Publish minutes of 2021-09-16 meeting

_minutes/2021-09-16-wecg.md

@@ -0,0 +1,146 @@
+# WECG Meetings 2021, Public Notes, Sep 16
+
+* Chair: Simeon Vincent
+* Scribes: Rob Wu
+
+Time: 8 AM PDT = https://everytimezone.com/?t=61428900,384
+
+Call-in details: https://www.w3.org/events/meetings/7fc25ca5-a50c-498c-82e5-f48fc96e1637/20210805T150000
+
+Zoom issues?  ping @zombie (Tomislav Jovanovic, Mozilla) in [chat](https://github.com/w3c/webextensions/blob/main/CONTRIBUTING.md#joining-chat)
+
+## Agenda: [github issues](https://github.com/w3c/webextensions/issues)
+
+* Automated specification builds
+  * [PR 80](https://github.com/w3c/webextensions/pull/80): Create initial deploy.yml
+  * [PR 81](https://github.com/w3c/webextensions/pull/81): Add tobie/pr-preview to the repo
+* Set of related issues about communicating between the extension and web pages
+  * [Issue 57](https://github.com/w3c/webextensions/issues/57): Provide a secure, private, performant mechanism for a web page to access a native extension
+  * [Issue 76](https://github.com/w3c/webextensions/issues/76): assign a code signed "origin" URL to webextensions
+  * [Issue 77](https://github.com/w3c/webextensions/issues/77): Provide a secure drop-in replacement for window.postMessage()
+  * [Issue 78](https://github.com/w3c/webextensions/issues/78): deprecate window.postMessage(message, '\*') for use with extensions
+  * [Issue 75](https://github.com/w3c/webextensions/issues/75): Standardize Firefox exportFunction() and cloneInto()
+* [Issue 71](https://github.com/w3c/webextensions/issues/71): Defining Web Extension privacy and security model
+* [11 issues](https://github.com/w3c/webextensions/issues?q=is%3Aissue+is%3Aopen+created%3A%3E2021-09-01) created since last meeting. Below issues are not covered by previous topics
+  * [Issue 69](https://github.com/w3c/webextensions/issues/69): Use case of `eval`
+  * [Issue 72](https://github.com/w3c/webextensions/issues/72): Use cases that are not well served by service workers
+  * [Issue 73](https://github.com/w3c/webextensions/issues/73): Challenging Service Worker Use Case - Machine Learning Models
+  * [Issue 74](https://github.com/w3c/webextensions/issues/74): `content\_security\_policy` property
+  * [Issue 79](https://github.com/w3c/webextensions/issues/79): Request for History API Improvements \*\*\*
+  * [Issue 82](https://github.com/w3c/webextensions/issues/82): Malware / Phishing protection not possible in Manifest V3 \*\*\*
+
+## Queue (add yourself at the bottom)
+
+* Secure communication between page scripts and content scripts ([issue 57](https://github.com/w3c/webextensions/issues/57)) (Alexei)
+  * https://github.com/w3c/webextensions/issues/57#issuecomment-914491167
+
+## Attendees (sign yourself in)
+
+1. Rob Wu (Mozilla)
+2. Tomislav Jovanovic (Mozilla)
+3. Bradley Cushing (Dashlane)
+4. Carlos Jeurissen (Jeurissen Apps)
+5. Krzysztof Modras (Ghostery)
+6. Daniel Glazman (Dashlane)
+7. Thierry Régagnon (Dashlane)
+8. Timothy Hatcher (Apple)
+9. Alexei (Privacy Badger)
+10. Mukul Purohit (Microsoft)
+11. Mélanie Chauvel (Dashlane)
+12. Jesse Trana
+13. Marwan Liani (Dashlane)
+14. Kiky Tangerine (Grammarly)
+15. Jack Works (Sujitech)
+16. Giorgio Maone (NoScript)
+17. Simeon Vincent (Google)
+18. Andrey Meshhkov (Adguard Software Ltd)
+19. Maxim Topciu (Adguard Software Ltd)
+20. Piyush Chauhan
+21. Alexei (Privacy Badger)
+22. Andrey Meshkov (AdGuard)
+
+## Meeting notes
+
+Automated specification builds
+
+* [PR 80](https://github.com/w3c/webextensions/pull/80): Create initial deploy.yml
+* [PR 81](https://github.com/w3c/webextensions/pull/81): Add tobie/pr-preview to the repo
+* [simeon] FYI ongoing PRs to add automating including bikeshed preview
+
+Communicating between the extension and web pages
+
+* List of related issues
+  * [Issue 57](https://github.com/w3c/webextensions/issues/57): Provide a secure, private, performant mechanism for a web page to access a native extension
