Questions from https://www.w3.org/TR/security-privacy-questionnaire/
2.1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
Just like the existing UI key events, EditContext exposes text that has been typed by the user. This data helps text input services to perform operations such as suggestions, IME compositions, VK shape-writing etc.
This is the same data that is exposed when an origin has a contenteditable="" DOM element or another type of editable field.
2.2. Is this specification exposing the minimum amount of information necessary to power the feature?
Yes.
2.3. How does this specification deal with personal information or personally-identifiable information or information derived thereof?
EditContext does not expose any PII. It works just like the UI key events.
EditContext does not provide any sensitive data.
2.5. Does this specification introduce new state for an origin that persists across browsing sessions?
No.
2.6. What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?
EditContext does not expose any data related to the underlying platform.
EditContext allows pages to provide coordinates at which text-input-related UI should be displayed. This offers a level of control similar to what an author can already achieve by positioning an input element in the page. No new data is exposed, only new APIs to communicate the coordinates in a more direct way.
No.
No.
No.
2.11. Does this specification allow an origin some measure of control over a user agent’s native UI?
It isn't the user agent's UI but platform-native UI (the candidate window shown during IME compositions) used for text input. EditContext provides coordinates at which text-input-related UI should be displayed. It offers a level of control similar to what an author can already achieve by positioning an input element in the page. No new behavior is exposed to authors for controlling UI, only new APIs to communicate the coordinates in a more direct way.
EditContext does not create any temporary identifiers.
2.13. How does this specification distinguish between behavior in first-party and third-party contexts?
Use of the EditContext is limited to the active document.
2.14. How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?
EditContext does not provide any information that would allow correlating a single user's activity across normal and private/incognito modes.
2.15. Does this specification have a "Security Considerations" and "Privacy Considerations" section?
No. A security or privacy section doesn't currently seem warranted given the answers above.
No.
EditContext cannot receive input in non-"fully active" documents. No explicit state change is needed for EditContext when a document becomes not "fully active".
N/A
No network activity is associated with EditContext usage.
No network activity is associated with EditContext usage.
Existing same-origin policy (SOP) restrictions prevent one realm from accessing an EditContext belonging to another realm with a different origin. No special considerations are needed.
Not applicable (no network requests are made by the EditContext).
Not applicable as no new information is being made available to authors. The purpose of the EditContext is to expose the functionality bundled into editable elements in a way that is decoupled from the HTML DOM view.