See explainer.md for the API's main explainer.
These questions are taken from this questionnaire.
- Takumi Fujimoto @takumif | takumif@google.com
2.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
The Presentation API allows a website to query whether a user has any devices
that support launching presentations on the local network by creating a
PresentationAvailability object. Websites that want to initiate mirroring can
use this object to decide whether to show a button to users when a compatible
device is available.
Today, all presentation receiver devices support site-initiated mirroring, so websites cannot gain any new information by requesting the availability of presentation receiver devices for site-initiated mirroring.
2.2 Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
Yes. We don't expose the number or the name of the available devices.
2.3 How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
Existing Presentation API reduces PII exposure by showing the available list of devices (device names could contain people's names) in native UI and not exposing them to the website. Site-initiated mirroring, which extends the Presentation API, uses the same mechanism.
By having the user agent provide the receiver picker UI, it limits the set of receivers that can show the mirrored contents (which can potentially contain sensitive information) to those that it trusts.
See section 2.3 above.
2.5 Do the features in your specification introduce new state for an origin that persists across browsing sessions?
No.
2.6 Do the features in your specification expose information about the underlying platform to origins?
No.
No.
No.
No.
Yes, the feature allows an origin to choose to mirror its top-level browsing context to a device on the local network chosen by the user in a native device picker UI.
2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI?
Yes, the proposed feature uses an existing flow of PresentationRequest#start()
triggering a native device picker UI, which can only be triggered with user
activation.
Starting a mirroring session creates a PresentationConnection object with
a presentation identifier,
but the ID can be obtained only at creation and the user agent can create an ID
that does not reveal any information about the user or the browsing state.
2.13 How does this specification distinguish between behavior in first-party and third-party contexts?
The existing Presentation API spec requires the user agent's native device picker UI to show the origin that is requesting to present (link), so that the user would know what origin is requesting. The content that is mirrored is the top-level browsing context regarding of which browsing context is requesting.
2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
It behaves the same way as it does for the regular browsing mode. A site-initiated mirroring session is terminated when a browsing context is terminated.
2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
See the security and privacy considerations section of the explainer.
No.
A non-"fully active" document cannot initiate or maintain a site-initiated mirroring session:
-
Initiating mirroring requires user activation, so it cannot be done by a non-"fully active" document.
-
When the user navigates away from a document (i.e. when the document is no longer fully active) the mirroring session is terminated.
N/A