Add Privacy and Security Considerations

Author: zcorpan

geometry/Overview.bs

@@ -1711,6 +1711,29 @@ href="https://www.w3.org/TR/html5/infrastructure.html#safe-passing-of-structured
 of structured data”</a> definitions. [[!HTML5]]
 
 
+<h2 id="priv-sec">Privacy and Security Considerations</h2>
+
+<p>The {{DOMMatrix}} and {{DOMMatrixReadOnly}} interfaces have entry-points to parsing a string with
+CSS syntax. Therefore the <a href="https://drafts.csswg.org/css-syntax/#priv-sec">privacy and
+security considerations</a> of the CSS Syntax specification applies. [[CSS3-SYNTAX]]
+
+<div class=example>
+ <p>This could potentially be used to exploit bugs in the CSS parser in a user agent.
+</div>
+
+<p>There are no other known security or privacy impacts of the interfaces defined in this
+specification. However, other specifications that have APIs that use the interfaces defined in this
+specification could potentially introduce security or privacy issues.
+
+<div class=example>
+ <p>For example, the {{Element/getBoundingClientRect()}} API defined in CSSOM View returns a
+ {{DOMRect}} that could be used to measure the size of an inline element containing some text of a
+ particular font, which exposes information about whether the user has that font installed. That
+ information, if used to test many common fonts, can then be personally-identifiable information.
+ [[CSSOM-VIEW]]
+</div>
+
+
 <h2 class="no-num" id="changes">Changes since last publication</h2>
 
 <p>The following changes were made since the <a