Web Standards Update
London Web Standards – 18 May 2015
Daniel Appelquist (@torgo)
Co-Chair, W3C Technical Architecture Group (@w3ctag)
These slides: https://slides.com/torgo/lws-power
TAG Update
New TAG members:
Yan Zhu (Yahoo!)
Hadley Beeman (UK Gov)
David Barron (Mozilla)
The TAG (circa April 2015)
The web needs to clean up its act on security & privacy
So what's happening?
US Whitehouse Proposal
- The Whitehouse has proposed to require federal web sites to be https-only
- They posted this proposal to github for comment: https://github.com/GSA/https
- W3C TAG has +1’d this proposal https://github.com/GSA/https/issues/94
BTW: Whitehouse seeks comment on proposal via GitHub
Security & Privacy Self-Review
Opportunistic Encryption
That “s” – and some of the web's other greatest mistakes
Discussion: “Is https everywhere harmful?”
discourse.specifiction.org/t/is-https-everywhere-harmful/
Permissions API
Finer-grained control over permissions-requesting APIs
A permissions anti-pattern
Ask permission
for a purpose
Secure Contexts
- Née “Privileged Contexts,” née “Powerful Features”
- Joint work between TAG and Web Apps Security Group
What's a Powerful Feature?
- The feature provides access to sensitive data
- The feature provides access to sensor data on a user’s device
- The feature provides access to or information about other devices a user has access to
- The feature exposes temporary or persistent identifiers
- The feature introduces some state for an origin which persists across browsing sessions
- The feature manipulates a user agent’s native UI in some way which could trick the user
- The feature requests user permission
…and the web is adding more and more of these, all the time!
One does not simply…
…encrypt the web.
Thanks!
Daniel Appelquist
@torgo – @w3ctag – @tefdigital
Blatant Plug
”Hack Day” Event
Part hack-a-thon; part developer conference
September 25-26 in Shoreditch
Currently accepting session proposals:
SPONSORSHIP OPPORTUNITIES AVAILABLE!