Hey Artur, all,
 
09.06.2017, 23:49, "Artur Janc" <aaj@google.com>:
Hey folks,
 
I spent a bit of time this week reviewing the changes for 5.2 and put together some notes in [1].
 
Thank you for this review. I did an initial triage, and essentially I agree with your comments. Hopefully tonight, following our teleconf, we can assign people to do the work needed...
 
In particular, I have also noted that the security information is inconsistent - it would be helpful in the "main" security considerations section to provide pointers to all the security issues, even if only to note that specific-topic security issues are discussed in the relevant part of the spec.
 
cheers
 
Chaals
 
 
The changes since 5.1 are generally low risk, with many dealing with non-security aspects of the spec, such as adding attributes or making other minor changes in element behavior, or -- even better -- removing obsolete features. Of the more interesting changes, I took a closer look at a dozen or so of those which seemed more likely to have a security impact.
 
In general, I didn't find anything particularly problematic; there are a few opportunities for clarifying the text around some security-relevant features and I filed a couple of minor issues (#951, #952, and webappsec-secure-contexts/#49).  
 
I was also happy to see several security-positive hardening changes such as treating data: as separate origin [2], restricting navigation of sandbox frames [3], and various integrations with CSP.
 
As a meta-note, one thing that struck me as a reviewer without much background with the spec is that there is a fairly wide variety when it comes to Security sections for individual features. In some cases, the security discussion is extensive [4], but in others important security checks seem to be defined without much explanation. Similarly, some commits introduce potentially security-sensitive changes without any relevant discussion in the Github issue. I assume this is not a surprise to anyone here, but perhaps this is something that could be improved in the future.
 
Good luck getting to CR!
 
Cheers,
-Artur
 
[1] https://docs.google.com/document/d/1y0Jqe7I9w9VTzOGabeSIowQYqdTA0TSCn3ePQBnZe_0/edit
[2] https://github.com/w3c/html/commit/1f582bb098666f82b53e0a338d5709a320088ac9
[3] https://github.com/w3c/html/commit/54a634c3bbe37f216b9b6ff232381aacc7e82772
[4] https://www.w3.org/TR/html52/single-page.html#security-and-privacy
 
 
On Fri, Jun 2, 2017 at 12:40 PM, Léonie Watson <tink@tink.uk> wrote:
+ public-html@w3.org

Thank you all for helping with this.

Would it be possible for the review to be completed next week? We had originally put the 5.2 spec out for wide review by 26th May, with a view to being in CR (Candidate Recommendation) by 20th June [1]. That meant freezing the spec today so we could go to the WG to ask for their consent to make the transition.

We want a security review, but we also want to minimise the impact to our timeline. Even if the review is completed next week, we're still looking at a two week delay (plus any time needed to respond to any issues you might file).

Anything you can do to help us would be greatly appreciated.

Thanks
Léonie
--
@LeonieWatson tink.uk Carpe diem
 
 
-- 
Chaals is Charles McCathie Nevile
find more at http://yandex.com