15:02:21 RRSAgent has joined #webmachinelearning
15:02:25 logging to https://www.w3.org/2025/10/16-webmachinelearning-irc
15:02:25 RRSAgent, make logs Public
15:02:26 please title this meeting ("meeting: ..."), anssik
15:02:28 Meeting: WebML CG Teleconference – 16 October 2025
15:02:29 Chair: Anssi
15:02:33 Agenda: https://github.com/webmachinelearning/meetings/blob/main/telcons/2025-10-16-cg-agenda.md
15:02:37 Scribe: Anssi
15:02:41 scribeNick: anssik
15:02:47 Present+ Anssi_Kostiainen
15:02:51 Regrets+ Kenneth_Christiansen
15:02:59 Present+ Alex_Nahas
15:03:02 Present+ Brandon_Walderman
15:03:13 Present+ Davis_Shaver
15:03:21 Present+ Ehsan_Toreini
15:03:30 Present+ Jason_McGhee
15:03:43 Present+ Khushal_Sagar
15:03:43 jason has joined #webmachinelearning
15:03:50 Present+ Leo_Lee
15:03:53 zkis has joined #webmachinelearning
15:04:05 Present+ Markus_Tavenrath
15:04:12 Present+ Zoltan_Kis
15:04:19 RRSAgent, draft minutes
15:04:20 I have made the request to generate https://www.w3.org/2025/10/16-webmachinelearning-minutes.html anssik
15:04:38 Present+ Christian_Liebel
15:05:07 Present+ Tarek_Ziade
15:05:12 RRSAgent, draft minutes
15:05:13 I have made the request to generate https://www.w3.org/2025/10/16-webmachinelearning-minutes.html anssik
15:05:19 tarek has joined #webmachinelearning
15:05:25 Anssi: first, please welcome:
15:05:30 ... Fabio Bernardon from NVIDIA
15:05:42 ... Yash Kumar Gupta from Adobe
15:05:49 ... Alexandra Klepper and Mark Foltz from Google
15:05:58 ... Davis Shaver and Stephen Erickson from The Washington Post
15:06:03 ... Matthew Stewart as an individual contributor
15:06:07 ... to the WebML Community Group!
15:06:48 Davis: I'm a staff SW engineer at The Washington Post, we're identifying new business models in the AI age
15:07:42 Topic: F2F Agenda brainstorming
15:07:52 gb, this is webmachinelearning/meetings
15:07:53 anssik, OK.
15:08:00 Anssi: F2F Agenda issue #35
15:08:00 https://github.com/webmachinelearning/meetings/issues/35 -> Issue 35 WebML WG/CG F2F Agenda - TPAC 2025 (Kobe, Japan) (by anssiko)
15:08:21 Anssi: I want to discuss, review and update draft WebML WG/CG F2F Agenda based on your feedback
15:08:25 ... first, I will share the overall F2F plan for both WG and CG because many of you are participating in both groups due to synergies
15:08:32 ... note on logistics:
15:08:35 ... registration open until 3 November
15:08:59 ... meeting dates are 10-11 November 2025 (start on 9/10 for remotes in Pacific timezone!)
