W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2017

Re: Review for the WebAppSec WG Recharter -- update milestones

From: Mike West <mkwst@google.com>
Date: Wed, 8 Feb 2017 09:53:01 +0100
Message-ID: <CAKXHy=fdj0z0RjJ3U1sPRgTSzHvFprGYEN472e3E7Otd0uAVMA@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>, Jochen Eisinger <eisinger@google.com>, Emily Stark <estark@google.com>, Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Philippe Le Hegaret <plh@w3.org>
With the caveat that we have never, ever hit a target milestone date (and I
think that's both normal and fine (and honestly don't think there's much
value in putting dates on things in the first place :) )), here are some
suggestions for the specs I'm most familiar with:

CSP3 => Q3 2017; There's not a ton of outstanding work here, but the things
that are left are going to take some time to get interoperable
implementation. I think we'll finish the spec in early Q2, and aim for
interop in Q3.

CSP:EE => Q4/Q1; Spec should be solid in Q2, Chrome plans to ship an
implementation around the same time. No one else has expressed interest, so
I kinda expect this to stall at CR until we're more successful at gaining
interest. (It's cool, really. Y'all should try it out!)

Mixed Content => Q2. We're basically done with this. Boris had some
suggestions for clarifications on a separate thread (
which I'm woefully behind on responding to), but I don't think the behavior
will change. We have pretty solid interop, REC should be within reach,
assuming the director doesn't renew his principled objections raised in the
CR period.

Upgrade Insecure Requests => Q2. We're done with this. I think calling for
PR ~now is a good idea.

Secure Contexts => Q2. Ditto.

Clear Site Data => Q4/Q1; Same as CSP:EE. Chrome's implementation is
solidifying, spec is solidifying (GitHub is using it already), but I
haven't heard anything from other folks recently. I expect it to stall at
CR for a while. (This is also cool. Y'all should also try it out!)

Referrer Policy => Q2?. This hit CR, and we can/should ask to move to PR on
the 26th. (Can we do a CfC now, ending on that date? CCing Jochen and Emily
to get it on their calendars.)

Credential Management => Q4/Q1. Chrome is shipping this, and folks are
iterating a bit on the details. WebKit has started an implementation, and I
look forward to iterating a bit more on the details with their feedback.
Depending on how that goes, CR in Q3 seems reasonable once we're sure the
details are baked.

SRI2: Joel has, unfortunately, left Google, and I don't think his new role
is going to allow him much time to work on this document. It's not clear to
me if the other editors of SRI are planning to push forward on this, but my
intuition is that it's not on anyone's roadmap for 2017.

Suborigins => Q1. Chrome is planning on shipping an experimental trial in
the very near future, and the spec seems pretty solid. That said, Joel
(again, unfortunately) left Google, and it's not clear whether he'll be as
active on the spec as he'd like to be. It's also unclear if any other
browser is as interested in it as we are, so I expect this to stall for a
bit while we look for interop.

Site-Wide Policy => Q2 2018. I suspect that this is going to take some time
to get right, but folks on the Chrome team are pretty interested.

We could also add "Something Something Isolation" that Emily, Tanvi, et al
are working through. It seems more like a 2018 thing to me than a 2017
thing, but I'll let them weigh in on that. (CCing Emily and Tanvi to weigh


On Tue, Feb 7, 2017 at 11:13 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi WebAppSec,
> Philippe raised some questions about the milestones for deliverables
> listed in the revised charter. The timing is quite optimistic -- can
> chairs and editors take a look at the specs and timelines to propose
> realistic milestones?
> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html#
> deliverables
> Thanks!
> --Wendy
> -------- Forwarded Message --------
> Subject: Review for the WebAppSec WG Recharter
> Date: Tue, 7 Feb 2017 15:59:32 -0500
> From: Philippe Le H├ęgaret <plh@w3.org>
> Looking at
>  https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html
> ----
> Overall, the charter is way too ambitious or way too optimistic in terms
> of milestones. As written, the Group is planning to release 13
> Recommendations in 2017. If that is really the case, they would reach a
> record!
> * Several milestones are "Q1 2017" and aren't yet Proposed
> Recommendations. I have serious doubt those milestones can be achieved
> at this point: Mixed Content, Upgrade Insecure Requests, Secure
> Contexts, Referrer Policy.
> * Several milestones are "Q2 2017" and aren't yet Candidate
> Recommendations: CSP3, CSP: Embedded Enforcement, Clear Site Data,
> Credential Management API. Are we sure the Group can achieve CR for
> those by the end of April?
> * Suborigins isn't a FPWD yet and still the Group believes they can ship
> to REC within 11 months. It's possible but ambitious.
> * Side-Wide Policy is still discussed in WICG and already appears in the
> charter?
> I believe we should push back on those milestones and ask them to
> provide more realistic ones. I don't think we should associate
> milestones to deliverables that are still under discussion within WICG.
> I also don't think all of the deliverables are such high on their lists
> that they all need to have milestones btw.
Received on Wednesday, 8 February 2017 08:53:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:59 UTC