Security self-review answers for 9 July 2024 WD of IFT #194

Open
svgeesus opened this issue Jul 24, 2024 · 0 comments
Labels
Priority: Eventually (Long-term issue, not outside SLO)
privacy-tracker (Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.)
security-tracker (Group bringing to attention of security, or tracked by the security Group but not needing response.)

Comments

@svgeesus
Contributor

Self-Review Questionnaire: Security and Privacy

This questionnaire has moved.

For your convenience, a copy of the questionnaire's questions is quoted here in Markdown, so you can easily include your answers in an explainer.

  1. What information might this feature expose to Web sites or other parties,
    and for what purposes is that exposure necessary?

None

  1. Do features in your specification expose the minimum amount of information
    necessary to enable their intended uses?

Yes, we believe that they do.

  1. How do the features in your specification deal with personal information,
    personally-identifiable information (PII), or information derived from
    them?

No personal information is transferred.

  1. How do the features in your specification deal with sensitive information?

No sensitive information is transferred.

  1. Do the features in your specification introduce new state for an origin
    that persists across browsing sessions?

No

  1. Do the features in your specification expose information about the
    underlying platform to origins?

No

  1. Does this specification allow an origin to send data to the underlying
    platform?

No. Web fonts are never installed on the underlying system; they are used without installation.

  1. Do features in this specification enable access to device sensors?

No.

  1. What data do the features in this specification expose to an origin? Please
    also document what data is identical to data exposed by other features, in the
    same or different contexts.

None

  1. Do features in this specification enable new script execution/loading
    mechanisms?

No

  1. Do features in this specification allow an origin to access other devices?

No

  1. Do features in this specification allow an origin some measure of control over
    a user agent's native UI?

No

  1. What temporary identifiers do the features in this specification create or
    expose to the web?

None

  1. How does this specification distinguish between behavior in first-party and
    third-party contexts?

No difference.

  1. How do the features in this specification work in the context of a browser’s
    Private Browsing or Incognito mode?

Such modes may elect to not request any WebFonts, in which case they will not use this specification.

  1. Does this specification have both "Security Considerations" and "Privacy
    Considerations" sections?

Yes

  1. Do features in your specification enable origins to downgrade default
    security protections?

No

  1. How does your feature handle non-"fully active" documents?

Non-"fully active" documents will not trigger font subset extension requests.

  1. What should this questionnaire have asked?

Nothing springs to mind.

@svgeesus svgeesus added privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. labels Jul 24, 2024
@svgeesus svgeesus added the Priority: Eventually Long-term issue, not outside SLO label Aug 28, 2024