On Wed, Feb 11, 2015 at 12:47 AM, Daniel Veditz <dved...@mozilla.com> wrote:

> A new version of the charter has been uploaded that hopefully addresses
> these objections
>
> On Thu, Jan 29, 2015 at 10:32 PM, L. David Baron <dba...@dbaron.org>
> wrote:
>
>> (1) The "Confinement with Origin Web Labels" deliverable is described
>>     in a way that makes it unclear what the deliverable would do.  It
>>     should be clearer.  Furthermore, the lack of clarity means we
>>     couldn't evaluate whether we are comfortable with it being in the
>>     charter.
>>
>
> ​Brian's objections seem to be to a different "sub-origin" proposal from
> Joel Weinberger of Google. COWL is essentially a data-tainting proposal
> that builds on the capabilities of CSP to make it safer to use 3rd party
> libraries and mashups. Having it in the charter is not a commitment that
> Mozilla will implement this, but it's a promising idea and having it in the
> charter means it's in scope for WASWG to discuss it.
>

My concern (as raised on the list) is that as phrased it appears to be an
open
research question how to actually "share data with untrusted code", for the
reasons that have been raised already. Presumably we shouldn't be proposing
standardization of things we don't actually know how to do. Were this IETF
I would suggest that this go to IRTF.

I'm fine with this being phrased as a belt-and-suspenders thing (along the
usual
lines of CSP) where you are just trying to prevent accidental leaks by the
confined
code.

-Ekr


(3)
>> ​[...] It's not clear whether this part of the scope is intended to put
>> [...]
>>      https://w3c.github.io/webappsec/specs/powerfulfeatures/ in the scope
>>     of the working group, which we believe should not be, because we
>>     don't believe the WebAppSec WG should be in the role of policing the
>>     specifications of other groups (which is not the role it has
>>     historically held), and we believe that in general specifications
>>     about how to write other specifications have not been successful,
>>     particularly if they attempt to have any mandatory status.
>>
>
> ​This item was indeed a reference to the Powerful Features spec, which has
> been explicitly added to the deliverables section. The Web Application
> Security WG has been directed by the TAG to "document best practices" on
> this (http://www.w3.org/2001/tag/doc/web-https). The charter has been
> clarified to note that only the "algorithm for determining if a given
> context is sufficiently secure" will be normative, and advice on when a
> feature might designate itself as requiring a secure context will be
> non-normative.
>
> (4) We believe the charter should have provision for asynchronous
>
>>     decision making, perhaps as in
>>     http://www.w3.org/2012/webapps/charter/#decisions .
>>
>
> ​The charter was amended to add this. It's no change in practice but it's
> nice to have it documented.
>
> Updated charter:
> https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html​
> Diffs:
> https://github.com/w3c/webappsec/commit/433dcc996c092309b88c4e1ecad425ea80a49aed
>
> -Dan Veditz
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Reply via email to