[css-cascade-3] Add Security & Privacy appendix

[tantek]

Please consider adding a Security & Privacy Considerations appendix, at a minimum with answers to the Security & Privacy questionnaire.

https://www.w3.org/TR/security-privacy-questionnaire/

In particular we need to at least say something about @import and CORS, and perhaps interaction with CSP. That has potential (likely) to add normative requirements for implementations. If it's "too late" to add any such normative requiements, they should at least be added as informative guidance, and then made normative in css-cascade-4.

If it helps, I can try answering it and submitting a pull request accordingly.

[SebastianZ]

This is part of issue #207.

Sebastian

[fantasai]

Let's put some actual text here.

[fantasai]

Tab committed some changes for this to https://drafts.csswg.org/css-cascade-3/#priv-sec
Agenda+ for WG review.

[svgeesus]

In general the text there looks good to me; I haven't checked much for things which should be there but are not.

Although, perhaps Script Execution could apply, if a externally imported stylesheet causes some custom code or Houdini APIs to be called? Although I think CORS would apply to that script.

[tabatkins]

I don't think Script Execution is a thing to worry about here; the worst a stylesheet can do is cause an existing defined-and-imported Houdini thing to be invoked more often that originally intended, but the page author still has to import that houdini-using thing into their page on their own, and presumably already intend to use it.

All the other bits are about loading an external sheet that didn't want to be loaded, and extracting its information from side channels; the page is the hostile actor. A hostile stylesheet can't load itself into an innocent page via any mechanism in Cascade; that relies on a failure somewhere else in the stack.

[svgeesus]

Thanks for the explanation @tabatkins makes sense to me.

[css-meeting-bot]

The Working Group just discussed Add Security & Privacy appendix.

The full IRC log of that discussion

<dael> Topic: Add Security & Privacy appendix
<dael> github: https://github.com//issues/620
<dael> TabAtkins: Request for review. Finally wrote one. We're happy with it.
<dael> astearns: Looks like chris looked and thought good
<dael> Rossen: We haven't been able to review, but will happily do it.
<dael> astearns: Are we at point of publishing?
<dael> TabAtkins: I think we are
<dael> fantasai: Yeah, were going to but relized we needed one thing. We wanted to ask WG to review this one thing before publish
<dael> astearns: Rossen would you rather we wait on publish for you to review?
<dael> fantasai: It's CR for both
<dael> fantasai: CR update
<fantasai> resolution to publish from Sydney F2F:
<dael> Rossen: I wouldn't block. We should publish. If we need to make changes we can repub
<fantasai> https://lists.w3.org/Archives/Public/www-style/2018Jul/0018.html
<dael> astearns: Have previous resolution. Would you want an updated?
<dael> fantasai: No, I think previous is fine.