W3C home > Mailing lists > Public > public-device-apis@w3.org > October 2017

Re: RfC: wide review of Sensor APIs Pre-CR WDs

From: Kostiainen, Anssi <anssi.kostiainen@intel.com>
Date: Mon, 23 Oct 2017 11:50:27 +0000
To: Jochen Eisinger <eisinger@google.com>, Dominique Hazael-Massieux <dom@w3.org>, Wendy Seltzer <wseltzer@w3.org>
CC: W3C Devices and Sensors WG <public-device-apis@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <77622F8B-18D1-4932-9E27-2288D9505807@intel.com>
[+W3C Team contacts Dom & Wendy to clarify wide review expectations.]

Hi Jochen,

> On 21 Oct 2017, at 10.11, Jochen Eisinger <eisinger@google.com> wrote:
> 
> Hi!
> 
> The WebAppSec WG doesn't review other WGs specs.

Is that the WebAppSec WG's official position?

I'm asking, since that's in conflict with the Document Review best practices (and advise I got from W3C Staff):

[[

Which group(s) should be asked to review a document?

All group charters should include information about the groups and external liaisons that are interested in particular documents. At a minimum, those groups should be included in all review request for their related document(s).

https://www.w3.org/wiki/DocumentReview#Who_to_ask_for_review.3F

]]

The Device and Sensors WG has WebAppSec WG as a dependency in its charter, since practically all of its specs depend on WebAppSec specs:

https://www.w3.org/2016/03/device-sensors-wg-charter.html#coordination

Device and Sensors WG's expectation was WebAppSec WG would be interested in reviewing the use of these dependencies as noted in the wide review request to WebAppSec WG:

[[

In particular the group requests review of the use of Permissions, Feature Policy, and Secure Contexts specifications.

]]

(Granted, the Feature Policy spec is still in WICG, but should still be of interest to this group. We reach out to WICG separately on that one.)

> Please reach out to the 
> https://www.w3.org/Security/wiki/IG

We reached out to the Security IG too as part of the wide review:

https://lists.w3.org/Archives/Public/public-web-security/2017Oct/0001.html

... and asked them to focus their review on security considerations in general.

(That said, we have observed the IG has not been very responsive recently and wide review requests have fallen through the cracks -- but that's an issue of its own.)

> and work with the browser vendors involved in your WG to have their respective security teams support you.

The Chrome Security team has been closely involved throughout the implementation of these specs, and the APIs in scope for this wide review have passed their scrutiny and are now shipping as an Origin Trial starting in Chrome 63 Beta.

Hopefully this clears up some confusion around expectations for wide review.

All that said, the Device and Sensors WG is welcoming any feedback from WebAppSec WG.

We're not asking you to do a full-blown review unless you really want to, all we want is get feedback on the use of Permissions and Secure Contexts (and as a bonus Feature Policy). My apologies, if the expected scope of the review was not clear enough in the wide review request.

Thanks,

-Anssi (Device and Sensors WG Chair)


> Best
> Jochen
> 
> Kostiainen, Anssi <anssi.kostiainen@intel.com> schrieb am Fr., 20. Okt. 2017, 10:28:
> Hi WebAppSec WG,
> 
> The Device and Sensors Working Group requests review of the following
> specification before 2017-12-31:
> 
>    Generic Sensor API
>    https://www.w3.org/TR/generic-sensor/
> 
> Including the following concrete sensor specifications that extend
> the Generic Sensor API:
> 
>    Ambient Light Sensor
>    https://www.w3.org/TR/ambient-light/
> 
>    Accelerometer
>    https://www.w3.org/TR/accelerometer/
> 
>    Gyroscope
>    https://www.w3.org/TR/gyroscope/
> 
>    Magnetometer
>    https://www.w3.org/TR/magnetometer/
> 
>    Orientation Sensor
>    https://www.w3.org/TR/orientation-sensor/
> 
> Informative background material (not in scope of the wide review):
> 
>    Motion Sensors Explainer
>    https://w3c.github.io/motion-sensors/
> 
>    Sensor Use Cases
>    https://w3c.github.io/sensors/usecases
> 
> In particular the group requests review of the use of Permissions,
> Feature Policy, and Secure Contexts specifications.
> 
> The group requests feedback via the respective specifications' GitHub
> repositories, or via email to public-device-apis@w3.org.
> 
> These publications are Pre-Candidate Recommendation Drafts under the
> 2017 Process [1]. Therefore, the group is looking for confirmation
> that it has satisfied its relevant technical requirements and
> dependencies with other groups.
> 
> Thanks,
> 
> -Anssi (Device and Sensors WG Chair)
> 
> [1] https://www.w3.org/wiki/DocumentReview
> 
Received on Monday, 23 October 2017 11:51:01 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC