w3c / webappsec

Web Application Security Working Group repo
https://www.w3.org/groups/wg/webappsec/

Planning the 2023-04-19. #620

Closed mikewest closed 1 year ago

mikewest commented 1 year ago

Our next call is April 19th. We'll plan it here.

mikewest commented 1 year ago

Due to time constraints, we punted the discussion of https://github.com/mikewest/baseline-header to the next call.

johannhof commented 1 year ago

@dcthetall, @krgovind and I have been working on a new proposal to converge browsers on semantics for blocking cross-site cookies, in the interest of solving security challenges that arise when cross-site cookies continue to be allowed by default in edge cases such as ABA (see more details in the document).

We'd like to present our findings and ideas to this group and discuss possible next steps. I'll also send out a small announcement to public-webappsec. :)

cc @arturjanc @annevk @johnwilander

johannhof commented 1 year ago

Forgot to cc Mozilla folks (@martinthomson @artines1 @mozfreddyb) who we would love to get feedback from ^

mikewest commented 1 year ago

@johannhof: This seems like something we can make time for. Though it will likely end up being specified as part of the cookie spec's "site for cookies" definition, it's clearly security-relevant, and worth discussing with folks in this group.

mikewest commented 1 year ago

Aiming to solidify the agenda with @dveditz tomorrow. Any additional topics come to folks' minds?

bartoszniemczura commented 1 year ago

If we find time, I'd like to circle back on discussions around Trusted Types we had about a year ago (cc @shhnjk @koto) and discuss interest and potential paths for supporting Trusted Types across browsers.

mikewest commented 1 year ago

@bartoszniemczura SGTM.

I'm also inclined to continue punting the baseline header discussion, as there doesn't seem to be any immediate implementation interest. The other topics seem more pressing:

@dveditz, that would leave us with the following agenda:

Does that work for you?

DCtheTall commented 1 year ago

Hello everyone, thank you to those who attended and listened to our presentation.

@dveditz is SameSite/site for cookies based third-party cookie blocking something Mozilla would be interested in implementing for Firefox?

We will reach out to WebKit folks to get their feedback on our proposal. Thanks again!