-
Notifications
You must be signed in to change notification settings - Fork 150
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
124 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| WebAppSec WG - 2024-06-19 | ||
| ============ | ||
|
|
||
| ## Attendees | ||
|
|
||
| * Mike West (Google) | ||
| * Dan Veditz (Mozilla) | ||
| * Simone Onofri (W3C) | ||
| * Daniel Huigens (Proton) | ||
| * John Wilander (Apple WebKit) | ||
| * Anshuman Goel (Microsoft) | ||
| * Ian Clelland (Google) | ||
| * Maxime Guerreiro (Cloudflare, not WAS member) | ||
| * Gal Weizman (ConsenSys) | ||
| * Simon Friedberger | ||
| * Dylan Cutler (Google) | ||
| * Philippe Le Hegaret (W3C) | ||
|
|
||
| ### Agenda | ||
|
|
||
| * Mini-topics: | ||
| * @marcoscaceres suggested that we drop the webappsec- prefix from our repositories (e.g. w3c/webappsec-credential-management#229) | ||
| * @jonathanKingston asked about next steps for MIX given that several vendors are shipping mixed content upgrades. | ||
| * We've talked about publishing NOTE documents encompassing best practice (around side-channel mitigation and cookies. Should we instead be pushing these towards the new SWAG CG? | ||
| * TPAC: We have two slots: September 23rd and 26th, both days from 9:00-12:30 Pacific. It would be ideal to start sketching an agenda. | ||
| * CSP Next? (John W) | ||
| * Origin vs site, where are we headed as security boundary? (John W) | ||
| * SameSite cookie quirks, such as lax by default but not really (John W) | ||
| * CHIPS roadmap, ephemeral vs persistent, using for quirks (John W) | ||
| * Login Status API in the context of Credential Management (John W) | ||
| * Web Crypto (Daniel H) | ||
| * Curve25519 status | ||
| * Modern algorithms | ||
| * Feature detection? | ||
| * Streaming | ||
|
|
||
| ## Minutes | ||
|
|
||
| ### Mini-Topics | ||
|
|
||
| #### Naming | ||
|
|
||
| mkwst: We have a `webappsec-` repository naming convention. | ||
|
|
||
| dveditz: Right, extracted from directories in the original `webappsec` repository. No particular reason. | ||
|
|
||
| plh: list of repos claimed by this group: https://www.w3.org/groups/wg/webappsec/tools | ||
|
|
||
| mkwst: Any objections to dropping the prefix from our repositories. Marcos suggested that they'd do the work to set up redirects. I wouldn't prioritize this work, but I don't at all object to someone doing the work. | ||
|
|
||
| [General lack of disagreement.] | ||
|
|
||
| mkwst: I'll send an email to the list noting this discussion. | ||
|
|
||
| plh: There will be work on the W3C staff side. Simone can talk to Marcos. | ||
|
|
||
| #### MIX | ||
|
|
||
| mkwst: MIX is at CR and has been forever. MIX2 should be brought to that level as well. | ||
|
|
||
| plh: Do we want "level 1" and "level 2"? | ||
|
|
||
| mkwst: No. | ||
|
|
||
| plh: Need wide review. | ||
|
|
||
| mkwst: Suggest we fold this into the TPAC conversation around "documents we are done with and wrapping them up" | ||
|
|
||
| #### Notes | ||
|
|
||
| mkwst: Notes. https://www.w3.org/TR/post-spectre-webdev/ and https://github.com/w3c/webappsec/issues/653 for example. | ||
|
|
||
| ... couple of notes and suggestions around cookies, security semantics, we can understand if it is good to publish through WebAppSec or SWAG CG, I don't have strong opinions on that. | ||
|
|
||
| plh: Post-Spectre document for example | ||
|
|
||
| mkwst: do we have a place to publish guidance to web developers? but it is important to understand where to put this "line" | ||
|
|
||
| simone: For web developers, we can publish through SWAG. Easier outreach. | ||
|
|
||
| ### TPAC | ||
|
|
||
| mkwst: two sessions (4 hours long), it should be feasible also for Europe, we have a lot of material. we can update to the status of various activities and potential ideas. two questions: | ||
| 1. how do we want to gather these ideas? e.g., GitHub issues? Or a document (e.g., CryptPad/Gdocs) | ||
|
|
||
|
|
||
| dveditz: Stick with GitHub. Can point folks to that via the mailing list. Shared document wouldn't be as easy. Initial comment can be a moderated version of the current understanding of the agenda. | ||
|
|
||
| johnw: GitHub issue SGTM. | ||
|
|
||
| dveditz: I'll create the issue and post it to the list. | ||
|
|
||
| mkwst: priorities? | ||
|
|
||
| johnw: Several things I'm hoping we can talk about: | ||
| * CSP Next. Adoption curve of CSP is not awesome. Great security feature. Something holding the masses of developers back. Would love to revisit that CSP Next document. | ||
| * Origin vs Site. We try to start with origin, end up with site. Cross site storage is an example: partitioning on the origin basis, other vendors are regressing to site. Might need to follow. Security discussion is important as a parallel to the privacy discussion. | ||
| * Quirks: Same Site lax by default. Compatibility thing. Need to either align or put a deadline on it. | ||
| * CHIPS. Could all these cookies be ephemeral? Needs to find a WG home. Will have multiple engine implementations. Currently in Privacy CG/WICG. https://github.com/privacycg/CHIPS | ||
| * Login Status API. Steaming ahead towards standardization. Half of an implementation in Chromium, working on something in WebKit. Could be in FedID WG, but seemsto have wider use, could be here. | ||
|
|
||
| dveditz: Would like to talk about making CSP Next better, but not sure the people there at TPAC are the folks we need to get feedback from. Need to talk to folks who tried to use it and failed, etc. Web developers. Want to get them interested in giving usability feedback. | ||
|
|
||
| johnw: Good point. Opportunity to have browser vendors' devrel teams to do outreach prior to TPAC. | ||
|
|
||
| plh: Breakout at TPAC? | ||
|
|
||
| dveditz: Will propose that breakout: https://github.com/w3c/breakouts-day-2024. Use https://github.com/w3c/breakouts-day-2024/issues | ||
|
|
||
| mkwst: Noting that we should also collect potential TPAC attendance in the GitHub issue. | ||
|
|
||
| danielh: Update on Curve25519: Firefox shipped (in Nightly, on release track). Yay! | ||
| * Was a conversation around what exactly ed25519 and x25519 mean. IETF conversation should happen next week, can follow up with the outcome. | ||
| * Other, more modern algorithms. Wrote a draft, pointing to SHA3, etc. Can discuss. | ||
| * Proposal for feature detection. Given addition of ed25519, might already be too late since you'll need to use try/catch today. | ||
| * Streaming. Mentioned at last TPAC. Not much progress. Could try to write a draft prior to TPAC if interest. | ||
|
|
||
| maxime: Device Bound Session Credentials. | ||
|
|
||
| mkwst: Does sound important. Might end up as a breakout, but we should keep it in mind. | ||
|
|
||
| mkwst: Great. Let's take the conversation to the GitHub issue Dan's going to create. | ||
|
|
||
| dveditz: Not today, probably tomorrow. |