Expand the security considerations section

index.html

@@ -3047,7 +3047,37 @@ <h3>Audio format preference</h3>
     <h2>Security Considerations</h2>
 
     <p>
-      The security considerations of [[ttml2]] apply.
+      The security considerations of [[ttml2]] apply,
+      since DAPT is a profile of [[ttml2]];
+      every conformant DAPT document is a TTML <a>document instance</a>.
+    </p>
+
+    <p>Notwithstanding the XML-related considerations of [[ttml2]],
+      <a>DAPT documents</a> are required by the mandatory
+      <a href="#extension-serialization"><code>#serialization</code></a>
+      extension feature to avoid 
+      declaring or referencing a Document Type Declaration and to avoid using
+      the [[xml]] entity expansion mechanism.
+      Therefore implementations can protect against
+      potential denial of service attacks or external content
+      injection associated with those features of XML by not
+      supporting them when parsing DAPT documents.      
+    </p>
+
+    <p>DAPT documents permit referencing of external audio resources,
+      also described as &quot;subresources&quot;.
+      One potential threat associated with such references is that
+      the origin might return a different audio resource to the one
+      intended at authoring time. No scheme is currently provided for
+      verifying the integrity of such subresources.
+      Content providers that cannot ensure that the
+      appropriate audio resources are served, for example if some
+      part of the chain is outside their control,
+      can consider adding subresource integrity metadata,
+      for example an attribute including a hash of the
+      intended subresource, and implementing a client-side
+      check to use this to verify that the received subresource
+      is the intended one.
     </p>
 
   </section>
@@ -4193,8 +4223,12 @@ <h3 id="extension-serialization">#serialization</h3>
           extension is
           an XML 1.0 [[xml]] document encoded using
           UTF-8 character encoding as specified in [[UNICODE]],
-          that contains no entity declarations and
-          no entity references other than to predefined entities.</p>
+          that contains no byte order mark (BOM),
+          no <a data-cite="xml#dt-doctype">Document Type Declaration</a>,
+          no <a data-cite="xml#dt-entdecl">Entity Declarations</a> and
+          no <a data-cite="xml#dt-entref">entity references</a> other than to
+          <a data-cite="xml#sec-predefined-ent">predefined entities</a>.
+        </p>
 
         <p>A <a>transformation processor</a> or a <a>presentation processor</a> supports
           the <code>#serialization</code> extension if