14:50:30 RRSAgent has joined #webmachinelearning 14:50:34 logging to https://www.w3.org/2026/04/16-webmachinelearning-irc 14:50:34 RRSAgent, make logs Public 14:50:35 please title this meeting ("meeting: ..."), anssik 14:50:47 Meeting: WebML CG Teleconference – 16 April 2026 14:50:47 Chair: Anssi 14:50:47 Agenda: https://github.com/webmachinelearning/meetings/blob/main/telcons/2026-04-16-cg-agenda.md 14:50:47 Scribe: Anssi 14:50:48 ScribeNick: anssik 14:50:57 Present+ Anssi_Kostiainen 14:51:07 RRSAgent, draft minutes 14:51:08 I have made the request to generate https://www.w3.org/2026/04/16-webmachinelearning-minutes.html anssik 14:54:02 rupert has joined #webmachinelearning 14:58:41 Present+ 14:59:19 brwalder has joined #webmachinelearning 15:00:06 jaeone has joined #webmachinelearning 15:00:55 johannhof has joined #webmachinelearning 15:01:19 domfarolino has joined #webmachinelearning 15:01:25 ... as a reminder, we'll use IRC-based queue management in this meeting: 15:01:29 -> https://www.w3.org/guide/meetings/zakim.html#speakerqueue 15:01:47 Anssi: to suggest agenda topics, use Agenda+ label, e.g.: 15:01:53 -> Agenda+ https://github.com/webmachinelearning/webmcp/labels/Agenda+ 15:01:55 kush has joined #webmachinelearning 15:01:57 benvds has joined #webmachinelearning 15:02:05 Present 15:02:05 Anssi: welcome to the new participants to the group: 15:02:05 Julia has joined #webmachinelearning 15:02:05 Presnet+ 15:02:05 present+ 15:02:05 Winstonc has joined #webmachinelearning 15:02:06 JeffWhelpley has joined #webmachinelearning 15:02:08 ... Fidel Tian and Brendan Ittelson from Zoom 15:02:08 Present+ 15:02:12 ... Andrew Nolan from Microsoft 15:02:16 present+ 15:02:16 ... Ali Spivak from Google 15:02:24 ... Mike Ozburn from Opn.li 15:02:26 ... Jiwoong Yoo and Geunhyung Kim from SEAK 15:02:31 ... Ryan Roemer from Nearform 15:02:31 Iris has joined #webmachinelearning 15:02:35 ... Andrew Comminos from Meta 15:02:36 Present + 15:02:39 ... welcome all to the WebML Community Group! 15:03:00 Topic: WebMCP 15:03:04 gb, this is webmachinelearning/webmcp 15:03:05 anssik, OK. 15:03:18 Subtopic: Protecting tools from 3P scripts in the top-level context 15:03:22 Ehsan has joined #webmachinelearning 15:03:24 Anssi: issue #159 15:03:24 BenGreenstein has joined #webmachinelearning 15:03:30 https://github.com/webmachinelearning/webmcp/issues/159 -> Issue 159 Protecting tools from 3P scripts in the top-level context (by yoavweiss) [Agenda+] 15:03:39 ... I added this issue in an agenda update to discuss WebMCP iframe design before we go to the next issue about WebExtensions API 15:03:46 ... Dominic and the Google team have spend some time exploring this 15:04:06 ... problem statement: "an iframe may have access to information that the top-level document is not privy to" 15:04:18 ... Dominic proposed a postMessage() style safety primitive as a solution 15:04:29 ... Yoav seems to agree a postMessage() like model can work 15:04:41 ... Johann suggests exposing tools to the user via iframe should not expose them to the embedding site automatically 15:04:47 Anssi: I believe the group agrees this issue is important 15:05:34 [ Dominic sharing slides iframe design ] 15:06:20 s/spend/spent 15:06:38 s/slides/slides about 15:10:12 q+ 15:10:15 q? 15:11:12 q+ 15:11:52 q+ 15:11:52 Alexn has joined #webmachinelearning 15:12:06 q+ 15:13:36 Dominic: open questions from the slides: 1) default exposedTo behavior? 2) Should a parent be able to constrain a child's exposedTo[] list? 15:14:07 Alexa has joined #webmachinelearning 15:14:07 ack benvds 15:14:36 yoav has joined #webmachinelearning 15:14:38 Benjamin: this matches closely my thinking in one of the previous issues, I like the shape of this, a few open questions on how to make it work exactly 15:14:39 q? 15:14:42 ack johannhof 15:14:51 q+ 15:15:08 q- 15:15:10 Johann: I think the two open questions are the biggest ones to look into, not exposed should be the default 15:15:27 ... not exposed to the 1P page and not the agent 15:15:46 ... worried about bank.com offering tools to make transactions, these could be attack vectors 15:16:03 ... you don't need to call the tool yourself, just make it convincing for prompt injection attack 15:16:15 ... close enough to the SOP violation 15:16:30 ... that would lead to less adoption of this technology 15:16:55 Dominic: I hope the site with the tools can take more care in who to embed, maybe too much to ask? 15:17:05 Johann: why not go with safe defaults? 