#585: Reporting
Discussions
2021-01-Kronos
Rossen: This looks like a lot of potential PII problems.
... After a longer discussion we left a number of questions in the issue about privacy, API, naming and overall design.
2021-02-15
Rossen: some feedback since last time.
Rossen: exposing info to 3rd party by design... cross-origin 3rd party servers are included by design according to their feedback.
Peter: it's true you do need to send errors to 3rd parties... you have to be able to identify what sites have the issue...
Dan: maybe we should drill down on this privacy issue specifically?
[discussion on what to do with this]
Rossen: knowing how much scrutiny goes into reporting APIs in general in the lower parts of the OS... there is a ton of scrutiny and documentation if you want to set up a reporting system. You have to be good at tracing the reports, adhering to log requirements, privacy, compliance...
Dan: this could be used for tracking through a back-channel by unscrupulous people...
Rossen: has this come through PING or Privacy CG?
Tess: not in Privacy CG...
[discussion on privacy review]
Rossen: maybe we can dedicate an entire breakout for this? It's a large spec - we need an agenda. I want to have 3 or 4 large ticket items we want to dive deep on: privacy is one of them. And then draw a large outcome and path forward from that.
Dan: should we invite the spec authors?
Rossen: yes.
2021-05-Arakeen
Reviewed their feedback to earlier review. We're satisfied with the responses and don't see any issues.
@plinss and I took a look at this during our virtual F2F; thank you for filling out the Security and Privacy questionnaire. At this point we don't have any further comment on this; this looks OK to proceed. Thanks!
(to be validated during the rollup -> propose closing)
Opened Dec 8, 2020
HIQaH! QaH! TAG!
I'm requesting a TAG review of the Reporting API.
The Reporting API is a mechanism for web servers to tell browsers where to send errors and other information about a browsing session.
Explainer (minimally containing user needs and example code): https://github.com/w3c/reporting/blob/master/EXPLAINER.md
Specification URL: https://w3c.github.io/reporting/
Tests: Generic tests, but also feature integration tests
Security and Privacy self-review: https://github.com/w3c/reporting/blob/master/security-and-privacy-questionnaire.md
GitHub repo (if you prefer feedback filed there): https://github.com/w3c/reporting/
Primary contacts (and their relationship to the specification):
Organization(s)/project(s) driving the specification: Google
Key pieces of existing multi-stakeholder review or discussion of this specification: The Reporting API has been discussed within WebPerfWG several times; TPAC 2019 minutes, TPAC 2020 minutes, as well as issues such as https://github.com/w3c/reporting/issues/158 and https://github.com/w3c/reporting/issues/169, which have resulted in a reduced scope for the specification and changes to the header.
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
Further details:
You should also know that, while the Reporting API has shipped in Chrome for some time, and several features have integrated with it, and ReportingObserver has been reviewed by TAG, the API as a whole was never reviewed. This is relevant now as changes have been made to the scope of the API, as well as the header used and its syntax, which Chrome is looking to ship.
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback