Add security privacy section to the spec

majido · majido · commit e27634314501 · 2017-09-07T09:26:03.000-04:00
diff --git a/index.bs b/index.bs
@@ -57,7 +57,7 @@ Scroll chaining and boundary default actions {#scroll-chaining-and-boundary-defa
 
 A <dfn>scroll chain</dfn> is the order in which scrolling is propagated from one <a>scroll container</a> to another.
 
-<dfn>Scroll boundary</dfn> refers to when the scroll position of a <a>scroll container</a> reaches the edge of the <a>scrollport<a>. If a scroll container has no potential to scroll, because it does not <a>overflow</a> in the direction of the scroll, the element is always considered to be at the scroll boundary. 
+<dfn>Scroll boundary</dfn> refers to when the scroll position of a <a>scroll container</a> reaches the edge of the <a>scrollport<a>. If a scroll container has no potential to scroll, because it does not <a>overflow</a> in the direction of the scroll, the element is always considered to be at the scroll boundary.
 
 <dfn>Boundary default action</dfn> refers to the user-agent-defined <a>default action</a> performed when scrolling against the edge of the <a>scrollport</a>. A <a>boundary default action</a> is said to be <dfn>local</dfn>, for example overscroll, if it is performed on the <a>scroll container</a> without interacting with the page. Conversely, a <dfn>non-local boundary default action</dfn> will interact with the page such as scroll chaining or a navigation action.
 
@@ -105,7 +105,7 @@ Values have the following meanings:
 <dl dfn-for="scroll-boundary-behavior, scroll-boundary-behavior-x, scroll-boundary-behavior-y" dfn-type="value">
   <dt><dfn>contain</dfn>
   <dd>
-    This value indicates that the element must not perform <a>non-local boundary default actions</a>. The user agent must not perform scholl chaining to any ancestors along the <a>scroll chain</a> regardless of whether the scroll originated at this element or one of its descendants. This value must not modify the behavior of how <a>local boundary default actions</a> should behave, such as overscroll behavior and navigation guestures. 
+    This value indicates that the element must not perform <a>non-local boundary default actions</a>. The user agent must not perform scholl chaining to any ancestors along the <a>scroll chain</a> regardless of whether the scroll originated at this element or one of its descendants. This value must not modify the behavior of how <a>local boundary default actions</a> should behave, such as overscroll behavior and navigation guestures.
   <dt><dfn>none</dfn>
   <dd>
     This value implies the same behavior as <a>contain</a> and in addition this element must also not perform <a>local boundary default actions</a> such as showing any overscroll affordances or performing any navigation guestures.
@@ -117,3 +117,14 @@ Values have the following meanings:
 Note: In the case where a user agent does not implement scroll chaining and overscroll affordances, these values will have no side effects for a compliant implementation.
 
 Note: Programmatic scrolling is clamped and can not trigger any <a>boundary default actions</a>.
+
+
+Security and Privacy Considerations
+===================================
+There are no known security or privacy impacts of this feature. The feature may be used to prevent
+certain native UI features such as overscroll affordances and overscroll navigations (e.g., pull-
+to-refresh, swipe navigations). However, this does not expose any additional abilities beyond what
+is already possible in the platform e.g., by preventing the default action of the event that would
+cause a scroll.
+
+
diff --git a/index.html b/index.html
@@ -470,7 +470,7 @@
 		font-style: normal;
 	}
 	dt dfn code, code.idl {
-		font-size: normal;
+		font-size: medium;
 	}
 	dfn var {
 		font-style: normal;
@@ -1176,7 +1176,7 @@
 		}
 	}
 </style>
-  <meta content="Bikeshed version 5bd73bb15eb04ad9f7d1a57f012e9ee6eca5a765" name="generator">
+  <meta content="Bikeshed version 872fb1bbb75c7b4e192209b354c34f634da3ac0d" name="generator">
   <link href="https://wicg.github.io/scroll-boundary-behavior/" rel="canonical">
 <style>/* style-md-lists */
 
