mathml-core 2024-03-01 > 2024-04-01

[bkardell]

• name of spec to be reviewed: mathml-core

• URL of spec: https://www.w3.org/TR/2023/WD-mathml-core-20231127/

• Does your document have an in-line Security Considerations section, ideally one separate from the Privacy Considerations? If not, corrrect that before proceeding further.

  • Yes

• What and when is your next expected transition?

  • We'd like to move to CR soon, March ideally.

• What has changed since any previous review?

  • Previously this had a TAG review while it wasn't yet even properly in a working group. MathML has a tricky history where MathML 3 was REC for many years, but was underspecified, not well integrated (similar to SVG at one point), lacking implementations, and indeed contained much that was not implemented in any browser at all. MathML-Core was an effort led by a CG (the WG was defunct) to create a new specification subset which would focus on browsers. Since then the WG has been rechartered, we have done minor but important spec changes, added more tests, an implementation has shipped in chromium, and some alignments have already started to ship in other browsers.

• Please point to the results of your own self-review (see https://w3ctag.github.io/security-questionnaire/)

  • contained in our TAG Review under the heading "Security Questionnaire..."

• Where and how to file issues arising?

  • The mathml-core repo issue tracker, please.

• Pointer to any explainer for the spec?

  • If helpful https://github.com/w3c/mathml-core/blob/main/docs/explainer.md

Other comments:

• This is my first attempt at navigating wide review requests as a chair, apologies in advance. If (very probably) I've failed somewhere, please help me to do better 🙏

[bkardell]

We're way way past this date, I don't recall any issues or reply. I know we're working with people on the Sanitizer API but I can't think of anything new I can add to this issue, should we assume there is no comment?

[simoneonofri]

Hi @bkardell, thank you for the reminder.

I have read the documentation, and there are no particular comments.

First of all, FYI, we are developing a generic Threat Model for the file format:

• PLS: Parsing/Loading/Serializing
• CD: Compression/Decompression
• EEC: Embed Executable Code (e.g., scripts)
• LER: Links and external resources
• MM: Metadata manipulation
• DI: Data Integrity

I think the various threats are covered, can you think of anything?

There could be some minor improvements:

1. From the Security Considerations, I can see that some of these threats present in MathML3 have been mitigated in MathML Core. Adding a note for the Sanitizer API or, in any case, a general note for those who develop third-party filters/regex might be useful.
2. I was also reading in the explainer about the issue of fingerprinting via OpenType parameters. Is this an element that still persists? Or is it an assumption related to the Web Platform?
3. If there is time before going to the CR, then consider reorganizing the section with Assumptions, Threats, and Mitigations (available in case) Improving: Does this specification have both "Security Considerations" and "Privacy Considerations" sections? security-questionnaire#181 for example how are in FedCM