Planning TPAC.

[mikewest]

TPAC is coming! We should create an agenda for the two sessions we have (on 23.09.2024 and 26.09.2024). As we align on topics, we'll update this comment with the current agenda understanding. It would be ideal to propose and discuss topics below!

Draft Agenda

WIP, still pulling things together.

23.09.2024, 9:00 - 12:30, 2 Ballroom Level - California B

• 9:00 - 9:15: ☕ and agenda bashing.
• 9:15 - 9:45: Crypto
  • Web Crypto (@twiss)
    • Algorithms (modernizing, post-modernizing)
    • Curve 25591
    • Streaming
    • Feature Detection
  • Remote cryptokeys (@marcoscaceres, @estark37)
• 9:45 - 10:30: Application Integrity/Transparency (@estark37)
  • Extensions to SRI
    • Additional content types
    • Additional assertion types (signatures, etc))
  • require-sri-for (@yoavweiss)
  • Signing / Packaging
• 10:30 - 11:00: ☕ & 🍰 @ Lanai Deck, Fifth Floor
• 11:00 - 12:00: CSP
  • Should the threat model include exfiltration? (@yoavweiss)
  • How can we improve adoption? (@simoneonofri)
  • Could we require injection mitigation for interesting APIs? (@mikewest)
  • Can we ship CSP as a "living CR"?
  • What do we do next? (@johnwilander)
• 12:00 - 12:30: Breakout pitch session. There are a number of breakout sessions (grid, details) on 25.09.2024 that are relevant to this community. Let's talk about them a bit so folks can plan accordingly.

26.09.2024, 9:00 - 12:30, 4 Concourse Level - Laguna

• 9:00 - 9:15: ☕ and agenda bashing.
• 9:15- 10:30: Following up on breakout sessions
  • Deprecations, PEPC, DBSC all seem like they might benefit from more conversation.
  • We can allocate time in this slot more clearly in the hallways on Wednesday.
• 10:30 - 11:00: ☕ & 🍰 @ Lanai Deck, Fifth Floor
• 11:00 - 11:45: Isolation
  • Document Isolation Policy (@camillelamy)
  • Realms Initialization Control (@weizman)
• 11:45 - 12:15: Cookies
  • sandbox="allow-same-site-none-cookies" (@aamuley)
  • Cookie Layering / RFC6265tre (@johannhof, @annevk)
  • CHIPS (@johnwilander, @DCtheTall)
• 12:15 - 12:30: Next steps, followup.

[mikewest]

We discussed things in https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-07-17-minutes.md#tpac; the following topics were proposed:

From @johnwilander:

• CSP Next. Adoption curve of CSP is not awesome. Great security feature. Something holding the masses of developers back. Would love to revisit that CSP Next document.

• Origin vs Site. We try to start with origin, end up with site. Cross site storage is an example: partitioning on the origin basis, other vendors are regressing to site. Might need to follow. Security discussion is important as a parallel to the privacy discussion.

• Quirks: Same Site lax by default. Compatibility thing. Need to either align or put a deadline on it.

• CHIPS. Could all these cookies be ephemeral? Needs to find a WG home. Will have multiple engine implementations. Currently in Privacy CG/WICG. https://github.com/privacycg/CHIPS

• Login Status API. Steaming ahead towards standardization. Half of an implementation in Chromium, working on something in WebKit. Could be in FedID WG, but seemsto have wider use, could be here.

From @twiss:

• Curve 25519 in WebCrypto:

  • Was a conversation around what exactly ed25519 and x25519 mean. IETF conversation should happen next week, can follow up with the outcome.
  • Other, more modern algorithms. Wrote a draft, pointing to SHA3, etc. Can discuss.
  • Proposal for feature detection. Given addition of ed25519, might already be too late since you'll need to use try/catch today.
  • Streaming. Mentioned at last TPAC. Not much progress. Could try to write a draft prior to TPAC if interest.

And @punkeel suggested discussing Device Bound Session Credentials (which has also proposed a breakout).

More ideas ever so welcome!

[estark37]

Hi Mike! There have been a few topics circulating that might be interesting for WebAppSec as future areas of work:

• Remote CryptoKeys
• Integrity and transparency of web applications (don't think there is anything written up, but it seems like there is a range of interest from expanded SRI / signature-based SRI to full-application signing and source code transparecy)

Also, @camillelamy is OOO but she will be at TPAC and I assume some time to talk about Document Isolation Policy would be appreciated. Also we could maybe do an update on Private Network Access, if that's of interest?

[Frosne]

Hi,
Adding to the suggestions from @twiss, we can discuss PQ algorithms, as well as better/more corner cases tests.

[johannhof]

@aamuley and @DCtheTall have made some progress on w3c/webappsec-csp#664 that they'd like to share out, so I'd like to reserve some time for that @mikewest :)

[yoavweiss]

Hey folks!

I'd love to chat about a few different topics:

• require-sri-for in a PCIv4 world
• CSP and data exfiltration
• Capability URLs

In terms of timeslots, I have a bit of a conflict 😨
I can hop over on either Monday or Thursday at 10:30 for 30 minutes, or potentially Thursday at 12:00.
Let me know if any of that works!

[DCtheTall]

Hey WebAppSec folks,

One topic I would like to discuss at TPAC is our work to Standardize Security Semantics of Cross-Site Cookies.

Thanks!

[weizman]

I would love to get a chance to talk about the RIC proposal we're working on (incubated by WICG cc @yoavweiss), which focuses on granting web apps control over same origin realms within its execution environment to harden its integrity at runtime (I can only do Thursday, if that's interesting and works)

[ddworken]

One other topic that could be interesting to discuss is future improvements to COOP. Previously, COOP restrict-properties had been the answer here, but that effort has now been replaced by Document Isolation Policy. In the long term, there could be value in continuing to invest in alternative COOP-like policies to enable sites to more flexibly defend against XS-Leaks.

[sanketj]

We'd like to cover w3c/webappsec-permissions-policy#273, since we're working on this in Chromium. We'd prefer if we can cover this during Monday's meeting, due to conflicting meetings on Thursday. cc: @siliu1

[sanketj]

We'd like to cover w3c/webappsec-permissions-policy#273, since we're working on this in Chromium. We'd prefer if we can cover this during Monday's meeting, due to conflicting meetings on Thursday. cc: @siliu1

@mikewest Friendly ping on whether we can get this issue on the TPAC agenda?

[mikewest]

@sanketj: After talking with @clelland, it does seem like there's enough time to talk through the outstanding issues; I've squeezed it in on Monday, but we might want to move it around based on folks' availability.

@ALL: Thanks for the feedback. I've taken the draft agenda above, updated it slightly, and put it up at https://github.com/w3c/webappsec/blob/main/meetings/2024/2024-09-TPAC-agenda.md. Looking forward to seeing y'all tomorrow!