[css-position-3] Add a Privacy and Security Considerations section.

Author: tabatkins

css-position-3/Overview.bs

@@ -1573,3 +1573,23 @@ Acknowledgments</h2>
 	<ul>
 		<li>Rewrote the whole spec for editorial clarity, technical precision, and compatibility with [[CSS-ALIGN-3]], [[CSS-WRITING-MODES-3]], [[CSS-BREAK-3]], and [[CSS-DISPLAY-3]].
 	</ul>
+
+<h2 class=no-num id=priv-sec>
+Privacy and Security Considerations</h2>
+
+This specification introduces no new privacy considerations.
+
+If an attacker is able to inject arbitrary CSS,
+positioned layout can make it easier to position elements the attacker has control of
+over arbitrary other elements of the page,
+potentially tricking users of the page.
+(There are many routes to this attack: negative 'margin', 'transform', etc.
+Don't let people apply arbitrary CSS to bits of your page.)
+
+''position: fixed'' can allow a page to emulate modal dialogs,
+potentially tricking a user into thinking they're interacting with the user agent
+and entering in sensitive information that they page can then capture.
+User agents must ensure that their native dialogs are positioned
+in ways that the page cannot emulate;
+in particular,
+that at least some of the dialog is outside the "poisoned pixels" that web content can paint to.