Explainer explainer should more strongly encourage authors to surface security and privacy considerations

[hober]

@dway123 wrote, in w3ctag/design-reviews#406 (comment)_

I originally opted to exclude longer discussions of security and privacy from the explainer and TAG process as the TAG explainer explainer, which while very helpful, did omit a Security and Privacy section, and was clear that this document should be “brief and easy”, but after similar repeated questions, will soon release a more fleshed out security/privacy considerations document.

I think we should update the explainer explainer to encourage authors to include this sort of content.

[lknik]

Should I propose something concise and simple (with an obligatory link to the all-time famous questionnaire)?

[jyasskin]

Other things to consider including in this update for security/privacy considerations:

• Include "abuse cases": the worst things a hostile actor could do with the proposed solution(s).
• After receiving a security review from anywhere, incorporate the results into the documented sec/priv considerations.
• It's better to describe attacks you don't know how to mitigate than to omit them. Omitting them just makes it look like you didn't think hard enough.

I'll try to draft something.

[martinthomson]

Another one: don't "sugar coat" problems.

Some problems are hard and need to be. The feature might still be justified despite those problems, but trying to hide or minimize a genuine issue only makes it harder to deal with in the long run.