blink-dev@ intent thread triage report

Emily Stark

Dec 22, 2016, 10:43:34 PM
to security-dev
Triaged 2016-12-19 -> 2016-12-25 (up through #962 in https://bit.ly/blinkintents):

block audible cross-origin autoplay: Requires user gesture for audible autoplay in cross-origin iframes. Already shipped for mobile. No concerns.

ongot/lostpointercaptures in GlobalEventHandlers: allows existing events to be listened to via on'event' attribute. No concerns.

BasicCardResponse.expiry{Month,Year} should be 2 digits: per the last comment in the thread, this intent might be no longer applicable? Regardless, no concerns outside of the compat risk.

Stop tainting canvases when drawing SVG with <foreignObject>: this change is consciously introducing a fingerprinting vector for the sake of interop and functionality. The fingerprinting vector (leaking information about the OS theme) seems acceptable given Chromium's stance on fingerprinting, but the risk of leaking other information e.g. visited links doesn't seem particularly well-understood, at least judging from the discussion on the bug. I left a comment on the thread.

ARIA 1.1: no concerns

Reporting API: I've previously reviewed this spec and filed several privacy-related issues at https://github.com/wicg/reporting/issues