Answer Security and Privacy self review questionnaire #270
Does anyone know how to make the table wider? 😃
security-questionnaire.md
| [3.10 Does this specification allow an origin access to other devices?] | No | No | No | No | No | No | No | | ||
| [3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?] | No | No | No | No | No | No | No | | ||
| [3.12 Does this specification expose temporary identifiers to the web?] | No | No | No | No | No | No | No | | ||
| [3.13 Does this specification distinguish between behavior in first-party and third-party contexts?] | No. Sensors are exposed only to top level browsing context. | No | No | No | No | No | No | |
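Review bot: In the 3.13 row, the first answer cell reads "No. Sensors are exposed only to top level browsing context.", and that second sentence describes a restriction by browsing context, which a reader can take as a "yes" to a question about first-party versus third-party behaviour. Either change the answer or drop the sentence so the cell agrees with the plain "No" in the other columns. The rows also end with differing runs of empty cells (`| ||` on 3.10 to 3.12, `| |` on 3.13); trim them so every row has the same number of cells.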
Doesn't it mean yes, actually?
I was thinking about it; 3.13 talks about Section 2.1 of FIRST-PARTY-ONLY. I would say no, since we don't check first / third party 'contexts' as specified in FIRST-PARTY-ONLY.
The API is not checking whether SameSite is set, e.g.:
`Set-Cookie: SID=31d4d96e407aad42; SameSite=Strict`
I can remove the misleading text:
> Sensors are exposed only to top level browsing context.

wdyt?
yep, let's do so
lgtm
75721dd to 6dec185
@pozdnyakov @anssiko @dontcallmedom Do you think it would be better to keep answers for all GS related APIs in a single place (like in this PR) or move concrete sensors' answers to the corresponding repositories?
I personally prefer the latter (each repo with its review)
@dontcallmedom I'll take the action point to split answers into separate documents / repos and include Rick's comments. Thanks.
Fixes: #266