
Re: TPAC topics -- please contribute to this list

From: Giorgio Maone <giorgio@maone.net>
Date: Wed, 14 Sep 2022 15:22:24 +0200
Message-ID: <cd3d96aa-5788-a382-43fe-88bb6915ed77@maone.net>
To: WebAppSec WG <public-webappsec@w3.org>

Sorry I didn't manage to attend after all because I was on a flight I 
had to reschedule last minute due to a problem with my passport :(

Hope we'll have the chance to revisit these topics in a regular meeting, 
possibly with the aforementioned researchers whom I met last week.

Best,
-- G

On 25/08/22 22:03, Giorgio Maone wrote:
> Hi,
>
> I can only attend remotely and I'm mainly interested in XSLeaks, 
> Injection Stuff & Isolation.
>
> Also, would it be possible / on topic for the XSLeaks / Isolation 
> session inviting the Leakuidator+ researchers 
> <https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri> 
> (remotely) to hear about their mitigation proposals for standard 
> bodies (in their paper they mention extending CORB to any cross-site 
> navigation)?
>
> Thanks
> -- G
>
> On 18/08/22 09:14, Daniel Veditz wrote:
>> In the working group meeting earlier today we started a list of 
>> topics and issues that we could discuss at TPAC. Please contribute, 
>> especially if you will be attending! Once we have a more complete 
>> list we can winnow it down to the topics that will most benefit from 
>> face-to-face discussions. Our group is scheduled into three two-hour 
>> blocks for formal meetings, and in between those we'll have the 
>> opportunity to attend groups working on related topics like the 
>> Privacy CG, PATCG, and others.
>>
>> Please respond with any of
>> * additional topics
>> * letting us know which topics are most important to you
>> * whether you're attending in person, remotely, or not at all
>> * suggestions for improving the topic groupings
>> * anything else that comes to mind...
>>
>>
>>     XSLeaks
>>
>>   * cross-site leaks (XSLeaks) (Giorgio requests Europe-friendly time)
>>
>>
>>     Injection Stuff
>>
>>   * related to XSLeaks: CSP directives that cause leaks (e.g.
>>     form-action)
>>   * related to the above: CSP as confinement; what's missing, what
>>     could make this a robust defense?
>>   * CSP: webrtc controls
>>   * CSP: WASM source control rather than just on/off?
>>   * Updates on the deployments of injection defenses & isolation
>>     features (CSP, TT, Fetch Metadata, COOP)
>>   * Sanitizer & Trusted Types
>>
>>
>>     ISOLATION
>>
>>   * "Isolation by default"
>>   * site isolation
>>   * New features related to cross-origin isolation: COOP
>>     restrict-properties, anonymous iframes, COEP credentialless.
>>     (Giorgio requests Europe-friendly time)
>>
>>
>>     Permissions
>>
>>   * status of Permission Policy/Registry/API
>>   * Permissions Workshop
>>
>>
>>     Partitioning
>>
>>   * storage partitioning (privacy/performance/security tradeoffs)
>>       * network state / cache partitioning designs/experiments
>>   * Can we finally kill^Wpartition :visited? kthx
>>
>>
>>     Ads and Stuff
>>
>>   * Private Advertising work (in CGs, potential WG), security
>>     considerations or features that belong here
>>       * fenced frames (wicg)
>>       * private ad attribution (PATCG)
>>       * privacy vs anti-fraud tradeoffs
>>   * Cookies (Improving Web Ads BG meets Tuesday morning in the same slot)
>>
>>
>>     Web Crypto stuff (now included in this WG's charter)
>>
>>   * Curve25519 and Curve448
>>     <https://wicg.github.io/webcrypto-secure-curves/>
>>   * Other more modern algorithms (OCB, Argon2, SHA-3, ...)
>>   * Feature detection (of those algorithms)?
>>   * Streaming
>>
>> (Daniel Huigens: I might be in Europe, not 100% sure yet whether I 
>> can attend in person)
>>
>>
>>     Process + WG + Other
>>
>>   * spec issues that need decisions
>>   * Meeting times.
>>
>>
>>     New Stuff
>>
>>   * arcsjs
>>     <https://github.com/project-oak/arcsjs-chromium/tree/main/doc/explainer>
>>     and the related WICG proposal
>>     <https://github.com/WICG/proposals/issues/62>
>>   * Exposing "public static resource" metadata: whatwg/html#8143
>>     <https://github.com/whatwg/html/issues/8143> (the role of CORP & TAO)
>>
>> (Small proposal: maybe merge XS-Leaks & Isolation sections? Similarly 
>> Partitioning could be under Ads + Stuff.)
>>
>
> -- 
> Giorgio Maone
> https://maone.net


-- 
Giorgio Maone
https://maone.net
Received on Wednesday, 14 September 2022 13:22:40 UTC