w3cping / privacy-threat-model

A target privacy threat model for the Web
https://w3cping.github.io/privacy-threat-model
Apache License 2.0

Add a sensitive information threat model #12

Closed jyasskin closed 4 years ago

jyasskin commented 4 years ago

Does this look like a reasonable way to express the threat model for sensitive information? Attackers don't seem to have varying capabilities for this high-level threat, and their only goal is to get the piece of information. I think the variance and disagreement between user agents comes in the choice of how to infer user intent and the choice of what information is sensitive.


npdoty commented 4 years ago

Should the definitions of restricted/not restricted explain in more detail what that means and why they're restricted? Possible text:

This threat model defines a kind of information as restricted sensitive information if the web platform currently blocks access to it by default or if we plan to evolve the web platform to block access to it by default because of the potential privacy harms from disclosure of that kind of information.

Other information is described as "not restricted sensitive information" even if some users in some situations would find it sensitive. Information in this category may have a lower risk of privacy harm to users or may not currently be restricted because of incompatibility with functionality of the Web. These categories are not static and it may become feasible to block access by default to more kinds of information as the platform develops.

npdoty commented 4 years ago

Looks good to me; great that we've marked some of the open issues so that it'll be clear the ongoing work we'll need on this kind of threat.