- From: Léonie Watson <tink@tink.uk>
- Date: Wed, 5 Jul 2017 14:42:52 +0100
- To: Artur Janc <aaj@google.com>
- Cc: Michal Zalewski <lcamtuf@google.com>, Samuel Weiler <weiler@w3.org>, "public-html@w3.org" <public-html@w3.org>
Artur, We've just merged some changes into HTML5.2 relating to Referrer Policy [1]. I wonder if I could trouble you for a little more of your time to look through these changes from a security point of view? Léonie. [1] https://github.com/w3c/html/pull/954#event-1150804822 On 09/06/2017 22:47, Artur Janc wrote: > Hey folks, > > I spent a bit of time this week reviewing the changes for 5.2 and put > together some notes in [1]. > > The changes since 5.1 are generally low risk, with many dealing with > non-security aspects of the spec, such as adding attributes or making > other minor changes in element behavior, or -- even better -- removing > obsolete features. Of the more interesting changes, I took a closer look > at a dozen or so of those which seemed more likely to have a security > impact. > In general, I didn't find anything particularly problematic; there are a > few opportunities for clarifying the text around some security-relevant > features and I filed a couple of minor issues (#951, #952, and > webappsec-secure-contexts/#49). > I was also happy to see several security-positive hardening changes such > as treating data: as separate origin [2], restricting navigation of > sandbox frames [3], and various integrations with CSP. > As a meta-note, one thing that struck me as a reviewer without much > background with the spec is that there is a fairly wide variety when it > comes to Security sections for individual features. In some cases, the > security discussion is extensive [4], but in others important security > checks seem to be defined without much explanation. Similarly, some > commits introduce potentially security-sensitive changes without any > relevant discussion in the Github issue. I assume this is not a surprise > to anyone here, but perhaps this is something that could be improved in > the future. > Good luck getting to CR! > Cheers, > -Artur > > [1] > https://docs.google.com/document/d/1y0Jqe7I9w9VTzOGabeSIowQYqdTA0TSCn3ePQBnZe_0/edit > [2] > https://github.com/w3c/html/commit/1f582bb098666f82b53e0a338d5709a320088ac9 > [3] > https://github.com/w3c/html/commit/54a634c3bbe37f216b9b6ff232381aacc7e82772 > [4] https://www.w3.org/TR/html52/single-page.html#security-and-privacy > > > On Fri, Jun 2, 2017 at 12:40 PM, Léonie Watson <tink@tink.uk > <mailto:tink@tink.uk>> wrote: > > + public-html@w3.org <mailto:public-html@w3.org> > > Thank you all for helping with this. > > Would it be possible for the review to be completed next week? We > had originally put the 5.2 spec out for wide review by 26th May, > with a view to being in CR (Candidate Recommendation) by 20th June > [1]. That meant freezing the spec today so we could go to the WG to > ask for their consent to make the transition. > > We want a security review, but we also want to minimise the impact > to our timeline. Even if the review is completed next week, we're > still looking at a two week delay (plus any time needed to respond > to any issues you might file). > > Anything you can do to help us would be greatly appreciated. > > Thanks > Léonie > -- > @LeonieWatson tink.uk <http://tink.uk> Carpe diem > -- @LeonieWatson @tink@toot.cafe tink.uk Carpe diem
Received on Wednesday, 5 July 2017 13:43:27 UTC