|
| 1 | +# OpaqueRange - Security and Privacy Review |
| 2 | + |
| 3 | +Answers to the [W3C Security and Privacy Self-Review Questionnaire](https://www.w3.org/TR/security-privacy-questionnaire/) for the [OpaqueRange](explainer.md) proposal. |
| 4 | + |
| 5 | +## 2.1. What information does this feature expose, and for what purposes? |
| 6 | +`OpaqueRange` exposes bounding rectangle geometry of text spans within `<textarea>` and text-supporting `<input>` elements via `getBoundingClientRect()` and `getClientRects()`. This enables popup positioning and custom highlights. Existing workarounds (e.g. cloning into a `<div>`) already approximate the same geometric data, so this doesn't expose new classes of information beyond existing layout/geometry APIs. |
| 7 | + |
| 8 | +## 2.2. Do features in your specification expose the minimum amount of information necessary to implement the intended functionality? |
| 9 | +Yes, only the minimum amount of information is exposed. `startContainer`/`endContainer` return `null`, no `toString()` is provided, and mutating methods are omitted. Only `getBoundingClientRect()`, `getClientRects()`, `startOffset`, `endOffset`, and `collapsed` are exposed. |
| 10 | + |
| 11 | +## 2.3. Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either? |
| 12 | +No. |
| 13 | + |
| 14 | +## 2.4. How do the features in your specification deal with sensitive information? |
| 15 | +`OpaqueRange` does not interact with or expose sensitive information. |
| 16 | + |
| 17 | +## 2.5. Does data exposed by your specification carry related but distinct information that may not be obvious to users? |
| 18 | +No. |
| 19 | + |
| 20 | +## 2.6. Do the features in your specification introduce state that persists across browsing sessions? |
| 21 | +No. |
| 22 | + |
| 23 | +## 2.7. Do the features in your specification expose information about the underlying platform to origins? |
| 24 | +No. |
| 25 | + |
| 26 | +## 2.8. Does this specification allow an origin to send data to the underlying platform? |
| 27 | +No. |
| 28 | + |
| 29 | +## 2.9. Do features in this specification enable access to device sensors? |
| 30 | +No. |
| 31 | + |
| 32 | +## 2.10. Do features in this specification enable new script execution/loading mechanisms? |
| 33 | +No. |
| 34 | + |
| 35 | +## 2.11. Do features in this specification allow an origin to access other devices? |
| 36 | +No. |
| 37 | + |
| 38 | +## 2.12. Do features in this specification allow an origin some measure of control over a user agent's native UI? |
| 39 | +No. |
| 40 | + |
| 41 | +## 2.13. What temporary identifiers do the features in this specification create or expose to the web? |
| 42 | +None. |
| 43 | + |
| 44 | +## 2.14. How does this specification distinguish between behavior in first-party and third-party contexts? |
| 45 | +No distinction. |
| 46 | + |
| 47 | +## 2.15. How do the features in this specification work in the context of a browser's Private Browsing or Incognito mode? |
| 48 | +No difference. |
| 49 | + |
| 50 | +## 2.16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? |
| 51 | +Yes. The [OpaqueRange explainer](explainer.md) includes [Privacy](explainer.md#privacy) and [Security](explainer.md#security) sections. No privacy or security concerns are expected. |
| 52 | + |
| 53 | +## 2.17. Do features in your specification enable origins to downgrade default security protections? |
| 54 | +No. |
| 55 | + |
| 56 | +## 2.18. What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document? |
| 57 | +`OpaqueRange` objects are tied to the document and are preserved along with it in BFCache, consistent with how DOM `Range` and `StaticRange` behave. |
| 58 | + |
| 59 | +## 2.19. What happens when a document that uses your feature gets disconnected? |
| 60 | +`OpaqueRange` objects remain valid and retain their offsets, consistent with how DOM `Range` behaves when a document is disconnected. |
| 61 | + |
| 62 | +## 2.20. Does your spec define when and how new kinds of errors should be raised? |
| 63 | +Yes. `createValueRange()` throws `"NotSupportedError"` for unsupported `<input>` types and `"IndexSizeError"` for out-of-bounds offsets. These follow existing DOM error patterns (e.g. for Range) and do not expose new information. |
| 64 | + |
| 65 | +## 2.21. Does your feature allow sites to learn about the user's use of assistive technology? |
| 66 | +No. |
| 67 | + |
| 68 | +## 2.22. What should this questionnaire have asked? |
| 69 | +N/A |
0 commit comments