15:09:10 mtavenrath has joined #webmachinelearning
15:09:30 ... WG topics discussed on the first day
15:09:40 ... CG topics discussed on the second day
15:09:52 ... please export invites as .ics from:
15:09:57 -> 10 November 2025 (Working Group) https://www.w3.org/events/meetings/f63193ec-259b-4ab8-ad65-a5a6e0adf556/
15:10:01 -> 11 November 2025 (Community Group) https://www.w3.org/events/meetings/091a2581-034b-4afa-8ddc-91155bd4d710/
15:10:22 Anssi: we have good F2F participation, currently 50 in-person participants including observers, excluding remote participants
15:10:31 jason has joined #webmachinelearning
15:10:50 ... to set the expectations for the F2F meeting:
15:11:06 ... F2F is an opportunity to get to know people, including folks outside the group and the wider community
15:11:16 ... humans usually work better together when they know each other
15:11:31 ... we will not do low-level specification PR reviews on a big screen at the F2F, an async GH-driven work mode is better for that
15:12:06 ... rather we try to make resolutions and seek consensus on important issues, chart the path forward, and eat Japanese food in great company
15:12:22 Anssi: I've put up a draft to solicit feedback via comments for both TBA topics and timing to avoid scheduling conflicts as best as we can
15:13:20 Present+ Nitin_Pasumarthy
15:13:30 Present+ Rafael_Cintron
15:13:38 RafaelCintron has joined #webmachinelearning
15:14:15 Nitin: I work for LinkedIn and have been following this groups work for long, previously worked on web performance, now looking at new explorations and working on LLM and memory optimizations
15:14:52 Anssi: 11 November 2025 is the Community Group F2F, here's the top-level view:
15:15:02 ... - WebMCP
15:15:11 ... we can fit 5-6 key issues for discussion
15:15:42 ... possible other broader topics include: accessibility, security threat modeling, TAG design review, coordination with other groups e.g. AI Agent Protocol CG
15:15:48 ... for the broader topics, we may pull in participants from other groups subject to their availability
15:17:05 Rafael: I might join the WebMCP discussion
15:17:21 -> https://github.com/webmachinelearning/meetings/issues/35
15:17:21 https://github.com/webmachinelearning/meetings/issues/35 -> Issue 35 WebML WG/CG F2F Agenda - TPAC 2025 (Kobe, Japan) (by anssiko)
15:17:57 Anssi: - Built-in AI APIs:
15:18:02 ... Prompt API
15:18:04 ... Writing Assistance APIs
15:18:10 ... Translator and Language Detector APIs
15:18:15 ... Proofreader API
15:18:31 ... all these APIs are backed by on-device ML models bundled with the OS or the browser
15:18:42 ... we can cover ~2-3 key issues for each Built-in AI API
15:18:54 ... I'd propose we use `Agenda+` label to triage issues for F2F across all the CG repos
15:19:18 ... if you don't have triage permissions, please drop a comment in the F2F issue #35 and the triage team will take care of the rest
15:19:19 https://github.com/webmachinelearning/meetings/issues/35 -> Issue 35 WebML WG/CG F2F Agenda - TPAC 2025 (Kobe, Japan) (by anssiko)
15:19:43 ... we also very much welcome volunteers who'd like to pick up editor responsibilities for any of these APIs
15:20:08 ... Domenic who edited these Built-in AI APIs left them in a good shape for the new editors to continue work
15:20:14 ... please get in touch with me if you're interested in becoming an editor
15:20:36 ... Domenic also shared his design principles for these Built-in AI APIs that is useful context for all group participants interested in these APIs:
15:20:41 -> Designing the Built-in AI Web APIs by Domenic Denicola https://domenic.me/builtin-ai-api-design/
15:20:55 Anssi: my recommendation would be to aim to have two editors per spec to allow for efficient peer review
15:20:59 ... if you know someone who'd be a good fit or would like to step up yourself, please let me know via email
15:22:29 Anssi: - Proposals for new incubations
15:22:35 -> New proposals repo https://github.com/webmachinelearning/proposals
15:22:39 Anssi: in the last F2F session we will review proposed new incubations
15:23:07 ... for example, I had some out-of-band discussion with Alex and Jason about MCP-UI, and filed a proposal issue for it to explore whether and how this intersects with the web platform
15:23:49 Topic: WebMCP API
15:23:57 gb, this is webmachinelearning/webmcp
15:23:58 anssik, OK.
15:24:06 Subtopic: Elicitation
15:24:09 Anssi: issue #21
15:24:10 https://github.com/webmachinelearning/webmcp/issues/21 -> Issue 21 Elicitation (by bwalderman) [Agenda+]
15:24:32 ... at our last teleconference, we made the following resolution for this issue:
15:24:36 nitinpasumarthy has joined #webmachinelearning
15:24:36 "Tool execution should be able to start/stop yielding to the user throughout its lifecycle" -> https://www.w3.org/2025/10/02-webmachinelearning-minutes.html#b79f
15:24:47 Anssi: since then, Brandon shared an example for an imperative API that does yielding:
15:24:51 -> https://github.com/webmachinelearning/webmcp/issues/21#issuecomment-3362388408
15:24:51 https://github.com/webmachinelearning/webmcp/issues/21 -> Issue 21 Elicitation (by bwalderman) [Agenda+]
15:25:57 Brandon: the idea is that during MCP tool function call, the tool function can tell the browser it needs user interaction, nested function runs with user having full control, user expected to return result, click a button or anything, once the user has provided their input
15:26:11 ... nested function can be an async promise that returns to the assistant
15:26:27 ... follow-up discussion on concerns, Khushal brought up
15:26:46 ... the concern was a site that is abusing the API to grab user attention similar to popups
15:27:44 q+
15:27:56 ... can browser mitigate this by disallowing these tools for such abusive sites similar to popup blockers?
