Address review comments from the CR request. (#168)

Reference the privacy section from the security section. Add another threat vector in the privacy section. Fixes #167
w3c · Nov 20, 2024 · d1766c1 · d1766c1
1 parent 255fe64
commit d1766c1
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/index.html b/index.html
@@ -562,7 +562,8 @@ <h2>
       </h2>
       <p>
         No new security considerations have been reported on this
-        specification.
+        specification. However it is encouraged to look at the
+        potential [[[#privacy-considerations]]] listed in this document.
       </p>
     </section>
     <section>
@@ -608,6 +609,18 @@ <h4>
           as mentioned in [[[#identifying-users-across-contexts]]]. The same
           mitigations apply.
         </p>
+        <h4>
+          Malicious script injection (for advertising or exploitation)
+        </h4>
+        <p>
+          Through iframes, a malicious actor could inject its own code to
+          access the posture information and potentially use it to track users.
+        </p>
+        <p>
+          This theoretical attack is mitigated by [[[#data-minimization]]]
+          as well as the fact that the posture value itself carry little
+          valuable information and stays stable for long period of time.
+        </p>
       </section>
       <section>
         <h3>