Web Standards Update

London Web Standards – 18 May 2015

Daniel Appelquist (@torgo)

Co-Chair, W3C Technical Architecture Group (@w3ctag)

These slides: https://slides.com/torgo/lws-power

TAG Update

New TAG members:

Yan Zhu (Yahoo!)

Hadley Beeman (UK Gov)

David Barron (Mozilla)

The TAG (circa April 2015)

The web needs to clean up its act on security & privacy

So what's happening?

US Whitehouse Proposal

The Whitehouse has proposed to require federal web sites to be https-only
They posted this proposal to github for comment: https://github.com/GSA/https
W3C TAG has +1’d this proposal https://github.com/GSA/https/issues/94

BTW: Whitehouse seeks comment on proposal via GitHub

Security & Privacy Self-Review

https://w3ctag.github.io/security-questionnaire/

Opportunistic Encryption

https://httpwg.github.io/http-extensions/encryption.html

That “s” – and some of the web's other greatest mistakes

Discussion: “Is https everywhere harmful?”
discourse.specifiction.org/t/is-https-everywhere-harmful/

Permissions API

https://w3c.github.io/permissions/

Finer-grained control over permissions-requesting APIs

A permissions anti-pattern

Ask permission
for a purpose

Secure Contexts

Née “Privileged Contexts,” née “Powerful Features”
Joint work between TAG and Web Apps Security Group

https://w3c.github.io/webappsec/specs/powerfulfeatures/

What's a Powerful Feature?

The feature provides access to sensitive data
The feature provides access to sensor data on a user’s device
The feature provides access to or information about other devices a user has access to
The feature exposes temporary or persistent identifiers
The feature introduces some state for an origin which persists across browsing sessions
The feature manipulates a user agent’s native UI in some way which could trick the user
The feature requests user permission

…and the web is adding more and more of these, all the time!

One does not simply…

…encrypt the web.

Thanks!

Daniel Appelquist

@torgo – @w3ctag – @tefdigital

Blatant Plug

”Hack Day” Event

Part hack-a-thon; part developer conference

September 25-26 in Shoreditch

Currently accepting session proposals:

lanyrd.com/2015/ota15/

overtheair.org - @overtheair

SPONSORSHIP OPPORTUNITIES AVAILABLE!

Powerful Features for LWS

By Daniel Appelquist

Powerful Features for LWS

Lightning Talk for LWS 18 May 2015

20,439

Daniel Appelquist

https://mastodon.social/@torgo

torgo.com