15:17:30 Dominic: agents as an extension to a user, the same attack is available if you can trick the user to actuate the same things 15:17:54 q? 15:18:23 q+ 15:18:28 Johann: if you expose a tool, should it be also callable to be embedder? 15:18:37 q? 15:18:59 q+ 15:19:09 ack benvds 15:19:31 Benjamin: the code examples online will frequently include unsafe defaults, this woul not be too helpful 15:19:32 q? 15:19:35 q- 15:19:37 ack Mark_Foltz 15:20:05 Alex has joined #webmachinelearning 15:20:07 Johann: on the 2nd open question, there could be rug pull attacks, you're a helpful too and then overtime poison the context of the parent 15:20:29 ... so the agent would need safery mechanisms that prevent this 15:20:34 q? 15:20:47 Dominic: constrains on exposedTo to fix that? 15:21:06 Johann: I want 1P to be in control 15:21:55 MarkF: different from postMessage, define this at registration time vs. tool calling time 15:22:29 Dominic: in the prototype I expose tool caller origin so during the execution you see whose calling 15:22:55 Johann: unless you use * wildcard 15:23:05 Dominic: more ergonomics for allow update would be good 15:23:06 q? 15:23:09 ack yoav 15:23:33 Yoav: this is great in terms of the model, and how to control different frames in the frame tree 15:23:46 ... agree on the open question with Johann, use safe defaults always 15:23:57 ... expected same origin exposure part of defaults 15:24:01 chris has joined #webmachinelearning 15:24:13 ... constraining childs for expose list, no immediate use case for this 15:24:30 ... we should make sure we have affordances to build it in the future 15:24:55 ... Johann's use cases are about restricting the tools, not disallow childA's tools from childB 15:25:07 q? 15:25:34 Yoav: default should be do nothing? 15:25:42 ... exposed to agents but not other origins 15:25:43 +1 15:26:24 Johann: from security point of view, wildcard considerations different for a new API 15:26:53 Yoav: for impersonation the parent constraints the child, the exposeTo is opt-in, if I impersonate I opt-in to do that? 15:27:04 Johann: the child needs to opt-in to parent 15:27:11 q? 15:28:44 Dominic: the child should do due diligence to check who is embedding it 15:28:56 q? 15:29:00 ack kush 15:29:46 Kushal: the behavour Johann wants, is there's no value set in array 15:30:03 ... what if someone copies code found online and puts it into an iframe 15:30:22 q? 15:30:23 ... all the agents will mix tools, iframe or embedder has no control over thoe 15:30:24 q+ 15:30:35 ack benvds 15:31:15 Johann: I'm worries about intentional attack, embed site to cause confusion 15:32:48 Benjamin: ancestor to be considered 15:33:46 +1 15:34:05 Iris has joined #webmachinelearning 15:34:29 +1 15:34:36 +1 15:34:49 +1 15:34:54 RESOLUTION: Spec a registration-time origin exposure via registerTool() exposedTo with Permission Policy. 15:34:59 Subtopic: WebExtensions API to enumerate and invoke tools 15:35:04 Anssi: issue #74 15:35:05 https://github.com/webmachinelearning/webmcp/issues/74 -> Issue 74 WebExtensions API to enumerate and invoke tools (by reillyeon) [Agenda+] 15:35:49 Anssi: skipping this given no participation from WECG 15:36:07 Subtopic: Cross-document tool response mechanism 15:36:14 Anssi: issue #135 15:36:15 https://github.com/webmachinelearning/webmcp/issues/135 -> Issue 135 Cross-document tool response mechanism (by domfarolino) [Agenda+] [declarative] 15:36:26 ... this declarative API related issue was spun off from the mothership declarative PR #76, now merged 15:36:27 https://github.com/webmachinelearning/webmcp/pull/76 -> MERGED Pull Request 76 Declarative API Explainer (by domfarolino) 15:36:41 Anssi: the key question posed in this issue: 15:36:45 ... "Should the agent receive a response from the next page, after a declarative