@@ -1366,11 +1366,13 @@
   <div class="head">
    <p data-fill-with="logo"></p>
    <h1 class="p-name no-ref" id="title">CSS Scroll Boundary Behavior Module Level 1</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Draft Community Group Report, <time class="dt-updated" datetime="2017-05-08">8 May 2017</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Draft Community Group Report, <time class="dt-updated" datetime="2017-09-07">7 September 2017</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
      <dd><a class="u-url" href="https://wicg.github.io/scroll-boundary-behavior/">https://wicg.github.io/scroll-boundary-behavior/</a>
+     <dt>Issue Tracking:
+     <dd><a href="https://github.com/majido/scroll-boundary-behavior/issues/">GitHub</a>
      <dt class="editor">Editor:
      <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:bgirard@fb.com">Benoit Girard</a> (<span class="p-org org">Facebook</span>)
     </dl>
@@ -1406,6 +1408,7 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
     <li><a href="#scroll-chaining-and-boundary-default-actions"><span class="secno">2</span> <span class="content">Scroll chaining and boundary default actions</span></a>
     <li><a href="#overview"><span class="secno">3</span> <span class="content">Overview</span></a>
     <li><a href="#scroll-boundary-behavior-properties"><span class="secno">4</span> <span class="content">Scroll Boundary Behavior Properties</span></a>
+    <li><a href="#security-and-privacy-considerations"><span class="secno">5</span> <span class="content">Security and Privacy Considerations</span></a>
     <li><a href="#conformance"><span class="secno"></span> <span class="content"> Conformance</span></a>
     <li>
      <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
@@ -1520,14 +1523,20 @@ <h2 class="heading settled" data-level="4" id="scroll-boundary-behavior-properti
    <p>Values have the following meanings:</p>
    <dl>
     <dt><dfn class="css" data-dfn-for="scroll-boundary-behavior, scroll-boundary-behavior-x, scroll-boundary-behavior-y" data-dfn-type="value" data-export="" id="valdef-scroll-boundary-behavior-contain">contain<a class="self-link" href="#valdef-scroll-boundary-behavior-contain"></a></dfn> 
-    <dd> This value indicates that the element must not perform <a data-link-type="dfn" href="#non-local-boundary-default-action" id="ref-for-non-local-boundary-default-action-1">non-local boundary default actions</a>. The user agent must not perform scholl chaining to any ancestors along the scroll chain regardless of whether the scroll originated at this element or one of its descendants. This value must not modify the behavior of how <a data-link-type="dfn" href="#local" id="ref-for-local-1">local boundary default actions</a> should behave, such as overscroll behavior and navigation guestures. 
+    <dd> This value indicates that the element must not perform <a data-link-type="dfn" href="#non-local-boundary-default-action" id="ref-for-non-local-boundary-default-action-1">non-local boundary default actions</a>. The user agent must not perform scholl chaining to any ancestors along the <a data-link-type="dfn" href="#scroll-chain" id="ref-for-scroll-chain-3">scroll chain</a> regardless of whether the scroll originated at this element or one of its descendants. This value must not modify the behavior of how <a data-link-type="dfn" href="#local" id="ref-for-local-1">local boundary default actions</a> should behave, such as overscroll behavior and navigation guestures. 
     <dt><dfn class="css" data-dfn-for="scroll-boundary-behavior, scroll-boundary-behavior-x, scroll-boundary-behavior-y" data-dfn-type="value" data-export="" id="valdef-scroll-boundary-behavior-none">none<a class="self-link" href="#valdef-scroll-boundary-behavior-none"></a></dfn> 
     <dd> This value implies the same behavior as <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-contain">contain</a> and in addition this element must also not perform <a data-link-type="dfn" href="#local" id="ref-for-local-2">local boundary default actions</a> such as showing any overscroll affordances or performing any navigation guestures. 
     <dt><dfn class="dfn-paneled css" data-dfn-for="scroll-boundary-behavior, scroll-boundary-behavior-x, scroll-boundary-behavior-y" data-dfn-type="value" data-export="" id="valdef-scroll-boundary-behavior-auto">auto</dfn> 
     <dd> This value indicates that the user agent should perform the usual <a data-link-type="dfn" href="#boundary-default-action" id="ref-for-boundary-default-action-4">boundary default action</a> with respect to both <a data-link-type="dfn" href="#scroll-chaining" id="ref-for-scroll-chaining-3">scroll chaining</a>, overscroll and navigation guestures. 
    </dl>
    <p class="note" role="note"><span>Note:</span> In the case where a user agent does not implement scroll chaining and overscroll affordances, these values will have no side effects for a compliant implementation.</p>
    <p class="note" role="note"><span>Note:</span> Programmatic scrolling is clamped and can not trigger any <a data-link-type="dfn" href="#boundary-default-action" id="ref-for-boundary-default-action-5">boundary default actions</a>.</p>
+   <h2 class="heading settled" data-level="5" id="security-and-privacy-considerations"><span class="secno">5. </span><span class="content">Security and Privacy Considerations</span><a class="self-link" href="#security-and-privacy-considerations"></a></h2>
