#1173: Incubation: Connection Allowlists

Opened Nov 25, 2025

Explainer

https://github.com/WICG/connection-allowlists/

The explainer

Where and by whom is the work being done?

Feedback so far

You should also know that...

There's somewhat-related background about my general desire to break CSP in half in https://github.com/WICG/csp-next/.

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1173

Discussions

Discussed Dec 1, 2025 (See Github)

Ehsan: Haven’t finished reviewing it yet, try to do it next week.

Hadley: Are we ok on time for this one?

Ehsan: They didn’t mention any deadline on the issue.

Yves: I’ll try to take a look at that next week.

Discussed Dec 8, 2025 (See Github)

Skipped

Discussed Dec 15, 2025 (See Github)

Ehsan: Almost finished with it, but haven't finalized my review yet.

Yves: Making progress on it; no conclusion yet.

Discussed Jan 5, 2026 (See Github)

Yves: Not much progress over the holidays. Remember having a potential thing about link things through the reporting URL. e.g. add a specific site to the block list with a unique URL as the reporting URL, to link sites. Didn't have time to check if that's possible. Generally looks interesting to prevent things that happened in the past like poking open ports.

Ehsan: I read through it, and still working on my review. When you read the threat model, they don't consider the server to be the bad entity.

Yves: I thought they wanted to prevent people from scanning using the API, and it's good for that. Wondering about people misusing it for other purposes.

Ehsan: They mention side-channels, and I focused on that, but your threat is more sensible.

Yves: Mine is a kind of side-channel anyway.

Ehsan: I'm positive in general. Wanted to suggest that the proponents explain it through an example. They say CSP is not relevant, but they don't go through something concrete. Could improve the explainer, but that's minor.

Yves: Wonder if there's a way to differentiate between plain HTTPS, Web Transport, and Web Sockets. Having the intended protocol in there might be useful.

Matthew: Overall we sound positive, with suggestions for improving the explainer. (2 of those: protocol + example). Yves, you're still checking on the possible threats, and we should raise that concern. Either of you want to draft the comment?

Yves: I'll draft it this week, and Ehsan can review.

Discussed Jan 12, 2026 (See Github)

Yves: Drafted a comment, and waiting for Ehsan to add to it.

Ehsan: I'm discussing inside Samsung. I agree with your points, and will add 1-2 things, which need discussion. I'm wondering what happens if the CSP and allowlist overlap, or one is missing. Couldn't find a place that describes the conflict. They should clarify the hierarchy, which takes priority. Second, maybe it can be used to fingerprint? Looking for a concrete example, but I think it can be used.

Yves: Think fingerprinting is probably less important and probably reuses the same thing as exfiltrating data. Except maybe a timing attack, since you refuse the connection before starting it.

Ehsan: They mention something about side-channels, but they don't clarify.

Yves: Worth mentioning the possibility of problems so they can add it to the security considerations.