- From: Ian Clelland <iclelland@google.com>
- Date: Wed, 31 Aug 2022 22:57:19 -0400
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAK_TSXK7mU300QsFyjfuRihd2rrbZgvB+Ou-AhbrhLc5Qqjkuw@mail.gmail.com>
Re: Permissions + Permissions Policy -- I'd definitely like to discuss and hopefully resolve a couple of long standing issues:

#208: How do I disable everything?
<https://github.com/w3c/webappsec-permissions-policy/issues/208>
#401: Permissions Policy JS API
<https://github.com/w3c/webappsec-permissions-policy/issues/401>

And a couple of new ones that I think could benefit from WG discussion:

#479: Client Hint delegation to multiple subdomains
<https://github.com/w3c/webappsec-permissions-policy/issues/479>
#480: Denying self while still allowing subframes
<https://github.com/w3c/webappsec-permissions-policy/issues/480>

On Thu, Aug 18, 2022 at 3:16 AM Daniel Veditz <dveditz@mozilla.com> wrote:

> In the working group meeting earlier today we started a list of topics and
> issues that we could discuss at TPAC. Please contribute, especially if you
> will be attending! Once we have a more complete list we can winnow it down
> to the topics that will most benefit from face-to-face discussions. Our
> group is scheduled into three two-hour blocks for formal meetings, and in
> between those we'll have the opportunity to attend groups working on
> related topics like the Privacy CG, PATCG, and others.
>
> Please respond with any of
> * additional topics
> * letting us know which topics are most important to you
> * whether you're attending in person, remotely, or not at all
> * suggestions for improving the topic groupings
> * anything else that comes to mind...
>
> XSLeaks
>
> - cross-site leaks (XSLeaks) (Giorgio requests Europe-friendly time)
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#injection-stuff>
> Injection Stuff
>
> - related to XSLeaks: CSP directives that cause leaks (e.g. form-action)
> - related to the above: CSP as confinement; what's missing, what could
>   make this a robust defense?
> - CSP: webrtc controls
> - CSP: WASM source control rather than just on/off?
> - Updates on the deployments of injection defenses & isolation
>   features (CSP, TT, Fetch Metadata, COOP)
> - Sanitizer & Trusted Types
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#isolation>
> ISOLATION
>
> - "Isolation by default"
> - site isolation
> - New features related to cross-origin isolation: COOP
>   restrict-properties, anonymous iframes, COEP credentialless. (Giorgio
>   requests Europe-friendly time)
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#permissions>
> Permissions
>
> - status of Permission Policy/Registry/API
> - Permissions Workshop
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#partitioning>
> Partitioning
>
> - storage partitioning (privacy/performance/security tradeoffs)
>   ** network state / cache partitioning designs/experiments
> - Can we finally kill^Wpartition :visited? kthx
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#ads-and-stuff>
> Ads and Stuff
>
> - Private Advertising work (in CGs, potential WG), security
>   considerations or features that belong here
>   ** fenced frames (wicg)
>   ** private ad attribution (PATCG)
>   ** privacy vs anti-fraud tradeoffs
> - Cookies (Improving Web Ads BG meets Tuesday morning in the same slot)
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#web-crypto-stuff-now-included-in-this-wgs-charter>
> Web Crypto stuff (now included in this WG's charter)
>
> - Curve25519 and Curve448
>   <https://wicg.github.io/webcrypto-secure-curves/>
> - Other more modern algorithms (OCB, Argon2, SHA-3, ...)
> - Feature detection (of those algorithms)?
> - Streaming
>
> (Daniel Huigens: I might be in Europe, not 100% sure yet whether I can
> attend in person)
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#process--wg--other>
> Process + WG + Other
>
> - spec issues that need decisions
> - Meeting times.
>
> <https://github.com/w3c/webappsec/blob/main/meetings/2022/2022-08-17-minutes.md#new-stuff>
> New Stuff
>
> - arcsjs
>   <https://github.com/project-oak/arcsjs-chromium/tree/main/doc/explainer>
>   and the related WICG proposal
>   <https://github.com/WICG/proposals/issues/62>
> - Exposing "public static resource" metadata: whatwg/html#8143
>   <https://github.com/whatwg/html/issues/8143> (the role of CORP & TAO)
>
> (Small proposal: maybe merge XS-Leaks & Isolation sections? Similarly
> Partitioning could be under Ads + Stuff.)

Received on Thursday, 1 September 2022 02:57:45 UTC