A new intent would be better, thanks! On Thu, Sep 2, 2021 at 8:55 PM Adam Klein <[email protected]> wrote:
> One big note is that this thread was actually meant to be an "Intent to > Ship". Would the API owners prefer a new thread to make that clear or can > we shift this thread to be such an intent? > > Comments-in-line re: TAG. > > On Thu, Sep 2, 2021 at 9:05 AM Francis McCabe <[email protected]> wrote: > >> The proposed change is very small and not 'architectural'. The proposal >> adds a new policy keyword to CSP and extends the role (slightly) of >> script-src itself. >> >> >> On Thu, Sep 2, 2021 at 6:43 AM Yoav Weiss <[email protected]> wrote: >> >>> >>> >>> On Wed, Sep 1, 2021 at 9:00 PM Francis McCabe <[email protected]> wrote: >>> >>>> Contact [email protected] >>>> [email protected] >>>> >>>> Explainer >>>> https://github.com/WebAssembly/content-security-policy/blob/master/proposals/CSP.md >>>> >>>> Specificationhttps://github.com/w3c/webappsec-csp/pull/293 >>>> >>>> Summary >>>> >>>> Enhancements to Content Security Policy to improve interoperability >>>> with WebAssembly. >>>> >>>> >>>> Blink componentBlink >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> >>>> >>>> Motivation >>>> >>>> Allows web developers to be more fine grained in their policy wrt >>>> executing WebAssembly. Currently, if there is a non-empty CSP policy for a >>>> page, the unsafe-eval policy must be enabled. This allows a developer to >>>> use wasm-unsafe-eval that only allows webassembly execution and has no >>>> impact on javaScript execution. In addition, the proposal is to extend >>>> existing CSP script-src policies to include webassembly. Since WebAssembly >>>> does not have an element tag, this will be, initially, to apply script-src >>>> policies to the relevant API calls: WebAssembly.instantiateStreaming etc. >>>> >>>> >>>> Initial public proposalhttps://github.com/w3c/webappsec-csp/pull/293 >>>> >>>> Search tagswasm <https://www.chromestatus.com/features#tags:wasm>, >>>> webassembly <https://www.chromestatus.com/features#tags:webassembly>, >>>> csp <https://www.chromestatus.com/features#tags:csp> >>>> >>>> TAG reviewNot needed >>>> >>> >>> Can you expand on why you think a TAG review is not needed? >>> >> > To give a little more background beyond Francis's answer, my take is that > this change has already gotten good feedback & review from the WebAppSec & > HTML folks who are the experts in this area, making a TAG review > superfluous (given that CSP & Wasm are both pre-existing pieces of the > platform). > > >> >>>> TAG review status >>>> >>>> Risks >>>> >>>> >>>> Interoperability and Compatibility >>>> >>>> >>>> >>>> Gecko: >>>> https://github.com/mozilla/standards-positions/issues/574# >>>> >>>> WebKit: see >>>> https://lists.webkit.org/pipermail/webkit-dev/2021-August/031974.html >>>> >>>> Web developers: >>>> See https://crbug.com/948834 >>>> >>>> >>>> Debuggability >>>> >>>> >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>> ?Yes >>>> >>>> Flag name >>>> >>>> Requires code in //chrome?False >>>> >>>> Tracking bug >>>> https://bugs.chromium.org/p/chromium/issues/detail?id=841404 >>>> >>>> Estimated milestones >>>> >>>> Link to entry on the Chrome Platform Status >>>> https://www.chromestatus.com/feature/5499765773041664 >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://www.chromestatus.com/>. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB-%3DsKJUpiXcZ2jBGZaQ_yAXWOUdO2Jt1mKA3whP7ZqdA%40mail.gmail.com >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB-%3DsKJUpiXcZ2jBGZaQ_yAXWOUdO2Jt1mKA3whP7ZqdA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB%3DEH%3Dop6WeRX92z5VgLz1DOwnHPvcusV2pXnm6dEkLMg%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE65UWB%3DEH%3Dop6WeRX92z5VgLz1DOwnHPvcusV2pXnm6dEkLMg%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfXZKUjQuwu1jhPYMfnTWzhNGudDcKj9oNQyVqxuxFzyMQ%40mail.gmail.com.
