| 1 | +# SWAG Minutes - Mon 29 September 2025 |
| 2 | + |
| 3 | +Present: Dan, Florian, Will, Giovanni |
| 4 | + |
| 5 | +## Plans for survey |
| 6 | + |
| 7 | +From Simone: [paraphrased] We won't ask for e-mail but we will ask them to join the community group if they would like to be interviewed... |
| 8 | + |
| 9 | +So what is the next step? |
| 10 | + |
| 11 | +*we debate whether this will be too much friction* |
| 12 | + |
| 13 | +Will: alternative - people could respond on social media. |
| 14 | + |
| 15 | +*we agree to share the survey - and ask people to join the CG if they want to participate in further discussions* |
| 16 | + |
| 17 | +*Dan to work on text.* |
| 18 | + |
| 19 | +## PR 29 Merged |
| 20 | + |
| 21 | +https://github.com/w3c-cg/swag/pull/29 |
| 22 | + |
| 23 | +Dan: I committed Will's feedback.... |
| 24 | + |
| 25 | +## Merge PR 31? |
| 26 | + |
| 27 | +https://github.com/w3c-cg/swag/pull/31 |
| 28 | + |
| 29 | +Floran : wrote an article about SSRF |
| 30 | + |
| 31 | +Dan: *leaves positive review* |
| 32 | + |
| 33 | +*we agree good to merge* |
| 34 | + |
| 35 | +## Discussion on Passkeys? |
| 36 | + |
| 37 | +Will: next thing I want to work on is - authentication - see below - happy to get feedback. I had feedback from Martina - we should really talk about Passkeys - as they are a thing that uses web authentication. She also gave more detail and useful info that I will incorporate into the outline. So updated the outline. |
| 38 | + |
| 39 | +Dan: Anything for our own guidelines? |
| 40 | + |
| 41 | +Will: It might be good to use guidelines around authenticaiton... its own section? |
| 42 | + |
| 43 | +Dan: feels like it should be in security_guidelines.md - as a separate section. |
| 44 | + |
| 45 | +Florian: there's a new CG on credentials and authentication adopton.. Maybe nice to work together. https://www.w3.org/community/wica/ |
| 46 | + |
| 47 | +Simone: this group was an idea from webauthn wg... to promote the adoption of web authentication... a web layer for passkeys. The main problem is the developer needs to choose to use it... I have a list of different authenticaiton types - we can use that. We could also talk with Tim C. directly. |
| 48 | + |
| 49 | +Dan: I suggest we write something ... and then reach out for comment... |
| 50 | + |
| 51 | +Florian: we are working on MDN.. they are working on microsties - we can still share experience. |
| 52 | + |
| 53 | +Will: *will file a SWAG issue* I agree having another top level section in security_guidelines... is the right approach. |
| 54 | + |
| 55 | +## Concrete Attacks |
| 56 | + |
| 57 | +From Florian :"What are concrete attacks you expect to be documented for MDN readers? (web developers, library developers, etc.) |
| 58 | +The attacks we already have are listed here: https://developer.mozilla.org/en-US/docs/Web/Security/Attacks. |
| 59 | +Work in progress articles which we will have soon are: Supply chain attacks, Phishing, IDOR." |
| 60 | + |
| 61 | +New content in review, feedback appreciated: |
| 62 | +- Supply chain attack article: https://github.com/mdn/content/pull/41034 |
| 63 | +- IDOR attack: https://github.com/mdn/content/pull/41200 |
| 64 | +- JavaScript Prototype Pollution: https://github.com/mdn/content/pull/41260 |
| 65 | + - Thanks for the great feedback so far! Will try to work it in the next few days |
| 66 | +- Thinking about writing about DOM Clobbering as well |
| 67 | +- More? |
| 68 | + |
| 69 | +Florian: we're writing documentation for concrete attacks... some are still in review... Supply chain attacks is an open PR... Working on prototype pollution... Lots of feedback... One more in review - indirect object reference... |
| 70 | + |
| 71 | +*discussion on graphql and we agree not to write on this at this time* |
| 72 | + |
| 73 | +Florian: another topic - DOM clobbering attacks... Nice article from Frederick... Might quality for an MDN article as well... Coming to an end with this work... Soon going to switch to authenticaiton. |
| 74 | + |
| 75 | +## Supply chain attacks |
| 76 | + |
| 77 | +https://github.com/mdn/content/pull/41034 - merge? |
| 78 | + |
| 79 | +Dan: let me ask for some additional review... from the OpenSSF community. |
| 80 | + |
| 81 | +*we agree to give Dan a day before merging* |
| 82 | + |
| 83 | +Simone: [on threat modelling] - one of the discussions with the digital credentials API - they were complaining that I listed threats with them ... one proposal was move to a separate doc "threat model for the web"... I will reference the threats that you already have documented. |
| 84 | + |
| 85 | +... we should also talk about "the human web" the threats going to be exploited regarding the human, not only the technical things... |
| 86 | + |
| 87 | +Dan: examples? |
| 88 | + |
| 89 | +Simone: e.g. https://www.panmacmillan.com/authors/tim-berners-lee/this-is-for-everyone/9781035023677 - privacy covers covers many but there are some threats missing... e.g. attention hijacking on social networks ... deceptive patterns ... trying to publish a summary of these threat models somewhere. 3 models ... one is technical - e.g. autoplay, infinite scrolling,... there are some technical remediation... also C2PA could be a potential remediation... Article 25 in EU could be a policy remediation... |
| 90 | + |
| 91 | +Florian: we touched on this a bit - when we wrote about Phishing attacks - also a glossary entry on social engineering... https://developer.mozilla.org/en-US/docs/Glossary/Social_engineering |
| 92 | + |
| 93 | +Simone: https://www.nirandfar.com/how-to-manufacture-desire/ ... as an example ... |
| 94 | + |
| 95 | +## Authentication |
| 96 | + |
| 97 | +Plan: https://docs.google.com/document/d/1miZbXVjs070J2HH0rsDxqPnUaqNtPP51Uo8d4FU6PTk/edit?tab=t.0 . |
| 98 | + |
| 99 | + |
| 100 | +Please review |
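Review bot: several typos in the added minutes should be corrected before merging. "Floran :" should read "Florian:" (and the space before the colon dropped); "authenticaiton" appears three times (in Will's line about guidelines, in Simone's list of authentication types, and in Florian's closing remark) and should be "authentication"; "adopton" should be "adoption"; "microsties" should be "microsites"; "Might quality for an MDN article" should be "Might qualify for an MDN article"; and "privacy covers covers many" repeats a word. Separately, the trailing " ." after the Google Docs URL in the Authentication section will be swallowed into the autolink in some markdown renderers, so move the period off the URL or drop it, and collapse the two blank lines before "Please review" into one.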