HTML Review Draft — Published 18 January 2021: review tracker

[siusin]

This is a review tracker of HTML Review Draft — Published 18 January 2021.

Requested

• A11y
• I18n
• Privacy (6933, 6934)
• TAG
• Security

Important Changes between Jan 2020 and Jan 2021

Accessibility?

• whatwg/html@db55877
  Allow heading content within legend and summary elements

• whatwg/html@ffc5c53
  Do not use tabindex to determine interactive content

• whatwg/html@f7a3dcc
  Allow setting default accessibility semantics for custom elements

I18N?

• whatwg/html@21b5234
  Make document's character encoding reflect byte order mark

• whatwg/html@5bad12a
  Allow autocomplete="username" with

• whatwg/html@884dfc4
  Make hidden input charset checks case insensitive

Security & Privacy?

• whatwg/html@931ecf4
  Prevent [[CryptographicNonce]] from being emptied

• whatwg/html@e910f6a
  Prevent downloads in <iframe sandbox> by default

• whatwg/html@1529ed1
  Correct CrossOriginProperties and callers

• whatwg/html@4b3c4ff
  Use same origin-domain when initializing a document

• whatwg/html@9115e58
  Update worker global scope's owner set earlier

• whatwg/html@e9fbde0
  Add referrerpolicy="" to img's relevant mutations

• whatwg/html@c9fddd7
  Add cross-origin opener policy

• whatwg/html@70b8bb4
  Add cross-origin embedder policy

• whatwg/html@c9d8983
  Add the cross-origin isolated primitive

• whatwg/html@f781a90
  Introduce the "cross-origin-isolated” permission

• whatwg/html@d37f992
  Add the Origin-Isolation header

• whatwg/html@ea6b0ca
  Specify sequence of navigation failure checks

• whatwg/html@cbcf6ac
  Make COOP+COEP not imply cross-origin isolated

Architecture?

• whatwg/html@a511341
  Add more checks when matching SharedWorkerGlobalScopes

• whatwg/html@0283e9e
  Add "lazy loading images”

• whatwg/html@344798b
  Fix the entry settings object for promise callbacks

• whatwg/html@f425515
  Navigation: avoid processing a response twice

• whatwg/html@9b8f636
  is to be rendered as a replaced element

• whatwg/html@7fe9953
  Stop mapping <iframe hspace/vspace> to style

• whatwg/html@760a144
  BroadcastChannel: move destination close flag

• whatwg/html@9d7a82c
  Add connected check to input/change events for checkboxes/radios

• whatwg/html@916a923

• Define the top-level origin of an environment settings object

• whatwg/html@7eef537
  Remove one "mark paint timing call" in update the rendering

• whatwg/html@c747ce0
  Fire an error event for parse errors when constructing SharedWorker

• whatwg/html@203842a
  Layering: Implement HostEnqueuePromiseJob

• whatwg/html@2053069
  Note how orientation metadata affects naturalWidth/Height

• whatwg/html@80e087c
  Do not throw when cloning %ObjectPrototype%

• whatwg/html@c76e86c
  Convert "queue a task" to "queue an element task"

• whatwg/html@cd59059
  Clean up the event loop and agent correspondence

• whatwg/html@12a2a56
  Make all agent allocation imperative

• whatwg/html@b954ac0
  Change "scripting is disabled" to be per-global

• whatwg/html@5e7d606
  Disentangle images loading on-demand from scripting

• whatwg/html@af228b2
  Remove the title argument from registerProtocolHandler()

• whatwg/html@6144c0c
  Prevent execution of (some) scripts moving between documents

• whatwg/html@caebee3
  Stop dispatching invalid on

• whatwg/html@49962ba
  Define height attribute for thead, tbody, and tfoot elements

• whatwg/html@72a6f17
  registerProtocolHandler(): only "https" schemes for the handler

• whatwg/html@9deddcd
  registerProtocolHandler() cleanup

• whatwg/html@351d56a
  Specify image lazy loading in terms of IntersectionObserver

