HTML Review Draft — Published 18 January 2021: review tracker
Closed this issue · 10 comments
This is a review tracker of HTML Review Draft — Published 18 January 2021.
Requested
Important Changes between Jan 2020 and Jan 2021
Accessibility?
-
whatwg/html@db55877
Allow heading content within legend and summary elements -
whatwg/html@ffc5c53
Do not use tabindex to determine interactive content -
whatwg/html@f7a3dcc
Allow setting default accessibility semantics for custom elements
I18N?
-
whatwg/html@21b5234
Make document's character encoding reflect byte order mark -
whatwg/html@5bad12a
Allow autocomplete="username" with -
whatwg/html@884dfc4
Make hidden input charset checks case insensitive
Security & Privacy?
-
whatwg/html@931ecf4
Prevent [[CryptographicNonce]] from being emptied -
whatwg/html@e910f6a
Prevent downloads in <iframe sandbox> by default -
whatwg/html@1529ed1
Correct CrossOriginProperties and callers -
whatwg/html@4b3c4ff
Use same origin-domain when initializing a document -
whatwg/html@9115e58
Update worker global scope's owner set earlier -
whatwg/html@e9fbde0
Add referrerpolicy="" to img's relevant mutations -
whatwg/html@c9fddd7
Add cross-origin opener policy -
whatwg/html@70b8bb4
Add cross-origin embedder policy -
whatwg/html@c9d8983
Add the cross-origin isolated primitive -
whatwg/html@f781a90
Introduce the "cross-origin-isolated” permission -
whatwg/html@d37f992
Add the Origin-Isolation header -
whatwg/html@ea6b0ca
Specify sequence of navigation failure checks -
whatwg/html@cbcf6ac
Make COOP+COEP not imply cross-origin isolated
Architecture?
-
whatwg/html@a511341
Add more checks when matching SharedWorkerGlobalScopes -
whatwg/html@0283e9e
Add"lazy loading images”
-
whatwg/html@344798b
Fix the entry settings object for promise callbacks -
whatwg/html@f425515
Navigation: avoid processing a response twice -
whatwg/html@9b8f636
is to be rendered as a replaced element
-
whatwg/html@7fe9953
Stop mapping <iframe hspace/vspace> to style -
whatwg/html@760a144
BroadcastChannel: move destination close flag -
whatwg/html@9d7a82c
Add connected check to input/change events for checkboxes/radios -
Define the top-level origin of an environment settings object
-
whatwg/html@7eef537
Remove one "mark paint timing call" in update the rendering -
whatwg/html@c747ce0
Fire an error event for parse errors when constructing SharedWorker -
whatwg/html@203842a
Layering: Implement HostEnqueuePromiseJob -
whatwg/html@2053069
Note how orientation metadata affects naturalWidth/Height -
whatwg/html@80e087c
Do not throw when cloning %ObjectPrototype% -
whatwg/html@c76e86c
Convert "queue a task" to "queue an element task" -
whatwg/html@cd59059
Clean up the event loop and agent correspondence -
whatwg/html@12a2a56
Make all agent allocation imperative -
whatwg/html@b954ac0
Change "scripting is disabled" to be per-global -
whatwg/html@5e7d606
Disentangle images loading on-demand from scripting -
whatwg/html@af228b2
Remove the title argument from registerProtocolHandler() -
whatwg/html@6144c0c
Prevent execution of (some) scripts moving between documents -
whatwg/html@caebee3
Stop dispatching invalid on -
whatwg/html@49962ba
Define height attribute for thead, tbody, and tfoot elements -
whatwg/html@72a6f17
registerProtocolHandler(): only "https" schemes for the handler -
whatwg/html@9deddcd
registerProtocolHandler() cleanup -
whatwg/html@351d56a
Specify image lazy loading in terms of IntersectionObserver -
whatwg/html@9e77887
Add<link disabled> -
whatwg/html@bb0bcac
Fix sandboxing flags handling in browsing context creation -
whatwg/html@f913be0
Expose Worker and SharedWorker less -
whatwg/html@db2ce7e
Change request destinations of nested navigations -
whatwg/html@31b264a
Redo top-level origin and add top-level creation URL -
whatwg/html@c9fddd7
Add cross-origin opener policy -
whatwg/html@70b8bb4
Add cross-origin embedder policy -
whatwg/html@bb864bd
Define "secure context” -
whatwg/html@c9d8983
Add the cross-origin isolated primitive -
whatwg/html@231538d
Add <iframe> lazyloading -
whatwg/html@a2294a9
Change MessagePort owner from incumbent to current -
whatwg/html@81d7284
Add the manifest link relation -
whatwg/html@63a0e64
Fire a load event for network errors in -
whatwg/html@898a25e
Introduce the navigation params struct -
whatwg/html@82a0784
Do not delay the load event for aborted media loads -
whatwg/html@ac285c0
Sanitize classic script's base URL when muted errors flag is set -
whatwg/html@230af41
Adjust registerProtocolHandler() handling -
whatwg/html@c7c6b17
Remove HTTPS state -
whatwg/html@2333203
Add preservesPitch to HTMLMediaElement -
whatwg/html@a1ad979
Extend "window open steps" to observe COOP -
whatwg/html@4191e0c
Define the foundations of find-in-page -
whatwg/html@e991e2f
Remove user override of window.open() in a sandbox -
whatwg/html@f781a90
Introduce the "cross-origin-isolated” permission -
whatwg/html@97c73c3
Add MIME type checking for HTTP(S) worker scripts -
whatwg/html@40e3868
Remove the dragexit event -
whatwg/html@3c52fe1
Allow mutating -
whatwg/html@539f4e8
Fix contradictory missing value default for formmethod=“" -
whatwg/html@b417e88
Fire "input" events as composed -
whatwg/html@bd32618
Define X-Frame-Options processing -
whatwg/html@8c90eb6
Augment COEP violation report -
whatwg/html@d37f992
Add the Origin-Isolation header -
whatwg/html@ea6b0ca
Specify sequence of navigation failure checks -
whatwg/html@c8d5ad3
Set "destination" of requests from -
whatwg/html@ed61fda
Resolve whenDefined()'s promise with the element's constructor -
whatwg/html@7d852a3
COOP: modify redirect handling -
whatwg/html@804da31
Remove width attribute fallback from sizes calculation -
whatwg/html@140dd67
