Spec needs to define interaction with the web platform

[pes10k]

This issue is part of the PING privacy review w3cping/privacy-request#65

This spec currently says "Implementers of this specification should capture and meet privacy and security requirements for their intended application". I expect this to account for implementations other than in Web browsers. However, simply saying "browsers should implement in a private way" is insufficient to understand the privacy implications of the proposal. To give some examples:

1. the spec allows for specifying fonts that should be used when formatting text. Is this done according to CSS font-matching rules? Are web-fonts available here? System fonts? All of these have different privacy implicationsSS
2. The spec describes how images should be painted / presented, but its not clear where these images come from. Are they delivered inline with the text being described? Can they be fetched by URL (and if so, using the fetch() API)? What is the origin of the context for the request for images (the URL of the HTML document? The URL defined by the xml:base instruction? No origin?). etc.
3. How does this text interact with other text APIs in the browser. Is it query-able / inspectable using DOM APIs? Is it affected by CSS instructions in the containing page? Similar questions about the images, etc.

In general, more detail is needed to understand how this functionally interacts with other Web functionality, to understand if this functionality aligns with existing Web privacy protections, or if it defines new privacy boundaries, etc. Since non-web/non-browser are anticipated (I believe) it would be fine to have a subsection describing "implementation in browsers" or similar, to define behavior in browsers (even if non-browser implementations have undefined privacy boundaries)

[palemieux]

@pes10k I would say that the specification is unlikely to ever be implemented by a user agent.

[pes10k]

I see @palemieux , thank you for the clarification. Could you provide (both in spec and here) more detail about where the spec is expected to be implemented. We need to understand more about the execution environment before we can review the privacy properties of the proposal.

[samuelweiler]

I think I would also find it helpful if the spec explained a bit more about how/where this code will run. Maybe add an introduction section, aiming at a very general (tech) audience. Explain where this fits in the ecosystem. (This might even be an intro to the answer you gave at https://github.com/w3c/imsc-hrm/issues/29#issuecomment-1021419846)

[npdoty]

Absolutely I think providing some context on what this specification is for would help external reviewers. Currently the abstract includes a single sentence of explanation referring to another spec. All other sentences are about what the Hypothetical Render Model is not.

I also couldn't understand from the Overview section. Do implementers of this spec render subtitle documents in a certain way? Or does an implementation just process an IMSC document and provide timing estimates or validation results?

[palemieux]

@samuelweiler @npdoty See #43

[palemieux]

@npdoty Can we close this in light of the recently added introduction?

[himorin]

hi, @pes10k @samuelweiler @npdoty . Could you kindly take some time to look into this issue, and close if you are fine with changes?

[pes10k]

@himorin thanks this is helpful. The changes you pointed to help address the concerns, in that I understand the text to say "this document doesn't does not define any behavior or any kind" (which i assume means its impossible to say whether an implementation "implements" the abstract model). If that understanding is correct, then my concerns are addressed, and please feel free to close this issue. Thanks!

[himorin]

@pes10k Thank you for reading and comment. I believe your understanding on overall processing model is correct.

Let me close this now.