- From: Mike West <mkwst@google.com>
- Date: Wed, 8 Feb 2017 09:53:01 +0100
- To: Wendy Seltzer <wseltzer@w3.org>, Jochen Eisinger <eisinger@google.com>, Emily Stark <estark@google.com>, Tanvi Vyas <tanvi@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Philippe Le Hegaret <plh@w3.org>
- Message-ID: <CAKXHy=fdj0z0RjJ3U1sPRgTSzHvFprGYEN472e3E7Otd0uAVMA@mail.gmail.com>

With the caveat that we have never, ever hit a target milestone date (and I think that's both normal and fine (and honestly don't think there's much value in putting dates on things in the first place :) )), here are some suggestions for the specs I'm most familiar with:

CSP3 => Q3 2017; There's not a ton of outstanding work here, but the things that are left are going to take some time to get interoperable implementation. I think we'll finish the spec in early Q2, and aim for interop in Q3.

CSP:EE => Q4/Q1; Spec should be solid in Q2, Chrome plans to ship an implementation around the same time. No one else has expressed interest, so I kinda expect this to stall at CR until we're more successful at gaining interest. (It's cool, really. Y'all should try it out!)

Mixed Content => Q2. We're basically done with this. Boris had some suggestions for clarifications on a separate thread ( https://github.com/w3c/resource-hints/issues/70#issuecomment-275686626, which I'm woefully behind on responding to), but I don't think the behavior will change. We have pretty solid interop, REC should be within reach, assuming the director doesn't renew his principled objections raised in the CR period.

Upgrade Insecure Requests => Q2. We're done with this. I think calling for PR ~now is a good idea.

Secure Contexts => Q2. Ditto.

Clear Site Data => Q4/Q1; Same as CSP:EE. Chrome's implementation is solidifying, spec is solidifying (GitHub is using it already), but I haven't heard anything from other folks recently. I expect it to stall at CR for a while. (This is also cool. Y'all should also try it out!)

Referrer Policy => Q2?. This hit CR, and we can/should ask to move to PR on the 26th. (Can we do a CfC now, ending on that date? CCing Jochen and Emily to get it on their calendars.)

Credential Management => Q4/Q1. Chrome is shipping this, and folks are iterating a bit on the details. WebKit has started an implementation, and I look forward to iterating a bit more on the details with their feedback. Depending on how that goes, CR in Q3 seems reasonable once we're sure the details are baked.

SRI2: Joel has, unfortunately, left Google, and I don't think his new role is going to allow him much time to work on this document. It's not clear to me if the other editors of SRI are planning to push forward on this, but my intuition is that it's not on anyone's roadmap for 2017.

Suborigins => Q1. Chrome is planning on shipping an experimental trial in the very near future, and the spec seems pretty solid. That said, Joel (again, unfortunately) left Google, and it's not clear whether he'll be as active on the spec as he'd like to be. It's also unclear if any other browser is as interested in it as we are, so I expect this to stall for a bit while we look for interop.

Site-Wide Policy => Q2 2018. I suspect that this is going to take some time to get right, but folks on the Chrome team are pretty interested.

We could also add "Something Something Isolation" that Emily, Tanvi, et al are working through. It seems more like a 2018 thing to me than a 2017 thing, but I'll let them weigh in on that. (CCing Emily and Tanvi to weigh in)

-mike

On Tue, Feb 7, 2017 at 11:13 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi WebAppSec,
>
> Philippe raised some questions about the milestones for deliverables
> listed in the revised charter. The timing is quite optimistic -- can
> chairs and editors take a look at the specs and timelines to propose
> realistic milestones?
>
> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html#deliverables
>
> Thanks!
> --Wendy
>
> -------- Forwarded Message --------
> Subject: Review for the WebAppSec WG Recharter
> Date: Tue, 7 Feb 2017 15:59:32 -0500
> From: Philippe Le Hégaret <plh@w3.org>
>
> Looking at
> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html
>
> ----
>
> Overall, the charter is way too ambitious or way too optimistic in terms
> of milestones. As written, the Group is planning to release 13
> Recommendations in 2017. If that is really the case, they would reach a
> record!
>
> * Several milestones are "Q1 2017" and aren't yet Proposed
> Recommendations. I have serious doubt those milestones can be achieved
> at this point: Mixed Content, Upgrade Insecure Requests, Secure
> Contexts, Referrer Policy.
> * Several milestones are "Q2 2017" and aren't yet Candidate
> Recommendations: CSP3, CSP: Embedded Enforcement, Clear Site Data,
> Credential Management API. Are we sure the Group can achieve CR for
> those by the end of April?
> * Suborigins isn't a FPWD yet and still the Group believes they can ship
> to REC within 11 months. It's possible but ambitious.
> * Site-Wide Policy is still discussed in WICG and already appears in the
> charter?
>
> I believe we should push back on those milestones and ask them to
> provide more realistic ones. I don't think we should associate
> milestones to deliverables that are still under discussion within WICG.
> I also don't think all of the deliverables are such high on their lists
> that they all need to have milestones btw.

Received on Wednesday, 8 February 2017 08:53:54 UTC