Remove allowpaymentrequest attribute -
whatwg/html@16667c3
Prevent attachInternals() use before custom element constructor -
whatwg/html@564dfd5
Add shadowRoot to ElementInternals -
whatwg/html@1076db6
Rendering: further details/summary cleanup -
whatwg/html@b3b7add
Change beforeunload, unload, and bfcache interaction -
whatwg/html@25c78e4
Move worklets into the HTML Standard
whatwg/html@f703a2c
Allow implementations to kill worklets whenever, by default
whatwg/html@de47fa3
Disallow import() in worklets -
whatwg/html@440fde8
Suggest a rootMargin strategy for lazy-loaded elements -
whatwg/html@979af15
Change modal s to be positioned via CSS -
whatwg/html@a2d27c6
Stop passing CSP algorithms unused parameters -
whatwg/html@d324d9b
Make the default "process the linked resource" algorithm a noop -
whatwg/html@0666f4e
Add cross-origin opener policy reporting -
whatwg/html@2ae50c6
Fix regression in iframe/frame loading -
whatwg/html@e4330d5
Remove AppCache -
whatwg/html@65b2af5
Gate beforeunload dialogs behind sticky activation -
whatwg/html@fee73fa
Top-level await integration -
whatwg/html@07a5b3e
Introduce the system focus concept -
whatwg/html@cbcf6ac
Make COOP+COEP not imply cross-origin isolated -
whatwg/html@4b6e5ba
Reset window.name also when opener is set to null
whatwg/html#6478 is also raising concerns
In whatwg/html#6933 (comment), I requested a warning around references to the Reporting API. Here is proposed language for that:
Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy issues. In particular, some are concerned
that the Reporting API functionality violates the W3C's hierarchy of constituencies by exposing users
to potential harms while the primary beneficiaries of the API are websites. Implementors are
encouraged to follow these issues and be aware that this functionality could change or be removed as
those discussions progress.
background: this is part of a proposed plan based on a conversation between PING chairs/TC and @plehegar:
[[
- PING will draft warning language. If it makes conclusions re: the reporting API (and, IMHO, it does not need to - it need only refer to 'unresolved concerns about privacy et. al., which might require breaking changes to resolve') @plehegar will want to run it by WebPerf.
- @plehegar will sort out the mechanics for how to display that on the snapshots.
- @plehegar try to get the HTML WG engaged on the discussion re: adding sec/priv sections to these docs, meaning the charter issues (and possibly/probably the doc issues) are still open.
]]
In particular, some are concerned
that the Reporting API functionality violates the W3C's hierarchy of constituencies by exposing users
to potential harms while the primary beneficiaries of the API are websites.
Imho, I don't think we should be specific about concerns related to the Reporting API. If there is an issue opened against the Reporting API related to this concern, we could link to it.
So, how about:
Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy issues (e.g. @@link to specific issues?). Implementors are
encouraged to follow these issues and be aware that this functionality could change or be removed as
those discussions progress.
cc @yoavweiss
Fine with me. @pes10k ?
a-ok with me too
I'd like to know what specific issues are involved here before adding random warnings to HTML. Looking through Reporting's issues, I found w3c/reporting#168 and w3c/reporting#194
w3c/reporting#194 seems reasonable and the concerns raised there is that delayed reporting could reveal information about the user (e.g. show that they changed networks). But, the solution to this issue is simply to avoid sending delayed reports or condition them e.g. on lack of network changes, and most likely won't involve an API change.
w3c/reporting#168 OTOH is an issue where @pes10k argues that Reporting is somehow special and requires a permission (contrary to many other web platform features that traditionally performed a similar role and do not require permissions: image requests on dismissal events, beacon, <a ping> and Fetch keep-alive are a few that come to mind).
The thread includes a lot of evidence supporting Reporting's role in helping provide users with a more secure web, but it seems like nothing short of accepting @pes10k's premise and requirements would be sufficient and no amount of evidence would be convincing enough. As such, I don't see why we need to litter the HTML spec with pointers to that discussion.
Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy issues (e.g. @@link to specific issues?).
I'd object to calling w3c/reporting#168 "unresolved privacy issues". They seem to be "unsubstantiated privacy concerns" at best.
@yoavweiss Both 168 and 194 are in scope. You might well be right that the ultimate conclusion of 168 will be that @pes10k is "in the rough". In the meantime, though, that discussion looks unresolved. And there's also 194.
Would you prefer we merely say "unresolved discussions" without even characterizing them as "privacy"?
[Adding merely as context: Reporting API is pre-CR. The doc has been around since 2016; the last WD was published in 2018. The doc is in the WebPerf WG, and yoavweiss is one of the WebPerf co-chairs.]
Either "unresolved discussions" or "unresolved privacy-related discussions" works for me. (assuming that the HTML editors are fine with this)
I believe the compromise for the warning note is:
Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy-related discussions. Implementors are
encouraged to follow these discussions and be aware that this functionality could change or be removed as
those discussions progress.
(I added a link to the open privacy related issues in the reporting repo)