jyasskin (jy): wants to describe web packaging and get feedback...
[ see slides ]
<zcorpan> Title: Web Packaging
scribe: <goes thru wpack basics, terminology>
... <goes into relationship with signed exchanges>
<wendyreid> scribe+ jeffh
scribe: <goes into unsigned package use cases...>
... <video demo...>
... the demo shows how bundled unsigned exchanges can be utilized
... <goes into signed exchange use cases>
... <goes into impl and deployment state...>
... <currently impl'g navigation to bundles...>
... <spec is in WICG, proposing WG in IETF in Nov>
... open questions:
... what's best way to prevent Distributor from handing its user ID to Publisher? Uncredentialed navigation? add attrs to <A> tag?
<kinuko> navigation to bundle fetch/navigation design: https://docs.google.com/document/d/1KFmtiE3DHgKfQH5-nKtLiacMrXsoKIXQZ-VIMGHMje0/view
scribe: how does storage work for unsigned bundles?
... Discussion? (floor open)
reymes: how does navig to signed bundles work
jy: we'll attach bundle to settings object, can trust it cuz it is signed....
... bundle is a resource with a URL, load URL
... you're asking which resource within bundle you load?
... yes, there's a manifest in bundle identifying what to load first
?: can publishers still get analytics (??)
<KenjiBaheux> analytics
<dauwhe> s/analyitics/analytics/
<KenjiBaheux> we got this
jy: <describes how it works...> they do not get http reqs for the url they signed, but if their JS reports back to their servers then they get analytics...
<hober> ack
dauwhe: <something about bundle navigation details> I can load the bundle from my local file system? will UA be able to "save a bundle" ?
kinuko: we are thinking of that
dauwhe: what about signed exchanges, it's controversial, are other UAs going to impl ?
kinuko: cant say now, we'll see
<wendyreid> scribe+ wendyreid
zcorpan: any WPTs?
kinuko: we r definitely planning to supply WPTs
zcorpan: please submit issue on WPT wrt signed exchanges
annevk: curious about the origin handling?
<KenjiBaheux> ACTION: please submit issue on WPT wrt signed exchanges
jy: the origin has to contain the pkg url and the claimed url inside the pkg
... this will perhaps introduce vulns in some non-compliant parsers. have ideas to combine and hash the two URLs... have ideas wrt storage and the origin(s), but that is not good long-term...
dauwhe: sees usecase from book world where want to have data storage for books that are bundled
... will submit issue re this
bdekoz: origin named in the pkg will have assurances wrt security/priv, how will the distributor also provide same priv assurances...
<KenjiBaheux> ACTION: dauwhe to file an issue regarding use case from book world where want to have data storage for books that are bundled
jy: dunno how to constrain distributor's priv practices. whoever links u to pkg already knows provided that to you, how you got to the distributor is visible in the way loading things on the web is today. want to make the distributor request uncred'd which will help....
... but may not be sufficient
annevk: origin question: if u want to use an unsigned bundle on your own site, can it have the same origin as your site....?
<bdekoz> official mozilla position is that SxG is considered harmful. See: https://mozilla.github.io/standards-positions/
jy: <yes> if start url is same-origin can treat it that way, but in some cases it might ought to be cross-orig untrusted bundle, might need a flag (where?) to indicate that. a 2nd flag is if we have a signed bundle and the sig expires, do you need to re-fetch bundle over the network, bundle source should perhaps help here....
... how do other UA vendors feel about the unsigned bits of this?
bdekoz: they are less controversial than the signed bits of this...
... are we treating this as a redirect (in the context of web perf WG)
jy: as a redirect, if it causes probs with internal redirect count have to figure something out -- this wud be in fetch... (bdekoz is the questioner)
raymes: <something about caching>
jy: <missed>
raymes: is bundle cached in <some special way?>
kinuko: bundled resource is cached as usual. individual contained resources are not cached.
jy: if u expose to svc wkr it is up to svc wkr (?) -- this not spec'd yet
... slides URL:
<jyasskin> slides: https://docs.google.com/presentation/d/1NZeUbnZqtoOfPMG-V8K5ntj_9snhwfFekLVQoEk9MsM/edit#slide=id.p
Present: dauwhe wendyreid zcorpan Ralph_ jeffh MasakazuKitahara duga hober domfarolino chrishtr kinuko drousso romain horo