Re: Review for the WebAppSec WG Recharter -- update milestones

From: Philippe Le Hégaret <plh@w3.org>
Date: Wed, 8 Feb 2017 10:31:28 -0500
To: Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, Jochen Eisinger <eisinger@google.com>, Emily Stark <estark@google.com>, Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <7258ee73-5156-955b-abc5-479e2d94b31c@w3.org>

On 2/8/2017 3:53 AM, Mike West wrote:
> With the caveat that we have never, ever hit a target milestone date
> (and I think that's both normal and fine (and honestly don't think
> there's much value in putting dates on things in the first place :) )),

We've been under pressure to make sure Working Groups are able to
deliver in a reasonable amount of time and in more predictable ways based
on priorities. I do realize that putting milestones on items when we
don't know the implementation schedules is difficult, however. Keep in
mind that this doesn't mean that every single spec must have a set of
milestones (more below).

> here are some suggestions for the specs I'm most familiar with:

That's very useful input. Thank you.

> CSP:EE => Q4/Q1; Spec should be solid in Q2, Chrome plans to ship an
> implementation around the same time. No one else has expressed interest,
> so I kinda expect this to stall at CR until we're more successful at
> gaining interest. (It's cool, really. Y'all should try it out!)
> Clear Site Data => Q4/Q1; Same as CSP:EE. Chrome's implementation is
> solidifying, spec is solidifying (GitHub is using it already), but I
> haven't heard anything from other folks recently. I expect it to stall
> at CR for a while. (This is also cool. Y'all should also try it out!)
> Suborigins => Q1. Chrome is planning on shipping an experimental trial
> in the very near future, and the spec seems pretty solid. That said,
> Joel (again, unfortunately) left Google, and it's not clear whether
> he'll be as active on the spec as he'd like to be. It's also unclear
> if any other browser is as interested in it as we are, so I expect
> this to stall for a bit while we look for interop.
> Site-Wide Policy => Q2 2018. I suspect that this is going to take some
> time to get right, but folks on the Chrome team are pretty
> interested.

My take for those is that, unless we think those items are high 
priorities, I'd rather not assign milestones to them. I would expect to 
get more information from other implementations before committing the Group.

Btw, on the Site-Wide Policy, I advise not listing it as a joint
deliverable. We do get pushback on those nowadays and, unless we feel 
strongly, I'd rather keep things simple. In addition, if WebPerf or IETF 
are interested in the subject, they can always provide input to the spec.

> Mixed Content => Q2. We're basically done with this. Boris had some
> suggestions for clarifications on a separate thread
> (https://github.com/w3c/resource-hints/issues/70#issuecomment-275686626,
> which I'm woefully behind on responding to), but I don't think the
> behavior will change. We have pretty solid interop, REC should be within
> reach, assuming the director doesn't renew his principled objections
> raised in the CR period.

A few of us on the team have been working on the Director's aspect, in
order to facilitate the transitions of the Working Groups. Still a work in
progress, however, but I understand that the ball is in our court to solve it.

> Upgrade Insecure Requests => Q2. We're done with this. I think calling
> for PR ~now is a good idea.
> Secure Contexts => Q2. Ditto.
> Referrer Policy => Q2?. This hit CR, and we can/should ask to move to PR
> on the 26th. (Can we do a CfC now, ending on that date? CCing Jochen and
> Emily to get it on their calendars.)
> Credential Management => Q4/Q1. Chrome is shipping this, and folks are
> iterating a bit on the details. WebKit has started an implementation,
> and I look forward to iterating a bit more on the details with their
> feedback. Depending on how that goes, CR in Q3 seems reasonable once
> we're sure the details are baked.
> SRI2: Joel has, unfortunately, left Google, and I don't think his new
> role is going to allow him much time to work on this document. It's not
> clear to me if the other editors of SRI are planning to push forward on
> this, but my intuition is that it's not on anyone's roadmap for 2017.


> We could also add "Something Something Isolation" that Emily, Tanvi, et
> al are working through. It seems more like a 2018 thing to me than a
> 2017 thing, but I'll let them weigh in on that. (CCing Emily and Tanvi
> to weigh in)

This sounds like incubation to me, to be honest.

