w3c / security-request

Horizontal review requests will be made via issues in this repo.

Incremental Font Transfer 2021-10-20 #16

Open svgeesus opened 2 years ago

svgeesus commented 2 years ago

We have conducted a self-review of our spec Incremental Font Transfer, and the results can be found at https://github.com/w3c/IFT/issues/35 .

Please check our findings.

Other comments:

samuelweiler commented 2 years ago

Requested review by @paulwouters

samuelweiler commented 2 years ago

@svgeesus, I see that you're citing the version of this spec in TR, not the editor's draft. Which version would you like @paulwouters to review? (n.b. I see that the editor's draft has a much-expanded privacy considerations section. I haven't run a full diff, though.)

svgeesus commented 2 years ago

We get told off if we cite a non-TR spec for wide review, and current advice is to request early review on publication of FPWD.

But yes, please do in practice review the Editor's Draft.

samuelweiler commented 2 years ago

@svgeesus, thank you. Indeed, for "reasons" we should be reviewing TR specs.

svgeesus commented 2 years ago

An updated WD of IFT has been published which puts into one specification the Range Request and Patch-subset methods, and describes how client and server negotiate which method to use. Please base your review on this new /TR draft. Thanks!

svgeesus commented 1 year ago

14 months later, are there any security review comments?

svgeesus commented 2 months ago

A new WD of IFT is available. This addresses review feedback from the earlier proposals. There is no longer a Range Request vs Patch Subset choice, and there is no longer any special protocol required. Compared to the earlier proposals, the risks of fingerprinting have been reduced and there should no longer be an impact on CDN caching.

Because this is a substantial rewrite, we have a new Explainer

A re-review from a Security perspective would be most welcome!

@simoneonofri

svgeesus commented 2 months ago

@simoneonofri I am guessing this request will wait for SING to be formed, right?

simoneonofri commented 2 months ago

> @simoneonofri I am guessing this request will wait for SING to be formed, right?

@svgeesus I've put it in the queue of things to do, surely when there's SING I'll be quicker to do them!