29533 2016-03-15 16:05:25 +0000 Add 'Security Considerations' and 'Privacy Considerations' sections 2016-04-26 09:09:51 +0000 1 1 1 Unclassified CSS CSSOM View unspecified PC All NEW P2 normal --- 1 zcorpan zcorpan annevk w3bugs public-css-bugzilla oldest_to_newest 125506 0 zcorpan 2016-03-15 16:05:25 +0000 https://drafts.csswg.org/cssom-view/ Security: * Scrolling APIs might be used in e.g. for clickjacking. * Moving and resizing windows might be used e.g. to emulate a native platform dialog. * The "supported open() feature name" is more limited in the spec than it is in implementations; wider support to hide various parts of the UI might be used e.g. to emulate a native platform dialog. * Failure to implement same-origin restrictions for scrolling APIs ... * Failure to implement #allowed-to-resize-and-move restrictions for moving and resizing windows ... * ...? Privacy: * Fingerprinting. * Exposure to JS when the user's environment changes via e.g. MediaQueryList (c.f. 'orientation', 'light-level', etc.) * ...? 125507 1 annevk 2016-03-15 16:18:57 +0000 One thing you want to mention here is that APIs that allow observing things of stylesheets, e.g., subresource loading (service workers, resource timing), need to be aware that if a stylesheet itself was not loaded using "cors" and is cross-origin, leaking data of those subresources is a same-origin policy violation. That's really a generic issue for CSS, but it seems CSSOM is the grab bag for actually defining the model as to how CSS works. 125509 2 zcorpan 2016-03-15 17:35:04 +0000 Yes, that's for CSSOM though, not CSSOM View. Thanks! 126145 3 zcorpan 2016-04-26 09:09:51 +0000 Privacy: * https://www.w3.org/Bugs/Public/show_bug.cgi?id=29577