Security & Privacy Questionnaire: Mention Permissions Policy integration (#135)

Raphael Kubo da Costa · web-flow · commit e778bf8885d8 · 2024-01-31T10:39:41.000+01:00
Follow-up to #126. Rewrite the answer to question 2.13, "How does this specification distinguish between behavior in first-party and third-party contexts?" by mentioning that the integration with the Permissions Policy specification does cause this spec to distinguish between first-party and third-party context.
diff --git a/security-privacy-self-assessment.md b/security-privacy-self-assessment.md
@@ -61,7 +61,13 @@ None.
 
 ### 2.13 How does this specification distinguish between behavior in first-party and third-party contexts?
 
-It does not.
+The Permissions Policy integration controls whether third-party contexts are able to receive the events defined by this specification:
+
+- The "deviceorientation" event requires the "accelerometer" and "gyroscope" features when providing relative orientation data. For the implementation to fall back to absolute orientation data, the "magnetometer" feature is also required.
+- The "deviceorientationabsolute" event requires the "accelerometer", "gyroscope" and "magnetometer" features.
+- The "devicemotion" event requires the "accelerometer" and "gyroscope" features.
+
+The default allowlist for all policy-controlled features defined by this specification ("accelerometer", "gyroscope", and "magnetometer") is `"self"`, which does not allow third-party contexts to receive the events above and have access to the corresponding sensor readings.
 
 ### 2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
 
@@ -81,4 +87,4 @@ Events are fired on active windows only.
 
 ### 2.18 What should this questionnaire have asked?
 
-That's all. Thank you for your review.
+That's all. Thank you for your review.
