-
Notifications
You must be signed in to change notification settings - Fork 31
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
security questionnaire, first iteration (#67)
* security questionnaire, first iteration * add pretext and rewrap document * address review comments and wrap answers into new line
- Loading branch information
1 parent
d332c0c
commit 98c9de7
Showing
1 changed file
with
102 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| In terms of technical capabilities, the proposed API is a DOM-based API. | ||
| It turns a string or DOM fragment into another string or fragment. | ||
| In fact, it could be implemented with all existing DOM capabilities that the | ||
| platform already provides - and there are existing JavaScript implementations of | ||
| the algorithm we propose. We are proposing this API for the sake of increased | ||
| security in the light of attacks that those implementations have had to face | ||
| (e.g., DOM Clobbering and Mutated XSS). Given previous security issues, we | ||
| believe that a sanitizer working in unison with the browser’s parsing | ||
| implementation will be less prone to these attacks. | ||
|
|
||
| This API does not expose any new information to the web and it does not | ||
| introduce any new capabilities for an origin. | ||
|
|
||
|
|
||
| * What information might this feature expose to Web sites or other parties, and | ||
| for what purposes is that exposure necessary? | ||
|
|
||
| This feature does not expose any new information. | ||
|
|
||
| * Do features in your specification expose the minimum amount of information | ||
| necessary to enable their intended uses? | ||
|
|
||
| This feature does not expose any new information. | ||
|
|
||
| * How do the features in your specification deal with personal information, | ||
| personally-identifiable information (PII), or information derived from them? | ||
|
|
||
| This feature does not expose any new information. | ||
|
|
||
| * How do the features in your specification deal with sensitive information? | ||
|
|
||
| This feature does not submit or expose any information. It is merely operating | ||
| on existing HTML. | ||
|
|
||
| * Do the features in your specification introduce new state for an origin that | ||
| persists across browsing sessions? | ||
|
|
||
| This feature does not introduce new state. | ||
|
|
||
| * Do the features in your specification expose information about the underlying | ||
| platform to origins? | ||
|
|
||
| This feature does not expose any new information. | ||
|
|
||
| * Do features in this specification allow an origin access to sensors on a | ||
| user’s device? | ||
|
|
||
| This feature does not talk to devices or grant access to them. | ||
|
|
||
| * What data do the features in this specification expose to an origin? Please | ||
| also document what data is identical to data exposed by other features, in the | ||
| same or different contexts | ||
|
|
||
| The feature does not expose new data to an origin. | ||
| It operates solely on data structures that can already exists within the | ||
| origin, e.g. DOMStrings or DocumentFragments. | ||
|
|
||
| * Do feautres in this specification enable new script execution/loading | ||
| mechanisms? | ||
|
|
||
| No. | ||
|
|
||
| * Do features in this specification allow an origin to access other devices? | ||
|
|
||
| No. | ||
|
|
||
| * Do features in this specification allow an origin some measure of control over | ||
| a user agent's native UI? | ||
|
|
||
| No. | ||
|
|
||
| * What temporary identifiers do the feautures in this specification create or | ||
| expose to the web? | ||
|
|
||
| The API does not use any temporary identifiers. | ||
|
|
||
| * How does this specification distinguish between behavior in first-party and | ||
| third-party contexts? | ||
|
|
||
| The API does not operate on third-party contexts. | ||
|
|
||
| * How do the features in this specification work in the context of a browser’s | ||
| Private Browsing or Incognito mode? | ||
|
|
||
| The DOM operations we specify areoblivious of the browsing mode and do not | ||
| store any state in either. | ||
|
|
||
| * Does this specification have both "Security Considerations" and "Privacy | ||
| Considerations" sections? | ||
|
|
||
| Only a Security Considerations sections. See | ||
| https://wicg.github.io/sanitizer-api/#security-considerations | ||
|
|
||
| * Do features in your specification enable origins to downgrade default security | ||
| protections? | ||
|
|
||
| No. The feature requires a Secure Context. | ||
|
|
||
| * What should this questionnaire have asked? | ||
|
|
||
| We believe the Security Considerations section in the specification does a | ||
| fairly decent job of describing the security issues we are trying to tackle and which ones are out of scope. |