- From: Giorgio Maone <giorgio@maone.net>
- Date: Wed, 14 Sep 2022 15:22:24 +0200
- To: WebAppSec WG <public-webappsec@w3.org>
Sorry I didn't manage to attend after all because I was on a flight I had to reschedule last minute due to a problem with my passport :(
Hope we'll have the chance to revisit these topics in a regular meeting, possibly with the aforementioned researchers whom I've met last week.

Best,
-- G

On 25/08/22 22:03, Giorgio Maone wrote:
> Hi,
>
> I can only attend remotely and I'm mainly interested in XSLeaks, Injection Stuff & Isolation.
>
> Also, would it be possible / on topic for the XSLeaks / Isolation session inviting the Leakuidator+ researchers <https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri> (remotely) to hear about their mitigation proposals for standards bodies (in their paper they mention extending CORB to any cross-site navigation)?
>
> Thanks
> -- G
>
> On 18/08/22 09:14, Daniel Veditz wrote:
>> In the working group meeting earlier today we started a list of topics and issues that we could discuss at TPAC. Please contribute, especially if you will be attending! Once we have a more complete list we can winnow it down to the topics that will most benefit from face-to-face discussions. Our group is scheduled into three two-hour blocks for formal meetings, and in between those we'll have the opportunity to attend groups working on related topics like the Privacy CG, PATCG, and others.
>>
>> Please respond with any of
>> * additional topics
>> * letting us know which topics are most important to you
>> * whether you're attending in person, remotely, or not at all
>> * suggestions for improving the topic groupings
>> * anything else that comes to mind...
>>
>>
>> XSLeaks
>>
>> * cross-site leaks (XSLeaks) (Giorgio requests Europe-friendly time)
>>
>>
>> Injection Stuff
>>
>> * related to XSLeaks: CSP directives that cause leaks (e.g. form-action)
>> * related to the above: CSP as confinement; what's missing, what could make this a robust defense?
>> * CSP: webrtc controls
>> * CSP: WASM source control rather than just on/off?
>> * Updates on the deployments of injection defenses & isolation features (CSP, TT, Fetch Metadata, COOP)
>> * Sanitizer & Trusted Types
>>
>>
>> ISOLATION
>>
>> * "Isolation by default"
>> * site isolation
>> * New features related to cross-origin isolation: COOP restrict-properties, anonymous iframes, COEP credentialless. (Giorgio requests Europe-friendly time)
>>
>>
>> Permissions
>>
>> * status of Permission Policy/Registry/API
>> * Permissions Workshop
>>
>>
>> Partitioning
>>
>> * storage partitioning (privacy/performance/security tradeoffs)
>>   ** network state / cache partitioning designs/experiments
>> * Can we finally kill^Wpartition :visited? kthx
>>
>>
>> Ads and Stuff
>>
>> * Private Advertising work (in CGs, potential WG), security considerations or features that belong here
>>   ** fenced frames (wicg)
>>   ** private ad attribution (PATCG)
>>   ** privacy vs anti-fraud tradeoffs
>> * Cookies (Improving Web Ads BG meets Tuesday morning in the same slot)
>>
>>
>> Web Crypto stuff (now included in this WG's charter)
>>
>> * Curve25519 and Curve448 <https://wicg.github.io/webcrypto-secure-curves/>
>> * Other more modern algorithms (OCB, Argon2, SHA-3, ...)
>> * Feature detection (of those algorithms)?
>> * Streaming
>>
>> (Daniel Huigens: I might be in Europe, not 100% sure yet whether I can attend in person)
>>
>>
>> Process + WG + Other
>>
>> * spec issues that need decisions
>> * Meeting times.
>>
>>
>> New Stuff
>>
>> * arcsjs <https://github.com/project-oak/arcsjs-chromium/tree/main/doc/explainer> and the related WICG proposal <https://github.com/WICG/proposals/issues/62>
>> * Exposing "public static resource" metadata: whatwg/html#8143 <https://github.com/whatwg/html/issues/8143> (the role of CORP & TAO)
>>
>> (Small proposal: maybe merge XS-Leaks & Isolation sections? Similarly Partitioning could be under Ads + Stuff.)
>>
>
> --
> Giorgio Maone
> https://maone.net

--
Giorgio Maone
https://maone.net
Received on Wednesday, 14 September 2022 13:22:40 UTC