Light week, with only a handful of intents to implement; most of the entries were deprecate+remove (which I ignored).
Triaged 2017-01-14 to 2017-01-23 inclusive, (up to #1005 in https://bit.ly/blinkintents):
Implement: Dangling markup mitigations [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/rOs6YRyBEpw/D3pzVwGJAgAJ] - Mike's work to lock down vectors used for exfiltration in the presence of markup injection (e.g. to make stealing of CSP nonces harder). Security-positive.
Implement and ship: MediaStreamTrack.getSettings() [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wJwVSo52Dno/z5Tg0JmVAgAJ] - returns information about a MediaStreamTrack (source of video/audio from a user device). One interesting property is the facing mode which says where the media source is facing relation to the user; however, given that this is behind the permission and the user had to allow media capture this doesn't look troubling.
Implement and ship: Browser Shortcuts in Fullscreen [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wlRDnLbyVlk/uuByF-a1AgAJ] - sensitive key combos (e.g. Ctrl+T, Ctrl+W) will now be intercept-able by the web app when in fullscreen mode. Some incremental risk of phishing if user is accustomed to opening new tabs viai shortcuts and will forget they are in fullscreen mode, but overall okay.
Implement and ship: Shoutcast support [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/qS63pYso4P0/FP6xymqNAwAJ]. If you're wondering "what year is this?" then don't worry all that much -- the proposed change is to re-allow previously disabled HTTP/0.9 responses over non-default ports only if they start with a Shoutcast magic string ("ICY"). But the context is worth reading, at least for the entertainment value ;-)
Cheers,
-Artur
I sent the following feedback on the blink-dev thread for this feature:
Assuming XSS on a domain, an attacker could queue up downloading that happens on behalf of the victim domain, in the background, even after the user has closed the browser. Though if UI is always shown then this is probably not all that interesting.
There are a handful of things that likely just need a bit of clarification in the spec:
What happens with downloads initiated from incognito mode? Should they terminate immediately once the incognito session is over?
The spec doesn’t mention credentials. It appears that backgroundFetch.fetch() needs to be called on a request object that has been set up beforehand. I can imagine that an implementation would likely punt the request to an external downloading process that is longer-lived than the browser itself.
On the desktop, does the download stop if the user closes the notification? As spec’d, it shouldn’t be possible to close the notification and have the download persist in the background.
What happens if you clear browsing data while a download is in progress?
How is the user aware of ongoing downloads on a mobile browser?
What’s the scope of a “tag”? (Per-origin? What about protocol scheme?) I would expect the tag mechanism to obey the SOP.
Is CORS respected?
Is this mechanism regulated appropriately by CSP? (E.g.: connect-src)
Mike says he'll post the update for them really soon now ™
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
Implement and ship: native media controls customization API
No security concerns. Just some customization for the media controls presented to a user (to discourage everyone implementing their own media controls).
Implement and ship: Temporarily stop permission requests after 3 dismissals
No security concerns. This can only deny powerful features to websites (based on strictly local data).
Implement: Unprefix -webkit-line-break behind 'test' runtime flag
No new security concerns. Behind a flag, affects text layout (possibly only East Asian scripts?)
Implement and ship: DeviceOrientationEvent and DeviceMotionEvent constructors
No concerns. Adds synthetic event constructors for testing, but doesn’t expose more device features to the web.
Implement and ship: SVGImageElement as CanvasImageSource
No (new) security concerns. Leaking history/cross-origin data through canvas is a known problem, but the implementers make it clear that tainting is handled like for other image sources.
Implement: `sample` property for CSP reports.
Some privacy concerns, but samples are limited to 40 chars and mkwst@ himself is running the show.
Implement and ship: RTCPeerConnection icegatheringstatechange event
No security concerns. From what I can tell, this doesn’t introduce any new API surface (assuming correct implementation), only a convenience event for WebRTC peer connections. In case you – like me – are wondering what “ICE” means here, it stands for Interactive Connectivity Establishment.
»Lucas
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
Triaged 2017-03-20 to 2017-03-24 inclusive, (up to #1069 in https://bit.ly/blinkintents):
Implement and Ship: Partial RTCRtpReceiver and RTCRtpContributingSource [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0aTOUhS0wCY/cr-FSkpVCAAJ]
After some discussion with hbos@ & team I don’t see this adds any new design-level concerns for WebRTC. There may be opportunity for fuzzing coverage here and additional security focus on WebRTC overall though.
