w3c / input-events

Input Events
https://w3c.github.io/input-events/

TAG Review for InputEvent #55

Open chong-z opened 7 years ago

chong-z commented 7 years ago

Blink's shipping process requires a TAG review for the spec and it seems that InputEvent doesn't already have one. I'm not so sure about the process but 1. Should I go ahead and file a request, or 2. The spec author @johanneswilm should be the person to file the request?

johanneswilm commented 7 years ago

I can do it. But I think we need to make sure that there are no security/privacy issues [1]. I cannot see any, but maybe we need to wait for feedback on the mailing list?

Also, if you ship the Input Events spec, you will automatically be shipping the Static Ranges spec -- which I believe isn't in any W3C repository yet, so it cannot go through either FPWD or TAG Review. @garykac Maybe we should try to get this going as well?

[1] https://www.w3.org/TR/security-privacy-questionnaire/

johanneswilm commented 7 years ago

I've added a statement about absence of known security/privacy issues in a way that seems to be close to what the security/privacy guidelines require AND what the respec system accepts. We can change this once/if someone can think of a security issue with this.

This way, I think we should be able to ask for the tag review now, and in the unlikely case that someone can come up with something anyway, we may have to change the spec then.

chong-z commented 7 years ago

I've gone through the Security Privacy Questionnaire but cannot think of any substantial issues. The only possible one I could think of is the "Password Stealing Script", e.g. JS might inject 'beforeinput' to steal your password input.

However I don't think this is new as they can already do the same thing through keyboard events.

johanneswilm commented 7 years ago

I agree. I also thought of things like it could familiarize itself with your typing pattern and then recognize if you are typing on a different website, but also that is something they can do now. I don't think the addition of being able to react to input from the new Mac OS X superbar or other input that previously didn't trigger any events will make any difference to that. I will send in now and mention both of us as principal contacts.

siusin commented 7 years ago

We should ask for wide review from the TAG, the Security IG, the Privacy IG, the accessibility groups, the internationalization group... before we head to CR.

Once you guys think the spec is stable enough to ask for a review, please ping @chaals , @LJWatson or me. We will send requests to those groups :)

johanneswilm commented 7 years ago

Hey, @siusin, we sent it to the TAG and have made changes based on their first review. They may have more feedback. I also attended a meeting of the privacy IG and made the additions they asked for. Also the accessibility group has reviewed it.

So what's missing is the Security IG, I believe, unless @chaals has spoken to them already?

johanneswilm commented 7 years ago

also internationalization. Could we contact them, @siusin?

siusin commented 7 years ago

Awesome, @johanneswilm !

I'll send a call for review to the Security IG and i18n IG.