• whatwg/html@9e77887
  Add <link disabled>

• whatwg/html@bb0bcac
  Fix sandboxing flags handling in browsing context creation

• whatwg/html@f913be0
  Expose Worker and SharedWorker less

• whatwg/html@db2ce7e
  Change request destinations of nested navigations

• whatwg/html@31b264a
  Redo top-level origin and add top-level creation URL

• whatwg/html@c9fddd7
  Add cross-origin opener policy

• whatwg/html@70b8bb4
  Add cross-origin embedder policy

• whatwg/html@bb864bd
  Define "secure context”

• whatwg/html@c9d8983
  Add the cross-origin isolated primitive

• whatwg/html@231538d
  Add <iframe> lazyloading

• whatwg/html@a2294a9
  Change MessagePort owner from incumbent to current

• whatwg/html@81d7284
  Add the manifest link relation

• whatwg/html@63a0e64
  Fire a load event for network errors in

• whatwg/html@898a25e
  Introduce the navigation params struct

• whatwg/html@82a0784
  Do not delay the load event for aborted media loads

• whatwg/html@ac285c0
  Sanitize classic script's base URL when muted errors flag is set

• whatwg/html@230af41
  Adjust registerProtocolHandler() handling

• whatwg/html@c7c6b17
  Remove HTTPS state

• whatwg/html@2333203
  Add preservesPitch to HTMLMediaElement

• whatwg/html@a1ad979
  Extend "window open steps" to observe COOP

• whatwg/html@4191e0c
  Define the foundations of find-in-page

• whatwg/html@e991e2f
  Remove user override of window.open() in a sandbox

• whatwg/html@f781a90
  Introduce the "cross-origin-isolated” permission

• whatwg/html@97c73c3
  Add MIME type checking for HTTP(S) worker scripts

• whatwg/html@40e3868
  Remove the dragexit event

• whatwg/html@3c52fe1
  Allow mutating

• whatwg/html@539f4e8
  Fix contradictory missing value default for formmethod=“"

• whatwg/html@b417e88
  Fire "input" events as composed

• whatwg/html@bd32618
  Define X-Frame-Options processing

• whatwg/html@8c90eb6
  Augment COEP violation report

• whatwg/html@d37f992
  Add the Origin-Isolation header

• whatwg/html@ea6b0ca
  Specify sequence of navigation failure checks

• whatwg/html@c8d5ad3
  Set "destination" of requests from

• whatwg/html@ed61fda
  Resolve whenDefined()'s promise with the element's constructor

• whatwg/html@7d852a3
  COOP: modify redirect handling

• whatwg/html@804da31
  Remove width attribute fallback from sizes calculation

• whatwg/html@140dd67
  Remove allowpaymentrequest attribute

• whatwg/html@16667c3
  Prevent attachInternals() use before custom element constructor

• whatwg/html@564dfd5
  Add shadowRoot to ElementInternals

• whatwg/html@1076db6
  Rendering: further details/summary cleanup

• whatwg/html@b3b7add
  Change beforeunload, unload, and bfcache interaction

• whatwg/html@25c78e4
  Move worklets into the HTML Standard
  whatwg/html@f703a2c
  Allow implementations to kill worklets whenever, by default
  whatwg/html@de47fa3
  Disallow import() in worklets

• whatwg/html@440fde8
  Suggest a rootMargin strategy for lazy-loaded elements

• whatwg/html@979af15
  Change modal s to be positioned via CSS

• whatwg/html@a2d27c6
  Stop passing CSP algorithms unused parameters

• whatwg/html@d324d9b
  Make the default "process the linked resource" algorithm a noop

• whatwg/html@0666f4e
  Add cross-origin opener policy reporting

• whatwg/html@2ae50c6
  Fix regression in iframe/frame loading

• whatwg/html@e4330d5
  Remove AppCache

• whatwg/html@65b2af5
  Gate beforeunload dialogs behind sticky activation

• whatwg/html@fee73fa
  Top-level await integration

• whatwg/html@07a5b3e
  Introduce the system focus concept

• whatwg/html@cbcf6ac
  Make COOP+COEP not imply cross-origin isolated

• whatwg/html@4b6e5ba
  Reset window.name also when opener is set to null

[plehegar]

whatwg/html#6478 is also raising concerns

[samuelweiler]

In whatwg/html#6933 (comment), I requested a warning around references to the Reporting API. Here is proposed language for that:

Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy issues. In particular, some are concerned
that the Reporting API functionality violates the W3C's hierarchy of constituencies by exposing users
to potential harms while the primary beneficiaries of the API are websites. Implementors are
encouraged to follow these issues and be aware that this functionality could change or be removed as
those discussions progress.

