Address review comments from the CR request. (#168)

darktears · web-flow · commit d1766c15cbe1 · 2024-11-20T08:52:38.000-05:00
Reference the privacy section from the security section. Add another threat vector in the privacy section. Fixes #167
diff --git a/index.html b/index.html
@@ -562,7 +562,8 @@ <h2>
       </h2>
       <p>
         No new security considerations have been reported on this
-        specification.
+        specification. However it is encouraged to look at the
+        potential [[[#privacy-considerations]]] listed in this document.
       </p>
     </section>
     <section>
@@ -608,6 +609,18 @@ <h4>
           as mentioned in [[[#identifying-users-across-contexts]]]. The same
           mitigations apply.
         </p>
+        <h4>
+          Malicious script injection (for advertising or exploitation)
+        </h4>
+        <p>
+          Through iframes, a malicious actor could inject its own code to
+          access the posture information and potentially use it to track users.
+        </p>
+        <p>
+          This theoretical attack is mitigated by [[[#data-minimization]]]
+          as well as the fact that the posture value itself carry little
+          valuable information and stays stable for long period of time.
+        </p>
       </section>
       <section>
         <h3>