15:28:18 kzworld has joined #webmachinelearning
15:28:45 Brandon: interrupting too often, blocking the entire site would be possible, challenge is sites might get away at least once if we count the times it interrupts the user
15:28:45 q?
15:29:17 Brandon: "the site requires your input, allow once etc."
15:29:23 ack kush
15:29:48 Khushal: there's nothing we can change for the API for that case, we can just throw an error the user refuses to engage, if the site is abused
15:30:18 ... the first time this happens we ask the user to intervene, similarly to what happens with popups, state persists for blocking a site that has been misbehaving
15:30:19 q?
15:30:34 ... overall happy with the API shape, any mitigations are implementation-dependent, do not require API change
15:32:01 Jason: is there already a request this will happen similarly microphone access?
15:33:36 Brandon: I think the point was about what is the permission prompt in the browser
15:34:02 ... there's two points where the user may need to prompt for permission, whether to allow the site to use tools, and whether to allow those tools to pause and require user input, two separate prompts
15:35:02 q+
15:35:04 Khushal: I was hoping we could resolve this with API shape, does it make sense to surface error to the user
15:35:43 ... falling back to the previous behavior seems like the best path
15:35:47 ack brwalder
15:36:31 Brandon: I think it is worth letting this API throw an error, that gives legitimate sites, for the tool to respond, and assistant take a appropriate actions, stop or take an alternative path
15:36:53 ... important to be able to throw an error, otherwise neither the site nor the agent knows it is unable to complete the task
15:37:12 Khushal: the assistant would know, as it is built into the browser?
15:37:30 Brandon: good point, I guess by throwing an error allows developers to customize the behaviour
15:37:44 ... all the browser assistant knows is that the task can't continue
15:38:02 ... if the web developer can catch the error, s/he can implement fallback behaviour
15:38:05 q?
15:38:20 Khushal: no strong opinion on this design point
15:38:40 ... first time the user indicates to the browser the site is abusive is the first time the error is thrown
15:39:09 Brandon: different buttons, is "this site is abusive, I never want to interact with it" an option
15:39:34 Khushal: similar to popups, never allow this site to create popups
15:40:54 sgtm
15:41:22 +1
15:41:53 +1
15:42:07 RESOLUTION: requestUserInteraction API implementation should give user an option to block abusive sites permanently but throw an error to developers so legitimate sites can implement fallback behaviour.
15:42:17 Subtopic: Interleaving interaction
15:42:26 Anssi: issue #20 (related to elicitation #21)
15:42:27 https://github.com/webmachinelearning/webmcp/issues/20 -> Issue 20 Interleaving user and Agent interaction with the site (by khushalsagar) [Agenda+]
15:42:27 https://github.com/webmachinelearning/webmcp/issues/21 -> Issue 21 Elicitation (by bwalderman) [Agenda+]
15:42:43 Anssi: Khushal notes agents doing UI actuation would generally allow only one actor, user or agent, to interact with a site
15:42:53 ... the question is, how to interleave user and agent interaction?
15:43:05 ... elicitation seems to address part of this problem and it looks like we don't have a concrete use case for interleaving, Khushal?
15:43:10 q+
15:43:20 ... Khushal, do you think we should rescope this issue to the option 2 where the user "takes over" in the middle of the tool execution?
15:43:23 ... or should we close this issue?
