w3c / webappsec

Web Application Security Working Group repo
https://www.w3.org/groups/wg/webappsec/

Note for Standardizing Security Semantics of Cross-Site Cookies #653

Closed DCtheTall closed 1 week ago

DCtheTall commented 4 months ago

Hey WebAppSec,

Last year we discussed an effort to standardize differences we noticed between browsers' third-party cookie blocking mechanisms. We also discussed standardizing behavior for certain edge use cases for SameSite=None cookies.

@arturjanc and I have published a draft note, which I am hosting, that we would like to publish as a WebAppSec note.

Thanks all in advance for your feedback!

mikewest commented 4 months ago

Thanks! Let's treat this as a CfC to publish this document as a draft note, get a round of feedback or two and aim to call it done by TPAC? Next meeting is on the 17th. I think we can formalize publication at that point.

/cc @dveditz @simoneonofri

mikewest commented 4 months ago

Actually, I'm now wondering whether this would be a good fit for the new SWAG group that's spinning up: https://www.w3.org/community/swag/. WDYT about the WG NOTE vs CG Report dichotomy for something like this, @simoneonofri?

Same question could apply to https://www.w3.org/TR/post-spectre-webdev/, I think.

simoneonofri commented 4 months ago

Hi @mikewest, thank you for the pointer; I'm talking with @torgo about that.

arturjanc commented 4 months ago

My gut feeling is that while the notes seem similar to some extent (trying to unpack complex web platform behaviors related to the process model and cookies respectively), they're meant for fairly different audiences. The post-Spectre note is primarily geared towards web developers and tells them how to apply isolation protections for their services, whereas the cookie note is meant primarily for implementers / browser vendors to discuss the security trade-offs of different cookie-related behaviors. I.e. it's not particularly actionable for web developers as-is (but arguably useful to get some cross-vendor alignment in this space).

So I think WebAppSec might be a slightly better place for the cookie note conceptually, but I'm not at all opposed to SWAG if others have a preference for it.

DCtheTall commented 2 weeks ago

Hello all, given that the reaction was positive when we presented this work at TPAC 2024, I think it makes sense to move the draft note hosted at https://dcthetall.github.io/webappsec-standardizing-security-semantics-of-cross-site-cookies/ to the W3C org.

@simoneonofri would you be able to help us with that? Thank you :)

simoneonofri commented 2 weeks ago

Hi @DCtheTall, from the GitHub side, if you can give me the permissions as the repository owner, I can transfer it (procedure here: https://w3c.github.io/repo-transfer.html) and configure the w3c.json to link to the group.

DCtheTall commented 1 week ago

Thanks Simone, I invited you to be a collaborator and will give you write permissions.

EDIT: @simoneonofri, it turns out collaborators cannot transfer repositories. I just requested to transfer the repo to you.

simoneonofri commented 1 week ago

@DCtheTall, thanks. I transferred the repository to the w3c org; it is now here: https://github.com/w3c/webappsec-standardizing-security-semantics-of-cross-site-cookies

DCtheTall commented 1 week ago

Thanks, @simoneonofri