Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MathML Core #438

Open
bkardell opened this issue Oct 30, 2019 · 4 comments
Open

MathML Core #438

bkardell opened this issue Oct 30, 2019 · 4 comments

Comments

@bkardell
Copy link

@bkardell bkardell commented Oct 30, 2019

Hello TAG Friends!

I'm requesting a TAG review of:

Further details:

  • Relevant time constraints or deadlines: None specifically beyond our goals to fully upstream an implementation by October 2020 We'd like to continue to progress this long-overdue work.
  • I have read and filled out the Self-Review Questionnaire on Security and Privacy. (the assessment is below).
  • I have reviewed the TAG's API Design Principles
  • The group where the work on this specification is: MathML Refresh CG
  • Links to major pieces of multi-stakeholder review or discussion of this specification:
    * Much of this specification is clarifying with modern rigor a subset of what was both specified in MathML 3 and already shipping in two browsers. Thus far, both WebKit and Firefox have participated, accepted patches and aligned with MathML Core. Our issue tracker shows work and engagement from multiple vendors, including lots of advice and questions from Googlers. Our Intent to Implement also includes encouraging responses.
  • Links to major unresolved issues or opposition with this specification:

You should also know that...

MathML Core comes from previous TAG review of MathML specs/plans.
Among our primary aims is to establish an interoperable and widely agreeable starting point for discussions that have been created by MathML's largely unique history. We've taken very much history, commentary (including TAG's) and challenges into account. We've taken great pains to balance many things: Making this as small as possible, align as directly as possible with the rest of the platform (including DOM and CSS), eliminate unknowns and surprises, apply learnings from actual implementations (firefox, webkit, office and TeX), rigorously specify and remain useful and compatibile, improving the many documents that already exist.

We'd prefer the TAG provide feedback as (please select one):

  • open issues in our GitHub repo for each point of feedback
  • open a single issue in our GitHub repo for the entire review
  • leave review feedback as a comment in this issue and @-notify @bkardell @fred-wang @rwlbuis

Security Questionnaire...

  • What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?

    • This feature allows some OpenType parameters from the MATH table to be tested via MathML constructions, similar to what is done in the corresponding WPT tests. These can allow a third-party to detect whether a known math font is installed. This is non-similar to any other non-sensible font data used for text layout, though.
    • The MathML href attribute can be a potential risk of third-party detecting visited websites. We expect that the same mitigation as SVG/HTML links will be performed by implementers.
  • Is this specification exposing the minimum amount of information necessary to power the feature?

    • Yes, no information is exposed in new ways.
  • How does this specification deal with personal information or personally-identifiable information or information derived thereof?

    • n/a - this is simply about the rendering of a kind of text in a tree and setting it inline with other DOM/CSS expectations.
  • How does this specification deal with sensitive information?

    • It doesn't.
  • Does this specification introduce new state for an origin that persists across browsing sessions?

    • No
  • What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?

    • Because it is based on integration with the rest of the platform, we believe nothing new, beyond what is mentioned in the first question.
  • Does this specification allow an origin access to sensors on a user’s device

    • No
  • What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.
    * Nothing

  • Does this specification enable new script execution/loading mechanisms?

    • This specification adds new (for MathML) script execution mechanisms in event handler attributes (onclick, etc) or href="javascript:..." links in order to align with normal platform expectations - these already exist for HTML or SVG. It does not add new script loading mechanisms.
  • Does this specification allow an origin to access other devices?

    • No
  • Does this specification allow an origin some measure of control over a user agent’s native UI?

    • No
  • What temporary identifiers might this this specification create or expose to the web?

    • None.
  • How does this specification distinguish between behavior in first-party and third-party contexts?

    • The specification itself does not make any distinction. MathML can be embedded into HTML and in SVG (via the foreignObject element) and it is expected that the same existing restrictions as HTML/SVG will apply for third-party contexts.
  • How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?

    • No differences.
  • Does this specification have a "Security Considerations" and "Privacy Considerations" section?

    • No, but we will be adding them, largely to reflect what we have listed here.
  • Does this specification allow downgrading default security characteristics?

    • No
@bkardell

This comment has been minimized.

Copy link
Author

@bkardell bkardell commented Oct 31, 2019

Note: For anyone who feels like they'd like more information that they can consume pretty easily, we have a ~30 min presentation from our recent hackfest where @fred-wang breaks a lot of this down in pretty complete and understandable ways (https://www.youtube.com/watch?time_continue=79&v=Q8Z1D2i61j8)

@torgo

This comment has been minimized.

Copy link
Member

@torgo torgo commented Nov 19, 2019

We will try to schedule some breakout time on this for this week. If not, this will have to get bumped to the f2f.

@torgo

This comment has been minimized.

Copy link
Member

@torgo torgo commented Dec 3, 2019

Discussed at our f2f with @bkardell. The hypothesis is that MathML core addreesses many of the issues raised by the previous TAG review. We need to do further work to confirm this.

@hadleybeeman

This comment has been minimized.

Copy link

@hadleybeeman hadleybeeman commented Dec 3, 2019

Also, looking at this explainer -- it does a good job of explaining how you got to where you are, and how you've decided on the approach you took. It doesn't though explain concisely how MathML core works. It might be useful to add that in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.