15:43:25 ack kush
15:44:02 Khushal: I'm OK closing this, this came to my mind when elicitation was discussed, came up with option 2
15:46:00 The group did not identify a concrete use case for informing sites when users decide to take over in the middle of a tool execution. Elicitation issue #21 considers the case where the site explicitly passing over control to the user to interact.
15:46:56 RESOLUTION: The group did not identify a concrete use case for informing sites when users decide to take over in the middle of a tool execution. Elicitation issue #21 considers the case where the site explicitly passing over control to the user to interact.
15:47:07 RRSAgent, draft minutes
15:47:08 I have made the request to generate https://www.w3.org/2025/10/16-webmachinelearning-minutes.html anssik
15:47:22 Subtopic: Prompt injection
15:47:26 Anssi: issue #11
15:47:27 https://github.com/webmachinelearning/webmcp/issues/11 -> Issue 11 Prompt injection (by bwalderman) [Agenda+]
15:47:31 ... I consider this a high priority issue due to security implications
15:47:44 ... if you're aware of security experts in this domain willing to help, please loop them in
15:47:57 ... Brandon, thanks for opening this issue to explore mitigations to the "lethal trifecta"
15:48:01 ... this is well documented in the Simon Willison's blog post and talk:
15:48:06 -> The lethal trifecta for AI agents https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
15:48:14 -> Lethal Trifecta talk at the Bay Area AI Security Meetup https://simonwillison.net/2025/Aug/9/bay-area-ai/
15:48:27 Anssi: Lethal Trifecta refers to combination of 3: private data, untrusted content, and external communication
15:48:41 Anssi: Jason shared another great reference, Brave's blog post about the Comet browser by Perplexity:
15:48:45 -> Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet https://brave.com/blog/comet-prompt-injection/
15:49:04 Anssi: the same threats and risks MCP is exposed to apply to WebMCP too in broad strokes, I believe
15:49:14 Anssi: I expect us to track developments in the broader agentic AI ecosystem and adapt emerging mitigations to our work
15:49:23 ... talking of mitigations and solutions:
15:49:40 ... Alex proposed an interesting clipboard feature as a mitigation that he also proposed to the official MCP spec, Brandon +1'd this approach
15:49:45 -> Spec Proposal: Give Clients a Clipboard https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/960
15:49:46 https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/960 -> Discussion 960 Spec Proposal: Give Clients a Clipboard (by MiguelsPizza)
15:49:48 q?
15:51:34 Alex: couple of versions of the Clipboard idea, a way to mitigate large pieces of context, sensitive things such as PII
15:51:58 ... responses can be sent to client-manager clipboard that can be read from, when read, triggers elicitation event
15:52:13 ... user has to explicitly say you can paste this information to another site
15:52:38 ... lethal trifecta untrusted content is not fixed by this, but provides some level of mitigation, happy to talk about this more
15:52:53 ... MCP community is iterating on mitigation prompt injection
15:53:55 q+
15:53:59 ack kush
15:54:09 Khushal: is there an issue on MCP spec that discusses this?
15:54:31 ... it sounds like the API change would probably happen in MCP first and we'd embrace it then in WebMCP
15:54:39 q+
15:54:55 ... if you have thought how this information is presented to model, there's some identifier that tells you have access to user's name, for example
15:55:07 ... "can you pass the user's name to this another cross-origin tool"
15:55:26 ... I'm wondering if the tool output that comes from some origin, is able to have identifiers to sent to the model
15:55:54 Alex: there's discussions about this on MCP Discourse and elsewhere, I will put a summary in the WebMCP issue
15:56:22 ... the identifier, in my implementation, is a key, key-value store is just a URL, sensitive value has time-to-live
15:56:44 ... all it sees is description and some metadata like "this is social security number coming from X"
15:56:46 q?
15:56:51 ack AlexN
15:57:22 q?
