Add 'Privacy and Security Considerations' section #207

Closed
54 of 59 tasks
SebastianZ opened this issue Jun 21, 2016 · 8 comments

@SebastianZ
Contributor

SebastianZ commented Jun 21, 2016

The following specifications are missing a section for privacy and security considerations:

Note that I didn't include WG Notes, CSS 2.1, CSS snapshots except the one from 2015, CSS Expressive Generalizations and Gadgetry 1 and the documents listed under 'Other Documents' at https://drafts.csswg.org/. If considered valuable, the section should be added there, too.

Side effect of is to make Bikeshed happy. 😃

Sebastian

@frivoal
Collaborator

frivoal commented Jun 21, 2016

speced/bikeshed#730

@frivoal
Collaborator

frivoal commented Jun 21, 2016

CSS-UI (3 & 4) solved thanks to the fix to speced/bikeshed#730

@frivoal
Collaborator

frivoal commented Jun 21, 2016

CSS-2015 probably should not have such a section. It is not a spec by itself, merely a reference of other specs. Should we add such a section with "nothing to see here" content, or can bikeshed grow a new flag of some kind to let it know that it doesn't need to warn? ( @tabatkins )

@frivoal
Collaborator

frivoal commented Oct 20, 2016

@tabatkins what are your thoughts about my previous comment?

@tabatkins tabatkins removed the ready label Jul 18, 2017
@ao5357
Contributor

ao5357 commented Feb 21, 2018

@tabatkins,

I figured it would be helpful to update the checklist, as well as to perhaps provide
additional information about Security and Privacy sections in CSS specs so far.

@tantek really hit the nail on the head with css-ui-3 and css-ui-4, imho. A good
security section should contain:

  • A statement of the section as informative rather than normative
  • Coverage of the questions from the questionnaire
  • Citation to the TAG security questionnaire appropriately (puts it in a draft context)
  • No indications that the section is an issue/todo, nor any verbiage like "Everything will be fine if you implement it correctly"

I'm a newbie to the spec-writing world, so my other opinion on the matter may be
incorrect, but... I also believe Tantek's placement of the section as an appendix
was ideal for the circumstance.

Following the table is a bikeshed partial for a section similar to the css-ui-3 one, albeit with
wording more boilerplate to accommodate the disparate specs. If the template is
acceptable to you [and the WG], I'd be happy to roll it into the specs that still
need it and tender a PR here.

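| Spec | Status | § header | "-ative" | "...correctly" | Questions | Linked TAG |
|---|---|---|---|---|---|---|
| CSS Animations 1 | N | | | | | |
| CSS Animations 2 | N | | | | | |
| CSS Backgrounds 3 | N | | | | | |
| CSS Backgrounds 4 | N | | | | | |
| CSS Box 3 | N | | | | | |
| CSS Fragmentation 3 | N | | | | | |
| CSS Cascading 3 | Y | (none) | N | N | N | N |
| CSS Cascading 4 | N | | | | | |
| CSS Color 3 | N | | | | | |
| CSS Color 4 | Y | 19 | N | N | N | N |
| CSS Generated Content 3 | N | | | | | |
| CSS Counter Styles 3 | Y | (none) | N | N | N | N |
| CSS Device Adaptation 1 | N | | | | | |
| CSS Display 3 | Y | 4 | N | N | N | N |
| CSS Exclusions 1 | N | | | | | |
| CSS Extensions 1 | N | | | | | |
| CSS Font Loading 3 | Y | (none) | N | N | N | N |
| CSS Fonts 3 | N | | | | | |
| CSS Fonts 4 | N | | | | | |
| CSS GCPM 3 | N | | | | | |
| CSS GCPM 4 | N | | | | | |
| CSS Images 4 | Y | 8 | N | N | N | N |
| CSS Inline Layout 3 | N | | | | | |
| CSS Line Grid 1 | N | | | | | |
| CSS Lists 3 | N | | | | | |
| CSS Logical Properties 1 | N | | | | | |
| CSS Multicol 1 | N | | | | | |
| CSS Multicol 2 | Y | (none) | N | N | N | N |
| CSS Namespaces 3 | N | | | | | |
| CSS Overflow 4 | Y | 8 | N | N | Y | Y |
| CSS Paged Media 3 | Y | (none) | N | N | N | N |
| CSS Paged Media 4 | N | | | | | |
| CSS Page Floats 3 | N | | | | | |
| CSS Pagination Templates 1 | N | | | | | |
| CSS Positioned Layout 3 | N | | | | | |
| CSS Regions 1 | N | | | | | |
| CSS Round Display 1 | Y | 9&10 | N | N | N | N |
| CSS Ruby 1 | N | | | | | |
| CSS Shapes 1 | N | | | | | |
| CSS Shapes 2 | N | | | | | |
| CSS Size Adjustment 1 | N | | | | | |
| CSS 2015 | N | | | | | |
| CSS Speech 1 | N | | | | | |
| CSS Style Attributes 1 | N | | | | | |
| CSS Template Layout 1 | N | | | | | |
| CSS Text 4 | N | | | | | |
| CSS Text Decoration 3 | N | | | | | |
| CSS Transforms 1 | N | | | | | |
| CSS Transforms 2 | Y | 19 | N | N | N | N |
| CSS Transitions 2 | N | | | | | |
| CSS User Interface 3 | Y | Appendix C | Y | N | Y | Y |
| CSS User Interface 4 | Y | Appendix C | Y | N | Y | Y |
| CSS Will Change 1 | N | | | | | |
| CSS Writing Modes 3 | Y | 10 | N | Y | N | N |
| CSS 2.1 | N | | | | | |
| CSSOM 1 | N | | | | | |
| CSSOM View Module 1 | N | | | | | |
| Media Queries 3 | N | | | | | |
| Selectors 3 | N | | | | | |
| Non-element Selectors 1 | N | | | | | |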

207--priv-sec.partial.bs

<h2 class="no-num" id="security-privacy">Appendix. Considerations for Security and Privacy</h2>

This appendix is <em>informative</em> rather than normative.

The W3C TAG is developing a
<a href="https://www.w3.org/TR/security-privacy-questionnaire/">Self-Review Questionnaire: Security and Privacy</a>
for editors of specifications to informatively answer.

Per the <a href="https://www.w3.org/TR/security-privacy-questionnaire/#questions">Questions to Consider</a>:

<ol>
  <li>
    Does this specification deal with personally-identifiable information?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification deal with high-value data?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification introduce new state for an origin that persists across browsing sessions?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification expose persistent, cross-origin state to the web?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification expose any other data to an origin that it doesn’t currently have access to?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification enable new script execution/loading mechanisms?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to a user’s location?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to sensors on a user’s device?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to aspects of a user’s local computing environment?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin access to other devices?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow an origin some measure of control over a user agent’s native UI?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification expose temporary identifiers to the web?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification distinguish between behavior in first-party and third-party contexts?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    How should this specification work in the context of a user agent’s "incognito" mode?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification persist data to a user’s local device?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification have a "Security Considerations" and "Privacy Considerations" section?
    <p><em>Pending editorial review</em></p>
  </li>
  <li>
    Does this specification allow downgrading default security characteristics?
    <p><em>Pending editorial review</em></p>
  </li>
</ol>

@ao5357
Contributor

ao5357 commented Feb 21, 2018

Related issues not previously referenced:

@svgeesus
Contributor

svgeesus commented Mar 5, 2024

So I fixed 21 of our specs with this commit and the remaining ones are mostly old specs that still use the .src format; as the preprocessor for that is ancient history and does not generate a publishable spec, the way forward for those is to edit the generated html, sadly.

@svgeesus
Contributor

svgeesus commented Mar 5, 2024

Remaining specs covered by 361add8

@svgeesus svgeesus closed this as completed Mar 5, 2024