[wg/css] CSS Working Group Charter #477
Comments
There is an extra < in section 1. There are no other comments from APA. |
no comment or request from i18n, with great thanks for all of your works! |
Thanks, typo fixed |
@simoneonofri any security comments? @plehegar any comments from PING? |
Hi, @svgeesus, on the charter, it's indicated the need for Security Considerations, and that's fine. There are quite a few, and in general, as written in the various Security Considerations. To summarize.
Common Threats / Attacks
Information Disclosure (aka Information Leakage) on several levels (say Infoleak is a Security-Privacy hybrid threat):
Perhaps we can consider it more at the implementation level, infoleak leading to memory corruption, as is specified Transitions, and it would be useful to specify good standards at the implementation level, as happened on WebGPU?
Tampering Data
If we use STRIDE, we also have Spoof Identity, Repudiation, DoS, and Elevation of Privilege. I'm pondering whether they can be applied to CSS as well, if you think of this model, broadly speaking, can you think of anything? (e.g., for DoS, we often implement limitations so as not to saturate resources)
Security Considerations
Some deliverables:
|
@simoneonofri thank you. As these are comments on individual deliverables it would be helpful to raise them on csswg repo against the relevant spec, so that they don't get lost. On your more general points:
I hate when people write that, such a bold and unsubstantiated claim. Instead I encourage
In other words statements which are provably true or false. Some old/unmaintained specs still have one section for both Privacy and Security, or indeed no section at all; I fix these as they get published to /TR. |
@svgeesus thank you for your answer. In general, I think that raising concerns, it seems more an "external" thing, even if this should be a joint work between the specs developer and security experts. And it can make sense that there are no new considerations, but it can be good a reference to the old one. However there are some points maybe we should work on, I'll write to the Strategy Team. |
@tjwhalen any comments on this draft charter from a privacy perspective? |
PING is not yet fine. |
(from PING) There has been a batch of issues related to privacy. Was there progress by the CSS WG? In particular on the font fingerprinting front. |
Thanks for taking time to solicit my comments, particularly as they're at a late stage (and I may be lacking some context, having just shown up!). |
Of those 10, six are flagged "close?". On the font issue, we thought we had broken the impasse between I18n ("doing this breaks the Web for readers of minority languages") and PING ("no increase in fingerprintable entropy is acceptable for any reason") with some new wording that I18n thought was much better, but PING still said no. Effectively, each horizontal group is happy to throw the other group's users under a bus. I will look into the MQ situation. |
This one was responded to and the commenter was satisfied in 2022 and is still not closed. While this one was resolved in 2020 and again, not closed for some reason 4 years later. A bit of tidying up on the PING side would be very welcome. |
The list of changes since the 2021 WD is very small, which is probably why a re-review was not requested. However, perhaps in consequence, it still has one Privacy and Security section. There does not seem yet to be consensus on I will discuss with @frivoal at TPAC |
I tagged some MQ5 issues with https://github.com/w3c/csswg-drafts/labels/privacy-tracker |
we can catch during the various transition requests
In general, the issue is, has anyone asked within the WG what are the Privacy and Security Considerations?
Thank you! |
I didn't follow the "I don't sound" part. Autocorrect? |
s/sound/found/ :) |
@svgeesus we resolved yesterday to adopt intersection observer https://log.csswg.org/irc.w3.org/css/2024-09-26/#e1651268 Could you add this to the upcoming charter? |
(support for this move: #457 (comment) ) |
Will do! |
Several of us sat down last week to figure out how to move forward on fonts fingerprinting issue (see also Fonts, Privacy, and Not Breaking the Web). @svgeesus agreed to make a new pull request to attempt to resolve the matter. However, I don't believe the charter has to block on resolving this issue. |
In that case, @plehegar for this charter review, can we mark the Privacy review as complete? |
I don't expect anything else to come from PING at this point. My suggestion would be that we mention this ongoing work when starting the AC review. |
Charter now has current deliverables list including Intersection Observer |
from a Privacy perspective, there is still a concern on the lack of progress on the font fingerprinting issue. looking forward for progress following conversations at TPAC. |
one minor bit: the text "In order to advance to Proposed Recommendation ," should be updated with the latest charter template. (there might be other things as well) |
Fixed in w3c/charter-drafts@4db4b61 |
@simoneonofri MQ5 now has separate Security and Privacy sections, and each links to the relevant issues list. w3c/csswg-drafts@e59fec8 |
New charter proposal, reviewers please take note.
Charter Review
Charter:
If applicable:
diff from previous charter and diff from template
chair dashboard
What kind of charter is this? Check the relevant box / remove irrelevant branches.
Communities suggested for outreach:
Known or potential areas of concern:
Where would charter proponents like to see issues raised? CSSWG issue
Anything else we should think about as we review?
Note: proposed chairs should be copied @... on this issue.
@astearns @atanassov