Ship: `script-sample` property for CSP reports [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/XlcpobBfJOI/8WYpiyk0CQAJ]
(Intent to Ship is understood to be out of scope but this week I did them anyway.)
From Twitter, there’s the suggestion that reporting UI might not properly deal with XSS payloads in script-sample. I think the burden there is clearly on the reporting UI to do the right thing. I’ve been refactoring a large site to include CSP, which wouldn’t have been possible without data provided from FF’s implementation of this feature.
The opt-in, inline-limited approach is a good way to address previous concerns about cross-origin data leakage. I have to assume that the implementation will properly encode samples for use in JSON.
Implement: CSS conic-gradient() [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-z66SwKdklc/5t-NBchECQAJ]
No issues.
Implement and Ship: Frames timing function [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/j7l8_DjMsVE/OiOo5zNwCQAJ]
No issues.
Implement and Ship: CSS Selectors Level 4: :focus-within pseudo-class [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/V3RNBhQelSg/twVPZYOACQAJ]
Two things that come to mind on anything like this:
It’s worth considering the potential for interesting behavior assuming injection of CSS on a page is possible. I don’t see that focus-within creates a problem.
Can this somehow better enable clickjacking? I don’t see a possibility here.
This could be considered to enable a sort of “scriptless event handler.” Though I think it’s unlikely that there’s a new attack scenario here that wouldn’t otherwise exist with CSS.
Ship: Feature Policy V1 [https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/uKO1CwiY3ts/62vV7xmaCQAJ]
I called out the following issues / questions on the blink-dev@ intent to ship thread:
If the camera is blocked in a frame, that frame can simply navigate the top level away to use the camera. I’m not sure what the spec’s opinion on this is.
The spec mentions web workers but I’m not sure if / how policy would apply to service workers.
Can this header be supplied via a META tag? This would enable documents on file:// URLs to set Feature Policy.
Presumably there will be test cases to ensure that, for example, “allow” policy specified in a frame doesn’t somehow override “deny” policy specified by its parent.
Reporting (ala CSP) could be helpful with deployment, so it’s something to consider, though maybe not a priority.
It's worth filling out the Privacy and Security section of the spec. There's enough here that's security relevant that it would be worthwhile time spent.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
Triaged 2017-03-25 to 2017-04-02 inclusive, (#1070 - #1091 in https://bit.ly/blinkintents):21 intents... was it the end of the quarter or something? :)# Intent to Implement: JavaScript image decode() API.The only change here is to give developers more insight into image decoding, but does not present fundamentally new ability (as the developer can do the same by just inserting the image into the DOM). No concerns.# Intent to Ship: Image Capture APIThis is locked behind the same permission prompt as `getUserMedia`, and locked to secure contexts. It offers developers a little more control over the way images are captured, but not an arbitrary level of control. This seems like only a marginal increase in attack surface over the existing WebRTC APIs.# Intent to Deprecate: Loading resources with newlines in URLsThis was my intent, so... I'm biased, but it seems security-positive.# Intent to implement and ship: Add request identifier to PaymentDetailsInitThis is a developer-controlled string, but so is everything else in this part of the API. No security concerns.# Intent to Deprecate: Remove navigator.vibrate without user gestureCan we remove it with a user gesture too? :) No security concerns with locking this down.# Intent to Experiment: GetInstalledRelatedApps APIThis API has some privacy implication, as it allows a developer to determine whether one of their applications is installed. From a security perspective, however, the potential for mischief is reduced by requiring a secure context, and by locking the available applications to those that explicitly list the requesting origin on the one hand, and those origins that list the requested application on the other. Opting in from both sites removes the abuse scenarios I've thought about.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
# Intent to Experiment: GetInstalledRelatedApps APIThis API has some privacy implication, as it allows a developer to determine whether one of their applications is installed. From a security perspective, however, the potential for mischief is reduced by requiring a secure context, and by locking the available applications to those that explicitly list the requesting origin on the one hand, and those origins that list the requested application on the other. Opting in from both sites removes the abuse scenarios I've thought about.Would it also be fine by you in the desktop context, or is it only fine by you in the mobile context?I mean, yes, on desktop, the application can install a local server on an agreed port that returns a response when called by the web application. But the user can generally shut it down.In this case, the user cannot escape this query. This information is simply revealed to the web application.I would not want the websites I use to know whether I have their applications without asking me. They, for example, may push me into using them instead of using the website, but I prefer the website. They do not disturb users without their applications, so I am in an inferior position as a result of this API.
