Address review comments from the CR request.

Reference the privacy section from the security section. Add another threat vector in the privacy section. Fixes #167
w3c · Nov 18, 2024 · 4df0e20 · 4df0e20
1 parent 8ab75b2
commit 4df0e20
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/index.html b/index.html
@@ -557,7 +557,8 @@ <h2>
       </h2>
       <p>
         No new security considerations have been reported on this
-        specification.
+        specification. However it is encouraged to look at the
+        potential [[[#privacy-considerations]]] listed in this document.
       </p>
     </section>
     <section>
@@ -603,6 +604,18 @@ <h4>
           as mentioned in [[[#identifying-users-across-contexts]]]. The same
           mitigations apply.
         </p>
+        <h4>
+          Malicious script injection (for advertising or exploitation)
+        </h4>
+        <p>
+          Through iframes, a malicious actor could inject its own code to
+          access the posture information and potentially use it to track users.
+        </p>
+        <p>
+          This theoretical attack is mitigated by [[[#data-minimization]]]
+          as well as the fact that the posture value itself carry little
+          valuable information and stays stable for long period of time.
+        </p>
       </section>
       <section>
         <h3>