- From: Artur Janc <aaj@google.com>
- Date: Fri, 9 Jun 2017 23:47:40 +0200
- To: Léonie Watson <tink@tink.uk>
- Cc: Michal Zalewski <lcamtuf@google.com>, Samuel Weiler <weiler@w3.org>, "public-html@w3.org" <public-html@w3.org>
- Message-ID: <CAPYVjqpTpGwxDrQEHnNWUhe7pPuOF7M2f6NmgR=mQK=cwG=ohg@mail.gmail.com>
Hey folks, I spent a bit of time this week reviewing the changes for 5.2 and put together some notes in [1]. The changes since 5.1 are generally low risk, with many dealing with non-security aspects of the spec, such as adding attributes or making other minor changes in element behavior, or -- even better -- removing obsolete features. Of the more interesting changes, I took a closer look at a dozen or so of those which seemed more likely to have a security impact. In general, I didn't find anything particularly problematic; there are a few opportunities for clarifying the text around some security-relevant features and I filed a couple of minor issues (#951, #952, and webappsec-secure-contexts/#49). I was also happy to see several security-positive hardening changes such as treating data: as separate origin [2], restricting navigation of sandbox frames [3], and various integrations with CSP. As a meta-note, one thing that struck me as a reviewer without much background with the spec is that there is a fairly wide variety when it comes to Security sections for individual features. In some cases, the security discussion is extensive [4], but in others important security checks seem to be defined without much explanation. Similarly, some commits introduce potentially security-sensitive changes without any relevant discussion in the Github issue. I assume this is not a surprise to anyone here, but perhaps this is something that could be improved in the future. Good luck getting to CR! Cheers, -Artur [1] https://docs.google.com/document/d/1y0Jqe7I9w9VTzOGabeSIowQYqdTA0TSCn3ePQBnZe_0/edit [2] https://github.com/w3c/html/commit/1f582bb098666f82b53e0a338d5709a320088ac9 [3] https://github.com/w3c/html/commit/54a634c3bbe37f216b9b6ff232381aacc7e82772 [4] https://www.w3.org/TR/html52/single-page.html#security-and-privacy On Fri, Jun 2, 2017 at 12:40 PM, Léonie Watson <tink@tink.uk> wrote: > + public-html@w3.org > > Thank you all for helping with this. > > Would it be possible for the review to be completed next week? We had > originally put the 5.2 spec out for wide review by 26th May, with a view to > being in CR (Candidate Recommendation) by 20th June [1]. That meant > freezing the spec today so we could go to the WG to ask for their consent > to make the transition. > > We want a security review, but we also want to minimise the impact to our > timeline. Even if the review is completed next week, we're still looking at > a two week delay (plus any time needed to respond to any issues you might > file). > > Anything you can do to help us would be greatly appreciated. > > Thanks > Léonie > -- > @LeonieWatson tink.uk Carpe diem
Received on Friday, 9 June 2017 21:48:35 UTC