tool navigates?" 15:37:50 Dominic: considering a more general approach for this, we have looked into what BrandonW proposed, element style mechanism 15:38:08 +q 15:38:12 q? 15:38:42 ack Alex 15:40:03 Alex: would love to see the details on the element 15:40:31 ... would it be better to tag this "HTML list" with this tag, rather than create a separate way to display this information? 15:40:51 ... this model context, declarative read, would condense information 15:41:08 Dominic: this is sound, the downside is we push more work on the developer 15:41:36 ... we want to be token efficient, could introduce a few attributes 15:42:04 ... this may be annoying to the developers, they need an extra step with JSON on the page, maybe many pages already have JSON-LD for this? 15:42:11 q+ 15:42:16 ... we need to talk to real sites and see how they feel about this 15:43:07 Alex: agree, declarative read API has a way for the model to read from the page, subset of information for the model to read, need to hear from practitioners and sites how this would work, iterate on the design 15:43:07 q? 15:43:10 ack kush 15:43:41 Kushal: avoiding developers to need duplicate data, we'd just take what is put in the DOM, hard to standardize how to extract data from the DOM 15:43:45 +q 15:44:15 Kushal: if there's information that goes in there, it is additional context, we learn from implementation experience, when to do DOM scraping and not 15:44:17 q? 15:44:23 ack brwalder 15:44:54 q+ 15:44:57 Brandon: to Kushal's point, for in-page agents or iframe agents, they are not going to have access to the DOM, using the mechanism we're proposing, we expose through iframes, that's how they get any context from other iframes 15:45:10 ... it is important to have a mechanism for read operations that does not rely on the DOM 15:45:19 ... even if that means duplicating some information on the DOM 15:45:40 ... in our testing, sometimes the most efficient workflow is not easily derived from human-readable DOM 15:45:46 ... example, ordering from a restaurant 15:45:53 ... a menu fits into LLM's context window 15:46:15 ... better to consume the entire menu rather that the DOM that may have multiple pages 15:46:25 ... human readable is not the same as LLM readable 15:46:28 q? 15:46:31 ack Mark_Foltz 15:47:01 MarkF: I was thinking if we want to provide signal to developer when to populate 15:47:37 ... form submitted via tool calling, we might target navigation via extra navigation, something in HTTP or document itself that signals this page load is consumer by agent 15:47:48 Dominic: header could be good for this 15:47:59 q? 15:49:01 q? 15:49:23 q? 15:50:19 Alex: I haven't personally found benefit in form submission information, other than error messages 15:50:35 ... does not need to be tied to tool call, these are multi-step processes 15:51:21 +q 15:51:23 ... I like the idea of element, curious to see if we should add this level of complexity 15:51:26 ack brwalder 15:51:45 Brandon: it sounds like we're not all aligned on whether a response to form submission is useful 15:52:16 ... has use beyond that, used in declarative read operation, could be used in form submission results if right attributes added 15:52:52 ... propose we response to look into element without committing to form submission response with it 15:52:58 Alexn has joined #webmachinelearning 15:53:38 +1 15:53:40 +1 15:54:18 +1 15:54:27 +q 15:54:44 RESOLUTION: Explore element without committing to form submission response with it. (issue #135) 15:54:56 -q 15:55:00 q? 15:55:54 +q 15:56:10 Subtopic: WebExtensions API to enumerate and invoke tools 15:56:14 Anssi: issue #74 15:56:15 https://github.com/webmachinelearning/webmcp/issues/74 -> Issue 74 WebExtensions API to enumerate and invoke tools (by reillyeon) [Agenda+] 15:56:35 Anssi: Simeon from WECG asked in the issue: 15:56:40 ... - Should extensions also be able to expose their own WebMCP capabilities to the browser? 