Merge remote-tracking branch 'wicg/master' into add-usecases

majido · majido · commit 580325279495 · 2017-09-07T20:02:11.000-04:00
diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
-# Boundary Scroll Action
+# Scroll Boundary Behavior
 ---
+# Draft Specification
+https://wicg.github.io/scroll-boundary-behavior
 
 # Problem
 
@@ -33,11 +35,3 @@ where:
 * none - Same as contain but also hint that no overscroll affordance should be triggered.
 
 This should apply to all, non-programatic, user scroll actions.
-
-# Issues to file
-
-* Should the property disable scroll chaining through itself to an ancestor if scrolling is initiated from a child element?
-
-* What if the property is attached to a potentially scrollable element without a scrollbox?
-
-* What if the property is attached to an element which is not scrollable?
diff --git a/index.bs b/index.bs
@@ -209,3 +209,15 @@ Note: In the case where a user agent does not implement scroll chaining and over
 these values will have no side effects for a compliant implementation.
 
 Note: Programmatic scrolling is clamped and can not trigger any <a>boundary default actions</a>.
+
+
+
+Security and Privacy Considerations {#security-and-privacy}
+===================================
+There are no known security or privacy impacts of this feature. The feature may be used to prevent
+certain native UI features such as overscroll affordances and overscroll navigations (e.g., pull-
+to-refresh, swipe navigations). However, this does not expose any additional abilities beyond what
+is already possible in the platform e.g., by preventing the default action of the event that would
+cause a scroll.
+
+
diff --git a/index.html b/index.html
@@ -1467,6 +1467,7 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
     <li><a href="#scroll-chaining-and-boundary-default-actions"><span class="secno">3</span> <span class="content">Scroll chaining and boundary default actions</span></a>
     <li><a href="#overview"><span class="secno">4</span> <span class="content">Overview</span></a>
     <li><a href="#scroll-boundary-behavior-properties"><span class="secno">5</span> <span class="content">Scroll Boundary Behavior Properties</span></a>
+    <li><a href="#security-and-privacy"><span class="secno">6</span> <span class="content">Security and Privacy Considerations</span></a>
     <li><a href="#conformance"><span class="secno"></span> <span class="content"> Conformance</span></a>
     <li>
      <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
@@ -1658,6 +1659,12 @@ <h2 class="heading settled" data-level="5" id="scroll-boundary-behavior-properti
    <p class="note" role="note"><span>Note:</span> In the case where a user agent does not implement scroll chaining and overscroll affordances,
 these values will have no side effects for a compliant implementation.</p>
    <p class="note" role="note"><span>Note:</span> Programmatic scrolling is clamped and can not trigger any <a data-link-type="dfn" href="#boundary-default-action" id="ref-for-boundary-default-action⑤">boundary default actions</a>.</p>
+   <h2 class="heading settled" data-level="6" id="security-and-privacy"><span class="secno">6. </span><span class="content">Security and Privacy Considerations</span><a class="self-link" href="#security-and-privacy"></a></h2>
+    There are no known security or privacy impacts of this feature. The feature may be used to prevent
+certain native UI features such as overscroll affordances and overscroll navigations (e.g., pull-
+to-refresh, swipe navigations). However, this does not expose any additional abilities beyond what
+is already possible in the platform e.g., by preventing the default action of the event that would
+cause a scroll. 
   </main>
   <div data-fill-with="conformance">
    <h2 class="no-ref no-num heading settled" id="conformance"><span class="content"> Conformance</span><a class="self-link" href="#conformance"></a></h2>
diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md
@@ -0,0 +1,40 @@
+## Summary
+
+Scroll Boundary Behavior introduces a new method to control over the behavior of a scroll container
+element when its scrollport reaches the boundary of its scroll box. It allows the content author to
+specify that a scroll container element must prevent scroll chaining and/or overscroll affordances.
+
+To our knowledge it poses no known security or privacy risks.
+
+## Questionnaire
+
+Source: https://www.w3.org/TR/security-privacy-questionnaire/
+
+
+|Question | Answer|
+|---------|-------|
+|3.1 Does this specification deal with personally-identifiable information?| NO |
+|3.2 Does this specification deal with high-value data?| NO |
+|3.3 Does this specification introduce new state for an origin that persists across browsing sessions?| NO |
+|3.4 Does this specification expose persistent, cross-origin state to the web?| NO |
+|3.5 Does this specification expose any other data to an origin that it doesn’t currently have access to?| NO |
+|3.6 Does this specification enable new script execution/loading mechanisms?| NO |
+|3.7 Does this specification allow an origin access to a user’s location?| NO |
+|3.8 Does this specification allow an origin access to sensors on a user’s device?| NO |
+|3.9 Does this specification allow an origin access to aspects of a user’s local computing environment?| NO |
+|3.10 Does this specification allow an origin access to other devices?| NO |
+|3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?| YES|
+|3.12 Does this specification expose temporary identifiers to the web?| NO |
+|3.13 Does this specification distinguish between behavior in first-party and third-party contexts?| NO |
+|3.14 How should this specification work in the context of a user agent’s "incognito" mode?| SAME|
+|3.15 Does this specification persist data to a user’s local device?| NO |
+|3.16 Does this specification have a "Security Considerations" and "Privacy Considerations" section?| YES |
+|3.17 Does this specification allow downgrading default security characteristics?| NO |
+
+## Additional Clarifications
+
+3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?
+
+Yes. The feature may be used to prevent overscroll affordances and overscroll navigations (pull-to-refresh, swipe navigations).
+However this power is not new and may be achieve by prevent defaulting the event that causes the scroll to begin with.
+
