From 3325ab33452aac6c259b13c3a1c88a363f84dd1d Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 12 Nov 2024 09:17:15 +0000 Subject: [PATCH 1/3] Update presentation-timestamps.md to include security & privacy --- presentation-timestamps.md | 80 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/presentation-timestamps.md b/presentation-timestamps.md index c57ba92..20d24cc 100644 --- a/presentation-timestamps.md +++ b/presentation-timestamps.md 
@@ -46,3 +46,83 @@ This would keep compatibility with what's out there today, allowing progressive When exposing paint timings, we look for the right trade-off between "UX-precise" and "interoperable". By exposing those as two timestamps, and making one of them optional, we give web developers the information that can help them optimize, without compromising on interoperability. + +## Security & privacy self review + +See [Self-Review Questionnaire: Security and Privacy](https://w3ctag.github.io/security-questionnaire/) + +### 01. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary? + +It exposes timing information of a platform/OS operation, namely "VSync". + +#### 02. Do features in your specification expose the minimum amount of information necessary to enable their intended uses? + +Yes. + +#### 03. How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them? + +This feature does not deal with personal information. + +#### 04. How do the features in your specification deal with sensitive information? + +This feature does not deal with sensitive information. + +#### 05. Do the features in your specification introduce new state for an origin that persists across browsing sessions? + +No. This feature only applies to the current document. + +#### 06. Do the features in your specification expose information about the underlying platform to origins? + +To some extent, the timing of committing a frame is information about the underlying platform. +However, this information is already exposed in other ways (the `requestAnimationFrame` callback timestamp), +and in this specification it is over-coarsen to avoid exposing meaningful information in terms of security. + +#### 07. Does this specification allow an origin to send data to the underlying platform? + +No. + +#### 08. 
Do features in this specification allow an origin access to sensors on a user’s device? + +No. + +#### 09. What data do the features in this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts. + +Timing information only. + +#### 10. Do feautres in this specification enable new script execution/loading mechanisms? + +No. + +#### 11. Do features in this specification allow an origin to access other devices? + +No. + +#### 12. Do features in this specification allow an origin some measure of control over a user agent's native UI? + +None. + +#### 13. What temporary identifiers do the features in this specification create or expose to the web? + +None. + +#### 14. How does this specification distinguish between behavior in first-party and third-party contexts? + +Timing information receives extra coarsening in documents that are not cross-origin isolated. +Cross-origin isolation is more appropriate here than per-resource protections, as the same presentation timing is shared +across all the resources presented in the same frame, be it cross-origin or same-origin resources. + +#### 15. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode? + +The feature is unaffected by these modes. + +#### 16. Does this specification have both "Security Considerations" and "Privacy Considerations" sections? + +Yes. + +#### 17. Do features in your specification enable origins to downgrade default security protections? + +Yes, using cross-origin isolation. + +#### 18. What should this questionnaire have asked? + +The questionnaire asked for sufficient information. From 5eb6b1e2b634889d46f5295ad53af77217340266 Mon Sep 17 00:00:00 2001 From: Noam Rosenthal Date: Tue, 12 Nov 2024 14:55:33 +0000 Subject: [PATCH 2/3] Update presentation-timestamps.md --- presentation-timestamps.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/presentation-timestamps.md b/presentation-timestamps.md index 20d24cc..330e562 100644 --- a/presentation-timestamps.md +++ b/presentation-timestamps.md @@ -53,7 +53,8 @@ See [Self-Review Questionnaire: Security and Privacy](https://w3ctag.github.io/s ### 01. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary? -It exposes timing information of a platform/OS operation, namely "VSync". +It exposes timing information of a platform/OS operation, namely "VSync". This is already exposed to some extend by the `requestAnimationFrame` callback timestamp. +It is necessary in order to reflect to web developers the impact on user experience performance in practice, as other metrics offer approximations that lose too much information. #### 02. Do features in your specification expose the minimum amount of information necessary to enable their intended uses? @@ -73,9 +74,9 @@ No. This feature only applies to the current document. #### 06. Do the features in your specification expose information about the underlying platform to origins? -To some extent, the timing of committing a frame is information about the underlying platform. +To some extent, the timing of committing a frame is information about the underlying platform, like the refresh rate. However, this information is already exposed in other ways (the `requestAnimationFrame` callback timestamp), -and in this specification it is over-coarsen to avoid exposing meaningful information in terms of security. +and in this specification it is coarsened on top of the usual coarsening, to avoid exposing meaningful information in terms of security/fingerprinting. #### 07. Does this specification allow an origin to send data to the underlying platform? From 5f17e62a5a152f32e1bf107e8cf25b54db38156d Mon Sep 17 00:00:00 2001 
From: Noam Rosenthal Date: Tue, 12 Nov 2024 14:57:07 +0000 Subject: [PATCH 3/3] Update presentation-timestamps.md --- presentation-timestamps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/presentation-timestamps.md b/presentation-timestamps.md index 330e562..be7c57e 100644 --- a/presentation-timestamps.md +++ b/presentation-timestamps.md @@ -53,7 +53,7 @@ See [Self-Review Questionnaire: Security and Privacy](https://w3ctag.github.io/s ### 01. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary? -It exposes timing information of a platform/OS operation, namely "VSync". This is already exposed to some extend by the `requestAnimationFrame` callback timestamp. +It exposes timing information of a platform/OS operation, a coarse approximation of "VSync". This is already exposed to some extend by the `requestAnimationFrame` callback timestamp. It is necessary in order to reflect to web developers the impact on user experience performance in practice, as other metrics offer approximations that lose too much information. #### 02. Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
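Review bot: In PATCH 1/3, hunk `@@ -46,3 +46,83 @@`, the answer to Q17 ("Do features in your specification enable origins to downgrade default security protections? Yes, using cross-origin isolation.") has the direction backwards: per Q14 the finer timestamps are only available to documents that are cross-origin isolated, i.e. documents that have opted into stricter isolation, and every other document gets the extra coarsening. That is a conditional grant of extra precision, not a downgrade of a default protection, so the answer should be "No", with a sentence along the lines of "Finer-grained presentation timestamps are only exposed to cross-origin isolated documents; all other documents receive additional coarsening (see Q14)." Smaller points in the same hunk: Q01 uses a `###` heading while Q02 through Q18 use `####`; Q10 reads "feautres"; Q12 answers "None." to a yes/no question where "No." fits the rest of the list; and Q06 and Q14 both say the timestamp is coarsened without stating the granularity or linking to the Security Considerations section that Q16 says exists, so a reader of the self-review cannot check the claim.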
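Review bot: In PATCH 2/3, hunk `@@ -53,7 +53,8 @@`, the added justification "as other metrics offer approximations that lose too much information" names neither the metrics nor what is lost, so a questionnaire reviewer cannot judge whether the exposure is necessary. The explainer's own framing earlier in the file (the "UX-precise" versus "interoperable" paint timings) gives the concrete comparison; suggest saying which existing timestamps (e.g. the paint timings or the `requestAnimationFrame` callback timestamp already cited in the same sentence) approximate presentation time and in what way they fall short.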
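Review bot: In PATCH 2/3, hunk `@@ -73,9 +74,9 @@`, "coarsened on top of the usual coarsening, to avoid exposing meaningful information in terms of security/fingerprinting" still gives no granularity, and the reasoning is in tension with the preceding sentence: if the refresh rate is "already exposed in other ways (the `requestAnimationFrame` callback timestamp)", the extra coarsening does not reduce that fingerprinting surface, so the answer should state what the additional coarsening is actually meant to protect against. Suggest replacing the vague phrase with the actual coarsening step (the base timer clamp plus the additional clamp, in milliseconds, or a link to the section that defines them) and stating the threat it addresses, for example "the coarsening is intended to prevent using presentation timestamps as a high-resolution timer for cross-origin timing attacks; it does not hide the refresh rate, which `requestAnimationFrame` already reveals."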
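Review bot: In PATCH 3/3, hunk `@@ -53,7 +53,7 @@`, the rewritten line keeps the typo "to some extend" from PATCH 2/3; since this commit already edits that exact line, change it to "to some extent" here rather than in a follow-up. The "coarse approximation of "VSync"" wording is an improvement, but it would help to say in the same sentence what the approximation is coarse relative to (the coarsening described under Q06 and Q14), so that Q01 and Q06 tell the same story.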