One big note is that this thread was actually meant to be an "Intent to Ship". Would the API owners prefer a new thread to make that clear or can we shift this thread to be such an intent?
Comments-in-line re: TAG. On Thu, Sep 2, 2021 at 9:05 AM Francis McCabe <[email protected]> wrote: > The proposed change is very small and not 'architectural'. The proposal > adds a new policy keyword to CSP and extends the role (slightly) of > script-src itself. > > > On Thu, Sep 2, 2021 at 6:43 AM Yoav Weiss <[email protected]> wrote: > >> >> >> On Wed, Sep 1, 2021 at 9:00 PM Francis McCabe <[email protected]> wrote: >> >>> Contact [email protected] >>> [email protected] >>> >>> Explainer >>> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md >>> >>> Specificationhttps://github.com/w3c/webappsec-csp/pull/293 >>> >>> Summary >>> >>> Enhancements to Content Security Policy to improve interoperability with >>> WebAssembly. >>> >>> >>> Blink componentBlink >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> >>> >>> Motivation >>> >>> Allows web developers to be more fine grained in their policy wrt >>> executing WebAssembly. Currently, if there is a non-empty CSP policy for a >>> page, the unsafe-eval policy must be enabled. This allows a developer to >>> use wasm-unsafe-eval that only allows webassembly execution and has no >>> impact on javaScript execution. In addition, the proposal is to extend >>> existing CSP script-src policies to include webassembly. Since WebAssembly >>> does not have an element tag, this will be, initially, to apply script-src >>> policies to the relevant API calls: WebAssembly.instantiateStreaming etc. >>> >>> >>> Initial public proposalhttps://github.com/w3c/webappsec-csp/pull/293 >>> >>> Search tagswasm <https://www.chromestatus.com/features#tags:wasm>, >>> webassembly <https://www.chromestatus.com/features#tags:webassembly>, >>> csp <https://www.chromestatus.com/features#tags:csp> >>> >>> TAG reviewNot needed >>> >> >> Can you expand on why you think a TAG review is not needed? >> > To give a little more background beyond Francis's answer, my take is that this change has already gotten good feedback & review from the WebAppSec & HTML folks who are the experts in this area, making a TAG review superfluous (given that CSP & Wasm are both pre-existing pieces of the platform). > >>> TAG review status >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> >>> >>> Gecko: >>> https://github.com/mozilla/standards-positions/issues/574# >>> >>> WebKit: see >>> https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html >>> >>> Web developers: >>> See https://crbug.com/948834 >>> >>> >>> Debuggability >>> >>> >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>> ?Yes >>> >>> Flag name >>> >>> Requires code in //chrome?False >>> >>> Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=841404 >>> >>> Estimated milestones >>> >>> Link to entry on the Chrome Platform Status >>> https://www.chromestatus.com/feature/5499765773041664 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://www.chromestatus.com/>. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB-%3DsKJUpiXcZ2jBGZaQ_yAXWOUdO2Jt1mKA3whP7ZqdA%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB-%3DsKJUpiXcZ2jBGZaQ_yAXWOUdO2Jt1mKA3whP7ZqdA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB%3DEH%3Dop6WeRX92z5VgLz1DOwnHPvcusV2pXnm6dEkLMg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB%3DEH%3Dop6WeRX92z5VgLz1DOwnHPvcusV2pXnm6dEkLMg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAEvLGc%2BqZxSS2CDVfmQViuHrkK%2BckMPnKPS%3D9UdckjdFkYmzwQ%40mail.gmail.com.