15:57:23 qcomp has joined #webmachinelearning
15:57:45 Subtopic: Declarative API
15:57:51 Anssi: issue #22 and PR #26
15:57:52 https://github.com/webmachinelearning/webmcp/issues/22 -> Issue 22 Declarative API Equivalent (by EisenbergEffect)
15:57:52 https://github.com/webmachinelearning/webmcp/pull/26 -> Pull Request 26 add explainer for the declarative api (by MiguelsPizza)
15:57:56 ... we discussed this a month ago in our meeting:
15:57:59 -> [18 September 2025] Declarative API https://www.w3.org/2025/09/18-webmachinelearning-minutes.html#553a
15:58:12 Anssi: since our last review, we've received feedback via both GH issue and PR, let's discuss both, first issue feedback, then PR review comments
15:58:27 ... in issue #22 Tom and Brandon had an exchange how this fits in with MCP service discovery crawlers
15:58:39 ... Brandon pointed out the Capability Discovery issue #8 is related, for which we made the following resolution:
15:58:40 https://github.com/webmachinelearning/webmcp/issues/8 -> Issue 8 Should tools be a means for capability discovery? (by bokand)
15:58:50 -> "The group wants to make the tools be part of the discovery mechanism and continues to explore and prototype API shapes that satisfy this requirement. This includes the declarative API proposal that complements the imperative API, as well as the JSON manifest, with pros/cons documented" https://www.w3.org/2025/10/02-webmachinelearning-minutes.html#da4c
15:58:57 Anssi: then Brandon asks:
15:59:04 ... "should crawlers rely on a site's toolset to understand its capabilities?"
15:59:15 ... "Or, should sites have a high-level description of their capabilities (e.g. "This is a photo editing app") in the HTML or in a known location that crawlers can access?"
15:59:54 -> https://github.com/webmachinelearning/webmcp/issues/22#issuecomment-3325672899
15:59:54 https://github.com/webmachinelearning/webmcp/issues/22 -> Issue 22 Declarative API Equivalent (by EisenbergEffect)
16:00:49 Brandon: I was relating this issue to issue #8 by David, it sounds like Google has put more thought on this, not much to add right now
16:01:27 Anssi: in PR #26 Brandon asked was reusing ARIA attributes instead of introducing new tool-* attributes considered?
16:01:55 Khushal: I think what's proposed in the issue is different, which HTML content to expose to the agent, the fact the attributes map to an imperative API is a good design
16:03:48 ... concern in the issue was to not ship imperative only API without declarative API
16:04:40 Topic: Built-in AI APIs
16:04:59 Anssi: as the last topic, I'd like to have a discussion on the Built-in AI APIs, future directions, editorship transitions
16:05:09 ... these APIs are at different level of maturity, some are shipping while some are at their explainer stage
16:05:11 ... here's the current spec and implementation status:
16:05:32 ... - Prompt API has a spec and explainer, ships for Extensions only in Chrome 138, Dev Preview in Edge 138
16:05:47 ... - Writing Assistance APIs has a spec and explainer, Origin Trial in Chrome 137-142, Dev Preview in Edge 138
16:05:59 ... - Translator and Language Detector APIs has a spec and explainer, ships in Chrome 138
16:06:04 ... - Proofreader API has an explainer
16:06:12 ... please double-check the implementation status from the canonical sources:
16:06:16 -> https://developer.chrome.com/docs/ai/built-in-apis
16:06:20 -> https://learn.microsoft.com/en-us/microsoft-edge/web-platform/prompt-api
16:06:24 -> https://learn.microsoft.com/en-us/microsoft-edge/web-platform/writing-assistance-apis
16:07:08 RRSAgent, draft minutes
16:07:09 I have made the request to generate https://www.w3.org/2025/10/16-webmachinelearning-minutes.html anssik
16:14:31 s/groups work/group's work
16:19:39 s/legitimate sites, for the tool/legitimate sites with tools
16:19:59 s/take a appropriate actions/take an appropriate action
16:20:35 s/by throwing an error/throwing an error
16:21:23 s/different buttons/browser UI could provide different buttons
16:23:02 s/client-manager/client-managed
16:24:45 s/time-to-live/time to live (TTL)
16:25:51 s/have a discussion on the/share an update on the
16:25:55 RRSAgent, draft minutes
16:25:56 I have made the request to generate https://www.w3.org/2025/10/16-webmachinelearning-minutes.html anssik
18:02:29 Zakim has left #webmachinelearning
18:25:11 qcomp has joined #webmachinelearning
18:54:55 davisshaver has joined #webmachinelearning