
Update Security and privacy considerations #47

Merged: 3 commits from security-review-considerations into gh-pages on Oct 28, 2024

Conversation

@anssiko (Member) commented Oct 24, 2024

Expand "Request User Consent" considerations, add "Limit API Usage" considerations and suggested mitigations per W3C Security review feedback:

w3c/security-request#71



Review comment on index.html (outdated), lines 243 to 244:

    are encouraged to complement the normatively defined sticky
    activation-based user activation-gating mitigation with the
Member (reviewer) commented:

Encouraging implementers to implement normatively-defined things is weird. If they are normative then implementations should be doing them. This section probably needs a larger rewrite given that implementations currently do not inform the user when the API is in use either, or provide a mechanism to disable it.

@anssiko (Member, author) replied:

Thanks, yes indeed. I think it is clearer to simply remove the sentence starting with "Implementers are encouraged to ...".

And, considering the intent of this specification update is to specify what is currently implemented, the appropriate RFC 2119 term to use in this context is MAY. If implementations agree to add these additional mitigations, we will adjust the term accordingly.

These fixes are at 1304787

@himorin himorin added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label Oct 28, 2024
@anssiko anssiko merged commit d055733 into gh-pages Oct 28, 2024
1 check passed
@anssiko anssiko deleted the security-review-considerations branch October 28, 2024 11:38