| 10:33 | <freddy> | interesting paper, "WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms" pre-print at https://arxiv.org/abs/2201.01649. They use proof assistant and formalized model to identify security invariants in the web platform |
| 10:35 | <Ms2ger 💉💉💉> | Did they find any? 😅 |
| 12:00 | <zcorpan> | Ms2ger 💉💉💉: freddy: "The mismatch between the access control policies in the DOM and the cookie jar allows a script running in an iframe to access the document.cookie property of the parent page when both pages set document.domain to the same value." |
| 12:01 | <zcorpan> | not sure that's a novel attack though |
| 12:03 | <zcorpan> | the next sentence is "Once the inner frame performs a set cookie of a host-prefix cookie through the parent page DOM, the browser uses the original domain value of the parent page to perform the host prefix checks, breaking the invariant." |
| 12:06 | <freddy> | So, for academics, the title "towards" basically hints at that. I think the main achievement is being able to generate/deduce bugs, even if they are known edge cases. |
| 12:10 | <zcorpan> | interesting point about restricting Trusted Types to secure contexts created an easy bypass |
| 12:31 | <annevk> | How did that create an easy bypass? |
| 14:03 | <zcorpan> | annevk: you can frame from an insecure context |
| 14:03 | <zcorpan> | annevk: https://github.com/w3c/trusted-types/issues/259#issuecomment-630863753 |
| 14:06 | <zcorpan> | TabAtkins: ping https://github.com/whatwg/html/pull/8175 :) |
| 14:09 | <TabAtkins> | I'm still on vacation until Friday |
| 14:10 | <zcorpan> | TabAtkins: ok, enjoy your vacation :) Would you like a ping next week? |
| 14:10 | <TabAtkins> | Yes, please! |
| 18:20 | <wanderview> | anyone in here active on mastodon? I'm looking to increase my coverage of web standards discussion there as I'm less active on twitter... (I'm at wanderview@toot.cafe) |
| 22:50 | <zcorpan> | Bocoup is looking to hire someone with experience in web standards: https://twitter.com/bocoup/status/1590754781358084097 |
| 22:53 | <zcorpan> | wanderview: I'm https://mastodon.social/@zcorpan , maybe you've also seen this tool to find people from twitter https://glitch.com/~fedifinder |