[wg/css] CSS Working Group Charter

[svgeesus]

New charter proposal, reviewers please take note.

Charter Review

Charter:

If applicable:
diff from previous charter and diff from template

chair dashboard

What kind of charter is this? Check the relevant box / remove irrelevant branches.

• Existing

• Existing WG recharter

Communities suggested for outreach:

Known or potential areas of concern:

Where would charter proponents like to see issues raised? CSSWG issue

Anything else we should think about as we review?

Note: proposed chairs should be copied @... on this issue.

@astearns @atanassov

[ruoxiran]

There is an extra < in section 1. There are no other comments from APA.

[himorin]

no comment or request from i18n, with great thanks for all of your works!

[svgeesus]

Thanks, typo fixed

[svgeesus]

@simoneonofri any security comments? @plehegar any comments from PING?

[simoneonofri]

Hi, @svgeesus, on the charter, it's indicated the need for Security Considerations, and that's fine.
I'm quickly looking at the various deliverables.

There are quite a few, and in general, as written in the various Security Considerations.

To summarize.

Common Threats / Attacks

Information Disclosure (aka Information Leakage)

on several levels (say Infokeak is a Security-Privacy hybrid threat):

• Installed fonts: e.g. the font-face then device information, or coeme @media, @support
• Visited Links: other times in combination with JavaScript leak on user navigation or via CSS Paint
• User Dictionary: as for [pseudo-elements](pseudo
• Images via Timing Attack

Perhaps we can consider it more at the implementation level, infoleak leading to memory corruption, as is specified Transitions, and it would be useful to specify good standards at the implementation level, as happened on WebGPU?

Tampering Data

• CSS Injection, in general
• Loading files from the local network/internet? e.g., Cascading and Inheritance, Values and Units

If we use STRIDE, we also have Spoof Identity, Repudiation, DoS, and Elevation of Privilege. I'm pondering whether they can be applied to CSS as well, if you think of this model, broadly speaking, can you think of anything? (e.g., for DoS, we often implement limitations so as not to saturate resources)

Security Considerations

Some deliverables:

• Still need Security Considerations, e.g., CSS Speech Module
• Have the statement “This specification introduces no new privacy leaks, or security considerations beyond ‘implement it correctly’” e.g., Writing Modes. The directives for correct implementations are specified somewhere, such as in Transforms Module or on Filter Effects? I like this approach.
• Others indicate “introduces no new privacy leaks, or security considerations,” though in that case, it would be useful to point to “known” ones such as on Geometry Interfaces Module.

[svgeesus]

@simoneonofri thank you. As these are comments on individual deliverables it would be helpful to raise them on csswg repo against the relevant spec, so that they don't get lost.

On your more general points:

“introduces no new privacy leaks, or security considerations,”

I hate when people write that, such a bold and unsubstantiated claim. Instead I encourage

No privacy concerns have been raised against this specification
No security concerns have been raised against this specification

In other words statements which are provably true or false.

Some old/unmaintained specs still have one section for both Privacy and Security, or indeed no section at all; I fix these as they get published to /TR.

[simoneonofri]

@svgeesus thank you for your answer.

In general, I think that raising concerns, it seems more an "external" think, even if this should be a joint work between the specs developer and security experts.

And it can make sense that there are no new considerations, but it can be good a reference to the old one.\

However there are some points maybe we should work on, I'll write to the Strategy Team.

[svgeesus]

@tjwhalen any comments on this draft charter from a privacy perspective?

[plehegar]

PING is not yet fine.

[plehegar]

(from PING) There has a batch of issues related to privacy. Was there progress by the CSS WG? In particular on the font fingerprinting front.
Also, media queries did not have a privacy review since 2020. What's the plan to move media queries forward?