+  * [Issue 76](https://github.com/w3c/webextensions/issues/76): assign a code signed "origin" URL to webextensions
+  * [Issue 77](https://github.com/w3c/webextensions/issues/77): Provide a secure drop-in replacement for window.postMessage()
+  * [Issue 78](https://github.com/w3c/webextensions/issues/78): deprecate window.postMessage(message, '\*') for use with extensions
+  * [Issue 75](https://github.com/w3c/webextensions/issues/75): Standardize Firefox exportFunction() and cloneInto()
+* [rob] There are multiple related issues where developers are asking for ways to somehow communicate securely between content scripts and web pages.
+* [alexei] Common need for privacy extensions, which want to replace (DOM) APIs in the page with behavior dependent on user preferences stored in extensions. Sender of the message is not present before the page is loaded. The script in the page cannot know for sure whether the objects in the page has been tampered with.
+* [daniel] postMessage exists, but web pages don’t expect messages.
+* [simeon] From Chrome’s POV, the long-term direction is to inject scripts in response to user interaction.
+* [timothy] Extensions may not have the permission to run the script, and at least in Safari the script would be injected when the user has granted the permission.
+* [rob] In Firefox if an extension is already loaded, that could also be an issue. Another issue that came up was injecting scripts into a web page, not possible to completely isolate the injected script from the host page
+* [tomislav] Possible in Firefox using cloneInto/exportFunction to share private info with the web page.
+* [alexei] Issue is that the page could already have tampered with the runtime before the extension can run.
+* [jack] Think that it’s not possible to inject a secure API, because multiple extensions can override APIs. The best that we can do is to offer an API that offers a good developer experience.
+* [simeon] Clarifies that Chrome is not intending to prevent extensions from running content scripts early. Just working towards a model where extension functionality should may run on click. Trying to encourage that extensions run their functionality in response to user invocation.
+* [giorgio] Request: Add a way to configure per-host or per tab content script injection. The absence of that functionality prevents content scripts from running conditional logic before the page scripts run.
+* [rob] An API that allows web pages to communicate with extensions, such as externally\_connectable, does not offer security guarantees that developers are expecting.
+* [timothy] Safari will offer an implementation of externally\_connectable.
+* [rob] Let’s continue the discussion on individual issues.
+
+[Issue 71](https://github.com/w3c/webextensions/issues/71): Defining Web Extension privacy and security model
+
+* [rob] Since we don’t have enough time to cover all topics in today’s meeting, and jkt is not here to participate in the discussion, let’s skip this topic today.
+* [Krzysztof] Manifest v3 when introduced promised improvements to extension privacy. Intention was definitely right, but its implementation (removal of webRequest) dramatically limited what privacy adding like Privacy Badger, DuckDuckGo, Ghostery. While potentially rouge addons can continue to spy on user data without much limitations (via access to content script). If possible we should discuss on how to build a proper extension privacy model, for example: requiring addons to list urls to backends it wishes to communicate in the manifest.json.
+* [simeon] content script access by itself makes privacy impossible to handle, as page scripts can get abused to send data
+
+[Issue 69](https://github.com/w3c/webextensions/issues/69): Use case of `eval`
+
+* [simeon] Chrome disallows eval in MV3 extensions, but still allows sandboxed pages.
+* [jack] Sandboxed page does not help; Purpose of secure ECMAScript is to run the extension scripts in a more secure execution environment.
