Issue #45: Security and Privacy Considerations

[mfoltzgoogle]

This PR drafts the Security and Privacy Considerations following discussion in #45. @tidoust and others, please review.

[tidoust]

Please find a few comments below. The rest looks good. I would merge the pull request in any case, the text provides a very good basis for that section!

Cross-origin access

• "the URL that started the presentation": couldn't this mean the URL of the opening context? Change to "the URL of the presentation session", perhaps?
• I would drop the paragraph starting from "We could further restrict...". We're not going to do that in practice, so I don't see what it brings. Perhaps rephrase the whole paragraph as: "This design allows controlling contexts from different domains to connect to a shared presentation resource. The security of the presentation ID prevents arbitrary pages from connecting to an existing presentation.".
• I would drop "the charter envisions", or use "the group envisions" instead (most readers won't know what a charter is and that's not a useful concept in a spec)

Temporary identifiers and browser state

I would drop "Again, one possible solution would be to restrict the API to secure contexts" since my understanding is that we would prefer not to do that, and replace with an open issue such as:

<p class="open-issue">
  Should we restrict the API to some extent in non secure contexts?
</p>

[mfoltzgoogle]

All good suggestions @tidoust. I have incorporated them into the updated PR and will now merge.