webidl/#
   </section>
 </section>
 
+<section class='non-normative'>
+  <h2 id='security-privacy-considerations'>
+    Security and Privacy Considerations
+  </h2>
+
+  <section>
+    <p>
+      This specification does not introduce any security-sensitive information
+      or APIs but is provides an easier access to some information that can be
+      used to fingerprint users.
+    </p>
+
+    <section>
+      <h3 id='decoding-encoding-fingerprinting'>
+        Decoding/Encoding and Fingerprinting
+      </h3>
+
+      <p>
+        The information exposed by the decoding/encoding capabilities can
+        already be discovered via experimentation with the exception that the
+        API will likely provide more accurate and consistent information. This
+        information is expected to have a high correlation with other
+        information already available to the web pages as a given class of
+        device is expected to have very similar decoding/encoding capabilities.
+        In other words, high end devices from a certain year are expected to
+        decode some type of videos while older devices may not. Therefore, it is
+        expected that the entropy added with this API isn't going to be
+        significant.
+      </p>
+
+      <p>
+        If an implementation wishes to implement a fingerprint-proof version of
+        this specification, it would be recommended to fake a given set of
+        capabilities (ie. decode up to 1080p VP9, etc.) instead of returning
+        always yes or always no as the latte approach could considerably degrade
+        the user's experience.
+      </p>
+    </section>
+
+    <section>
+      <h3 id='display-fingerprinting'>Display and Fingerprinting</h3>
+
+      <p>
+        The information exposed by the display capabilities can already be
+        accessed via CSS for the most part. The specification also provides
+        default values when the user agent does not which to expose the feature
+        for privacy reasons.
+      </p>
+    </section>
+  </section>
+</section>
 
 <section>
   <h2 id='examples'>Examples</h2>

diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md
@@ -0,0 +1,91 @@
+# Media Capabilities - Security and Privacy Questionnaire
+
+This document answers the [W3C Security and Privacy
+Questionnaire](https://www.w3.org/TR/security-privacy-questionnaire/)for the
+Media Capabilities specification.
+
+Last Update: 2017-11-06
+
+**Does this specification deal with personally-identifiable information?**
+
+No.
+
+**Does this specification deal with high-value data?**
+
+No.
+
+**Does this specification introduce new state for an origin that persists across
+browsing sessions?**
+
+No.
+
+**Does this specification expose persistent, cross-origin state to the web?**
+
+The Media Capabilities of a device are somewhat persistent user information that
+will be easier to access. Indeed, websites can guess this information by playng
+media and checking the dropped frames. Exposed information can also heavily
+correlate with other information such as device model.
+
+**Does this specification expose any other data to an origin that it doesn’t
+currently have access to?**
+
+No.
+
+**Does this specification enable new script execution/loading mechanisms?**
+
+No.
+
+**Does this specification allow an origin access to a user’s location?**
+
+No.
+
+**Does this specification allow an origin access to sensors on a user’s
+device?**
+
+No.
+
+**Does this specification allow an origin access to aspects of a user’s local
+computing environment?**
+
+Not directly. The exposed persistent information could be used to guess the
+local computing environment simalarly to what web pages can do today by running
+local benchmark.
+
+**Does this specification allow an origin access to other devices?**
+
+No.
+
+**Does this specification allow an origin some measure of control over a user
+agent’s native UI?**
+
+No.
+
+**Does this specification expose temporary identifiers to the web?**
+
+No.
+
+**Does this specification distinguish between behavior in first-party and
+third-party contexts?**
+
+No.
+
+**How should this specification work in the context of a user agent’s
+"incognito" mode?**
+
+The feature should not behave differently in incognito mode.
+
+**Does this specification persist data to a user’s local device?**
+
+One implementation strategy would be to store data about historical decoding
+information in order to provide better values to the querying API. When such an
+implementation strategy is used, the data should be cleared when users clear
+their browser information.
+
+**Does this specification have a "Security Considerations" and
+"Privacy Considerations" section?**
+
+[Yes](https://wicg.github.io/media-capabilities/#security-privacy-considerations).
+
+**Does this specification allow downgrading default security characteristics?**
+
+No.