Answer Security and Privacy self review questionnaire #270

Merged: 1 commit, Sep 19, 2017

Conversation

alexshalamov

Fixes: #266

@alexshalamov
Author

alexshalamov commented Sep 18, 2017

Does anyone know how to make table wider? 😃

| [3.10 Does this specification allow an origin access to other devices?] | No | No | No | No | No | No | No |
| [3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?] | No | No | No | No | No | No | No |
| [3.12 Does this specification expose temporary identifiers to the web?] | No | No | No | No | No | No | No |
| [3.13 Does this specification distinguish between behavior in first-party and third-party contexts?] | No. Sensors are exposed only to top level browsing context. | No | No | No | No | No | No |

Doesn't it mean yes actually?

Author

I was thinking about it, 3.13 talks about Section 2.1 of FIRST-PARTY-ONLY. I would say no, since we don't check first / third party 'contexts' as specified in FIRST-PARTY-ONLY.

API is not checking whether SameSite is set, e.g.:
Set-Cookie: SID=31d4d96e407aad42; SameSite=Strict

Author

I can remove misleading text:

Sensors are exposed only to top level browsing context.

wdyt?

yep, let's do so


@pozdnyakov pozdnyakov left a comment

lgtm

@alexshalamov
Author

@pozdnyakov @anssiko @dontcallmedom Do you think it would be better to keep answers for all GS related APIs in single place (like in this PR) or move concrete sensor's answers to corresponding repositories?

@dontcallmedom
Member

I personally prefer the latter (each repo with its review)

@rwaldron
Contributor

I just worked through the questionnaire independently as a means of cross-checking, and our answers have almost 100% agreement. For 3.10 I added an acknowledgement that's called out in the security risk section. Here are my answers:


Self-Review Questionnaire: Security and Privacy, Questions to Consider

3.1. Does this specification deal with personally-identifiable information?

Yes, but not directly. Concrete sensor specifications require user permissions to mitigate potential exposure issues. https://w3c.github.io/sensors/#security-and-privacy, https://w3c.github.io/sensors/#mitigation-strategies, https://w3c.github.io/sensors/#user-identifying

3.2. Does this specification deal with high-value data?

Yes, but not directly.

Sensor readings are explicitly flagged by the Secure Contexts specification [POWERFUL-FEATURES] as a high-value target for network attackers. Thus all interfaces defined by this specification or extension specifications are only available within a secure context.

See: https://w3c.github.io/sensors/#secure-context

3.3. Does this specification introduce new state for an origin that persists across browsing sessions?

No.

3.4. Does this specification expose persistent, cross-origin state to the web?

No.

3.5. Does this specification expose any other data to an origin that it doesn’t currently have access to?

No.

3.6. Does this specification enable new script execution/loading mechanisms?

No.

3.7. Does this specification allow an origin access to a user’s location?

Not directly; concrete sensor specifications, i.e. "Geolocation Sensor", require user permissions to mitigate potential exposure issues. https://w3c.github.io/sensors/#security-and-privacy, https://w3c.github.io/sensors/#mitigation-strategies, https://w3c.github.io/sensors/#location-tracking

3.8. Does this specification allow an origin access to sensors on a user’s device?

Yes; concrete sensor specifications require user permissions to mitigate potential exposure and/or privacy issues. https://w3c.github.io/sensors/#security-and-privacy, https://w3c.github.io/sensors/#mitigation-strategies

3.9. Does this specification allow an origin access to aspects of a user’s local computing environment?

TODO

3.10. Does this specification allow an origin access to other devices?

No; however it is acknowledged that:

Sensors can potentially be used in cross-device linking and tracking of a user.

See: https://w3c.github.io/sensors/#security-and-privacy, https://w3c.github.io/sensors/#mitigation-strategies

(It is recognized that this isn't precisely what is meant by question 3.10, but worth mentioning)

3.11. Does this specification allow an origin some measure of control over a user agent’s native UI?

No.

3.12. Does this specification expose temporary identifiers to the web?

No.

3.13. Does this specification distinguish between behavior in first-party and third-party contexts?

No.

3.14. How should this specification work in the context of a user agent’s "incognito" mode?

TODO

3.15. Does this specification persist data to a user’s local device?

No.

3.16. Does this specification have a "Security Considerations" and "Privacy Considerations" section?

Yes https://w3c.github.io/sensors/#security-and-privacy

3.17. Does this specification allow downgrading default security characteristics?

No.
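The answers to 3.2 and 3.8 above state the two gates a page hits before it can read a sensor: the interfaces are only exposed in a secure context, and the concrete sensor needs a user permission. The following is an added example, not code from the w3c/sensors repository or from any commenter in this thread, showing how a consuming page would enforce those preconditions defensively and classify the errors a sensor reports so the UI can tell "permission denied" from "blocked by policy" from "hardware unavailable". `FakeAccelerometer`, `PolicyBlockedSensor`, `secureWindow`, `insecureWindow` and `blockedWindow` are constructed stand-ins so the code runs outside a browser; in a real page `win` would be `window` and `ctorName` a real sensor interface such as `'Accelerometer'`. The DOMException-name mapping in `classifySensorError` is my reading of the Generic Sensor error model and should be checked against the current draft.

```javascript
// Added example (not the w3c/sensors project's own code): defensive wrapper
// around a Generic Sensor API sensor that enforces the secure-context and
// availability preconditions before touching hardware, and classifies the
// errors reported through the sensor's onerror handler.

// Map a DOMException name reported by a sensor to a handling category.
// Assumption: these are the names used by the Generic Sensor error model.
function classifySensorError(name) {
  switch (name) {
    case 'NotAllowedError':  return 'permission-denied';    // user or UA denied access
    case 'SecurityError':    return 'blocked-by-policy';    // e.g. not permitted by feature policy
    case 'NotReadableError': return 'hardware-unavailable'; // sensor cannot be read
    default:                 return 'unknown';
  }
}

// Preconditions checked before construction. `win` is a Window-like object
// (the real `window` in a browser, or a constructed stand-in here).
function sensorPreconditions(win, ctorName) {
  if (!win.isSecureContext) {
    // Sensor interfaces are only exposed in secure contexts (questionnaire 3.2).
    return { ok: false, reason: 'insecure-context' };
  }
  if (typeof win[ctorName] !== 'function') {
    return { ok: false, reason: 'not-supported' };
  }
  return { ok: true, reason: null };
}

// Construct, wire up and start a sensor. Returns a result object rather than
// throwing, so callers can log the reason and degrade gracefully.
function startSensor(win, ctorName, options, onReading) {
  const pre = sensorPreconditions(win, ctorName);
  if (!pre.ok) return { started: false, reason: pre.reason, sensor: null };
  let sensor;
  try {
    sensor = new win[ctorName](options);
  } catch (e) {
    // Constructors can throw (e.g. SecurityError when policy blocks the sensor).
    return { started: false, reason: classifySensorError(e.name), sensor: null };
  }
  const outcome = { started: true, reason: null, sensor, lastError: null, readings: 0 };
  sensor.onerror = (event) => {
    outcome.lastError = classifySensorError(event.error.name);
    sensor.stop(); // stop on error so a denied sensor does not keep polling
  };
  sensor.onreading = () => {
    outcome.readings += 1;
    onReading(sensor);
  };
  sensor.start();
  return outcome;
}

// ---- Constructed stand-ins so the example runs outside a browser ----
// Minimal fake sensor with the surface used above: emits one reading, then a
// permission denial from the user agent.
class FakeAccelerometer {
  constructor(options = {}) {
    this.frequency = options.frequency || 60;
    this.x = 0; this.y = 0; this.z = 9.8;
    this.activated = false;
    this.onreading = null; this.onerror = null;
  }
  start() {
    this.activated = true;
    if (this.onreading) this.onreading();
    if (this.onerror) this.onerror({ error: { name: 'NotAllowedError' } });
  }
  stop() { this.activated = false; }
}

// Fake sensor whose constructor is refused by policy.
class PolicyBlockedSensor {
  constructor() { const e = new Error('blocked by policy'); e.name = 'SecurityError'; throw e; }
}

const secureWindow   = { isSecureContext: true,  FakeAccelerometer };
const insecureWindow = { isSecureContext: false, FakeAccelerometer };
const blockedWindow  = { isSecureContext: true,  PolicyBlockedSensor };

// Run the three scenarios and return their outcomes.
function demo() {
  const noop = () => {};
  return {
    secure:   startSensor(secureWindow,   'FakeAccelerometer',   { frequency: 10 }, noop),
    insecure: startSensor(insecureWindow, 'FakeAccelerometer',   { frequency: 10 }, noop),
    blocked:  startSensor(blockedWindow,  'PolicyBlockedSensor', {},                noop),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log(r.secure.readings, r.secure.lastError, r.insecure.reason, r.blocked.reason);
}
```

The secure scenario receives one reading and then ends with `permission-denied`, the insecure window never reaches the constructor (`insecure-context`), and the policy-blocked constructor is reported as `blocked-by-policy`; in a real page the same result object is what you would log or surface to the user instead of a raw DOMException.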

@rwaldron rwaldron merged commit d5f75e3 into w3c:master Sep 19, 2017
@alexshalamov
Author

@dontcallmedom I'll take action point to split answers into separate documents / repos and include Rick's comments. Thanks.