(Perhaps I should put this piece of feedback on the original thread, though?)
--
--
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
Triaged 2017-05-08 to 2017-05-12 inclusive, (up to and including #1134 in https://bit.ly/blinkintents):
Implement and Ship: draft-ietf-webpush-encryption-08
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/SX9_nZ1NHy8/g-PQuoUiBAAJ]
A move to support the latest version of the encryption scheme used by webpush. I have no concerns but ping’d some of our crypto folks. Quan Nguyen pointed out:
“I would suggest adding a section about verifying peer's public key is on the private key's curve in ECDH protocol. Without this check, for the curve that they use P-256, it would allow attacker to extract the private key.”
Peter Beverloo has relayed this to the folks working on the spec.
Implement and Ship: The password property of PasswordCredential
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/nT51eE7fWn4/8HBF1NtqBAAJ]
“allows developers to directly read the password from JavaScript” Well that sounds bad. =) However in discussion on the thread, Dominic Battre pointed out that in Chrome it’s already the case that script can trigger password disclosure into the DOM in an automated way. Thus, allowing the password property wouldn’t enable anything that isn’t already possible.
I recommended a note in the spec to discourage implementation of the password property in browsers with more conservative password managers. (See the thread.) But in Chrome at least, it looks like the password property is reasonable to implement given the password will already be accessible in the DOM, by design.
Implement and Ship: `mediation` enum argument to `CredentialsContainer::get()` in Credential Manager API
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/veCKBk1NguM/ctyHrdVWAwAJ]
The user mediation concept is security relevant but I don’t see anything here that’s worrisome. It would be good to have tests to ensure, for example, setting mediation to “silent” doesn’t enable inappropriate credential access.
I think it has some interesting fingerprinting consequences, as now you would be able to know more information about your peer (eg, which codecs does your peer's browser support?).
Referrer policies 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin' ( https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TgtPUowSWuU/Y-Sn2oRsCAAJ ) - add more referrer options to chrome. I don't know why we call everything strict now a days :-(, but I guess the ship has sailed. That said this strict-origin seems to be useful in that it strips referrers when dropping to HTTP even when a referrer policy exists. I didn't realize before that we were sending referrers to http when a policy was present (since we don't when there isn't one).
onappinstalled and onbeforeinstallprompt event attributes ( https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/_kZHUBQHSXo/1PkuGAOiCAAJ ) - just adding attributes to hook into events that already exist. I guess the only thing that might matter is stuff like XSS filters that don't filter on.* but who cares about that anymore?
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
Triaged 2017-06-26 to 2017-06-30 inclusive, (up to and including row 1188 in https://bit.ly/blinkintents):
There are a couple of new or custom intent types that I’ve seen lately (Intent to Experiment, Intent to Change). It might be good to clarify the triage process (https://www.chromium.org/blink/intent-security-triage) to specify if these should be reviewed during triage.
Implement and Ship: URLSearchParams.sort()
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/U0p_jFYpgss/st46sTGjAAAJ]
Good to see that sorting maintains the relative order between name-value pairs with equal names. Probably there are some other corner cases to account for in test cases. For example, querystrings with name/value pairs lacking names: ?=1&=2&foo=bar. Or invalid URL encoding in the querystring like %Z. Though probably a bug here would be out of scope for .sort().
Implement and Ship: <data> element
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/IjFvnq8yzy8/n_vYt5oUBQAJ]
This is interesting w.r.t. sanitizers in the same way that data-* attributes are interesting. Unfortunately it’s not clear that there’s a good default behavior -- sometimes <data> elements should pass, but not in other cases, it’s entirely application dependent. Similarly, <data> elements could be interesting if they are used by libraries that then enable CSP bypass gadgets. (ref: https://github.com/google/security-research-pocs/tree/master/script-gadgets) I don’t see anything needs to happen for this particular intent though.
Implement and Ship: move onwheel IDL attributes from Element to GlobelEventHandlers
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/Wa5sdcDrJnA/JsgX8zhlAQAJ]
OK.
Implement: EME Extension - Policy Check
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/Okto6s417Q8/5HfUclFqAQAJ]
Exposes a small bit of info about the user agent but I agree with the conclusions in the Privacy Risk section of the Intent writeup.
Implement and ship: beforeprint and afterprint events
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/3B0I0EDKfpk/leSOUkN0AQAJ]
This may make it easier in some sense to print something that doesn’t correspond to what the user actually intended to print. Though I suspect this isn’t a problem that can be easily avoided in any case. It also exposes to javascript that the user attempted to print the page, which might be considered as impacting user privacy. Overall though, the benefits of this feature outweigh the drawbacks.
