Web Packaging

18 Sep 2019


dauwhe, wendyreid, zcorpan, Ralph_, jeffh, MasakazuKitahara, duga, hober, domfarolino, chrishtr, kinuko, drousso, romain, horo


jyasskin (jy): wants to describe web packaging and get feedback...

[ see slides ]

<zcorpan> Title: Web Packaging

scribe: <goes thru wpack basics, terminology>
... <goes into relatoinship with signed exchanges>

<wendyreid> scribe+ jeffh

scribe: <goes into unsigned package use cases...>
... <video demo...>
... the demo shows how bundled unsigned exchanges can be utilized
... <goes into signed eschange use cases>
... <goes into impl and deployment state...>
... <currently impl'g navigation to bundles...>
... <spec is in WICG, proposing WG in IETF in Nov>
... open quesiions:
... what's best way to prevent Distributor from handing its user ID to Publisher? Uncredentialed navigation? add attrs to <A> tag?

<kinuko> navigation to bundle fetch/navigation design: https://docs.google.com/document/d/1KFmtiE3DHgKfQH5-nKtLiacMrXsoKIXQZ-VIMGHMje0/view

scribe: how does storage work for unsigned bundles?
... Discussion? (floor open)

reymes: how does navig to signed bundles work

jy: we'll attach bundle to settings object, can trust it cuz it is signed....
... bundle is a resource with a URL, load URL
... you're asking which resource within bundle you load?
... yes, there's a manifest in bundle identifying what to load first

?: can publishers still get analytics (??)

<KenjiBaheux> analytics

<dauwhe> s/analyitics/analytics/

<KenjiBaheux> we got this

jy: <describes how it works...> they do not get http reqs for the url they signed, but if their JS reports back to their servers then they get analytics...

<hober> ack

dauwhe: <somehting about bundle navigation details> I can load the bundle from my local file system? will UA be able to "save a bundle" ?

kuniko: we are thinking of that

dauwhe: what about signed exchanges, it's controversial, are other UAs going to impl ?

kinuko: cant say now, we'll see

<wendyreid> scribe+ wendyreid

zcorpan: any WPTs?

kinuko: we r definitely planning to supply WPTs

zcorpan: please submit issue on WPT wrt signed exchanges

annevk: curious about the origin handling?

<KenjiBaheux> ACTION: please submit issue on WPT wrt signed exchanges

jy: the origin has to contain the pkg url and the claimed url inside the pkg
... this will perhaps intoduce vulns in some non-compliant parsers. have ideas to combine and hash the two URLs... have ideas wrt storage and the the origin(s), but that is not good long-term...

dauwhe: sees usecase from book world where want to have data storage for books that are bundled
... will submit issue re this

bdekoz: origin named in the pkg will have assurances wrt security/priv, how will the distributor also p;rovide same priv assurances...

<KenjiBaheux> ACTION: dauwhe to file an issue regarding use case from book world where want to have data storage for books that are bundled

jy: dunno how to constrain distributor's priv practices. whoever links u to pkg already knows provided that to you, how you got to the distributor is visible in the way loading things on the web is today. want to make the distirbutor request uncred'd which will help....
... but may not be sufficient

annevk: origin question: if u wan to use an unsigned bundle on your own site, can it have the same origin as your site....?

<bdekoz> official mozilla position is that SxG is considered harmful. See: https://mozilla.github.io/standards-positions/

jy: <yes> if start url is same-origin can treat it that way, but in some cases it might ought to be cross-orig untrusted bundle, might need a flag (where?) to indicate that. a 2nd flag is if we have a signed bundle and the sig expires, do you need to re-fectch bundle over the network, bundle source should erhaps help here....
... how do other UA vendors feel about the unsigned bits of this?

bdekoz: they are less controversial than the signed bits of this...
... are we treating this as a redirect (in the context of web perf WG)

jy: as a redirect, if it causes probs with inter nal redirect count have to figure something out -- this wud be in fetch... (bdekoz is the questioner)

raymes: <something about cachcing>

jy: <missed>

raymes: is bundle cached in <some special way?>

kinuko: bundled resource is cached as usual. individual contained resources are not cached.

jy: if u expose to svc wkr it is up to svc wkr (?) -- this not spec'd yet
... slides URL:

<jyasskin> slides: https://docs.google.com/presentation/d/1NZeUbnZqtoOfPMG-V8K5ntj_9snhwfFekLVQoEk9MsM/edit#slide=id.p

Summary of Action Items

[NEW] ACTION: dauwhe to file an issue regarding use case from book world where want to have data storage for books that are bundled
[NEW] ACTION: please submit issue on WPT wrt signed exchanges

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/09/19 06:08:14 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.154  of Date: 2018/09/25 16:35:56  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/dies/does/
Succeeded: s/bundle/...bundle/
Succeeded: s/?/reymes/
Succeeded: s/?:how does navig to signed bundles workreymes/reymes: how does navig to signed bundles work/
Succeeded: s/atalinux/analytics/
FAILED: s/atalinux/analytics/
Succeeded: s/atalinux/analyitics/
Succeeded: s/to have chunks of books that are bundled/to have data storage for books that are bundled/
Succeeded: s/?: /bdekoz: /
Succeeded: s/?: /bdekoz: /
Succeeded: s/?: /bdekoz: /
Present: dauwhe wendyreid zcorpan Ralph_ jeffh MasakazuKitahara duga hober domfarolino chrishtr kinuko drousso romain horo
No ScribeNick specified.  Guessing ScribeNick: jeffh
Inferring Scribes: jeffh

WARNING: No "Topic:" lines found.

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: dauwhe please

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)

[End of scribe.perl diagnostic output]