mikewest opened 3 weeks ago
We discussed things in https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-07-17-minutes.md#tpac; the following topics were proposed:
From @johnwilander:
CSP Next. Adoption curve of CSP is not awesome. Great security feature. Something holding the masses of developers back. Would love to revisit that CSP Next document.
Origin vs Site. We try to start with origin, end up with site. Cross site storage is an example: partitioning on the origin basis, other vendors are regressing to site. Might need to follow. Security discussion is important as a parallel to the privacy discussion.
Quirks: Same Site lax by default. Compatibility thing. Need to either align or put a deadline on it.
CHIPS. Could all these cookies be ephemeral? Needs to find a WG home. Will have multiple engine implementations. Currently in Privacy CG/WICG. https://github.com/privacycg/CHIPS
Login Status API. Steaming ahead towards standardization. Half of an implementation in Chromium, working on something in WebKit. Could be in FedID WG, but seems to have wider use, could be here.
From @twiss:
Curve25519 in WebCrypto:
And @punkeel suggested discussing Device Bound Session Credentials (which has also proposed a breakout).
More ideas ever so welcome!
Hi Mike! There have been a few topics circulating that might be interesting for WebAppSec as future areas of work:
Also, @camillelamy is OOO but she will be at TPAC and I assume some time to talk about Document Isolation Policy would be appreciated. Also we could maybe do an update on Private Network Access, if that's of interest?
Hi, adding to the suggestions from @twiss, we can discuss PQ algorithms, as well as better/more corner-case tests.
@aamuley and @dcthetall have made some progress on https://github.com/w3c/webappsec-csp/issues/664 that they'd like to share out, so I'd like to reserve some time for that @mikewest :)
Hey folks!
I'd love to chat about a few different topics:
In terms of timeslots, I have a bit of a conflict 😨 I can hop over on either Monday or Thursday at 10:30 for 30 minutes, or potentially Thursday at 12:00. Let me know if any of that works!
Hey WebAppSec folks,
One topic I would like to discuss at TPAC is our work to Standardize Security Semantics of Cross-Site Cookies.
Thanks!
I would love to get a chance to talk about the RIC proposal we're working on (incubated by WICG, cc @yoavweiss), which focuses on granting web apps control over same-origin realms within their execution environment to harden their integrity at runtime. (I can only do Thursday, if that's interesting and works.)
One other topic that could be interesting to discuss is future improvements to COOP. Previously, COOP restrict-properties had been the answer here, but that effort has now been replaced by Document Isolation Policy. In the long term, there could be value in continuing to invest in alternative COOP-like policies to enable sites to more flexibly defend against XS-Leaks.
TPAC is coming! We should create an agenda for the two sessions we have (on 23.09.2024 and 26.09.2024). As we align on topics, we'll update this comment with the current agenda understanding. It would be ideal to propose and discuss topics below!
23.09.2024
26.09.2024