From 5d38e78327bbf4ee270bc6d122dbdd169350d8b0 Mon Sep 17 00:00:00 2001 From: Rob Wu Date: Fri, 15 Oct 2021 14:12:27 +0200 Subject: [PATCH] Publish minutes of 2021-10-14 meeting --- _minutes/2021-10-14-wecg.md | 115 ++++++++++++++++++++++++++++++++++++ _minutes/README.md | 3 +- 2 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 _minutes/2021-10-14-wecg.md diff --git a/_minutes/2021-10-14-wecg.md b/_minutes/2021-10-14-wecg.md new file mode 100644 index 00000000..dfee82e9 --- /dev/null +++ b/_minutes/2021-10-14-wecg.md @@ -0,0 +1,115 @@ +# WECG Meetings 2021, Public Notes, Oct 14 + + * Chair: Tomislav Jovanovic + * Scribes: Rob Wu + +Time: 8 AM PDT = https://everytimezone.com/?t=61677300,384 +Call-in details: [WebExtensions CG, 14 October 2021 event](https://www.w3.org/events/meetings/f13adee3-d80c-4348-bc2a-64e006b0db4a/20211014T150000) +Zoom issues? ping @robwu (Rob Wu, Mozilla) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat) + + +## Agenda: [github issues](https://github.com/w3c/webextensions/issues) + + * New issues carried over from last meeting + * Queue: Do Mozilla and Google agree on main world script injection vs CSP behavior (and more in general the use cases/issues of scripting.registerContentScripts(), [Issue 103](https://github.com/w3c/webextensions/issues/103))? (Maone) (note from Rob: Giorgio was going to file an issue) + * [Document basic file structure #102](https://github.com/w3c/webextensions/pull/102) + * Legitimate use cases for blocking webRequest - [dynamic tracking protection #88](https://github.com/w3c/webextensions/issues/88) + * [request: allow to retrieve a frameID from an <iframe> element #12](https://github.com/w3c/webextensions/issues/12) + * Small update on CSP issues [Carlos Jeurissen] + * Does Apple plan to add support for urlFilter matching in the declarativeNetRequest API? [Andrey Meshkov] + * Secure communication between the main world scripts and the content script/bgpage [#77](https://github.com/w3c/webextensions/issues/77) [#85](https://github.com/w3c/webextensions/issues/85) [#78](https://github.com/w3c/webextensions/issues/78) + + +## Attendees (sign yourself in) + + 1. Tomislav Jovanovic (Mozilla) + 2. Daniel Glazman (Dashlane) + 3. Krzysztof Modras (Ghostery) + 4. Richard Worth (Capital One) + 5. Rob Wu (Mozilla) + 6. Jack Works (Sujitech) + 7. Carlos Jeurissen (Jeurissen Apps) + 8. Alexei (Privacy Badger) + 9. Nir Nahum (WalkMe) + 10. Giorgio Maone (NoScript) + 11. Bradley Cushing (Dashlane) + 12. Timothy Hatcher (Apple) + 13. Andrey Meshkov (AdGuard) + 14. Maxim Topciu (AdGuard) + 15. David Li (Google) + 16. Mukul Purohit (Microsoft) + 17. Oliver Dunk (1Password) + + +## Queue (add yourself at the bottom) + + * It would be good to invite somebody from Google who can speak about Google's MV3 SW plans. (Alexei) + * <add your topic and name here> + + +## Meeting notes + +Notes: + + * Simeon / Google is absent today; the role of chair has been delegated to Tomislav today. + * David Li has joined us to represent Google, mainly to collect questions. + +[Issue 103](https://github.com/w3c/webextensions/issues/103): Use cases and features for registerContentScripts + + * [giorgio] This API based on Mozilla's and looks promising. Rather than filing bugs here and there on crbug, it may be useful to standardize the new API across browsers, to facilitate the development of extensions without hacks in a uniform way (as detailed in the issue). + * [giorgio] main world injection is being implemented for the dynamic content scripts feature. + * [rob] If main world execution is supported, it won't be blocked by e.g. unsafe-eval, but other CSP directives such as img-src would be enforced because the script is indistinguishable from page scripts. + * [timothy] Looking at scripting API in Safari and also supporting main world execution, also respective CSP as mentioned above. + +[Issue 95](https://github.com/w3c/webextensions/issues/95): content_security_policy.content_scripts + + * [carlos] Has Mozilla implemented this, how does it work with the main world? + * [tomislav] As mentioned in the previous point, scripts run in the main world are under the same rules as the web page's CSP. + * [rob] Not implemented, we initially went for compatibility but we are willing to introduce content_security_policy for content scripts if needed. + +[PR 102](https://github.com/w3c/webextensions/pull/102): Document basic file structure + + * [tomislav] Looks good, also agree with Rob's comment about underscore at https://github.com/w3c/webextensions/pull/102#issuecomment-943306117 + * [timothy] We do not do anything special with \_ nor \_metadata. Safari does not have any reserved names (other than \_generated_background_page.html). + * [rob] Resolution is to accept the PR; The review can be done outside of this meeting. + * [carlos] Where would we document details such as reserved names? MDN? + * [tomislav] It is possible to add non-normative notes to the document. MDN is a good place for this. + +[Issue 88](https://github.com/w3c/webextensions/issues/88): Dynamic data-driven Tracking Protection not possible on Manifest V3 + + * [krzysztof] (explains issue as described in the issue) In short, dynamically replaces privacy-sensitive parts of content (path/headers/POST data), using blocking webRequest. + * [tomislav] Side note, Firefox does support blocking webRequest, so “not possible on DNR” would be more accurate than “not possible on Manifest V3”. It may also be more productive to suggest a solution rather than just stating that it's not possible. + * [timothy] Dynamic rules is 5k in Chrome, Safari does not have it yet, but we'll implement it. + * [krzysztof] The lists are too large to fit in a dynamic rule. (explains specific example about replacing identifiable tokens with something else that's privacy-preserving) + * [timothy] Acknowledges that some logic cannot be implemented with just DNR. + * [david] Krzysztof, could you mention your specific example on Github? Then we can consider better support for dynamic rules to support your use case. + * [krzysztof] Can do that, but note that it is just a specific case. There are plenty of other use cases that depend on blocking webRequest. + +[Issue 12](https://github.com/w3c/webextensions/issues/12): request: allow to retrieve a frameID from an `