- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Tue, 18 Jul 2023 18:40:05 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `[css-view-transitions-2] security/privacy considerations with cross-origin css`, and agreed to the following:

* `RESOLVED: Document security and privacy concerns into the spec, encourage more reviews.`

The full IRC log of that discussion:

<fantasai> noamr: This goes back to ? and raised bigger question
<fantasai> noamr: basically allows a third-party CSS to ? opt into transitions
<fantasai> noamr: if we add MQ that decides things based on incoming URLs, which not proposed yet, but it's cooking
<fantasai> noamr: it could allow the third-party CSS to know things about the incoming URL
<fantasai> noamr: and it was a general issue about how do we view third-party CSS in terms of security
<fantasai> noamr: it does seem it's not safe, but safety is not a boolean
<fantasai> noamr: I opened this issue to get some guidance on it
<fantasai> astearns: anyone with guidance to share?
<fantasai> khush: Fwiw we got a comment from security review which is that it's OK, since author is opting in to loading the third-party CSS
<fantasai> khush: already some amount of trust there
<fantasai> astearns: author of the page that you're navigating to is opting into loading third-party CSS by saying view transitions are OK?
<fantasai> khush: if opt-in is in CSS, and you're embedding a third-party stylesheet, could become an issue
<fantasai> khush: e.g. third-party transition could opt you into having transitions
<TabAtkins> I agree with the security person's comment - if we continue to respect existing Referer policy then what's left is fine
<astearns> fantasai: you probably have to trust a lot for a bunch of other things if you are loading third-party CSS
<fantasai> fantasai: e.g. third-party CSS can make you load fonts that you wouldn't otherwise load
<fantasai> noamr: allows third-party CSS to know things that they didn't know before
<TabAtkins> q+
<fantasai> khush: e.g. could load resources based on what page you were navigating from
<fantasai> khush: even if same-origin
<fantasai> khush: so I don't think you're going to learn new information
<fantasai> khush: Question was if you load third-party CSS, do you expose things that the third party wouldn't have been able to know.
<astearns> ack TabAtkins
<fantasai> TabAtkins: I agree with the security comment, as long as we respect existing referrer policy and don't expose to the new page
<fantasai> TabAtkins: then what's left is fine
<fantasai> TabAtkins: if you're allowing something that allows running @rules from third-party, already allowing them to p0wn your page
<TabAtkins> astearns: we should document this in the Security section of VT spec
<fantasai> astearns: I think proposed resolution is to document security/privacy concerns and continue getting reviews
<fantasai> RESOLVED: Document security and privacy concerns into the spec, encourage more reviews.

--
GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8889#issuecomment-1640752547 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 18 July 2023 18:40:07 UTC