From 7ae6844f7a19a7087d6f5b5d167a19aa58623e05 Mon Sep 17 00:00:00 2001 From: Chris Needham Date: Thu, 20 Jun 2024 14:51:59 +0100 Subject: [PATCH 1/6] Added TAG security and privacy questionnaire --- security-privacy-questionnaire.md | 148 ++++++++++++++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 security-privacy-questionnaire.md diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md new file mode 100644 index 0000000..0fffb55 --- /dev/null +++ b/security-privacy-questionnaire.md @@ -0,0 +1,148 @@ +# Encrypted Media Exensions v2 Self-Review Questionnaire: Security and Privacy + +Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 2024) + +## 2.1 What information does this feature expose, and for what purposes? + +**Handling hardware context reset:** Information about certain device state changes will be exposed indirectly to Web sites, e.g. session closed due to "hardware context reset", which could be caused by using setting the device to sleep/resume, or switching monitors. Sites will not be able to know the exact reason. This exposure is necessary for sites to provide the best user experience. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.2 Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? + +**Handling hardware context reset:** Yes. It only expose an enum summarizing the reason. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.3 Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? + +**Handling hardware context reset:** No such info is exposed. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.4 How do the features in your specification deal with sensitive information? + +**Handling hardware context reset:** No sensitive information. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.5 Do the features in your specification introduce state that persists across browsing sessions? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + + +## 2.6 Do the features in your specification expose information about the underlying platform to origins? + +**Handling hardware context reset:** Currently "hardware context reset" only happens on Windows. So the site could guess it's an Windows OS if it happens. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.7 Does this specification allow an origin to send data to the underlying platform? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.8 Do features in this specification enable access to device sensors? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.9 Do features in this specification enable new script execution/loading mechanisms? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.10 Do features in this specification allow an origin to access other devices? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.12 What temporary identifiers do the features in this specification create or expose to the web? + +**Handling hardware context reset:** No temporary identifiers. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.13 How does this specification distinguish between behavior in first-party and third-party contexts? + +**Handling hardware context reset:** Not distinguished. But EME usage in general is controlled by permission policy. https://w3c.github.io/encrypted-media/#permissions-policy-integration + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? + +**Handling hardware context reset:** No difference. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections? + +Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Privacy](https://w3c.github.io/encrypted-media/#privacy) sections. + +## 2.16 Do features in your specification enable origins to downgrade default security protections? + +**Handling hardware context reset:** No. + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.17 What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? + +**Handling hardware context reset:** TODO + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.18 What happens when a document that uses your feature gets disconnected? + +**Handling hardware context reset:** TODO + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.19 What should this questionnaire have asked? + +N/A From 950d10d4c1cf28e925639ff41b1c8dec9fb30298 Mon Sep 17 00:00:00 2001 From: Chris Needham Date: Thu, 8 Aug 2024 20:18:19 +0100 Subject: [PATCH 2/6] Update security and privacy questionnaire --- security-privacy-questionnaire.md | 59 +++++++++++++++---------------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 0fffb55..c44077b 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -12,7 +12,7 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 ## 2.2 Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? -**Handling hardware context reset:** Yes. It only expose an enum summarizing the reason. +**Handling hardware context reset:** Yes. It only exposes an enum summarizing the reason. **Querying encryption scheme support:** TODO @@ -20,100 +20,99 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 ## 2.3 Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? -**Handling hardware context reset:** No such info is exposed. +**Handling hardware context reset:** No such information is exposed. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No such information is exposed. -**HDCP policy detection:** TODO +**HDCP policy detection:** No such information is exposed. ## 2.4 How do the features in your specification deal with sensitive information? -**Handling hardware context reset:** No sensitive information. +**Handling hardware context reset:** The features do not deal with any sensitive information. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** The features do not deal with any sensitive information. -**HDCP policy detection:** TODO +**HDCP policy detection:** The features do not deal with any sensitive information. ## 2.5 Do the features in your specification introduce state that persists across browsing sessions? **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO - -**HDCP policy detection:** TODO +**Querying encryption scheme support:** No. +**HDCP policy detection:** No. ## 2.6 Do the features in your specification expose information about the underlying platform to origins? **Handling hardware context reset:** Currently "hardware context reset" only happens on Windows. So the site could guess it's an Windows OS if it happens. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** The `MediaKeySystemMediaCapability.encryptionScheme` attribute, returned from MediaKeySystemAccess.getConfiguration(), indicates the encryption scheme associated with the content type. This gives an indication of which encryption schemes the underlying platform supports. -**HDCP policy detection:** TODO +**HDCP policy detection:** The `MediaKeys.getStatusForPolicy()` method returns information about which HDCP policy versions the underlying platform supports. ## 2.7 Does this specification allow an origin to send data to the underlying platform? **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.8 Do features in this specification enable access to device sensors? **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.9 Do features in this specification enable new script execution/loading mechanisms? **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.10 Do features in this specification allow an origin to access other devices? **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI? **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.12 What temporary identifiers do the features in this specification create or expose to the web? **Handling hardware context reset:** No temporary identifiers. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No temporary identifiers. -**HDCP policy detection:** TODO +**HDCP policy detection:** No temporary identifiers. ## 2.13 How does this specification distinguish between behavior in first-party and third-party contexts? **Handling hardware context reset:** Not distinguished. But EME usage in general is controlled by permission policy. https://w3c.github.io/encrypted-media/#permissions-policy-integration -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** As above. -**HDCP policy detection:** TODO +**HDCP policy detection:** As above. ## 2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? **Handling hardware context reset:** No difference. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No difference. -**HDCP policy detection:** TODO +**HDCP policy detection:** No difference. ## 2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections? @@ -123,9 +122,9 @@ Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Pr **Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.17 What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? From e6f54deb2f8ed2c3dd79dfa95de04592b2403e50 Mon Sep 17 00:00:00 2001 From: Chris Needham Date: Fri, 9 Aug 2024 15:48:51 +0100 Subject: [PATCH 3/6] Add more detail to security and privacy questionnaire --- security-privacy-questionnaire.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index c44077b..7095e24 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -6,9 +6,9 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 **Handling hardware context reset:** Information about certain device state changes will be exposed indirectly to Web sites, e.g. session closed due to "hardware context reset", which could be caused by using setting the device to sleep/resume, or switching monitors. Sites will not be able to know the exact reason. This exposure is necessary for sites to provide the best user experience. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** The API exposes whether the implementation supports CENC or CBCS encryption, or both. These two encryption schemes are incompatible, so the API allows websites to make intelligent choices about what content to serve to which user agents. -**HDCP policy detection:** TODO +**HDCP policy detection:** The API exposes whether a HDCP version is supported by the implementation. This allows websites to know before fetching content if HDCP (and what version) can be enforced, which allows them, for example, to start pre-fetching high resolution content rather than starting at a low resolution or waiting for the license exchange. ## 2.2 Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? @@ -52,11 +52,13 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 ## 2.7 Does this specification allow an origin to send data to the underlying platform? -**Handling hardware context reset:** No. +EME allows an origin to send encrypted media to a platform-level content decryption module (CDM) for playback, as well as a browser-intermediated negotiation of license keys between the origin and the CDM. -**Querying encryption scheme support:** No. +**Handling hardware context reset:** No additional data beyond the above. -**HDCP policy detection:** No. +**Querying encryption scheme support:** No additional data beyond the above. + +**HDCP policy detection:** No additional data beyond the above. ## 2.8 Do features in this specification enable access to device sensors? From 5952bc0d1bc3619828accb51d886b0d68c963827 Mon Sep 17 00:00:00 2001 From: Chris Needham Date: Thu, 21 Aug 2025 10:46:45 +0100 Subject: [PATCH 4/6] Update to latest S&P questionnaire --- security-privacy-questionnaire.md | 56 ++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index 7095e24..d6bd437 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -1,6 +1,6 @@ # Encrypted Media Exensions v2 Self-Review Questionnaire: Security and Privacy -Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 2024) +Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 18 April 2025) ## 2.1 What information does this feature expose, and for what purposes? @@ -34,7 +34,15 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 **HDCP policy detection:** The features do not deal with any sensitive information. -## 2.5 Do the features in your specification introduce state that persists across browsing sessions? +## 2.5 Does data exposed by your specification carry related but distinct information that may not be obvious to users? + +**Handling hardware context reset:** TODO + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.6 Do the features in your specification introduce state that persists across browsing sessions? **Handling hardware context reset:** No. @@ -42,7 +50,7 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 **HDCP policy detection:** No. -## 2.6 Do the features in your specification expose information about the underlying platform to origins? +## 2.7 Do the features in your specification expose information about the underlying platform to origins? **Handling hardware context reset:** Currently "hardware context reset" only happens on Windows. So the site could guess it's an Windows OS if it happens. @@ -50,7 +58,7 @@ Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 24 May 202 **HDCP policy detection:** The `MediaKeys.getStatusForPolicy()` method returns information about which HDCP policy versions the underlying platform supports. -## 2.7 Does this specification allow an origin to send data to the underlying platform? +## 2.8 Does this specification allow an origin to send data to the underlying platform? EME allows an origin to send encrypted media to a platform-level content decryption module (CDM) for playback, as well as a browser-intermediated negotiation of license keys between the origin and the CDM. @@ -60,7 +68,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No additional data beyond the above. -## 2.8 Do features in this specification enable access to device sensors? +## 2.9 Do features in this specification enable access to device sensors? **Handling hardware context reset:** No. @@ -68,7 +76,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No. -## 2.9 Do features in this specification enable new script execution/loading mechanisms? +## 2.10 Do features in this specification enable new script execution/loading mechanisms? **Handling hardware context reset:** No. @@ -76,7 +84,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No. -## 2.10 Do features in this specification allow an origin to access other devices? +## 2.11 Do features in this specification allow an origin to access other devices? **Handling hardware context reset:** No. @@ -84,7 +92,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No. -## 2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI? +## 2.12 Do features in this specification allow an origin some measure of control over a user agent’s native UI? **Handling hardware context reset:** No. @@ -92,7 +100,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No. -## 2.12 What temporary identifiers do the features in this specification create or expose to the web? +## 2.13 What temporary identifiers do the features in this specification create or expose to the web? **Handling hardware context reset:** No temporary identifiers. @@ -100,7 +108,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No temporary identifiers. -## 2.13 How does this specification distinguish between behavior in first-party and third-party contexts? +## 2.14 How does this specification distinguish between behavior in first-party and third-party contexts? **Handling hardware context reset:** Not distinguished. But EME usage in general is controlled by permission policy. https://w3c.github.io/encrypted-media/#permissions-policy-integration @@ -108,7 +116,7 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** As above. -## 2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? +## 2.15 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? **Handling hardware context reset:** No difference. @@ -116,11 +124,11 @@ EME allows an origin to send encrypted media to a platform-level content decrypt **HDCP policy detection:** No difference. -## 2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections? +## 2.16 Does this specification have both "Security Considerations" and "Privacy Considerations" sections? Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Privacy](https://w3c.github.io/encrypted-media/#privacy) sections. -## 2.16 Do features in your specification enable origins to downgrade default security protections? +## 2.17 Do features in your specification enable origins to downgrade default security protections? **Handling hardware context reset:** No. @@ -128,7 +136,23 @@ Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Pr **HDCP policy detection:** No. -## 2.17 What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? +## 2.18 What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? + +**Handling hardware context reset:** TODO + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.19 What happens when a document that uses your feature gets disconnected? + +**Handling hardware context reset:** TODO + +**Querying encryption scheme support:** TODO + +**HDCP policy detection:** TODO + +## 2.20 Does your spec define when and how new kinds of errors should be raised? **Handling hardware context reset:** TODO @@ -136,7 +160,7 @@ Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Pr **HDCP policy detection:** TODO -## 2.18 What happens when a document that uses your feature gets disconnected? +## 2.21 Does your feature allow sites to learn about the user’s use of assistive technology? **Handling hardware context reset:** TODO @@ -144,6 +168,6 @@ Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Pr **HDCP policy detection:** TODO -## 2.19 What should this questionnaire have asked? +## 2.22 What should this questionnaire have asked? N/A From fb0495559c50bf53402a89baafb57d73596d020d Mon Sep 17 00:00:00 2001 From: Chris Needham Date: Thu, 21 Aug 2025 10:50:23 +0100 Subject: [PATCH 5/6] Update to link to S&P questionnaire --- security-privacy-questionnaire.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index d6bd437..f09a33b 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -1,6 +1,6 @@ # Encrypted Media Exensions v2 Self-Review Questionnaire: Security and Privacy -Questionnare: https://w3ctag.github.io/security-questionnaire/ (as at 18 April 2025) +Questionnare: https://www.w3.org/TR/2025/NOTE-security-privacy-questionnaire-20250418/ (from 18 April 2025) ## 2.1 What information does this feature expose, and for what purposes? From 7d0bdb26cea0c1ebbedcce2b14fdf0743fd44126 Mon Sep 17 00:00:00 2001 From: Chris Needham Date: Thu, 21 Aug 2025 15:17:17 +0100 Subject: [PATCH 6/6] Added info to S&P questionnaire --- security-privacy-questionnaire.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security-privacy-questionnaire.md b/security-privacy-questionnaire.md index f09a33b..362c125 100644 --- a/security-privacy-questionnaire.md +++ b/security-privacy-questionnaire.md @@ -162,11 +162,11 @@ Yes, see the [Security](https://w3c.github.io/encrypted-media/#security) and [Pr ## 2.21 Does your feature allow sites to learn about the user’s use of assistive technology? -**Handling hardware context reset:** TODO +**Handling hardware context reset:** No. -**Querying encryption scheme support:** TODO +**Querying encryption scheme support:** No. -**HDCP policy detection:** TODO +**HDCP policy detection:** No. ## 2.22 What should this questionnaire have asked?