Implement and ship: <time> element
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/e52E3t3ijHo/eyEaNDt1AQAJ]
OK.
Implement and ship: bilinear interpolation for upscaled images
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/6L_3ZZeuA0M/STPVOjKwAQAJ]
OK.
Experiment: Shape Detection
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eJnB-5Sg-mQ/uvdWnO2OBQAJ]
Intent to Implement for this one predates the triage rotation. The spec properly rejects cross-origin face detection. I would hope / expect this to fail fast so that timing couldn’t be used to detect faces cross-origin. Any feature like this that exposes low-level hardware functionality is at least a little scary, though in this case the risk seems very limited.
Change: XMLHttpRequest preload matching
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/kfE0RHQrULA/RWD3kmfRAQAJ]
OK.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
1206
7/27/2017 Mathias Bynens Ship RegExp `dotAll` mode / `s` flag < LGTM x3 - ECMAScript feature
https://groups.google.com/a/chromium.org/forum#!msg/blink-dev/0uSHjqvgAwQ/CqmFd6KNAwAJ
This makes .* match new lines and such when the s flag is on. Not really that different from status quo.
1207
7/30/2017 Mathias Bynens Ship RegExp lookbehind assertions < LGTM x3 - ECMAScript feature
https://groups.google.com/a/chromium.org/forum#!msg/blink-dev/DKElo3p6n38/PvSV4-KFBAAJ
This enables look behind in regexps for V8. ReDoS and such is the only concern but it's not new. Meh.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
Triaged 2017-09-18 to 2017-09-24 inclusive, (up to and including row 1259 in https://bit.ly/blinkintents).
Implement: Trusted Types for DOM Manipulation
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/qbOrXp9g3B8/hziymUnHAQAJ]
Very cool! I trust Koto, Sebastian, and Mike will get the details right. It looks like this currently dances around sanitization, which is probably the right way to go. (It’s likely out-of-scope for this feature to dictate if a FORM element is safe/unsafe markup, for example.) I should probably dust off my old “Safe Node” concept and see how it might work in conjunction with this proposal. (https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0113.html)
I sent this over to Christoph Kern to take a look too.
Implement and Ship: throw NotSupportedError for unsupported playbackRate
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/a0tguvcZZyk/QJjO8R3WFgAJ]
No issues.
Implement: Gesture Delegation
[https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/e7I1tZAfavU/wjgW9s0EBAAJ]
I commented in the thread:
The security questionnaire should probably cover "GestureJacking." That is, the case where a malicious outer page uses this feature to affect a victim frame from a different origin. Right now the feature only seems to regulate autoplay and vibration, so it's no big deal, but in the future maybe more things will rely on activation (?). Behavior w.r.t. sandboxed and nested frames should probably be considered as well.
Maybe it would be sufficient allow gesture delegation only for same-origin scenarios?
Jeffrey Yasskin pointed me to an ongoing discussion of these sorts of issues: https://github.com/WICG/gesture-delegation/issues/4
Note: I switched weeks with Ken Buchanan who will now be taking the first week of October.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
"Zentaro, have you added tests that verify whether connection groups for NTLMv2 indeed segregate requests with/without credentials and different cookie settings (e.g. 3rd-party cookie blocking)?"
Last intent date 10/20/2017
Intent to Implement: Slots in a flat tree https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/5s1nbytTL68/SnnummScBAAJ
No Concerns
Intent to implement and ship: import.meta.url
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/Hq3cVNto74c/x7tNhmZUBQAJ
No concerns
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
I was totally going to do my triage shift for rows 1335+, but bit.ly/blinkintents shows no entries after 1334. So, no concerns about nothing.How can I check whether whatever thing imports the data into the spreadsheet is still working?
Now that the spreadsheet is back up, Mike and I triaged the rows up to row 1370 (2018-02-04)
Intent to Implement: WebRTC Unified Plan SDP
Signaling the SDP format a given browser supports doesn't appear to create any attack surface. No concerns.
Intent to Implement: CSS Layout API
No concerns
Intent to Ship: Async Clipboard API
Ensuring that clipboard access is available only in the active tab prevents some of the earlier concerns about persistent background access from a Worker to a user's clipboard, which seems dangerous. Still, flagging this thread to Enamel, as I think it might have fallen off the table due to personnel changes.
