TPAC topics -- please contribute to this list

In the working group meeting earlier today we started a list of topics and
issues that we could discuss at TPAC. Please contribute, especially if you
will be attending! Once we have a more complete list we can winnow it down
to the topics that will most benefit from face-to-face discussions. Our
group is scheduled into three two-hour blocks for formal meetings, and in
between those we'll have the opportunity to attend groups working on
related topics like the Privacy CG, PATCG, and others.

Please respond with any of
* additional topics
* letting us know which topics are most important to you
* whether you're attending in person, remotely, or not at all
* suggestions for improving the topic groupings
* anything else that comes to mind...

XSLeaks

   - cross-site leaks (XSLeaks) (Giorgio requests Europe-friendly time)

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#injection-stuff>
Injection Stuff

   - related to XSLeaks: CSP directives that cause leaks (e.g. form-action)
   - related to the above: CSP as confinement; what's missing, what could
   make this a robust defense?
   - CSP: webrtc controls
   - CSP: WASM source control rather than just on/off?
   - Updates on the deployments of injection defenses & isolation features
   (CSP, TT, Fetch Metadata, COOP)
   - Sanitizer & Trusted Types

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#isolation>
ISOLATION

   - "Isolation by default"
   - site isolation
   - New features related to cross-origin isolation: COOP
   restrict-properties, anonymous iframes, COEP credentialless. (Giorgio
   requests Europe-friendly time)

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#permissions>
Permissions

   - status of Permission Policy/Registry/API
   - Permissions Workshop

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#partitioning>
Partitioning

   - storage partitioning (privacy/performance/security tradeoffs)
      - network state / cache partitioning designs/experiments
   - Can we finally kill^Wpartition :visited? kthx

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#ads-and-stuff>
Ads and Stuff

   - Private Advertising work (in CGs, potential WG), security
   considerations or features that belong here
      - fenced frames (wicg)
      - private ad attribution (PATCG)
      - privacy vs anti-fraud tradeoffs
   - Cookies (Improving Web Ads BG meets Tuesday morning in the same slot)

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#web-crypto-stuff-now-included-in-this-wgs-charter>
Web Crypto stuff (now included in this WG's charter)

   - Curve25519 and Curve448
   <https://wicg.github.io/webcrypto-secure-curves/>
   - Other more modern algorithms (OCB, Argon2, SHA-3, ...)
   - Feature detection (of those algorithms)?
   - Streaming

(Daniel Huigens: I might be in Europe, not 100% sure yet whether I can
attend in person)

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#process--wg--other>
Process + WG + Other

   - spec issues that need decisions
   - Meeting times.

<https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#new-stuff>
New Stuff

   - arcsjs
   <https://github.com/project-oak/arcsjs-chromium/tree/main/doc/explainer>
   and the related WICG proposal
   <https://github.com/WICG/proposals/issues/62>
   - Exposing "public static resource" metadata: whatwg/html#8143
   <https://github.com/whatwg/html/issues/8143> (the role of CORP & TAO)

(Small proposal: maybe merge XS-Leaks & Isolation sections? Similarly
Partitioning could be under Ads + Stuff.)

Received on Thursday, 18 August 2022 07:14:49 UTC