EPUB 3 Working Group Telco — Minutes

Date: 2021-02-26

See also the Agenda and the IRC Log

Attendees

Present: Deborah Kaplan, Masakazu Kitahara, Ivan Herman, Matthew Chan, Wendy Reid, Laura Brady, Avneesh Singh, George Kerscher, Toshiaki Koike, Bill Kasdorf, Charles LaPierre, Will Awad, Ben Schroeter, Gregorio Pellegrino, Matt Garrish, Brady Duga, Juliette McShane, Teenya Franklin, Garth Conboy, Hadrien Gardeur

Regrets: Tzviya Siegman

Guests: Dave Cramer

Chair: Wendy Reid

Scribe(s): Matthew Chan, Wendy Reid

Content:

• 1. TAG Explainer, Privacy/Security Questionnaire
• 2. WCAG 3.0
• 3. Open issues
  • 3.1. Is rendition:align-x-center allowed as a manifest meta?
  • 3.2. Trimming leading and following whitespace in package metadata
• 4. AOB

1. TAG Explainer, Privacy/Security Questionnaire

Dave Cramer: we have lots of horizontal review to do
… re. the security and privacy self-questionnaire
… eventually we need TAG review of our spec
… i’m hoping to get advice from them esp. question of origin and how epub security fits into web security model

Dave Cramer: See Draft EPUB 3.3 explainer

Dave Cramer: i started answering the questionnaire
… getting some feedback from you all would be REALLY helpful
… Ivan has already made some helpful comments

Brady Duga: what is our timeline for review of this doc?

Dave Cramer: not clear
… i just wanted to get started, get a handle on the extent of potential work required

Ivan Herman: we are always asked to come in as early as possible
… there is normally a problem with groups coming in close to CR and only realizing that they have issues there
… that is why I started i18n so quickly
… if we can submit a first round to them for review within 1 mth or 6 wks that would be good

Dave Cramer: and we’re talking about CR in November, and its already feb
… ivan does it make sense to go thru the questions on this call?
… okay, let’s try to get through a few of these
… Q1 1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
… questionnaire seems to be kind of web-centric
… but we try to work around that
… i tried to mention some of the kinds of info that RSes seem to collect
… e.g. reading position
… highlights, notes, bookmarks
… which books are finished
… what else?

Matt Garrish: i don’t know that anything is missing, but is this really in scope? The spec doesn’t really define this behaviour
… what are we supposed to be listing for this question?
… do we have to be able to point to where in the spec we are mandating each of these things?
… or just list whatever a RS could possibly do?

Dave Cramer: this is our first interaction with W3C as formal WG
… i think we need to cast as wide a net as possible
… don’t want to draw narrow boundaries
… want to give TAG as much info as possible to make an informed decision
… then if TAG says not to worry about something, then okay
… rather than to have them caught off guard

Brady Duga: listing all the things that a web browser could do in a specific spec (e.g. flexbox) would seem odd
… similarly, listing everything RSes can do seems like it would be similar
… a lot of these features we don’t require
… publishers are also users
… the metadata that they put in, they intend to be made available on the net
… it seems obvious that this would be the case

Ben Schroeter: when we talk about the info that can be collected and other users who may be interested in said info, one of the most important is educational market
… they like student engagement info
… so we might think about including schools in the category of interested users

Ivan Herman: at the end of the day, we will have to add a privacy and security section
… look at other specs, these sections are not normally normative
… they say, you have this technology, and hopefully you’ve done everything in your power to avoid security and privacy issues, but implementers should be aware that certain issues exist
… but this kind of info that any reasonable person authoring an epub should realize that these are things that can happen when their publication gets to an RS
… these are the sorts of things we should keep in mind
… the TAG may ask us whether we’ve done what we can to avoid certain problems
… e.g. discussion we had last week about origin, that is a step in the right direction
… but the final outcome is a section that contains informal warnings

George Kerscher: for AT, dyslexic students will also want to track how quickly they are reading, how much read aloud features are being used
… one library tracks the books i’ve downloaded and reports back to me what books i’ve read
… great feature, as long as it stays private

Bill Kasdorf: i just want to be clear, when the TAG does this review of spec, are they critiquing what is in the spec, or suggesting additions that need to be made to spec?

Ivan Herman: it will be both

Matt Garrish: maybe it would help to separate what we know are features of the spec, vs things that RSes do that are not in spec
… so people don’t think that everything is being dictated by spec
… e.g. give them a list of things to consider that are not directly in our control, just FYI

Brady Duga: +1 to Matt G

Avneesh Singh: as an example, re. geopositioning info, one can say this is a security hole, but many things that an RS does cannot be controlled by the spec
… so I second Matt G’s idea

Charles LaPierre: See TAG explainer template

Charles LaPierre: in the personalization tf, we went through TAG review, but they want it in a very specific format
… this link is to the template that they want for explainers
… important that we use their format
… saying this from experience

Dave Cramer: right, good point
… right now this is a very work in progress attempt to think through the relevant points
… “Is this spec exposing the minimum amount of info…?”
… probably
… “How do we deal with sensitive info?”
… there was a comment that the fact you are reading a particular book can be highly sensitive info
… we should be clear about that, but again, the spec doesn’t discuss sharing of this sort of info

Bill Kasdorf: it occurs to me that we’re actually working on 2 specs? Update of epub core, and epub RS?
… how does this affect that RS? Maybe that’s where a lot of stuff comes to surface

Dave Cramer: epub is currently described in 2 specs, but i don’t want to have a separate security and privacy questionnaire for each of them
… there are so many ways that they interact
… it feels like it would be more of an artificial distinction to me

Ben Schroeter: i don’t think the question of what books i’m reading has anything to do with the format of the book etc.
… that’s more down to what company i’ve go through to get the book
… the formatting of the book itself doesn’t add vulnerability

Brady Duga: one thing, the unique identifier is an interesting tracking mechanism
… the other thing is, about portrait and landscape
… we do that by just looking at the aspect ratio
… but if you have scripting in the book, you could examine the book to figure out things indirectly
… e.g. examining the book to deduce what the device orientation is
… e.g. if someone has extremely large font size, then an inference could be made that user is low vision

Ivan Herman: to pick on the last one, in every script which is like an HTML script, can it find out what font is used, or what size, without any further ado?