[plehegar]

background: this is part of a proposed plan based on a conversation between PING chairs/TC and @plehegar:
[[

• PING will draft warning language. If it makes conclusions re: the reporting API (and, IMHO, it does not need to - it need only refer to 'unresolved concerns about privacy et. al., which might require breaking changes to resolve') @plehegar will want to run it by WebPerf.
• @plehegar will sort out the mechanics for how to display that on the snapshots.
• @plehegar try to get the HTML WG engaged on the discussion re: adding sec/priv sections to these docs, meaning the charter issues (and possibly/probably the doc issues) are still open.
  ]]

cc @LJWatson @hober @sideshowbarker @siusin

[plehegar]

In particular, some are concerned
that the Reporting API functionality violates the W3C's hierarchy of constituencies by exposing users
to potential harms while the primary beneficiaries of the API are websites.

Imho, I don't think we should be specific about concerns related to the Reporting API. If there is an issue opened against the Reporting API related to this concern, we could link to it.

So, how about:

Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy issues (e.g. @@link to specific issues?). Implementors are
encouraged to follow these issues and be aware that this functionality could change or be removed as
those discussions progress.

cc @yoavweiss

[samuelweiler]

Fine with me. @pes10k ?

[pes10k]

a-ok with me too

[yoavweiss]

I'd like to know what specific issues are involved here before adding random warnings to HTML. Looking through Reporting's issues, I found w3c/reporting#168 and w3c/reporting#194

w3c/reporting#194 seems reasonable and the concerns raised there is that delayed reporting could reveal information about the user (e.g. show that they changed networks). But, the solution to this issue is simply to avoid sending delayed reports or condition them e.g. on lack of network changes, and most likely won't involve an API change.

w3c/reporting#168 OTOH is an issue where @pes10k argues that Reporting is somehow special and requires a permission (contrary to many other web platform features that traditionally performed a similar role and do not require permissions: image requests on dismissal events, beacon, <a ping> and Fetch keep-alive are a few that come to mind).
The thread includes a lot of evidence supporting Reporting's role in helping provide users with a more secure web, but it seems like nothing short of accepting @pes10k's premise and requirements would be sufficient and no amount of evidence would be convincing enough. As such, I don't see why we need to litter the HTML spec with pointers to that discussion.

Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy issues (e.g. @@link to specific issues?).

I'd object to calling w3c/reporting#168 "unresolved privacy issues". They seem to be "unsubstantiated privacy concerns" at best.

[samuelweiler]

@yoavweiss Both 168 and 194 are in scope. You might well be right that the ultimate conclusion of 168 will be that @pes10k is "in the rough". In the meantime, though, that discussion looks unresolved. And there's also 194.

Would you prefer we merely say "unresolved discussions" without even characterizing them as "privacy"?

[Adding merely as context: Reporting API is pre-CR. The doc has been around since 2016; the last WD was published in 2018. The doc is in the WebPerf WG, and yoavweiss is one of the WebPerf co-chairs.]

[yoavweiss]

Either "unresolved discussions" or "unresolved privacy-related discussions" works for me. (assuming that the HTML editors are fine with this)

[plehegar]

I believe the compromise for the warning note is:

Notice: the (above / below) functionality hooks into the Reporting API, which is a not-yet-standardized
work in progress at W3C and which has unresolved privacy-related discussions. Implementors are
encouraged to follow these discussions and be aware that this functionality could change or be removed as
those discussions progress.

(I added a link to the open privacy related issues in the reporting repo)