- From: Giorgio Maone <giorgio@maone.net>
- Date: Thu, 25 Aug 2022 22:03:16 +0200
- To: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <1f2d3357-6c01-1a71-ba46-f2583432f120@maone.net>
Hi,
I can only attend remotely and I'm mainly interested in XSLeaks, Injection Stuff & Isolation.

Also, would it be possible / on topic for the XSLeaks / Isolation session inviting the Leakuidator+ researchers <https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri> (remotely) to hear about their mitigation proposals for standard bodies (in their paper they mention extending CORB to any cross-site navigation)?

Thanks
-- G

On 18/08/22 09:14, Daniel Veditz wrote:
> In the working group meeting earlier today we started a list of topics
> and issues that we could discuss at TPAC. Please contribute,
> especially if you will be attending! Once we have a more complete list
> we can winnow it down to the topics that will most benefit from
> face-to-face discussions. Our group is scheduled into three two-hour
> blocks for formal meetings, and in between those we'll have the
> opportunity to attend groups working on related topics like the
> Privacy CG, PATCG, and others.
>
> Please respond with any of
> * additional topics
> * letting us know which topics are most important to you
> * whether you're attending in person, remotely, or not at all
> * suggestions for improving the topic groupings
> * anything else that comes to mind...
>
>
> XSLeaks
>
> * cross-site leaks (XSLeaks) (Giorgio requests Europe-friendly time)
>
>
> Injection Stuff
>
> * related to XSLeaks: CSP directives that cause leaks (e.g. form-action)
> * related to the above: CSP as confinement; what's missing, what
>   could make this a robust defense?
> * CSP: webrtc controls
> * CSP: WASM source control rather than just on/off?
> * Updates on the deployments of injection defenses & isolation
>   features (CSP, TT, Fetch Metadata, COOP)
> * Sanitizer & Trusted Types
>
>
> ISOLATION
>
> * "Isolation by default"
> * site isolation
> * New features related to cross-origin isolation: COOP
>   restrict-properties, anonymous iframes, COEP credentialless.
> (Giorgio requests Europe-friendly time)
>
>
> Permissions
>
> * status of Permission Policy/Registry/API
> * Permissions Workshop
>
>
> Partitioning
>
> * storage partitioning (privacy/performance/security tradeoffs)
>   ** network state / cache partitioning designs/experiments
> * Can we finally kill^Wpartition :visited? kthx
>
>
> Ads and Stuff
>
> * Private Advertising work (in CGs, potential WG), security
>   considerations or features that belong here
>   ** fenced frames (wicg)
>   ** private ad attribution (PATCG)
>   ** privacy vs anti-fraud tradeoffs
> * Cookies (Improving Web Ads BG meets Tuesday morning in the same slot)
>
>
> Web Crypto stuff (now included in this WG's charter)
>
> * Curve25519 and Curve448
>   <https://wicg.github.io/webcrypto-secure-curves/>
> * Other more modern algorithms (OCB, Argon2, SHA-3, ...)
> * Feature detection (of those algorithms)?
> * Streaming
>
> (Daniel Huigens: I might be in Europe, not 100% sure yet whether I can
> attend in person)
>
>
> Process + WG + Other
>
> * spec issues that need decisions
> * Meeting times.
>
>
> New Stuff
>
> * arcsjs
>   <https://github.com/project-oak/arcsjs-chromium/tree/main/doc/explainer>
>   and the related WICG proposal
>   <https://github.com/WICG/proposals/issues/62>
> * Exposing "public static resource" metadata: whatwg/html#8143
>   <https://github.com/whatwg/html/issues/8143> (the role of CORP & TAO)
>
> (Small proposal: maybe merge XS-Leaks & Isolation sections? Similarly
> Partitioning could be under Ads + Stuff.)

-- 
Giorgio Maone
https://maone.net
Received on Thursday, 25 August 2022 20:03:32 UTC