[tjwhalen]

@tjwhalen any comments on this draft charter from a privacy perspective?
To build on @plehegar's comments, based on my quick read and helpful discussion from #privacy-reviews (thx Jeffrey Yasskin):

• given the concerns around outstanding privacy issues, the charter should be explicit about planned work: which modules do you expect to work on, create new levels of, and/or advance to CR?
• the charter also should establish a link between the "Classification" in css-2024 through css-2026 and the ED/WC/CR state of the associated specification. In regard to media queries (mentioned above): https://drafts.csswg.org/css-2024/#experimental indicates that most non-CR features aren't intended to be released widely, but it seems to be out of date for media queries: https://caniuse.com/?search=prefers

Thanks for taking time to solicit my comments, particularly as they're at a late stage (and I may be lacking some context, having just shown up!).

[svgeesus]

(from PING) There has a batch of issues related to privacy. Was there progress by the CSS WG? In particular on the font fingerprinting front.

Of those 10, six are flagged "close?".

On the font issue, we thought we had broken the impasse between I18n ("doing this breaks the Web for readers of minority languages") and PING ("no increase in fingerprintable entropy is acceptable for any reason") with some new wording that I18n thought was much better, but PING still said no. Effectively, each horizontal group is happy to throw the other group's users under a bus.

I will look into the MQ situation.

[svgeesus]

This one

• [css-color-5] Question regarding on deman download of ICC file csswg-drafts#7597

was responded to and the commenter was satisfied in 2022 and is still not closed. While this one

• [css-color-4] Prevent fingerprinting with deprecated system colors csswg-drafts#3873

was resolved in 2020 and again, not closed for some reason 4 years later. A bit of tidying up on the PING side would be very welcome.

[svgeesus]

Also, media queries did not have a privacy review since 2020. What's the plan to move media queries forward?

The list of changes since the 2021 WD is very small, which is probably why a re-review was not requested. However, perhaps in consequence, it still has one Privacy and Security section. There does not seem yet to be consensus on

• [mediaqueries] Suggestion: "prefers-pointer-location" csswg-drafts#7872

I will discuss with @frivoal at TPAC

[svgeesus]

I will look into the MQ situation.

I tagged some MQ5 issues with https://github.com/w3c/csswg-drafts/labels/privacy-tracker

[simoneonofri]

@simoneonofri thank you. As these are comments on individual deliverables it would be helpful to raise them on csswg repo against the relevant spec, so that they don't get lost.

we can catch during the various transition requests

On your more general points:

“introduces no new privacy leaks, or security considerations,”

I hate when people write that, such a bold and unsubstantiated claim. Instead I encourage

No privacy concerns have been raised against this specification
No security concerns have been raised against this specification

In other words statements which are provably true or false.

In general, the issue is, has anyone asked within the WG what are the Privacy and Security Considerations?
It's not easy when you're in the “I'm building something” mode to figure out “what could go wrong,” but in general on the CSS side there's a lot of fingerprinting, as they also pointed out from PING and that also has an impact often at the Security level, particularly when we go to work on the GPU.
Probably a correct statement could be “According to the Threat Model (link to threat model), these are the residual threats we have, or I don't sound new threats compared to the general model.”
Step by step we will get there :)

Some old/unmaintained specs still have one section for both Privacy and Security, or indeed no section at all; I fix these as they get published to /TR.

Thank you!

[svgeesus]

Probably a correct statement could be “According to the Threat Model (link to threat model), these are the residual threats we have, or I don't sound new threats compared to the general model.”

I didn't follow the "I don't sound" part. Autocorrect?

[simoneonofri]

s/sound/found/ :)

[astearns]

@svgeesus we resolved yesterday to adopt intersection observer

https://log.csswg.org/irc.w3.org/css/2024-09-26/#e1651268

Could you add this to the upcoming charter?

[astearns]

(support for this move: #457 (comment) )

[svgeesus]

Could you add this to the upcoming charter?

Will do!

[plehegar]

Several of us sat down last week to figure out how to move forward on fonts fingerprinting issue (see also Fonts, Privacy, and Not Breaking the Web). @svgeesus agreed to make a new pull request to attempt to resolve the matter. However, I don't believe the charter has to block on resolving this issue.