Horizontal Review preparation #652

Open
5 tasks
wseltzer opened this issue Sep 16, 2024 · 22 comments

@wseltzer
Collaborator

Per the W3C Process, we are required to get horizontal review: Accessibility, Architecture, Internationalization, Privacy, and Security. W3C Guidance: How to Get Horizontal Review.

This issue is meant to help us track overall progress.

Accessibility

Architecture

Internationalization

Privacy

Security

@wseltzer
Collaborator Author

For each review area, I suggest the group find an internal champion to work with the relevant questionnaires and github issues to coordinate with the horizontal review group.

@wseltzer added the "agenda+" (Regular CG meeting agenda items) label Sep 16, 2024

@wseltzer
Collaborator Author

Thanks for volunteering!

@hlflanagan
Contributor

The i18n review request has been submitted. Results will be posted here: w3c/i18n-request#246

@philsmart
Contributor

@npm1 and I are going to take a pass at the existing security and privacy questionnaire answers which I put into a Google Doc for easy editing: https://docs.google.com/document/d/1f-PUqW2uwxC4XQLtebhOixeRx3XShf5BzZ1ll3jLAOI/edit?usp=sharing

@philsmart
Contributor

@npm1 and I are now happy with the answers in that Google Docs. @wseltzer I guess the next steps are to check through the Security section of the spec, and then we can request a review on GitHub.

@philsmart
Contributor

I've not had a chance to look at the security review for 3 weeks. I will go back to coordinating #685 (or finalising that security section of the spec) with @npm1 .

@npm1
Collaborator

npm1 commented Jan 8, 2025

> I've not had a chance to look at the security review for 3 weeks. I will go back to coordinating #685 (or finalising that security section of the spec) with @npm1 .

Do you want to take a stab at sending a spec PR to do these changes and I can review it? Or should we do the other way around: I can send a spec PR and you can provide feedback.

@philsmart
Contributor

philsmart commented Jan 9, 2025

@npm1 I am happy to provide a PR that helps define the structure as suggested by @simoneonofri (which we can take from w3c/vibration#49) and adds a starter for the 'Credential Leakage' threat. But really it would need your expertise to define/finalise the content anyway, so maybe it is best for me to review your PR.

*But still happy to do some of the early work in a branch if you thought useful.

@npm1
Collaborator

npm1 commented Jan 16, 2025

Wrote #692 for security

@philsmart
Contributor

> Wrote #692 for security

Thank you. I will hopefully review by next Tuesday's FedID call.

@philsmart
Contributor

Thanks to @npm1, there has been significant progress on the Security Considerations of the specification, see #692. I would also like to thank @TallTed and @simoneonofri for their comments and suggestions for improvement. After addressing @simoneonofri's comments and merging the PR, we can proceed to a broader review.

@philsmart
Contributor

The changes to the Security Considerations section have been merged. I will go figure out the next steps.

@simoneonofri
Contributor

> The changes to the Security Considerations section have been merged. I will go figure out the next steps.

@philsmart next step is to compile this https://www.w3.org/TR/security-privacy-questionnaire/ and request the review via GitHub

@npm1
Collaborator

npm1 commented Feb 19, 2025

We already did that questionnaire https://github.com/w3c-fedid/FedCM/blob/main/privacy_questionnaire.md. It appears slightly updated though, shouldn't it have some indication about which questions are new?

@simoneonofri
Contributor

> We already did that questionnaire https://github.com/w3c-fedid/FedCM/blob/main/privacy_questionnaire.md. It appears slightly updated though, shouldn't it have some indication about which questions are new?

Good! I think at least the "15. Due to the new commits, does this specification have both "Security Considerations" and "Privacy Considerations" sections.

@philsmart
Contributor

philsmart commented Feb 25, 2025

@npm1 I've taken a look through the Google Docs version and updated the section/question titles (where appropriate) based on the latest Security And Privacy Questionnaire from the 12th of Feb 2025. There are 5 new questions, arguably an answer to one of the previous questions (18) works for 2 of them (18 and 19). These are highlighted in the document (and are listed below):

5. Does data exposed by your specification carry related but distinct information that may not be obvious to users?
18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document?
19. What happens when a document that uses your feature gets disconnected?
20. Does your spec define when and how new kinds of errors should be raised?
21. Does your feature allow sites to learn about the user’s use of assistive technology?

@npm1
Collaborator

npm1 commented Mar 12, 2025

Thanks Phil, I updated the doc. What's next?

@philsmart
Contributor

Many thanks. I think we are in a position to request a review. I'll go through that process tomorrow and let you know.

@wseltzer
Collaborator Author

Discussed in 11 March meeting.
Still looking for an internal champion to lead the accessibility self-review.

@philsmart
Contributor

philsmart commented Mar 14, 2025

Sorry, @npm1. I forgot that https://github.com/w3c-fedid/FedCM/blob/main/privacy_questionnaire.md needed updating. I've created a markdown gist from the Google docs so you can hopefully just cut and paste that in. (I did not create a PR as it is not my work). I'll delete the Gist when done.

I will request a review on Tuesday of next week.

npm1 added a commit that referenced this issue Mar 18, 2025
npm1 added a commit that referenced this issue Mar 18, 2025
@philsmart
Contributor

Thanks for updating @npm1, I've now requested a review: w3c/security-request#84.

@wseltzer
Collaborator Author

Discussed March 11. Thanks @kedruff for offering to help with a11y self-review!

@wseltzer removed the "agenda+" (Regular CG meeting agenda items) label Mar 21, 2025