Skip to content

Security self-review answers for 9 July 2024 WD of IFT #194

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
Security self-review answers for 9 July 2024 WD of IFT#194
Labels
Priority: EventuallyLong-term issue, not outside SLOprivacy-trackerGroup bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.security-trackerGroup bringing to attention of security, or tracked by the security Group but not needing response.
@svgeesus

Description

@svgeesus
svgeesus
opened on Jul 24, 2024

Self-Review Questionnaire: Security and Privacy

This questionnaire has moved.

For your convenience, a copy of the questionnaire's questions is quoted here in Markdown, so you can easily include your answers in an explainer.

  1. What information might this feature expose to Web sites or other parties,
    and for what purposes is that exposure necessary?

None

  1. Do features in your specification expose the minimum amount of information
    necessary to enable their intended uses?

Yes, we believe that they do.

  1. How do the features in your specification deal with personal information,
    personally-identifiable information (PII), or information derived from
    them?

No personal information is transferred

  1. How do the features in your specification deal with sensitive information?

No sensitive information is transferred

  1. Do the features in your specification introduce new state for an origin
    that persists across browsing sessions?

No

  1. Do the features in your specification expose information about the
    underlying platform to origins?

No

  1. Does this specification allow an origin to send data to the underlying
    platform?

No. Web fonts are never installed on the underlying system; they are used without installation.

  1. Do features in this specification enable access to device sensors?

No.

  1. What data do the features in this specification expose to an origin? Please
    also document what data is identical to data exposed by other features, in the
    same or different contexts.

None

  1. Do features in this specification enable new script execution/loading
    mechanisms?

No

  1. Do features in this specification allow an origin to access other devices?

No

  1. Do features in this specification allow an origin some measure of control over
    a user agent's native UI?

No

  1. What temporary identifiers do the features in this specification create or
    expose to the web?

None

  1. How does this specification distinguish between behavior in first-party and
    third-party contexts?

No difference.

  1. How do the features in this specification work in the context of a browser’s
    Private Browsing or Incognito mode?

Such modes may elect to not request any WebFonts, in which case they will not use this specification.

  1. Does this specification have both "Security Considerations" and "Privacy
    Considerations" sections?

Yes

  1. Do features in your specification enable origins to downgrade default
    security protections?

No

  1. How does your feature handle non-"fully active" documents?

Non-"fully active" documents will not trigger font subset extension requests.

  1. What should this questionnaire have asked?

Nothing springs to mind.

Metadata

Assignees

No one assigned

    Labels

    Priority: EventuallyLong-term issue, not outside SLOprivacy-trackerGroup bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.security-trackerGroup bringing to attention of security, or tracked by the security Group but not needing response.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions