14:48:24 RRSAgent has joined #webmachinelearning
14:48:28 logging to https://www.w3.org/2025/12/11-webmachinelearning-irc
14:48:28 RRSAgent, make logs Public
14:48:29 please title this meeting ("meeting: ..."), anssik
14:48:29 Meeting: WebML CG Teleconference – 11 December 2025
14:48:36 Chair: Anssi
14:48:41 Agenda: https://github.com/webmachinelearning/meetings/blob/main/telcons/2025-12-11-cg-agenda.md
14:48:45 Scribe: Anssi
14:48:51 scribeNick: anssik
14:49:09 Present+ Anssi_Kostiainen
14:49:22 RRSAgent, draft minutes
14:49:23 I have made the request to generate https://www.w3.org/2025/12/11-webmachinelearning-minutes.html anssik
14:58:56 Tarek has joined #webmachinelearning
14:59:13 Present+ Tarek_Ziade
15:00:29 Present+ Jeff_Whelpley
15:00:48 davisshaver has joined #webmachinelearning
15:00:58 Present+ David_Shaver
15:01:19 jeffwhelpley has joined #webmachinelearning
15:02:41 Present+ Rob_Kochman
15:02:50 Present+ Queenie_Zhang
15:02:57 Present+ Brandon_Walderman
15:03:13 Present+ Emily_Lauber
15:03:14 brwalder has joined #webmachinelearning
15:03:19 vasilii has joined #webmachinelearning
15:03:52 Present+ Vasilii_Trofimchuk
15:04:08 Present+ James_Garbutt
15:04:23 Present+ Johann_Hofmann
15:04:32 RobKochman has joined #webmachinelearning
15:04:36 Anssi: welcome back to our telcons after the TPAC F2F
15:04:42 Anssi: first, I'd like to welcome our latest new participants:
15:04:52 ... Masashi Hirano from Cybozu
15:05:06 ... Sven Schultze, Nils-Lucas Schönfeld from Technical University of Darmstadt
15:05:17 ... Paola Di Maio from Ronin Institute for Independent Scholarship
15:05:23 ... Simon Wijckmans from Client side development Inc (CSide)
15:05:39 ... Victor Huang, Emily Lauber from Microsoft
15:06:03 ... Kasper Kulikowski, Reilly Grant, Isaac Ahouma, Johann Hofmann, Chi Yo Tsai, Chris Harrelson, Penelope McLachlan, Jingyun Liu, Daniel Rojas from Google
15:06:16 ... Simon Farshid from assistant-ui
15:06:16 ... Jeff Whelpley from GetHuman
15:06:24 ... Kryspin Ziemski, Mariam H., James Garbutt, Ryuya Hasegawa, Iris Johnson as individual contributors
15:06:28 ... to the WebML Community Group!
15:06:47 Present+ Reilly_Grant
15:07:43 Anssi: Jeff Whelpley, co-founder of GetHuman, we use ML and AI for many things, Boston-based, excited to join
15:08:32 Victor has joined #webmachinelearning
15:08:47 Anssi: Vasilii from Block, working with Anthropic on MCP and founded AAIF recently
15:09:41 q?
15:09:46 q+
15:09:50 ack anssik
15:10:00 Topic: WebMCP API
15:10:16 gb, this is webmachinelearning/webmcp
15:10:16 anssik, OK.
15:11:04 Anssi: for WebMCP discussion today, we will follow up on TPAC 2025 topics
15:11:08 ... in addition to that, we have one Proofreader API topic on the agenda
15:11:16 Subtopic: Communication with the TAG
15:11:23 Anssi: issue #35
15:11:24 https://github.com/webmachinelearning/webmcp/issues/35 -> Issue 35 Communication with the TAG (by xiaochengh)
15:12:02 ... at TPAC 2025 we had a discussion with the TAG and resolved to continue development of WebMCP as the high-level API as per the TAG guidance and coordinate with the AI Agent Protocol CG on new protocols
15:12:07 -> https://www.w3.org/2025/11/11-webmachinelearning-minutes.html#224c
15:12:19 Anssi: no further feedback has been brought to my attention since our TPAC discussion on this matter
15:12:34 ... any comments or updates from anyone?
15:12:42 Present+ Victor_Huang
15:12:49 Anssi: I have one related update to share
15:13:11 Anssi: at TPAC 2025 we heard that the TAG's "loudest concern is that MCP is not going to last"
15:13:31 ... to help address this concern, Anthropic has decided to migrate the MCP development into a newly launched neutral forum, Agentic AI Foundation (AAIF), hosted as a Directed Fund under the Linux Foundation
15:13:42 ... I'm working with Dom to formalize our group's coordination relationship with AAIF
15:13:46 ... we're tracking this effort as a charter development issue
15:13:51 -> Agentic AI Foundation coordination https://github.com/webmachinelearning/charter/issues/14
15:13:52 https://github.com/webmachinelearning/charter/issues/14 -> Issue 14 Agentic AI Foundation coordination (by anssiko)
15:14:04 emlauber has joined #webmachinelearning
15:14:09 johannhof has joined #webmachinelearning
15:14:43 Sorry what is the issue?
15:15:17 Vasilii: we're figuring out the infrastructure, big donations to the Agentic AI Foundation are MCP, goose, and AGENTS.md
15:15:27 Ehsan has joined #webmachinelearning
15:16:29 q?
15:16:46 Present+ Leo_Lee
15:16:54 Present+ Ehsan_Toreini
15:17:15 Vasilii: I can take an action to help with the coordination
15:17:28 Anssi: thank you, that's great
15:17:53 jg has joined #webmachinelearning
15:18:17 Subtopic: Privacy & security considerations
15:18:36 Anssi: a follow up to the now closed meta-issue #45 and merged PR #55
15:18:37 https://github.com/webmachinelearning/webmcp/pull/55 -> MERGED Pull Request 55 add security and privacy considerations living document (by victorhuangwq)
15:18:37 https://github.com/webmachinelearning/webmcp/issues/45 -> CLOSED Issue 45 Privacy & security considerations for WebMCP (by victorhuangwq) [Agenda+]
15:18:40 -> TPAC 2025 minutes https://www.w3.org/2025/11/11-webmachinelearning-minutes.html#4af6
15:18:44 -> https://github.com/webmachinelearning/webmcp/blob/main/docs/security-privacy-considerations.md
15:19:18 Anssi: Victor contributed an initial security and privacy considerations document, now landed, thank you!
15:19:23 ... I'd like to discuss the remaining attack vectors that need to be considered to have a fuller picture of the threats
15:19:42 ... and concretely open smaller issues for each topic similarly to issue #44 (discussed as a next topic)
15:19:43 https://github.com/webmachinelearning/webmcp/issues/44 -> Issue 44 Managing action specific permissions (by khushalsagar)
15:19:55 Anssi: Johann had a great breakout at TPAC, Agentic Browsing and the Web's Security Model
15:19:59 -> Breakout slides https://docs.google.com/presentation/d/1JvAw5x6y1GBNQeR5NYrzN01o0txmuCG-LbmeY-5Cqjc/edit?usp=sharing
15:20:03 -> Breakout minutes https://www.w3.org/2025/11/12-agentic-browsing-sec-minutes.html
15:20:23 Anssi: have we integrated all related insights from Johann's breakout?
15:21:15 Johann: thank you, I appreciate the session, I haven't had time to dig into the S&P considerations yet, I do think from what I see, overall Victor did great work on these considerations
15:21:56 ... some things specifically from my breakout, origin-boundness, how are we restricting agents to traverse origins, if no x-origin action we have an easier trust model
15:22:54 No worries, I think Johann, with regards to the x-origin concern, there is one issue that I would like your thoughts on as well
15:23:11 https://github.com/webmachinelearning/webmcp/issues/52
15:23:11 https://github.com/webmachinelearning/webmcp/issues/52 -> Issue 52 Should we support cross-origin Agents across frame boundaries (by khushalsagar) [Agenda+]
15:23:15 ^^ this
15:23:23 haha gb got ahead of me
15:23:32 Johann: I will look at issue #52
15:23:33 https://github.com/webmachinelearning/webmcp/issues/52 -> Issue 52 Should we support cross-origin Agents across frame boundaries (by khushalsagar) [Agenda+]
15:23:50 emlauber has joined #webmachinelearning
15:24:29 Anssi: Victor shared additional thoughts on different attack vectors
15:24:47 ... Prompt injection attack is the top-level consideration that was categorized into the following specific attacks:
15:24:53 ... - Metadata / description attacks aka "tool poisoning"
15:24:58 ... - Output injection attacks
15:25:02 ... - Input injection attacks
15:25:12 -> https://github.com/webmachinelearning/webmcp/issues/45#issuecomment-3508563188
15:25:12 https://github.com/webmachinelearning/webmcp/issues/45 -> CLOSED Issue 45 Privacy & security considerations for WebMCP (by victorhuangwq) [Agenda+]
15:25:18 Anssi: it looks like the S+P Considerations document does not yet incorporate input injection attacks? Should we open a new issue for it?
15:26:10 Victor: I think for input injection, not sure if it is a concern yet, because the web sites themselves have an implementation that takes some form of LLM at the other end, not sure if that is a situation where WebMCP is considered
15:26:27 ... I opened a new PR recently to clarify this
15:27:08 ... input injection i.e. where the input to the web tools are used for prompt injection to attack the site itself
15:27:49 Present+ Jason_McGhee
15:28:12 Johann: I'd exclude this from the threat model, it could be helpful to have a spec note about this, however
15:28:29 Good for user land to be aware of it.
15:28:56 Jeff: agreed
15:28:59 q?
15:30:48 Victor: I think my thought is we're 70-80% done identifying the threats, have thought of semantic hints, a possible new issue?
15:31:08 ... x-origin agents would increase the scope of the security model significantly
15:31:51 ... S&P considerations should not go into hypothetical territory, wait and see how the adoption will be
15:32:02 present+ Thomas_Steiner
15:32:03 https://github.com/webmachinelearning/webmcp/issues/53
15:32:04 https://github.com/webmachinelearning/webmcp/issues/53 -> Issue 53 Introduce semantic hints for side-effects of tools (by khushalsagar)
15:32:32 Johann: in the solution space, Chrome may have some mitigations on the server-side, should think how to describe that without being able to standardize on the exact model
15:32:33 q?
15:35:14 Victor: wrt Johann's point, should we have things built into WebMCP API that provide guidance to users how to use this API
15:35:15 q?
15:36:37 Johann: I will review everything as an action item, and will figure out possible mitigations
15:36:46 q?
15:37:00 Subtopic: Managing action specific permissions
15:37:04 Anssi: issue #44
15:37:05 https://github.com/webmachinelearning/webmcp/issues/44 -> Issue 44 Managing action specific permissions (by khushalsagar)
15:37:32 ... this issue is about mechanisms for specific permission for e.g. destructive actions that likely always require some type of user consent
15:37:48 ... at TPAC 2025 we resolved that the WebMCP needs a threat model to evaluate the role of browser mediated consent for tool execution
15:38:19 ... I see discussion on how to avoid double prompting, from both site and the agent
15:38:46 ... also discussion on how the website controlled content showing up in a privileged UI can be used by malicious actors
15:39:41 James: is this more of a UX thing, agent technically writes a script and injects, similarly destructive as a tool could be
15:39:47 q+
15:39:52 ... we can do this today injecting arbitrary code today
15:39:54 q?
15:39:56 ack brwalder
15:40:14 Brandon: absolutely you can write a malicious agent that does things over CDP, attacks a site
15:40:35 ... more of protecting users who are using regular browser, and preventing regular people who are doing hacky things with CDP
15:41:09 ... for the vast majority of people, the browser could mediate, you can always write a CDP script to do hacky things but not many people would do that in mainstream usage
15:41:10 q?
15:41:48 q+
15:42:11 James: it is not necessarily a developer thing, using CDP, could be a community-built MCP server with a snippet of code that is not malicious, but can interact with WebMCP and could go into similar destructive actions
15:42:40 ... concern is about that, not about developer injected thing
15:43:25 Johann: we built the agents to conform with the WebMCP spec, it needs to be expected in this case the agent asks for permission before taking an action
15:43:40 q+
15:43:42 q?
15:43:49 ack johannhof
15:43:52 ack brwalder
15:44:16 Brandon: this is a valid concern, two sides to WebMCP: producer side and consumer side
15:44:59 ... concern for the consumer side because there's always some sort of escape hatch, try to bypass the WebMCP security model, maybe the extension could avoid presenting consent checks
15:45:15 q+
15:45:21 ... browser agents care about user consents
15:45:22 q?
15:46:04 Johann: we can put these as requirements in the spec, can say requires consent with MUSTs
15:46:10 q?
15:46:15 ack Victor
15:46:55 Victor: my main thought is, we're going to show a browser-level UI permission, based on a request from the website
15:47:35 ... looks like a regular Permissions API, but the request can be more granular depending on how many and which tools are requested
15:48:20 ... currently main way you can input the tool is dynamic, no way for tools to be checked
15:48:23 q?
15:48:26 q+
15:48:36 ack johannhof
15:49:12 Johann: I agree with Victor we need to work on disruption aspects on the website
15:49:31 ... I don't think we ever mandate specific UI for web specs
15:50:11 ... should not give websites leverage points to abuse
15:50:12 q?
15:50:22 https://github.com/webmachinelearning/webmcp/issues/44
15:50:23 https://github.com/webmachinelearning/webmcp/issues/44 -> Issue 44 Managing action specific permissions (by khushalsagar)
15:50:38 Subtopic: Declarative approach, new developer feedback and implementation experience
15:50:53 Anssi: PR #26
15:50:54 https://github.com/webmachinelearning/webmcp/pull/26 -> Pull Request 26 add explainer for the declarative api (by MiguelsPizza) [Agenda+]
15:51:46 ... at TPAC our consensus was that reusing ARIA attributes for browsing agents would create a conflict of interest where the ARIA could be optimized for agents, making the page less accessible to people using a11y tools
15:51:50 Exactly!
15:52:17 ... to that end, after our TPAC F2F, I was exploring this space and got in touch with Sven Schultze & team from Technical University of Darmstadt who've done research in this space and invited their research team to join this group
15:53:04 ... today, I'd like to discuss developer feedback and implementation experience gathered by Sven and the research group using a new declarative framework, VOIX, as a test vehicle
15:53:09 -> https://arxiv.org/abs/2511.11287v1
15:53:13 -> https://github.com/svenschultze/VOIX
15:53:17 Anssi: to quote the high-order bits from the paper:
15:53:45 ... "VOIX, a web-native framework that enables websites to expose reliable, auditable, and privacy-preserving capabilities for AI agents through simple, declarative HTML elements"
15:54:09 ... "VOIX introduces and tags, allowing developers to explicitly define available actions and relevant state, thereby creating a clear, machine-readable contract for agent behavior."
15:54:50 q+
15:54:56 ack brwalder
15:54:58 q+
15:55:36 Brandon: I commented initially that we should look at ARIA, I like how this paper makes tool and context first-class citizens
15:56:18 ... context tag is particularly interesting
15:56:24 s/interestin/interesting
15:56:51 ... the context tag makes it possible to give only the necessary control and is good for privacy
15:57:03 ... interesting to see something like the VOIX model in the WebMCP proposal
15:57:04 q?
15:57:10 ack vasilii
15:57:52 Vasilii: agree ARIA is not the right thing for agentic usage, and agree with what Brandon said about VOIX
15:58:18 ... good for privacy, good for web developer control
15:58:48 ... ML agents should only access context field, or context field is additional information?
15:58:49 q?
15:58:56 Gotta go, thanks all!
15:59:16 kush has joined #webmachinelearning
15:59:47 Topic: Proofreader API
15:59:51 gb, this is webmachinelearning/proofreader-api
15:59:51 anssik, OK.
15:59:55 Subtopic: Support multiple labels
16:00:00 Anssi: issue #30 and PR #31
16:00:00 https://github.com/webmachinelearning/proofreader-api/pull/31 -> Pull Request 31 Support multiple labels (by QueenieZqq) [Agenda+]
16:00:00 https://github.com/webmachinelearning/proofreader-api/issues/30 -> Issue 30 Support Multiple Labels for Each Correction (by QueenieZqq) [Agenda+]
16:00:02 -> Proofreader API explainer https://github.com/webmachinelearning/proofreader-api
16:00:23 Reilly: Proofreader API is one of the built-in AI APIs in scope of this group being worked on by Queenie
16:00:28 q?
16:01:24 Anssi: this API finds and corrects errors such as grammar, spelling, and punctuation given a text using a built-in model, labeling corrections as "spelling", "punctuation", "capitalization", "preposition", "missing-words", "grammar"
16:01:28 ... this PR proposes to add support for multiple such labels per one correction
16:01:32 ... a concrete example, a correction can be both a "capitalization" and "spelling" correction
16:01:46 Topic: WebMCP API explainer-to-spec transition
16:02:14 Anssi: issue #56
16:02:14 Issue 56 not found
16:02:30 gb, this is webmachinelearning/webmcp
16:02:30 anssik, OK.
16:02:43 present+
16:03:00 Anssi: issue #56
16:03:01 https://github.com/webmachinelearning/webmcp/issues/56 -> Issue 56 Is this a proposal or a group of proposals? (by 43081j)
16:03:49 ... some community participants have been asking good questions that I think could be resolved if we would transition from the WebMCP explainer stage to a Community Group spec draft stage where things are more explicitly specified and scoped
16:03:54 q?
16:04:00 Fabio has joined #webmachinelearning
16:04:06 markafoltz has joined #webmachinelearning
16:04:21 Present+ Mark_Foltz
16:04:29 Khushal: I'm supportive of this transition to draft spec
16:06:47 BenGreenstein has joined #webmachinelearning
16:06:48 +1
16:06:52 +1
16:06:53 +1
16:07:02 RESOLUTION: The group will transition from the WebMCP explainer to a Community Group spec draft stage using the existing explainer, proposal and other supplementary documentation in the repo as the basis.
16:09:25 Present+ Ben_Greenstein
16:10:28 s/Subopic/Subtopic
16:12:14 s/interested to see/interested to see
16:13:54 s/community build/community-built
16:14:57 s/requires concept/requires consent
16:16:15 qcomp has joined #webmachinelearning
16:16:31 s/haven't time/haven't had time
16:17:21 s/the web site/the web sites
16:17:35 s/some for of/some form of
16:18:08 s/my thoughts/my thought
16:18:21 s/we've 70/we're 70
16:18:46 s/go, not to/not to
18:28:28 Zakim has left #webmachinelearning