Re: Security Review request: HTML 5.2

Hi Léonie,

Apologies for the very late response; I reviewed the changes related to the
Referrer Policy integration in https://github.com/w3c/html/pull/954/files
and they all look good to me (there's little risk on the HTML side and
Referrer Policy itself is obviously security/privacy positive).

Cheers,
-Artur

On Wed, Jul 5, 2017 at 3:42 PM, Léonie Watson <tink@tink.uk> wrote:

> Artur,
>
> We've just merged some changes into HTML5.2 relating to Referrer Policy
> [1]. I wonder if I could trouble you for a little more of your time to look
> through these changes from a security point of view?
>
> Léonie.
> [1] https://github.com/w3c/html/pull/954#event-1150804822
>
> On 09/06/2017 22:47, Artur Janc wrote:
>
>> Hey folks,
>>
>> I spent a bit of time this week reviewing the changes for 5.2 and put
>> together some notes in [1].
>>
>> The changes since 5.1 are generally low risk, with many dealing with
>> non-security aspects of the spec, such as adding attributes or making other
>> minor changes in element behavior, or -- even better -- removing obsolete
>> features. Of the more interesting changes, I took a closer look at a dozen
>> or so of those which seemed more likely to have a security impact.
>>
>> In general, I didn't find anything particularly problematic; there are a
>> few opportunities for clarifying the text around some security-relevant
>> features and I filed a couple of minor issues (#951, #952, and
>> webappsec-secure-contexts/#49).
>>
>> I was also happy to see several security-positive hardening changes such
>> as treating data: as separate origin [2], restricting navigation of sandbox
>> frames [3], and various integrations with CSP.
>>
>> As a meta-note, one thing that struck me as a reviewer without much
>> background with the spec is that there is a fairly wide variety when it
>> comes to Security sections for individual features. In some cases, the
>> security discussion is extensive [4], but in others important security
>> checks seem to be defined without much explanation. Similarly, some commits
>> introduce potentially security-sensitive changes without any relevant
>> discussion in the GitHub issue. I assume this is not a surprise to anyone
>> here, but perhaps this is something that could be improved in the future.
>>
>> Good luck getting to CR!
>>
>> Cheers,
>> -Artur
>>
>> [1] https://docs.google.com/document/d/1y0Jqe7I9w9VTzOGabeSIowQYqdTA0TSCn3ePQBnZe_0/edit
>> [2] https://github.com/w3c/html/commit/1f582bb098666f82b53e0a338d5709a320088ac9
>> [3] https://github.com/w3c/html/commit/54a634c3bbe37f216b9b6ff232381aacc7e82772
>> [4] https://www.w3.org/TR/html52/single-page.html#security-and-privacy
>>
>>
>> On Fri, Jun 2, 2017 at 12:40 PM, Léonie Watson <tink@tink.uk> wrote:
>>
>>     + public-html@w3.org
>>
>>     Thank you all for helping with this.
>>
>>     Would it be possible for the review to be completed next week? We
>>     had originally put the 5.2 spec out for wide review by 26th May,
>>     with a view to being in CR (Candidate Recommendation) by 20th June
>>     [1]. That meant freezing the spec today so we could go to the WG to
>>     ask for their consent to make the transition.
>>
>>     We want a security review, but we also want to minimise the impact
>>     to our timeline. Even if the review is completed next week, we're
>>     still looking at a two week delay (plus any time needed to respond
>>     to any issues you might file).
>>
>>     Anything you can do to help us would be greatly appreciated.
>>
>>     Thanks
>>     Léonie
>>     -- @LeonieWatson tink.uk Carpe diem
>>
>>
> --
> @LeonieWatson @tink@toot.cafe tink.uk Carpe diem
>

Received on Wednesday, 30 August 2017 12:34:22 UTC