
Planning TPAC. #654

Closed
mikewest opened this issue Aug 19, 2024 · 11 comments
Comments

@mikewest
Member

mikewest commented Aug 19, 2024

TPAC is coming! We should create an agenda for the two sessions we have (on 23.09.2024 and 26.09.2024). As we align on topics, we'll update this comment with the current agenda understanding. It would be ideal to propose and discuss topics below!

Draft Agenda

WIP, still pulling things together.

23.09.2024, 9:00 - 12:30, 2 Ballroom Level - California B

26.09.2024, 9:00 - 12:30, 4 Concourse Level - Laguna

@mikewest
Member Author

We discussed things in https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-07-17-minutes.md#tpac; the following topics were proposed:

From @johnwilander:

  • CSP Next. Adoption curve of CSP is not awesome. Great security feature. Something holding the masses of developers back. Would love to revisit that CSP Next document.

  • Origin vs Site. We try to start with origin, end up with site. Cross site storage is an example: partitioning on the origin basis, other vendors are regressing to site. Might need to follow. Security discussion is important as a parallel to the privacy discussion.

  • Quirks: Same Site lax by default. Compatibility thing. Need to either align or put a deadline on it.

  • CHIPS. Could all these cookies be ephemeral? Needs to find a WG home. Will have multiple engine implementations. Currently in Privacy CG/WICG. https://github.com/privacycg/CHIPS

  • Login Status API. Steaming ahead towards standardization. Half of an implementation in Chromium, working on something in WebKit. Could be in FedID WG, but seems to have wider use, could be here.

From @twiss:

  • Curve 25519 in WebCrypto:

    • Was a conversation around what exactly ed25519 and x25519 mean. IETF conversation should happen next week, can follow up with the outcome.
    • Other, more modern algorithms. Wrote a draft, pointing to SHA3, etc. Can discuss.
    • Proposal for feature detection. Given addition of ed25519, might already be too late since you'll need to use try/catch today.
    • Streaming. Mentioned at last TPAC. Not much progress. Could try to write a draft prior to TPAC if interest.

And @punkeel suggested discussing Device Bound Session Credentials (which has also proposed a breakout).

More ideas ever so welcome!

@estark37
Contributor

Hi Mike! There have been a few topics circulating that might be interesting for WebAppSec as future areas of work:

  • Remote CryptoKeys
  • Integrity and transparency of web applications (don't think there is anything written up, but it seems like there is a range of interest from expanded SRI / signature-based SRI to full-application signing and source code transparency)

Also, @camillelamy is OOO but she will be at TPAC and I assume some time to talk about Document Isolation Policy would be appreciated. Also we could maybe do an update on Private Network Access, if that's of interest?

@Frosne

Frosne commented Aug 20, 2024

Hi,
Adding to the suggestions from @twiss, we can discuss PQ algorithms, as well as better/more corner cases tests.

@johannhof
Member

@aamuley and @DCtheTall have made some progress on w3c/webappsec-csp#664 that they'd like to share out, so I'd like to reserve some time for that @mikewest :)

@yoavweiss
Contributor

Hey folks!

I'd love to chat about a few different topics:

In terms of timeslots, I have a bit of a conflict 😨
I can hop over on either Monday or Thursday at 10:30 for 30 minutes, or potentially Thursday at 12:00.
Let me know if any of that works!

@DCtheTall
Member

DCtheTall commented Sep 11, 2024

Hey WebAppSec folks,

One topic I would like to discuss at TPAC is our work to Standardize Security Semantics of Cross-Site Cookies.

Thanks!

@weizman
Member

weizman commented Sep 11, 2024

I would love to get a chance to talk about the RIC proposal we're working on (incubated by WICG cc @yoavweiss), which focuses on granting web apps control over same origin realms within its execution environment to harden its integrity at runtime (I can only do Thursday, if that's interesting and works)

@ddworken

One other topic that could be interesting to discuss is future improvements to COOP. Previously, COOP restrict-properties had been the answer here, but that effort has now been replaced by Document Isolation Policy. In the long term, there could be value in continuing to invest in alternative COOP-like policies to enable sites to more flexibly defend against XS-Leaks.

@sanketj
Member

sanketj commented Sep 16, 2024

We'd like to cover w3c/webappsec-permissions-policy#273, since we're working on this in Chromium. We'd prefer if we can cover this during Monday's meeting, due to conflicting meetings on Thursday. cc: @siliu1

@sanketj
Member

sanketj commented Sep 20, 2024

We'd like to cover w3c/webappsec-permissions-policy#273, since we're working on this in Chromium. We'd prefer if we can cover this during Monday's meeting, due to conflicting meetings on Thursday. cc: @siliu1

@mikewest Friendly ping on whether we can get this issue on the TPAC agenda?

@mikewest
Member Author

@sanketj: After talking with @clelland, it does seem like there's enough time to talk through the outstanding issues; I've squeezed it in on Monday, but we might want to move it around based on folks' availability.

@ALL: Thanks for the feedback. I've taken the draft agenda above, updated it slightly, and put it up at https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-TPAC-agenda.md. Looking forward to seeing y'all tomorrow!