+* [rob] Jack, could you expand on the need for secure ECMAScript on the issue itself? While this feature could theoretically improve the security of individual extensions, it needs to be weighed against the impact on the security of the whole extension system.
+* [simeon] Read that the goal of this feature is to guard against supply chain attacks.
+* [tomislav] Is this something that could be addressed through Realms?
+* [jack] Before we have realms, we can't upgrade to MV3 because we don't want to reduce the security
+* [jack] WebAssembly needs eval.
+* [simeon] This is not an eval problem, but with WebAssembly.
+* [timothy] Chrome supports unsafe-wasm
+* [simeon] Chrome extensions team is hesitant to support unsafe-wasm in extensions, because we’re not sure whether this capability would continue to be supported in the future. Issue to track wasm support is in https://crbug.com/1173354
+
+[Issue 72](https://github.com/w3c/webextensions/issues/72): Use cases that are not well served by service workers
+
+* [simeon] In the last meeting there was a suggestion to create an issue to track these use cases. If others have more issues to add other than those that I added derived from Chrome, feel free to do so.
+
+[Issue 73](https://github.com/w3c/webextensions/issues/73): Challenging Service Worker Use Case - Machine Learning Models
+
+* [simeon] Yep. This is a known issue. Anyone with experience to speak more about this?
+* [tomislav] Initialization is a common issue, some of which can be solved with a partial in-memory storage mechanism. At least in Firefox we are considering a more generous lifetime for the worker to reduce the impact (not indefinitely, but not not unnecessarily short either).
+* [glazou] We use machine learning in Dashlane. Two issues: 1) the size of the models. 2) the duration of a task that takes longer than what is allowed.
+* [krysztof] Work-around is to open a tab and run the long-running task there. A potential issue is that background tabs are slowed down.
+* [timothy] Background tabs will be suspended on Safari. Not slowing down timers like desktop, but really suspended/frozen. Might be an idea to have a dedicated API to allow extensions to use AI functionality.
+* [simeon] In favor of specific use cases over a generic method like a background page, because the latter impacts users more negatively.
+* [krysztof] IMO it should not be up to the browser to restrict what scripts to run, but the user’s.
+
+Time zone
+
+* [carlos] Current time slot is not friendly to e.g. korean time zone.
+* [tomislav] Please comment on https://github.com/w3c/webextensions/issues/63
+
+[Issue 74](https://github.com/w3c/webextensions/issues/74): `content\_security\_policy` property
+
+* [carlos] Inconsistencies between browsers in CSP. Unable to make the CSP stricter because the CSP is rejected by some browsers.
+* [timothy] That bug is assigned to me and I’ll fix it.
+* [simeon] Some of these bugs look like browser bugs. Let’s fix implementations. Other inconsistencies should be fixed.
+* [rob] Out of time, continue discussing this at the next meeting.
+
+[Issue 79](https://github.com/w3c/webextensions/issues/79): Request for History API Improvements
+
+* Out of time. Not discussed.
+
+[Issue 82](https://github.com/w3c/webextensions/issues/82): Malware / Phishing protection not possible in Manifest V3
+
+* Out of time. Not discussed.
+
+The next meeting will be on [Thursday, September 30th, 8 AM PDT (3 PM UTC)](https://everytimezone.com/?t=6154fe00,384).

_minutes/README.md

@@ -11,11 +11,12 @@ After the end of each meeting, meeting notes are published here.
 
 ## Upcoming meetings
 
-* 2021-09-16 at 8 AM PDT = https://everytimezone.com/?t=61428900,384
 * 2021-09-30 at 8 AM PDT = https://everytimezone.com/?t=6154fe00,384
+* 2021-10-14 at 8 AM PDT = https://everytimezone.com/?t=61677300,384
 
 ## Past meetings
 
+* 2021-09-16 ([minutes](2021-09-16-wecg.md))
 * 2021-09-02 ([minutes](2021-09-02-wecg.md))
 * 2021-08-19 ([minutes](2021-08-19-wecg.md))
 * 2021-08-05 ([minutes](2021-08-05-wecg.md))