The @w3ctag has been pushing for all specs it reviews to go through a self-assessment of their impact on security and privacy for Web users. The security & privacy questionnaire documents which questions spec authors need to consider w3.org/TR/security-privacy-q…
We're now debating additions/edits to the Security and Privacy Questionnaire, which should help spec authors/editors think through the implications of adding their new feature to the web platform.
Current draft:
w3.org/TR/security-privacy-q…
@w3ctag
1
e.g. Does the spec create new “fingerprinting” surface (i.e. ways to identify users across Web sites or across devices)?
Does the spec open ways to bypass the same-origin policy (which isolates user data from one site to another)?
Feb 1, 2018 · 2:07 PM UTC
1
For instance, the #WebRTC Working Group went through that exercise before going to Candidate Recommendation: github.com/w3c/webrtc-pc/iss… - this led to substantial additions to the WebRTC spec github.com/w3c/webrtc-pc/pul… with a detailed set of considerations w3.org/TR/webrtc/#privacy-an…
1
1
Self-assessment is rarely sufficient, but at least starting from the analysis of the people who know the technology the best hopefully helps others doing their own assessment.
1
That approach is now also being explored by @webi18n with w3.org/International/techniq… and by @w3c_wai with w3c.github.io/apa/fast/check…
1
2