security and privacy self review check list

[himorin]

• What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
  • This module extends WebXR Device API with AR feature. Three new attributes are exposed to Web sites, to tell how application provided pixel images are composed into real world image. There are wide variety types of AR devices, like camera to capture real world and screen to eye, transmission type display, and it is important for application to build their AR contents.
• Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
  • Yes
• How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
  • Rely on permission model of WebXR Device API
• How do the features in your specification deal with sensitive information?
  • Rely on permission model of WebXR Device API
• Do the features in your specification introduce new state for an origin that persists across browsing sessions?
  • no across sessions
• Do the features in your specification expose information about the underlying platform to origins?
  • no information to origin
• Does this specification allow an origin to send data to the underlying platform?
  • no, spec just exposes necessity information for application
• Do features in this specification enable access to device sensors?
  • spec may enable access to camera image as a part of View, but not an access to camera directly. Also permission model of WebXR Device API is applied.
• Do features in this specification enable new script execution/loading mechanisms?
  • no
• Do features in this specification allow an origin to access other devices?
  • no
• Do features in this specification allow an origin some measure of control over a user agent’s native UI?
  • no control
• What temporary identifiers do the features in this specification create or expose to the web?
  • no
• How does this specification distinguish between behavior in first-party and third-party contexts?
  • no third-party context
• How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
  • restrictions on information exposure are the same, following permission model of WebXR Device API
• Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
  • yes
• Do features in your specification enable origins to downgrade default security protections?
  • no downgrading
• How does your feature handle non-"fully active" documents?
  • no "fully active" document

3 Threat Models

[himorin]

@toji please cross check this.

[AdaRoseCannon]

Fantastic thanks so much @himorin and @toji !

[Manishearth]

+1

[toji]

LGTM, thanks for handling all of these! Especially when so much of it is simply "We rely on the base WebXR API to handle that."