Re: [whatwg/webidl] Consider adding an `[InjectionMitigated]` extended attribute. (Issue #1440)

I'd love to see a public UseCounter tracking the fraction of Chrome page loads and top sites (via HttpArchive crawls) which meet these criteria. We should totally be doing what we can to encourage that to grow. Like with [SecureContext], when it gets large enough to justify it as a credible best practice, then I would also support moving powerful APIs behind [InjectionMitigated]. I'm just skeptical that we're really anywhere near that today. E.g. for Digital Credentials, I'd worry that we'd mostly just drive people to the less secure approach of using [custom schemes](https://github.com/WICG/digital-credentials/blob/main/custom-schemes.md).

A likely good early partner might be Shopify, seems related to (but even harder than?) their [efforts for PCIv4 compliance](https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit). @yoavweiss 


https://github.com/whatwg/webidl/issues/1440#issuecomment-2398010252

Message ID: <whatwg/webidl/issues/1440/2398010252@github.com>

Received on Monday, 7 October 2024 22:11:01 UTC