15:56:44 ... - Should extensions also be able to expose their own WebMCP capabilities to websites? 15:56:49 Anssi: WebExtensions Community Group (WECG) F2F took place in London last week 15:56:53 -> WECG F2F agenda https://github.com/w3c/webextensions/wiki/2026-London-F2F-Coordination#-mlai-1-45-min- 15:57:02 -> WECG F2F meeting notes https://docs.google.com/document/d/1LLa1rXT00ESnY26-XskmIAaBPxxAmsqLg_E6ynZec8Q/edit?tab=t.sdxnwqgtx9m6#heading=h.hsaydc4umylt 15:57:18 Anssi: a lot of discussion about WebMCP <-> WebExtensions interaction took place at the F2F 15:57:24 Anssi: I don't want to speak on behalf of WECG 15:57:45 ... I will also look into scheduling a joint discussion with the interested WECG folks 15:58:28 Dominic: we will also meet with Extensions people at Google today 15:59:12 Topic: Writing Assistance APIs 15:59:16 gb, this is webmachinelearning/writing-assistance-apis 15:59:16 anssik, OK. 15:59:21 Subtopic: Summarizer preference parameter 15:59:25 Anssi: PR #102 to address issue #96 15:59:29 https://github.com/webmachinelearning/writing-assistance-apis/issues/96 -> Issue 96 New parameter to support model tiering in Summarizer (by jingyun19) 15:59:29 https://github.com/webmachinelearning/writing-assistance-apis/pull/102 -> Pull Request 102 Add clarifications to Summarizer preference parameter (by jaewon078) [Agenda+] 15:59:31 ... Jaewon Lee from Google shared the PR for review with the group (thanks!) 15:59:47 ... this PR adds the following note to the spec for conflicting constraints and routing fallbacks: 15:59:51 ... "When resolving the underlying model, the implementation should prioritize hard functional constraints over the "preference" hint. For example, if the requested options require specific capabilities (such as a requested language in "expectedInputLanguages") that are only supported by a model that does not align with the requested "preference", the implementation should select the model capable of completing the task." 15:59:56 ... I see no concerns raised in the PR review, and adequate review time has been provided 16:00:00 ... any additional comments from the group? 16:00:06 ... we're good to merge this PR after addressing the few review comments, thank you for this contribution, Jaewon! 16:00:49 Jaewon: thank you for explaining the change, we addressed the group's feedback with this PR 16:01:06 -q 16:01:17 RESOLUTION: Add clarifications to Summarizer preference parameter per PR #102. 16:01:23 RRSAgent, draft minutes 16:01:24 I have made the request to generate https://www.w3.org/2026/04/16-webmachinelearning-minutes.html anssik 16:03:34 Present+ Alex_Nahas 16:03:44 Present+ Ben_Greenstein 16:03:58 Present+ Ben_VanderSloot 16:04:07 Present+ Brandon_Walderman 16:04:19 Present+ Christian_Liebel 16:04:38 Present+ Dominic_Farolino 16:04:45 Present+ Ehsan_Toreini 16:04:53 Present+ Iris_Johnson 16:04:59 Present+ Jaewon_Lee 16:05:12 Present+ Jean_Vanderdonckt 16:05:26 Present+ Jeff_Whelpley 16:05:34 Present+ Julia_Pagnucco 16:06:38 Present+ Khushal_Sagar 16:06:45 Present- kush 16:06:56 Present+ Rupert_Manfredi 16:07:23 Present+ Saron_Yitbarek 16:07:33 Present+ Tania_Millan 16:07:46 Present+ Winston_Chen 16:08:06 Present+ Yoav_Weiss 16:08:10 RRSAgent, draft minutes 16:08:12 I have made the request to generate https://www.w3.org/2026/04/16-webmachinelearning-minutes.html anssik 16:13:35 s/Presnet+// 16:14:53 s/not the agent/not to the agent 16:16:10 s/to be embedder/to the embedder 16:16:21 s/woul not/would not 16:16:54 s/helpful too/helpful tool 16:17:14 s/overtime/over time 16:17:24 s/safery/safety 16:17:51 s/whose calling/who is calling 16:18:24 s/exposure part/exposure to be part 16:19:48 s/is there's/what if there's 16:20:02 s/over thoe/over those 16:23:40 s/skipping this given no participation from WECG/[ reorder the agenda to discuss this issue later today ] 16:26:30 s/we response/we resolve 16:27:33 RRSAgent, draft minutes 16:27:34 I have made the request to generate https://www.w3.org/2026/04/16-webmachinelearning-minutes.html anssik 19:31:28 Zakim has left #webmachinelearning