Brady Duga: it depends… would have to look at what we expose from the RS object
… WE don’t support scripting, so I don’t deal with this very often
… but it really depends on how the RS does font stuff

Ivan Herman: could you do the same in browser?

Charles LaPierre: dyslexic font could expose sensitive information?

Brady Duga: you can absolutely tell. E.g. by measuring a range with a known size,

Ivan Herman: so maybe there is a danger, but epub doesn’t exacerbate this

Brady Duga: not necessarily. There are ways that we handle things that are not necessarily the same as in a browser
… e.g. we allow users to choose font via CSS, not sure if this is a thing is browsers
… Ivan’s point is good, but it requires further study
… to make sure we’re not caught by any backdoor ways that user info could be revealed/deduced

George Kerscher: i’m wondering about Microsoft’s immersive reading experience in edge and office products
… are they encountering the same kinds of issues that we have
… where they may understand a lot more about the person that we would typically think
… so the issues we’re facing may not be unique to us

Dave Cramer: there are certainly a lot of surprising security vulnerabilities

Brady Duga: I just checked whether Chrome is reporting updated computed sizes when I control+plus, and we don’t
… but this is something an RS would do

Ivan Herman: we do say in the document that each epub instance should be viewed as having its own origin
… i am not sure that we also say that the same document read on two different occasions should have two different ones

Dave Cramer: we don’t say that, that would prevent many useful features

Ivan Herman: then we should specify that
… on the other hand, the point of each epub being its own origin is currently non-normative

Dave Cramer: good point

Matthew Chan: Scribe’s note: About was in relation to Q8 of the questionnaire

Dave Cramer: i propose we move on

2. WCAG 3.0

Wendy Reid: https://www.w3.org/2021/02/23-pbg-video.html

Wendy Reid: we had a meeting within the publishing BG
… the link above is to the video of the presentation

Bill Kasdorf: could you also provide a link to her slides?

Wendy Reid: the meeting covered an overview of changes in WCAG 3.0
… they are looking for first round of feedback by today end of day
… epub is specifically called out
… they are looking for assistance to make the parts concerning epub as consistent as possible

Dave Cramer: any questions or comments?

George Kerscher: when we provide feedback to them, does each individual person provide their comments?
… or do we as a group agree on comments?

Wendy Reid: its fine to offer comments as an individual

George Kerscher: i’m just afraid that my comments will be interpreted as representing the WG
… and I can just clarify that my comments are my own

Avneesh Singh: to provide a little bit of an overview, the current draft is not entirely settled
… a lot of discussion will still take place
… but a lot of the high level framework is in place
… so current comments about high level is most helpful right now
… as we get further on, we can work out more of the details with WCAG tf

3. Open issues

3.1. Is rendition:align-x-center allowed as a manifest meta?

See github issue #1380.

Dave Cramer: this is about rendition:align-x-center
… the intent was that this would be used to center title pages in Japanese books
… so that everything would be in center of viewport
… issue here is that this is a bit of metadata that does not make sense as global metadata
… but the spec seems to allow it
… should we fix this by prohibiting it as global?
… there does seem to be some interest in deprecating it entirely

Garth Conboy: we (Google) don’t implement it
… if you had a landscape image in fixed layout, it seems to me that there could be a use case for the global setting

Brady Duga: you said earlier that there have already been other ways to address the use case of Japanese title pages
… not sure that this is the case
… i’m currently dealing this an issue report about this right now
… the experts in Japanese rendering would currently say that there is not real CSS solution to this, but only after a great deal of specific research

Matt Garrish: its not possible for this to be a global property right now
… because there are no defined values for it currently

Dave Cramer: We do have the datapoint that a careful reader of the spec was unsure that this could be a global property
… that’s some evidence that an editorial note or tweak is needed

Matt Garrish: I have no issue sticking a note in
… we can’t actually have a global property, it’s impossible

Dave Cramer: Let’s close the issue and have a separate discussion about whether it should be deprecated
… we’re potentially running into not having 2 implementations
… making this an at-risk feature

Ivan Herman: Minutes are sufficient

3.2. Trimming leading and following whitespace in package metadata

See github issue #1295, #1528.

Dave Cramer: Let’s discuss 1295
… package metadata, according to the spec we need to trim leading and trailing whitespace
… the INFRA spec does have instructions on this
… it would be a step in the right direction to define the trimming as described in the INFRA spec
… this is separate to a discussion on whitespace within the strings
… there is a major RS that ignores this requirement

Garth Conboy: What is the proposed change?

Dave Cramer: Could it be as simple as linking the word “trim” to the INFRA spec?

Ivan Herman: We can normatively refer to the INFRA spec
… we can close by referring to it

Dave Cramer: Cool!
… that’s all for today

4. AOB

Will Awad: [Introduces himself]

Charles LaPierre: Will from Newgen is a GCA Benetech Approved Vendor as well!

Teenya Franklin: {shows off cute dog]