Closed mikewest closed 8 months ago
Can I suggest spending some time revisiting some of the long-standing spec bugs in the CSP spec? I got bit by https://github.com/w3c/webappsec-csp/issues/609, and it looks like Safari is following the spec (i.e. not respecting `worker-src 'strict-dynamic'`) rather than - well, there's nothing else for it to follow (including no tests that I can find), so I guess "rather than doing what Chrome does". If `worker-src 'strict-dynamic'` is to actually be usable it's going to need the spec fixed so Safari will update.

There's a few more, like https://github.com/w3c/webappsec-csp/issues/426, https://github.com/w3c/webappsec-csp/issues/523, https://github.com/w3c/webappsec-csp/issues/423, etc, though I think mostly these haven't led to implementation issues like the one above.
More generally, getting a more consistent story around hashes, nonces, and strict-dynamic would be of great help. There's a bunch of stuff which has come up over the years - https://github.com/w3c/webappsec-csp/issues/632, https://github.com/w3c/webappsec-csp/issues/375, https://github.com/w3c/webappsec-csp/issues/623, https://github.com/w3c/webappsec-csp/issues/625, https://github.com/w3c/webappsec-csp/issues/433, https://github.com/w3c/webappsec-csp/issues/487, https://github.com/w3c/webappsec-csp/issues/212, etc.
* [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/), given [Mozilla's rekindled interest](https://github.com/mozilla/standards-positions/issues/20#issuecomment-1853427823). Perhaps @koto, @otherdaniel, @mozfreddyb would be interested in chatting through some of the outstanding issues raised in those comments/against the spec?
I can give a <5 minute verbal update, without slides. (The gist is as follows: We want to make sure that TT does not add things to the web platform which aren't widely regarded as useful or popular. Chrome is shipping UseCounters to that extent. There are some additional issues with spec maintenance and its integration with existing specifications, I hope mostly of an editorial nature. Though I wouldn't be surprised if they will result in some additional design work.)
:visited partitioning. @kyraseevers has been pushing ahead with infrastructure changes in Chromium. Perhaps there's interest in discussing some of the feedback (e.g. https://github.com/w3ctag/design-reviews/issues/896#issuecomment-1850567441)?
I'm also happy to give a brief 5 (probably less) minute update, and receive any feedback others may have.
Planning the 2024-01-17 WebAppSec meeting. A few potential topics come to mind:
* [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/), given [Mozilla's rekindled interest](https://github.com/mozilla/standards-positions/issues/20#issuecomment-1853427823). Perhaps @koto, @otherdaniel, @mozfreddyb would be interested in chatting through some of the outstanding issues raised in those comments/against the spec?
* `:visited` partitioning. @kyraseevers has been pushing ahead with infrastructure changes in Chromium. Perhaps there's interest in discussing some of the feedback (e.g. https://github.com/w3ctag/design-reviews/issues/896#issuecomment-1850567441)?
* `Cross-Origin-Opener-Policy: restrict-properties`. @camillelamy might have feedback to share from the Origin Trial Chrome's currently running?
* Your idea goes here.