- From: Johann Hofmann <johannhof@chromium.org>
- Date: Wed, 31 Aug 2022 12:46:54 +0200
- To: Giorgio Maone <giorgio@maone.net>
- Cc: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAD_OO4gjgFAoGcsvXbumfqubKhgUp1D5HbMTC=LJbAxhfUD4sw@mail.gmail.com>
Hi folks,

I wanted to note that we'll also have a breakout session <https://www.w3.org/wiki/TPAC/2022/SessionIdeas#The_Future_of_Cookies> discussing recent and upcoming changes to cookies (SameSite, Partitioned/CHIPS, 3PC blocking) and how we can (better) specify the new behavior in web standards.

I should be able to attend some of the WebAppSec meeting slots so I'm always happy to chat about that + other privacy related topics (there's some natural overlap with Privacy CG so it might be a good opportunity to sync up).

Thanks!
Johann

On Thu, Aug 25, 2022 at 10:05 PM Giorgio Maone <giorgio@maone.net> wrote:

> Hi,
>
> I can only attend remotely and I'm mainly interested in XSLeaks, Injection Stuff & Isolation.
>
> Also, would it be possible / on topic for the XSLeaks / Isolation session inviting the Leakuidator+ researchers <https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri> (remotely) to hear about their mitigation proposals for standard bodies (in their paper they mention extending CORB to any cross-site navigation)?
>
> Thanks
> -- G
>
> On 18/08/22 09:14, Daniel Veditz wrote:
>
> In the working group meeting earlier today we started a list of topics and issues that we could discuss at TPAC. Please contribute, especially if you will be attending! Once we have a more complete list we can winnow it down to the topics that will most benefit from face-to-face discussions. Our group is scheduled into three two-hour blocks for formal meetings, and in between those we'll have the opportunity to attend groups working on related topics like the Privacy CG, PATCG, and others.
>
> Please respond with any of
> * additional topics
> * letting us know which topics are most important to you
> * whether you're attending in person, remotely, or not at all
> * suggestions for improving the topic groupings
> * anything else that comes to mind...
>
> XSLeaks
>
> - cross-site leaks (XSLeaks) (Giorgio requests Europe-friendly time)
>
> Injection Stuff
>
> - related to XSLeaks: CSP directives that cause leaks (e.g. form-action)
> - related to the above: CSP as confinement; what's missing, what could make this a robust defense?
> - CSP: webrtc controls
> - CSP: WASM source control rather than just on/off?
> - Updates on the deployments of injection defenses & isolation features (CSP, TT, Fetch Metadata, COOP)
> - Sanitizer & Trusted Types
>
> ISOLATION
>
> - "Isolation by default"
> - site isolation
> - New features related to cross-origin isolation: COOP restrict-properties, anonymous iframes, COEP credentialless. (Giorgio requests Europe-friendly time)
>
> Permissions
>
> - status of Permission Policy/Registry/API
> - Permissions Workshop
>
> Partitioning
>
> - storage partitioning (privacy/performance/security tradeoffs)
>   - network state / cache partitioning designs/experiments
> - Can we finally kill^Wpartition :visited? kthx
>
> Ads and Stuff
>
> - Private Advertising work (in CGs, potential WG), security considerations or features that belong here
>   - fenced frames (wicg)
>   - private ad attribution (PATCG)
>   - privacy vs anti-fraud tradeoffs
> - Cookies (Improving Web Ads BG meets Tuesday morning in the same slot)
>
> Web Crypto stuff (now included in this WG's charter)
>
> - Curve25519 and Curve448 <https://wicg.github.io/webcrypto-secure-curves/>
> - Other more modern algorithms (OCB, Argon2, SHA-3, ...)
> - Feature detection (of those algorithms)?
> - Streaming
>
> (Daniel Huigens: I might be in Europe, not 100% sure yet whether I can attend in person)
>
> Process + WG + Other
>
> - spec issues that need decisions
> - Meeting times.
>
> New Stuff
>
> - arcsjs <https://github.com/project-oak/arcsjs-chromium/tree/main/doc/explainer> and the related WICG proposal <https://github.com/WICG/proposals/issues/62>
> - Exposing "public static resource" metadata: whatwg/html#8143 <https://github.com/whatwg/html/issues/8143> (the role of CORP & TAO)
>
> (Small proposal: maybe merge XS-Leaks & Isolation sections? Similarly Partitioning could be under Ads + Stuff.)
>
> --
> Giorgio Maone
> https://maone.net
Received on Friday, 2 September 2022 15:10:13 UTC