Intent to Implement: window.focus() exits HTML5 fullscreen
Security positive
Intent to Experiment: Extend Origin Trial - Media Capabilities: decoding
Nothing new
Intent to Implement and Ship: Send “input” event on checkbox click.
No concerns
Intent to Implement and Ship: window.focus() exits HTML5 fullscreen
Same as above
Intent to Implement: Permission Delegation
This is an important change to the way permissions work in general. The Enamel team is involved, and supportive, and the hope is that it will give users a better understanding of who they're expressing trust towards, and to whom they're granting permissions. It seems to me to be a step in the right direction, but it's very much worth keeping an eye on it as it evolves due to e.g. TAG feedback.
Intent to Implement and ship: PerformanceObserver takeRecords()
This improves developer ergonomics, but doesn't enable any action that developers couldn't already take. No concerns.
Intent to Deprecate and remove: URL.createObjectURL with MediaStream
This doesn't result in any change in the functionality exposed to developers. It removes one spelling of a feature, and asks developers to use a different spelling. No concerns.
Intent to Implement and ship: Feature Policy control over Synchronous XHR
Synchronous XHR doesn't create independent security issues, and Feature Policy seems like the right way to give developers control over it as a stepping-stone to complete removal. No concerns.
Intent to Implement and ship: Optional catch binding
No concerns
Intent to Experiment: EME Extension - Policy Check
The explainer discusses privacy considerations (https://github.com/WICG/media-capabilities/blob/master/eme-extension-policy-check.md#privacy-considerations) and points out that the fingerprinting surface doesn’t significantly expand.
Intent to Implement: Origin-Signed HTTP Exchanges (Part of Web Packaging)
Yup. There are concerns. The right people are looking into them. We'll expect solid answers before we ship.
Intent to Deprecate and Remove: Extra form data , if "value" attribute is present with non-empty value for <input type=”image”>
No concerns
Intent to Deprecate and Remove: support for position values with 3 parts (excluding background)
No concerns
Intent to Implement and ship: Send “input” Event on activation behavior for radio and file <input> type
No concerns
Intent to Ship: CSS Typed OM
Adding explicit JS types for CSS which currently is done by parsing / generating strings → no new attack surface
Intent to Deprecate and Remove: Support for '#' in data URI body
There's some marginal risk that treating `#` as a fragment in a `data:` URL could result in markup meaning something different than it used to. The risk, however, is mitigated by the fact that the `data:` URL will render in an opaque origin, and by the low usage numbers. Seems reasonable to ship and align with other vendors' behavior: more predictability increases the odds that developers won't shoot themselves in the foot.
Intent to Implement and ship: Unprefix CSS Grid Layout gutter properties
No concerns
Intent to Implement and ship: CSS calc() in media queries
No concerns
Intent to Ship: More spec conformant SendBeacon quota
No concerns
Intent to Implement and ship: make <tr> with transform be a containing block
No concerns
Intent to Experiment: Experiment: Signature-based Resource Loading Restrictions
Similar to the already shipped hash-based variant
Intent to Implement and ship: New CSS Value 'legacy' for the alignment behavior of HTML’s <center> element
No concerns
Intent to Implement: Picture-in-Picture (PiP)
They limit security concerns by restricting the PiP content to an video that is controlled via an HTMLMediaElement. Still have some questions around what happens if you switch tabs or navigate away.
Intent to Deprecate and ship and remove: justify-items: auto
No concerns
Intent to Implement and ship: Support 'x' as a CSS resolution
No concerns
Intent to ship: Create V8 contexts from snapshot by default
No concerns
Intent to Implement and ship: Reading Blob URL for invalid/nonexistent Blob should end with a network error
No concerns
Intent to Implement: Lazily load below-the-fold iframes and images
No concerns
Intent to Implement and ship: performance.memory improvements
This removes data about cross-origin resources, so that’s great
Intent to Implement: Cooperative Scheduling
Security team is already reviewing this.
Intent to Deprecate and remove: Throwing on unimplemented (but valid) CompositeOperation values in WebAnimationsAPI.
No concerns
Intent to Remove: Appcache in non-secure contexts.
Yay!
Intent to Implement: :is()
No concerns
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
--To unsubscribe from this group and all its topics, send an email to security-dev+unsubscribe@chromium.org.
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.
--
You received this message because you are subscribed to a topic in the Google Groups "Security-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/security-dev/2H3ZiI_INm0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-dev...@chromium.org.