+    There are no known security or privacy impacts of this feature. The feature may be used to prevent
+certain native UI features such as overscroll affordances and overscroll navigations (e.g., pull-
+to-refresh, swipe navigations). However, this does not expose any additional abilities beyond what
+is already possible in the platform e.g., by preventing the default action of the event that would
+cause a scroll. 
   </main>
   <div data-fill-with="conformance">
    <h2 class="no-ref no-num heading settled" id="conformance"><span class="content"> Conformance</span><a class="self-link" href="#conformance"></a></h2>
@@ -1739,18 +1748,18 @@ <h2 class="no-num no-ref heading settled" id="property-index"><span class="conte
       <th scope="col">Com­puted value
     <tbody>
      <tr>
-      <th scope="row"><a class="css" data-link-type="property" href="#propdef-scroll-boundary-behavior-x">scroll-boundary-behavior-x</a>
+      <th scope="row"><a class="css" data-link-type="property" href="#propdef-scroll-boundary-behavior">scroll-boundary-behavior</a>
       <td>contain | none | auto
       <td>auto
       <td>scroll container elements
       <td>no
-      <td>N/A
+      <td>n/a
       <td>visual
       <td>no
       <td>per grammar
       <td>see individual properties
      <tr>
-      <th scope="row"><a class="css" data-link-type="property" href="#propdef-scroll-boundary-behavior-y">scroll-boundary-behavior-y</a>
+      <th scope="row"><a class="css" data-link-type="property" href="#propdef-scroll-boundary-behavior-x">scroll-boundary-behavior-x</a>
       <td>contain | none | auto
       <td>auto
       <td>scroll container elements
@@ -1761,12 +1770,12 @@ <h2 class="no-num no-ref heading settled" id="property-index"><span class="conte
       <td>per grammar
       <td>see individual properties
      <tr>
-      <th scope="row"><a class="css" data-link-type="property" href="#propdef-scroll-boundary-behavior">scroll-boundary-behavior</a>
+      <th scope="row"><a class="css" data-link-type="property" href="#propdef-scroll-boundary-behavior-y">scroll-boundary-behavior-y</a>
       <td>contain | none | auto
       <td>auto
       <td>scroll container elements
       <td>no
-      <td>n/a
+      <td>N/A
       <td>visual
       <td>no
       <td>per grammar
@@ -1785,6 +1794,7 @@ <h2 class="no-num no-ref heading settled" id="property-index"><span class="conte
    <ul>
     <li><a href="#ref-for-scroll-chain-1">1. Introduction</a>
     <li><a href="#ref-for-scroll-chain-2">2. Scroll chaining and boundary default actions</a>
+    <li><a href="#ref-for-scroll-chain-3">4. Scroll Boundary Behavior Properties</a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="scroll-boundary">
diff --git a/security-privacy-questionare.md b/security-privacy-questionare.md
@@ -0,0 +1,40 @@
+## Summary
+
+Scroll Boundary Behavior introduces a new method to control over the behavior of a scroll container
+element when its scrollport reaches the boundary of its scroll box. It allows the content author to
+specify that a scroll container element must prevent scroll chaining and/or overscroll affordances.
+
+To our knowledge it poses no known security or privacy risks.
+
+## Questionnaire
+
+Source: https://www.w3.org/TR/security-privacy-questionnaire/
+
+
+|Question | Answer|
+|---------|-------|
+|3.1 Does this specification deal with personally-identifiable information?| NO |
+|3.2 Does this specification deal with high-value data?| NO |
+|3.3 Does this specification introduce new state for an origin that persists across browsing sessions?| NO |
+|3.4 Does this specification expose persistent, cross-origin state to the web?| NO |
+|3.5 Does this specification expose any other data to an origin that it doesn’t currently have access to?| NO |
+|3.6 Does this specification enable new script execution/loading mechanisms?| NO |
+|3.7 Does this specification allow an origin access to a user’s location?| NO |
+|3.8 Does this specification allow an origin access to sensors on a user’s device?| NO |
+|3.9 Does this specification allow an origin access to aspects of a user’s local computing environment?| NO |
+|3.10 Does this specification allow an origin access to other devices?| NO |
+|3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?| YES|
+|3.12 Does this specification expose temporary identifiers to the web?| NO |
+|3.13 Does this specification distinguish between behavior in first-party and third-party contexts?| NO |
+|3.14 How should this specification work in the context of a user agent’s "incognito" mode?| SAME|
+|3.15 Does this specification persist data to a user’s local device?| NO |
+|3.16 Does this specification have a "Security Considerations" and "Privacy Considerations" section?| YES |
+|3.17 Does this specification allow downgrading default security characteristics?| NO |
+
+## Additional Clarifications
+
+3.11 Does this specification allow an origin some measure of control over a user agent’s native UI?
+
+Yes. The feature may be used to prevent overscroll affordances and overscroll navigations (pull-to-refresh, swipe navigations).
+However this power is not new and may be achieve by prevent defaulting the event that causes the scroll to begin with.
+
