Re: Security Review request: HTML 5.2

Hey folks,

I spent a bit of time this week reviewing the changes for 5.2 and put
together some notes in [1].

The changes since 5.1 are generally low risk, with many dealing with
non-security aspects of the spec, such as adding attributes or making other
minor changes in element behavior, or -- even better -- removing obsolete
features. Of the more interesting changes, I took a closer look at a dozen
or so of those which seemed more likely to have a security impact.

In general, I didn't find anything particularly problematic; there are a
few opportunities for clarifying the text around some security-relevant
features and I filed a couple of minor issues (#951, #952, and
webappsec-secure-contexts/#49).

I was also happy to see several security-positive hardening changes such as
treating data: as separate origin [2], restricting navigation of sandbox
frames [3], and various integrations with CSP.

As a meta-note, one thing that struck me as a reviewer without much
background with the spec is that there is a fairly wide variety when it
comes to Security sections for individual features. In some cases, the
security discussion is extensive [4], but in others important security
checks seem to be defined without much explanation. Similarly, some commits
introduce potentially security-sensitive changes without any relevant
discussion in the GitHub issue. I assume this is not a surprise to anyone
here, but perhaps this is something that could be improved in the future.

Good luck getting to CR!

Cheers,
-Artur

[1] https://docs.google.com/document/d/1y0Jqe7I9w9VTzOGabeSIowQYqdTA0TSCn3ePQBnZe_0/edit
[2] https://github.com/w3c/html/commit/1f582bb098666f82b53e0a338d5709a320088ac9
[3] https://github.com/w3c/html/commit/54a634c3bbe37f216b9b6ff232381aacc7e82772
[4] https://www.w3.org/TR/html52/single-page.html#security-and-privacy


On Fri, Jun 2, 2017 at 12:40 PM, Léonie Watson <tink@tink.uk> wrote:

> + public-html@w3.org
>
> Thank you all for helping with this.
>
> Would it be possible for the review to be completed next week? We had
> originally put the 5.2 spec out for wide review by 26th May, with a view to
> being in CR (Candidate Recommendation) by 20th June [1]. That meant
> freezing the spec today so we could go to the WG to ask for their consent
> to make the transition.
>
> We want a security review, but we also want to minimise the impact to our
> timeline. Even if the review is completed next week, we're still looking at
> a two week delay (plus any time needed to respond to any issues you might
> file).
>
> Anything you can do to help us would be greatly appreciated.
>
> Thanks
> Léonie
> --
> @LeonieWatson tink.uk Carpe diem

Received on Friday, 9 June 2017 21:48:35 UTC