Hello, WebAppSec!
We'll be having our fifth scheduled teleconference of the year on
Wednesday, May 16th at 9:00 PST, 12:00 EST, 18:00 CET, etc.
Dial-in details for the webex calls are posted member-only visible here:
https://www.w3.org/2011/webappsec/webex.html
Please join us on IRC and send "present+" for roll call: #webappsec on
irc.w3.org:6665 (https://irc.w3.org/?channels=webappsec)
TOPIC: Agenda Bashing
TOPIC: Minutes Approval
https://www.w3.org/2018/04/18-webappsec-minutes.html
TOPIC: News
* `SameSite` cookies shipping in Firefox 60, implemented in WebKit
<https://bugs.webkit.org/show_bug.cgi?id=159464> and in development in Edge
<https://developer.microsoft.com/en-us/microsoft-edge/platform/status/samesitecookies/?q=samesite>.
* WebAuthn moved to CR: shipping in Firefox 60, Chrome 67, and Edge 17.
Dropbox added support.
TOPIC: CSP
* Hashed attributes, inline attributes, and versioning followup.
* https://lists.w3.org/Archives/Public/public-webappsec/2018Apr/0017.html
* Explainer <https://docs.google.com/document/d/1_nYS4gWYO2Oh8rYDyPglXIKNsgCRVhmjHqWlTAHst7c/edit>
TOPIC: Cross-origin data leakage
* Threat modeling.
* `from-origin`: https://github.com/whatwg/fetch/issues/687
* `sec-site`: https://github.com/whatwg/fetch/issues/700 / `sec-metadata`:
https://github.com/mikewest/sec-metadata
-mike