[css-values-3] Copy over Privacy and Security sections from L4

fantasai · fantasai · commit 08c1b6c92da5 · 2022-10-12T17:38:34.000-04:00
diff --git a/css-values-3/Overview.bs b/css-values-3/Overview.bs
@@ -2368,15 +2368,33 @@ Changes</h2>
 		<li>Specified that ''attr()'' with ''string'' or ''url'' types doesn't reparse the attribute contents, just takes the value literally as the value of a <<string>>.
 	</ul>
 
-<h2 class="no-num" id="sec-pri">
-Security and Privacy Considerations</h2>
-
-	This specification mostly just defines units that are common to CSS specifications,
-	and which present no security concerns.
-
-	Note: Does URL handling have a security concern?  Probably.
-
-	This specification defines units that expose the user's screen size
-	and default font size,
-	but both are trivially observable from JS,
-	so they do not constitute a new privacy risk.
+<h2 class="no-num" id="security">
+Security Considerations</h2>
+
+	This specification presents no new security considerations.
+
+	This specification defines the ''url()'' function (<<url>>),
+	which allows CSS to make network requests.
+	Depending on what features they are used in,
+	these can potentially expose whether or not the user has access to resources on a network,
+	and expose information about their contents
+	(such as the rules within a style sheet, the size of an image, the metrics of a font).
+	They can also allow exfiltrating data via URL.
+
+<h2 class="no-num" id="privacy">
+Privacy Considerations</h2>
+
+	This specification introduces units that expose the user's screen size
+	(the [=viewport-percentage lengths=]),
+	default font size,
+	and potentially some information about
+	which fonts are available on the user's system
+	(the [=font-relative lengths=]).
+
+	This specification defines the ''url()'' function (<<url>>),
+	which allows CSS to make network requests.
+	Depending on what features they are used in,
+	these can potentially expose whether or not the user has access to resources on a network,
+	and expose information about their contents
+	(such as the rules within a style sheet, the size of an image, the metrics of a font).
+	They can also allow exfiltrating data via URL.
diff --git a/css-values-4/Overview.bs b/css-values-4/Overview.bs
@@ -5085,7 +5085,6 @@ Security Considerations</h2>
 	(such as the rules within a style sheet, the size of an image, the metrics of a font).
 	They can also allow exfiltrating data via URL.
 
-
 <h2 class="no-num" id="privacy">
 Privacy Considerations</h2>
 
@@ -5102,4 +5101,4 @@ Privacy Considerations</h2>
 	these can potentially expose whether or not the user has access to resources on a network,
 	and expose information about their contents
 	(such as the rules within a style sheet, the size of an image, the metrics of a font).
-	They can also allow exfiltrating data via URL.
+	They can also allow exfiltrating data via URL.
