Update Security and privacy considerations (#47)

anssiko · web-flow · commit d055733b8217 · 2024-10-28T13:37:53.000+02:00
Update "Request User Consent" considerations, add "Limit API Usage" considerations and suggested mitigations per W3C Security review feedback: w3c/security-request#71
diff --git a/index.html b/index.html
@@ -237,10 +237,15 @@ <h2>
         enable physical identification, and possibly tracking of the user.
       </p>
       <p>
-        For these reasons, the <a>user agent</a> SHOULD inform the user when
+        For these reasons, the <a>user agent</a> MAY inform the user when
         the API is being used and provide a mechanism to disable the API
         (effectively no-op), on a per-origin basis or globally.
       </p>
+      <p>
+        The <a>user agent</a> SHOULD employ global rate limiting to restrict
+        the number of vibration requests made within a certain period
+        (e.g., per minute or hour) to prevent excessive use.
+      </p>
     </section>
     <section class='informative'>
       <h2>
@@ -297,6 +302,7 @@ <h2>
         Changes since <a href="https://www.w3.org/TR/2016/REC-vibration-20161018/">W3C Recommendation 18 October 2016</a>:
       </p>
       <ul>
+        <li>Update Security and privacy considerations (<a href="https://github.com/w3c/vibration/pull/47/commits/7d644a2ffa518460fdbcdcd65cc9d4ffcb5e0e5e">7d644a2</a>, <a href="https://github.com/w3c/vibration/pull/47">#47</a>)</li>
         <li>Define "max length" and "max duration" normatively (<a href="https://github.com/w3c/vibration/pull/46/commits/23e6347c1cd19b50d9c356fefb6f1800330868f1">23e6347</a>, <a href="https://github.com/w3c/vibration/pull/46/commits/a3af007daf49001bb924a6d345e5dbc2a0c6d96f">a3af007</a>, <a href="https://github.com/w3c/vibration/pull/46">#46</a>)</li>
         <li>Require sticky activation to <a>perform vibration</a> to mitigate privacy concerns (<a href="https://github.com/w3c/vibration/pull/30/commits/41d039ece8a0cfb43ef7ec818dabf9156fc956d3">41d039e</a>, <a href="https://github.com/w3c/vibration/pull/30">#30</a>)</li>
         <li>Add <a>vibration pattern</a> definition for reuse in other specifications (<a href="https://github.com/w3c/vibration/pull/18/commits/b454da89ae954d4c5a6caa6c311441511349e639">b454da8</a>, <a href="https://github.com/w3c/vibration/pull/18">#18</a>)</li>
