Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial Content for the W3C WebAppSec WG Mitigations Wiki #639

Merged
merged 1 commit into from
Mar 21, 2024

Conversation

aaronshim
Copy link
Contributor

We proposed that a wiki be created to house our knowledge of how to deploy security features.

We had initially started drafts in a publicly shared Google Drive folder, but we had never migrated them to this repository. Thanks to contributions from @ddworken and @shhnjk and many others, we are now formatting the initial drafts into Markdown and moving the development over to this repository in order to centralize the content.

… Thank you so much for the great content!
Copy link

@ddworken ddworken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you for porting this to GitHub!

@mikewest
Copy link
Member

Hey folks, thanks for doing this work!

Given the slight gap between our initial discussion and this PR, is this something you would be interested in talking about in Wednesday's meeting? I think landing it in webappsec's wiki is probably fine, but given how things have developed with MDN over the years, it might be reasonable to reassess the final home we're aiming for.

cc @dveditz

@simon-friedberger
Copy link

Should this be on MDN? MDN seems like the canonical place to me, personally. And it does have guides on several topics so it would not be a new format.

@mikewest
Copy link
Member

In the webappsec meeting last night, we agreed to land this so the material's available in a format that's somewhat simpler to parse than this PR. I'll do that now.

There was, however, discussion around MDN on the one hand (as @simon-friedberger notes, https://developer.mozilla.org/en-US/docs/Learn/ now exists, and seems much more likely to be a place where developers would look for information like this), and a W3C venue that @simoneonofri is planning on the other. I think either of those could be a better home for this material in the long run. Hopefully @aaronshim, et al, can think through how best to port this content elsewhere.

@mikewest mikewest merged commit 4ce3f47 into w3c:main Mar 21, 2024
@aaronshim
Copy link
Contributor Author

Thank you @simon-friedberger and @mikewest for the discussion-- I definitely agree the points presented above, as MDN has the brand recognition amongst developers and could help getting more folks to look at this content.

@simon-friedberger so that we don't end up dropping this idea, is there a MDN contact that I could speak with to get a better idea of how the publication process works for MDN?

And thank you again @mikewest for accepting the PR while we search for other potential homes for this content!

@simoneonofri
Copy link

simoneonofri commented Mar 21, 2024

Thanks to @simon-friedberger and @mikewest for being available and to @aaronshim for bringing this up.

The idea is to create a Community Group co-chaired by @torgo, dedicated to web application developers.

On the MDN side, we have @wbamberg and @Elchi3, and this issue can be useful for them.

@sideshowbarker
Copy link
Contributor

sideshowbarker commented Mar 21, 2024

@aaronshim

@simon-friedberger so that we don't end up dropping this idea, is there a MDN contact that I could speak with to get a better idea of how the publication process works for MDN?

On the MDN side, we have @wbamberg and @Elchi3 that this issue can be useful for them.

I’m an MDN committer-reviewer, and while I defer to @wbamberg and @Elchi3 on if/where this would fit into MDN, I’d be happy to make time to give help and guidance to anybody willing to do the specific work on fitting it into MDN in an appropriate place (assuming that @wbamberg and @Elchi3 do reckon we could find an appropriate place).

@simon-friedberger
Copy link

simon-friedberger commented Mar 22, 2024

@aaronshim

@simon-friedberger so that we don't end up dropping this idea, is there a MDN contact that I could speak with to get a better idea of how the publication process works for MDN?

I hope I'm understanding the question correctly, all of MDN is on GH. For example you can find the main content here https://github.com/mdn/content and for content questions hit up @Rumyra. The generation is mostly here https://github.com/mdn/yari and for questions go to @fiji-flo.

@wbamberg
Copy link

@mozfreddyb also emailed me about this work in the context of a project we are currently planning to add/update/extend security docs on MDN: openwebdocs/project#198.

That project currently describes a possible outline for some web security docs: https://docs.google.com/document/d/1p1GtjmTd1uQrO2PRb_uUflAfQpEsfs7hBaopYeuoPMM/edit, which we presented at the recent W3C breakouts day.


For the high-level question of where these docs could live on MDN...

These docs seem to me to fit into the category that the security docs outline calls "tools" - that is, documentation for web platform features can use to address vulnerabilities. Although "mitigations" sounds like a better name :).

I think a question is whether they live alongside the technology they belong to (i.e. HTTP, afaict) or the function the serve (i.e. Security). I mean for example, reference documentation for HTTP headers all lives under HTTP, and that makes sense, but maybe guide documentation for how to use specific security-related HTTP headers should live under Security.

If you look at the sidebar in https://developer.mozilla.org/en-US/docs/Web/HTTP you'll see that there does claim to be an "HTTP/Security" bit, but really it's kind of vestigial, just linking to HTTP reference pages and off-MDN pages - that is, there's no actual dedicated "HTTP security" place.

My feeling is that it would be easier for people to find these and mentally connect them with security practices if we had them under Security, so maybe https://developer.mozilla.org/en-US/docs/Web/Security/Mitigations might be a good place?


For the more detailed questions about how we could look at organizing them within their location on MDN...

At the moment there are four mitigations under here, is there an idea of how we might expect this list to grow? It doesn't have to get exhaustive, but it helps to have an idea of whether any kind of template we want to have for them will adapt well to future docs.

It looks like there is already an implicit template for these docs, of "Rolling out X/Understanding X breakages/FAQ". Of course templates aren't set in stone and we can update them as we go along, but it's good for readers if we can present consistent structures so they know how to find things.

Beyond that I haven't looked at the content in a lot of detail but it would be great to think about how it can be integrated into other aspects of this security documentation and MDN in general, and where it gives clues for other pages we should have - for example https://w3c.github.io/webappsec/mitigation-guidance/COOP/ links to external pages for tabnabbing and xs-leaks, so maybe we should have these documented as attacks in the nascent MDN security documentation?

@aaronshim
Copy link
Contributor Author

Hi @wbamberg thank you for your detailed thoughts! I also recently chatted with @simoneonofri and heard about the W3C breakout focusing on web security docs-- I'm excited to see where this effort goes and am happy to help out!

One thing I noticed in the minutes was the emphasis on "experts from the industry" to help with the docs-- rest assured, I think the material here will be a good starting point for the MDN efforts, as the initial content was contributed by the various industry experts (attending the WebAppSec WG meetings) who led large-scale industry adoption efforts (in real-world web applications with large user bases) of their respective mitigations.

As per the format/template and questions of completeness of the various lists of attacks/mitigations listed in the initial outline, is there a more canonical issue elsewhere on Github where we can discuss those ideas further? Thank you!

@wbamberg
Copy link

As per the format/template and questions of completeness of the various lists of attacks/mitigations listed in the initial outline, is there a more canonical issue elsewhere on Github where we can discuss those ideas further? Thank you!

Longer term, the CG mentioned by Simone would be a great place, but for now the project issue is probably best: openwebdocs/project#198 .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants