[css-link-params-1] Add priv/sec sections.

tabatkins · tabatkins · commit 216d4419638b · 2025-07-17T15:33:08.000-07:00
diff --git a/css-link-params-1/Overview.bs b/css-link-params-1/Overview.bs
@@ -282,3 +282,27 @@ accessible with the ''env()'' function in stylesheets.
 Note: When we define ''env(parent --color)'' to jump up a scope level,
 you won't need to do the rename;
 ''@env --color: env(parent --color);'' will work just fine.
+
+
+<h2 class="no-num no-ref" id=priv>
+Privacy Considerations</h2>
+
+This specification introduces no new privacy considerations.
+
+<h2 class="no-num no-ref" id=sec>
+Security Considerations</h2>
+
+This specification introduces a new way to pass information to a linked resource,
+potentially from a hostile source.
+
+While no explicit handshake is established for this channel,
+the use of ''env()'' to use the information
+minimizes the chance that the linked resource
+can be <em>surprised</em> by the information.
+The only way for the page to be vulnerable
+is to somehow be using an <em>unknown</em> ''env()'' in their styles,
+which will just result in invalid properties by default,
+and be visible in the developer's Dev Tools.
+
+Any hostile information can also only affect
+individual CSS properties that the resource explicitly opts itself into.
