ep134 Monthly Platform 202310
- published_at
- 2023-10-31
- guest
- @myakura
Theme
The theme of episode 134 is the October 2023 Monthly Platform.
Show Note
Chrome Trends
Stable: 118
Updates
-
New in Chrome 118 - Chrome for Developers
- https://developer.chrome.com/en/blog/new-in-chrome-118/
- CSS @scope rule.
- scripting and prefers-reduced-transparency media features
- Sources panel improvements in DevTools
-
Chrome 119 beta - Chrome for Developers
- https://developer.chrome.com/en/blog/chrome-119-beta/
-
CSS
- :user-valid and :user-invalid CSS pseudo-classes
- CSS Relative Color Syntax (RCS)
- CSS clip-path geometry-box values
- CSS clip-path xywh() and rect() values
-
Web APIs
- Cookie Expires/Max-Age attribute upper limit for prior storage
- DisplayMediaStreamOptions monitorTypeSurfaces
- Fenced Frames functionality updates
- Intersection Observer scroll margin
- Keyboard-focusable scroll containers
- Private Network Access restrictions for automotive
- Read Chrome device attributes
- Replace dangling markup in target name to _blank
- Sec-CH-Prefers-Reduced-Transparency user preference media features Client Hints header
- Standard compliant URL host punctuation characters
- WebCodecs AudioEncoder bitrateMode
- X25519Kyber768 key encapsulation for TLS
-
Origin trials in progress
- Open popups as fullscreen windows
-
Deprecations and removals
- Remove Web SQL
- Remove Sanitizer API
- Remove data: URL in SVGUseElement
- Remove non-standard shadowroot attribute for declarative shadow DOM
-
What's New in DevTools (Chrome 119) - Chrome for Developers
- https://developer.chrome.com/en/blog/new-in-devtools-119/
-
Improved @property section in Elements > Styles
- Editable @property rule
- Issues with invalid @property rules are reported
- Updated list of devices to emulate
- Pretty-print inline JSON in script tags in Sources
- Autocomplete private fields in Console
- Lighthouse 11.1.0
- Accessibility improvements
- Web SQL deprecation
- Screenshot aspect ratio validation in Application > Manifest
- Miscellaneous highlights
Intents
- Ship: Accordion pattern using name attribute on <details> elements
- Ship: Attribution Reporting API feature (aggregation coordinator selection)
- Ship: CSS :dir() pseudo-class selector
- Ship: CSS <image> Syntax for registered Custom Properties
- Ship: Deprecate old CSS custom state syntax
- Ship: Fire toggle events using microtasks
- Ship: HTMLSelectElement showPicker()
- Ship: Media Session API: enterpictureinpicture action
- Ship: PointerEvent.deviceId for Multi-Pen Inking
- Ship: Relaxed CSS Nesting
- Ship: WebGPU f16 support
- Ship: MediaStreamTrack Stats
- Ship: Implement requestPermission() for DeviceOrientationEvent and DeviceMotionEvent
- Ship: Web Bluetooth getDevices(), BluetoothDevice.watchAdvertisements(), and BluetoothAdvertisingEvent
- Ship: The Login Status API and its use in FedCM
- Ship: Async Clipboard API: Read unsanitized HTML
- Ship: CSS <transform-function> and <transform-list> Syntax for registered Custom Properties
-
Ship: CSS Exponential Functions
- https://groups.google.com/a/chromium.org/g/blink-dev/c/oAu01pBscs8
- pow(), sqrt(), hypot(), log(), exp()
-
Ship: CSS Scrollbars: scrollbar-color, scrollbar-width
- https://groups.google.com/a/chromium.org/g/blink-dev/c/PkEsMirl2zE
- Standardizes what used to be WebKit-specific
- Ship: CSS masking
-
Ship: Deprecate and remove Theora support
- https://groups.google.com/a/chromium.org/g/blink-dev/c/qqDdLkeyk7Y
- Removes Theora, an open video codec
- Because its security risk is increasing
- Judged to have little impact because many videos have already moved to VP8/9 and similar codecs
- Ship: FedCM extensions: Error API and Auto-Selected Flag API
- Ship: Fenced Frame - Functionality Updates
- Ship: MediaCapabilities: Query HDR support with decodingInfo()
- Ship: Permissions policy violation reports
- Ship: Private Aggregation API: aggregation coordinator selection
- Ship: Protected Audience clearOriginJoinedAdInterestGroups() & interest group limit changes & kAnonStatus
- Ship: Ruby-specific display values
- Ship: WebAssembly Multi-Memory
- Ship: WebCodecs support for enabling AV1 screen content coding tools
- Ship: WebGPU maxBindGroupsPlusVertexBuffers limit
- Ship: Interoperable Pointer and Mouse boundary events after DOM changes
- Ship: Array.fromAsync
- Ship: WebGPU timestamp queries
- Ship: WebGPU on Android
- Prototype: CSS Masking
- Prototype: Extending Storage Access API (SAA) to non-cookie storage
-
Prototype: Invokers
- https://groups.google.com/a/chromium.org/g/blink-dev/c/tDanwUCp2cg
- A mechanism for opening and closing a popover/dialog declaratively
- Add an invoketarget attribute to a button to associate it with the dialog
- Prototype: View Transitions: transition types
- Prototype: HTTP method in ResourceTiming
- Prototype: Verifying IPFS client
- Prototype: Web Printing API
- Prototype: WebAuthn related origins
- Implement and Ship: Feature detection for supported clipboard formats
- Implement and Ship: Media query support for video <source> elements
- Prototype and Ship: URL.canParse
- Re-implement and Ship: CSS Font Loading API - FontFaceSet: check() method
- Experiment: 'priority' HTTP request header
- Experiment: Protected Audience Bidding & Auction Services
- Experiment: Unrestricted access to performance.measureUserAgentSpecificMemory()
- Experiment: Web app scope extensions
- Experiment: IP Protection Phase 0
- Experiment: Private Network Access permission to relax mixed content
- Experiment: Cookie Deprecation Labeling
- Experiment: Load common payloads from privacy-preserving single-keyed cache
- Experiment: Extending Storage Access API (SAA) to non-cookie storage
- Request for Extend Deprecation Trial: Restrict "private network requests" for subresources from public websites to secure contexts.
- Extend Experiment: No-Vary-Search header, Speculation Rules expects_no_vary_search support in prefetch cache
- Extend Origin Trial: Cross App and Web Attribution Measurement M120-M123
- PSA: Extra supported format for Protected Audience size macros
- PSA: New baseline format for test-harness tests
- PSA: Web IDL async iterable now supported in Blink-V8 bindings
- PSA: request TAG feedback early!
- PSA: Storage Access API & dedicated workers
- PSA: requestAnimationFrame & DocumentTimeline timestamps are now coarsened
- Web-Facing Change PSA: Set IndexedDB transaction durability to relaxed by default
- Merging a UseCounter addition
- Don't forget to sign up to host a talk at BlinkOn 18!
- We're just 1 week away from BlinkOn 18!
- [blink-dev] BlinkOn 18 is tomorrow!
- Web-Facing Change PSA: View Transitions: making callback non-nullable
- Change:
- Unship:
- Remove:
Other
-
web.dev
- Effectively loading ads without impacting page speed
- New to the web platform in September
- Changes to the web.dev infrastructure
-
google developer blog
- Join us online from 23-27 October for Passkeys Week - Google for Developers
- google developer japan blog
-
chrome developer blog
- What's New in WebGPU (Chrome 118) - Chrome for Developers
- Chrome starts supporting passkeys on iCloud Keychain on macOS - Chrome for Developers
- DevTools Tips: Debugging Chrome extensions - Chrome for Developers
- New origin trial for fullscreen popup windows - Chrome for Developers
- API Improvements for working with files in the browser - Chrome for Developers
- Preparing for the end of third-party cookies - Chrome for Developers
- CSS relative color syntax - Chrome for Developers
- Serial over Bluetooth on the web - Chrome for Developers
-
Chromium issue tracker migration - Chrome for Developers
- https://developer.chrome.com/en/blog/chromium-issue-tracker-migration/
- In January 2024, Chromium issue tracking moves from bugs.chromium.org to Google Issue Tracker
- Sanitizer API deprecation - Chrome for Developers
- What's happening in Chrome Extensions? - Chrome for Developers
- Select element: now with horizontal rules - Chrome for Developers
- CSS text-wrap: pretty - Chrome for Developers
- What's New in WebGPU (Chrome 119) - Chrome for Developers
- CSS prefers-reduced-transparency - Chrome for Developers
-
chromium blog
- https://blog.chromium.org/
- Chromium Blog: Unlocking the power of TLS certificate automation for a safer and more reliable Internet
- Chromium Blog: Update to Developers: Chromium Issue Tracker migration
- canary
-
google security blog
- Google Online Security Blog: Expanding our exploit reward program to Chrome and Cloud
- Google Online Security Blog: Scaling BeyondCorp with AI-Assisted Access Control Policies
- Google Online Security Blog: Enhanced Google Play Protect real-time scanning for app installs
- Google Online Security Blog: Joint Industry statement of support for Consumer IoT Security Principles
- Google Online Security Blog: Google's reward criteria for reporting bugs in AI products
- Google Online Security Blog: Increasing transparency in AI security
- Google Online Security Blog: Android 14 introduces first-of-its-kind cellular connectivity security features
-
v8
- Control-flow Integrity in V8 · V8
-
other
- BlinkOn 18
- Passkeys are now enabled by default for Google users
- How Passkeys work: A Google security expert explains
- 5 improvements to Chrome's address bar
- Project Zero: An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
-
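Launching KanColle in desktop Chrome gives a blank white screen! | Kininaruberu
- https://kininaruberu.com/kancollearekore/chrome_login
- Does HTTPS Upgrades turn it into mixed content, so it fails to display?
-
KanColle display broke
- https://twitter.com/KanColle_STAFF/status/1713048810291962131
-
"KanColle" Development/Operations on X: "Admirals, thank you for your hard work! Since the summer-to-autumn updates of the browser [Chrome], there may be cases where "KanColle" shows a blank white screen on connection and does not work; in that case you can still connect with Chrome using methods such as the one below. Admirals on Chrome who are having trouble, please give it a try.
-
We are also preparing the move to https, but we are proceeding carefully, keeping in mind uncommon browser environments that are already in use (and that have no problems in terms of communication or functionality).
-
For customers whose websites no longer display in Google Chrome | Sakura Support Information
- https://help.sakura.ad.jp/notification/n-2624/
- Probably some sites fail to display because of HTTPS Upgrade
-
Can no longer access my published website with Google Chrome - FAQ - Sakura Support Information
- https://faq.sakura.ad.jp/s/article/000001530
-
With a Google Chrome update, HTTP connections (http://~) are now automatically redirected to HTTPS connections (https://~), and if SSL is not enabled, the site may fail to display correctly.
- Guides users to set up a certificate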
Firefox Trends
Stable: 119
Updates
- Firefox 119.0, See All New Features, Updates and Fixes
-
Firefox 119 for developers - Mozilla | MDN
- https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/119
- Array grouping
- Well-formed Unicode strings
- COEP: credentialless
- ARIA reflection (non-IDREF)
- All Lights Green for 119 - These Weeks in Firefox: Issue 145 - Firefox Nightly News
- Developments Aplenty for 120 - These Weeks in Firefox: Issue 146 - Firefox Nightly News
- More WebExtensions! Coming to an Android near you soon - These Weeks in Firefox: Issue 147 - Firefox Nightly News
Intents
- Ship: CSS text-wrap: balance
- Ship: Early Hints Preconnect for Fx120
- Ship: Storage Access API, update to per-frame model
-
Ship: Global Privacy Control
- https://groups.google.com/a/mozilla.org/g/dev-platform/c/373F82Jzcjs
- Sec-GPC, navigator.globalPrivacyControl
- Prototype and Ship: Line-height Units (lh, rlh)
- Prototype and Ship: CSS text-indent keywords hanging & each-line
- Prototype and Ship: User Activation API
- Prototype and Ship: iframe lazy loading
-
Prototype and Ship: light-dark() color function
- https://groups.google.com/a/mozilla.org/g/dev-platform/c/18t2jK1FtJA
- A function that specifies the light-mode and dark-mode colors together
- e.g. color: light-dark(black, white); background: light-dark(white, black)
- Change:
- Remove:
Newsletter
- Firefox WebDriver Newsletter - 119 - Firefox Developer Experience
- Firefox DevTools Newsletter - 119 - Firefox Developer Experience
MDN / Open Web Docs
-
Docs to Secure the Web Forward
- https://openwebdocs.org/content/posts/secure-the-web-forward/
- OWD joined Secure the Web Forward
- Talked about the need for documentation for web security education
- Follows an MDN survey that showed security topics are hard to understand
-
Sovereign Tech Fund invests in Open Web Docs
- https://openwebdocs.org/content/posts/sovereign-tech-fund/
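- With funding from the Sovereign Tech Fund, OWD will work on automatic updates of BCD (Browser Compat Data) and on grouping features
- STF is funded by Germany's Federal Ministry for Economic Affairs and Climate Action and run by SPRIND (a German innovation agency)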
- Migrating from GitHub to GitLab seamlessly: A step-by-step guide | MDN Blog
-
Introduction to web sustainability | MDN Blog
- https://developer.mozilla.org/en-US/blog/introduction-to-web-sustainability/
- Improving web performance contributes to the SDGs
- Optimizing DevSecOps workflows with GitLab's conditional CI/CD pipelines | MDN Blog
- Coming Soon: MDN Observatory 2.0 | MDN Blog
Standard Position
-
Looking at the issues and PRs closed this month
- https://github.com/mozilla/standards-positions/issues?q=closed%3A%3E2023-10-01+
-
Positive
- Fire toggle events using microtasks · Issue #901 · mozilla/standards-positions
- Feature detection for supported clipboard formats · Issue #889 · mozilla/standards-positions
- Allow <hr> tags inside <select> tags · Issue #887 · mozilla/standards-positions
- HTMLSelectElement showPicker() · Issue #886 · mozilla/standards-positions
- CSS Color 5: Relative Color Syntax · Issue #841 · mozilla/standards-positions
- Lazy loading for iframes · Issue #840 · mozilla/standards-positions
- UserActivation API · Issue #838 · mozilla/standards-positions
- Request for Mozilla Position: Zstandard compression format for Content-Encoding · Issue #775 · mozilla/standards-positions
- Request for Mozilla Position: import conditions - supports() · Issue #761 · mozilla/standards-positions
- fetch streaming upload · Issue #663 · mozilla/standards-positions
- Storage Buckets API · Issue #475 · mozilla/standards-positions
Other
- Say (an encrypted) hello to a more private internet
- Mozilla announces 25 honorees for the Rise 25 Awards
- Built for privacy: Partnering to deploy Oblivious HTTP and Prio in Firefox
- Built for Privacy: Partnering to Deploy Oblivious HTTP and Prio in Firefox - Mozilla Hacks - the Web developer blog
- Intent to Approve Commscope's CA Inclusion Request
- Updated Incident Reporting Requirements
- Introducing Mozilla's AI Guide, the developers onboarding ramp to AI
- Global Network Fee Proposals are Troubling. Here are Three Paths Forward. - Open Policy & Advocacy
Safari Trends
Stable: 17.1
Updates
-
Safari Technology Preview 180
- https://webkit.org/blog/14664/release-notes-for-safari-technology-preview-180/
- Added support for rect() shape for shape-outside, clip-path, and offset-path.
- Removed support for the auto value from alignment-baseline. (268008@main)
- Added support for CanDeclareGlobalFunction abstract operation and related implementations. (267655@main)
- Added support for HasVarDeclaration abstract operation. (267891@main)
-
Safari Technology Preview 181 | WebKit
- https://webkit.org/blog/14721/release-notes-for-safari-technology-preview-181/
- Added support for content-visibility. (268313@main) (114734606)
- Added support for one-time-code as an allowed autocomplete field name. (268097@main) (115684196)
- Added MediaStream support for whiteBalanceMode. (268102@main) (115552800)
- Removed margin-trim behavior for floats to match specification changes. (268227@main) (115794102)
-
WebKit Features in Safari 17.1
- https://webkit.org/blog/14735/webkit-features-in-safari-17-1/
- Managed Media Source API to iPhone
Standard Positions
-
Looking at what was closed this month
- https://github.com/WebKit/standards-positions/issues?q=is%3Aissue+closed%3A%3E2023-10-01+
-
Support
- Request for position: WebDriver BiDi · Issue #240 · WebKit/standards-positions
- CSS Ruby Annotation Layout Module Level 1 · Issue #232 · WebKit/standards-positions
- Resource Timing: Add interim response timings · Issue #109 · WebKit/standards-positions
- CustomStateSet for custom elements · Issue #56 · WebKit/standards-positions
- Wildcards in Permissions Policy Origins · Issue #51 · WebKit/standards-positions
- Navigation API · Issue #34 · WebKit/standards-positions
-
Neutral
- border-boundary CSS property · Issue #201 · WebKit/standards-positions
-
Oppose
- Compute Pressure API · Issue #255 · WebKit/standards-positions
- Web Preferences API · Issue #252 · WebKit/standards-positions
Other
- Get ready for Interop 2024 | WebKit
- Simplified Responsive Design Mode | WebKit
Edge Trends
Stable: 118
Updates
Other
- Announcing general availability of the new Microsoft Teams app for Windows and Mac - Microsoft Community Hub
-
Rebuilt Microsoft Teams app promises twice the speed and half the RAM usage | Ars Technica
- https://arstechnica.com/gadgets/2023/10/rebuilt-microsoft-teams-app-promises-twice-the-speed-and-half-the-ram-usage/
- The Teams app moved from Electron to a WebView2 base
- WebView2 for macOS is apparently also out in beta
-
Home - Microsoft Apps
- https://apps.microsoft.com/
- The Microsoft Store has been redesigned
- Judah Gabriel: "Hey! Today we released the new https://t.co/g2dIFhnDWG - app store for Windows. 🎉 Proud of this work! It's built with web components, using @buildWithLit, @shoelace_style, @vite_js, @pwabuilder's PWA template, App Tools router, running on C# ASPNET backend. 😎"
- https://twitter.com/JudahGabriel/status/1710075338326454390
- It used to be React, but moved to Vite, PWABuilder, Lit, Shoelace and others
- Fiddler Web Debugger Turns 20 - text/plain
-
Security Tradeoffs: Privacy - text/plain
- https://textslashplain.com/2023/10/04/security-tradeoffs-privacy/
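- Privacy protection improves when DoH and ECH are enabled
- However, because only the destination IP is visible, security products stop working
- So these features are sometimes turned off on managed devices
- This is where security and privacy trade off against each other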
- Beware: URLs are Pointers to Mutable Entities - text/plain
- Security: The Impact of Time - text/plain
- ServiceWorkers vs. Network Filtering - text/plain
- Protecting Auth Tokens - text/plain
WHATWG/W3C Trends
Draft
-
Recommendation
- Web Content Accessibility Guidelines (WCAG) 2.2 is a W3C Recommendation
- Proposed Recommendation
- Candidate Recommendation
- Working Draft
- First Public Working Draft
-
Chartering
- Advance notice: Work in progress on Devices and Sensors Working Group Charter
- Call for Participation: Math Working Group Charter Approved; Join the Math WG
- Call for Participation: MiniApps Working Group Charter Approved; Join the MiniApps WG
- Call for Participation: PNG Working Group Charter Approved; Join the PNG WG
- Call for Participation: Web of Things Working Group Charter Approved; Join the WoT WG
- New incubation: Cross-Origin-Opener-Policy: restrict-properties
- Open Cloud Mesh Community Group created
- Proposed W3C Charter: Private Advertising Technology Working Group (until 2023-11-13/14)
- Proposed W3C Charter: WebAssembly Working Group (until 2023-11-09/10); Current Charter Extended
Other
-
Hiring: Web Security Lead | 2023 | News | W3C
- https://www.w3.org/news/2023/hiring-web-security-lead/
-
W3C is seeking a full-time staff member to lead our Web Security standardization efforts.
- https://www.w3.org/careers/2023-web-security-lead-job-posting/
- W3C announces Seth Dobbs as next CEO
-
The WHATWG Blog - The URL Pattern Standard
- https://blog.whatwg.org/url-pattern-standard
- URLPattern is now a WHATWG specification
- URL Pattern Standard
TC39 Trends
Meeting
- This month's minutes have not been read through yet, so they are deferred to next month
- 2023-07
Proposals Diff
New Proposals
Other
- TC39-TG4 - Ecma International
- After six years, Float16Array was brought to Stage 3 - pixiv inside
WinterCG Trends
- Covered only in months with a meeting or a major development
Meeting
- 2023-10-05 - Meeting · Issue #56 · wintercg/admin
IETF Trends
WG
-
IETF
- https://datatracker.ietf.org/meeting/
- IETF 118 Final Agenda
- IETF 118 Preliminary Agenda
-
httpwg
- https://lists.w3.org/Archives/Public/ietf-http-wg/
- https://github.com/httpwg/wg-materials/
- Artart last call review of draft-ietf-httpbis-alias-proxy-status-05
- Call for adoption: draft-nottingham-http-cache-groups
- DRAFT agenda for IETF119 from Mark Nottingham
- Genart last call review of draft-ietf-httpbis-alias-proxy-status-05
- Httpdir last call review of draft-ietf-wish-whip-09
- I-D Action: draft-ietf-httpbis-resumable-upload-02.txt
- I-D Action: draft-ietf-httpbis-unprompted-auth-05.txt
- IETF 118 hackathon project for resumable uploads
- Intdir telechat review of draft-ietf-httpbis-alias-proxy-status-05
- Last Call: draft-ietf-httpbis-alias-proxy-status-05.txt (HTTP Proxy-Status Parameter for Next-Hop Aliases) to Proposed Standard
- Opsdir last call review of draft-ietf-httpbis-alias-proxy-status-05
- Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487) from Mark Nottingham
- Robert Wilton's No Objection on draft-ietf-httpbis-alias-proxy-status-05: (with COMMENT)
- Secondary Certificates from Mark Nottingham
- Unprompted Auth and Exported Authenticators
-
quicwg
- https://mailarchive.ietf.org/arch/browse/quic/
- https://github.com/quicwg/wg-materials
- I-D Action: draft-ietf-quic-ack-frequency-07.txt
- I-D Action: draft-ietf-quic-multipath-06.txt
- I-D Action: draft-ietf-quic-qlog-main-schema-07.txt
- I-D Action: draft-ietf-quic-qlog-quic-events-06.txt
- I-D Action: draft-ietf-quic-reliable-stream-reset-03.txt
- IETF 118 Agenda Items
- Multipath QUIC Interop at Hackathon
- QUIC Address Discovery
- Reliable Stream Resets: Requesting a Reset at a Specific Offset
- TSV AD office hours
- quic - Requested session has been scheduled for IETF 118
- webtrans
-
tlswg
- https://mailarchive.ietf.org/arch/browse/tls/
- https://github.com/tlswg/wg-materials
- Closing out final ECH issues
- I-D Action: draft-ietf-tls-ctls-09.txt
- I-D Action: draft-ietf-tls-dtls-rrc-10.txt
- I-D Action: draft-ietf-tls-esni-17.txt
- I-D Action: draft-ietf-tls-rfc8447bis-05.txt
- I-D Action: draft-ietf-tls-wkech-04.txt
- Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3
- tls@ietf118
- wpack
- masque
- pearg
- privacypass
-
ohai
- I-D Action: draft-ietf-ohai-svcb-config-07.txt
- Protocol Action: 'Discovery of Oblivious Services via Service Binding Records' to Proposed Standard (draft-ietf-ohai-svcb-config-07.txt)
- Requesting Review of W3C Verifiable Credentials guidance on Oblivious HTTP
- dispatch
- secdispatch
Other
- Call for Comment: draft-iab-privacy-partitioning-03 (Partitioning as an Architecture for Privacy)
- Constrained RESTful Environments (core) WG Interim Meeting Cancelled (was 2023-10-25)
- IAB Statement on the Risks of Attestation of Software and Hardware on the Open Internet
- Last Call: draft-ietf-tsvwg-ecn-encap-guidelines-20.txt (Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP) to Best Current Practice
- Last Call: draft-ietf-tsvwg-rfc6040update-shim-19.txt (Propagating Explicit Congestion Notification Across IP Tunnel Headers Separated by a Shim) to Proposed Standard
- Protocol Action: 'Discovery of Oblivious Services via Service Binding Records' to Proposed Standard (draft-ietf-ohai-svcb-config-07.txt)
- Protocol Action: 'Privacy Pass Issuance Protocol' to Proposed Standard (draft-ietf-privacypass-protocol-16.txt)
- RFC 9474 on RSA Blind Signatures
- RFC 9484 on Proxying IP in HTTP
- RFC 9495 on Certification Authority Authorization (CAA) Processing for Email Addresses
CDN Trends
Cloudflare
- 1.1.1.1 lookup failures on October 4th, 2023
- 1.1.1.1 lookup failures on October 4th, 2023 (Japanese version)
- Announcing General Availability for the Magic WAN Connector: the easiest way to jumpstart SASE transformation for your network
- Birthday Week recap: everything we announced - plus an AI-powered opportunity for startups
- Birthday Week recap: everything we announced, plus an AI opportunity for startups (Japanese version)
- Cache Reserve goes GA: enhanced control to minimize egress costs
- Cache Rules go GA: precision control over every part of your cache
- Cyber attacks in the Israel-Hamas war
- Empowering our partners with the new Tenant Platform dashboard
- HTTP/2 Rapid Reset: deconstructing the record-breaking attack
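- HTTP/2 Rapid Reset: neutralizing the record-breaking attack (Japanese version)
- HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
- HTTP/2 zero-day vulnerability results in the largest DDoS attacks ever (Japanese version)
- How Cloudflare mitigated yet another Okta compromise
- Hyperdrive: making databases feel as if they are global (Japanese version)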
- Internet traffic patterns in Israel and Palestine following the October 2023 attacks
- Introducing the Project Argus Datacenter-ready Secure Control Module design specification
- Malicious "RedAlert - Rocket Alerts" Application Targets Israeli Phone Calls, SMS, and User Information
- Network flow monitoring is GA, providing end-to-end traffic visibility
- Q3 2023 Internet disruption summary
- Uncovering the Hidden WebP vulnerability: a tale of a CVE with much bigger implications than it originally seemed
- Waiting Room adds multi-host and path coverage, unlocking broader protection and multilingual setups
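- Waiting Room expands multi-host and path coverage, enabling broader protection and multilingual setups (Japanese version)
- Post-quantum cryptography is now generally available (Japanese version)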
Fastly
- Thriving amidst chaos: Managed security tips for Black Friday weekend | Fastly
- Firefox and Fastly take another step toward a privacy upgrade for the internet | Fastly
Other
- Akamai 103 Early Hints Prototype: The Results Are In | Akamai
- Guidance on the Recent Critical libwebp and libvpx Vulnerabilities | Akamai
- An Open Partnership Ecosystem for Building Solutions at the Edge | Akamai
- How Akamai Protects Customers from HTTP/2 Rapid Reset DDoS Attacks | Akamai
- Strengthening Vercel's Infrastructure against HTTP/2 Rapid Reset Attacks - Vercel
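Security Trends
-
Fake sites also show a padlock in the address bar; check the certificate to spot phishing scams | Nikkei xTECH
- https://xtech.nikkei.com/atcl/nxt/column/18/02574/090700003/
-
There are three types of certificates, in descending order of trust: EV, OV, and DV (Figure 33). Of these, the one abused in scams is the DV certificate. A certificate authority called "Let's Encrypt" issues them for free, and according to the Council of Anti-Phishing Japan, with a few exceptions most phishing sites use this certificate. It is hard to imagine a major company using one. If the issuer shown in the browser's certificate viewer is "Let's Encrypt", be careful (Figure 34).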
-
HTTP/2 Rapid Reset
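- How it works: the novel HTTP/2 "Rapid Reset" DDoS attack | Google Cloud Official Blog
-
HTTP/2 Rapid Reset: neutralizing the record-breaking attack
- https://blog.cloudflare.com/ja-jp/technical-breakdown-http2-rapid-reset-ddos-attack-ja-jp/
- This one is the easiest to understand
- HTTP/2 streams can be multiplexed, and each one has its own state transitions
- Sending an RST closes that stream
- The maximum number of streams can be exchanged via Settings, and anything beyond it can be dropped
- Cloudflare has a proxy that terminates TLS and a proxy that sends to the backend
- Here, requests are sent that start many streams at once
- If each one is RST immediately, the stream limit is never hit and requests can be sent without end
- However, the proxy buffers them in order to forward them to the origin behind it
- On RST it releases the resources and notifies the origin, but when resets arrive quickly this part backs up
- The attacker can force unlimited resource allocation without ever hitting the limit
- The proxy can no longer keep up, and errors occur on the proxy
- No errors occur at the origin, so the service operator cannot tell why the service went down
- As a mitigation, the TLS proxy side monitors IPs and counts RSTs over a short time window
- By now it is mostly mitigated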
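The mitigation in the last notes above (counting RSTs over a short window, per connection and per client IP, at the TLS proxy) can be sketched as detection logic. This is an added example, not code from Cloudflare or from these show notes; the event tuple format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds for illustration; real values must be tuned on real traffic.
RAPID_CANCEL_SECS = 0.050      # client RST this soon after HEADERS counts as "rapid"
WINDOW_SECS = 1.0              # sliding window length
MAX_RAPID_RESETS = 50          # rapid resets tolerated per connection per window
MAX_CONCURRENT_STREAMS = 100   # stream limit the proxy advertises in SETTINGS


@dataclass
class ConnState:
    client_ip: str
    open_streams: dict = field(default_factory=dict)    # stream id -> open time
    rapid_resets: deque = field(default_factory=deque)  # timestamps inside the window
    peak_concurrent: int = 0
    streams_seen: int = 0
    flagged_at: Optional[float] = None


class RapidResetDetector:
    """Consumes client-to-proxy events: (ts, conn_id, client_ip, frame, stream_id)."""

    def __init__(self):
        self.conns = {}

    def observe(self, ts, conn_id, client_ip, frame, stream_id):
        st = self.conns.setdefault(conn_id, ConnState(client_ip))
        if st.flagged_at is not None:
            return False                      # connection is already being closed
        if frame == "HEADERS":                # a new request stream opens
            st.open_streams[stream_id] = ts
            st.streams_seen += 1
            st.peak_concurrent = max(st.peak_concurrent, len(st.open_streams))
        elif frame == "END":                  # stream completed normally
            st.open_streams.pop(stream_id, None)
        elif frame == "RST_STREAM":           # client cancelled the stream
            opened = st.open_streams.pop(stream_id, None)
            if opened is not None and ts - opened <= RAPID_CANCEL_SECS:
                st.rapid_resets.append(ts)
            while st.rapid_resets and ts - st.rapid_resets[0] > WINDOW_SECS:
                st.rapid_resets.popleft()     # drop resets that left the window
            if len(st.rapid_resets) > MAX_RAPID_RESETS:
                st.flagged_at = ts            # a proxy would close the connection here
                return True
        return False

    def summary(self):
        # conn_id -> (flagged?, peak concurrent streams, streams seen before flagging)
        return {cid: (st.flagged_at is not None, st.peak_concurrent, st.streams_seen)
                for cid, st in self.conns.items()}

    def flagged_ips(self):
        return {st.client_ip for st in self.conns.values() if st.flagged_at is not None}


def constructed_events():
    """Constructed sample log: connection A behaves normally, B resets every stream at once."""
    events = []
    for i in range(5):                        # A: five requests that complete
        events.append((0.10 * i, "A", "198.51.100.7", "HEADERS", 1 + 2 * i))
        events.append((0.10 * i + 0.08, "A", "198.51.100.7", "END", 1 + 2 * i))
    events.append((0.60, "A", "198.51.100.7", "HEADERS", 11))
    events.append((0.90, "A", "198.51.100.7", "RST_STREAM", 11))  # slow user cancel
    for i in range(200):                      # B: each stream is reset 1 ms after opening
        events.append((0.002 * i, "B", "203.0.113.9", "HEADERS", 1 + 2 * i))
        events.append((0.002 * i + 0.001, "B", "203.0.113.9", "RST_STREAM", 1 + 2 * i))
    return sorted(events, key=lambda e: e[0])


def analyse(events):
    det = RapidResetDetector()
    for ev in events:
        det.observe(*ev)
    return det


if __name__ == "__main__":
    det = analyse(constructed_events())
    for cid, (flagged, peak, seen) in det.summary().items():
        print(f"conn {cid}: flagged={flagged} peak_concurrent={peak}/"
              f"{MAX_CONCURRENT_STREAMS} streams_seen={seen}")
```

Connection B is flagged even though its peak concurrency stays at 1, which is why the concurrent-stream limit alone never triggers and the reset rate has to be counted separately.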
Related Trends
-
230610 Talk Part 1 (Nobori) - Handout 1 - Secret NTT Telephone Exchanges, FLET'S Hikari, and Introduction to the Internet.pdf
- https://dnobori.cyber.ipa.go.jp/ppt/download/20230610_soumu/230610%20%E8%AC%9B%E6%BC%94%20%E7%AC%AC1%E9%83%A8%20(%E7%99%BB)%20-%20%E9%85%8D%E5%B8%83%E8%B3%87%E6%96%99%E3%81%9D%E3%81%AE1%20-%20%E7%A7%98%E5%AF%86%E3%81%AE%20NTT%20%E9%9B%BB%E8%A9%B1%E5%B1%80%E3%80%81%E3%83%95%E3%83%AC%E3%83%83%E3%83%84%E5%85%89%E3%80%81%E3%82%A4%E3%83%B3%E3%82%BF%E3%83%BC%E3%83%8D%E3%83%83%E3%83%88%E5%85%A5%E9%96%80.pdf
- ImperialViolet - Chrome support for passkeys in iCloud Keychain
- October Conference News | Igalia
- ARIA-AT Public Data Management Page - Bocoup
Events
-
October
- 17-19: BlinkOn18
-
November
- 7-10: IETF 118 Prague
- 19: JSConf JP
- 27-30: TC39 meeting SF (remote)
-
December
- 16: Next Generation Web Conference
Wrap Up
-
Chrome
-
118
- @scope
-
119
- :user-valid/:user-invalid
- CSS Relative color syntax
- Replace dangling markup in target to _blank
- Standard compliant URL
- Remove WebSQL
- Remove Sanitizer API V0
-
Ship
- details name
- Relaxed CSS Nesting
- WebGPU f16
- CSS scrollbar-width/scrollbar-color
- CSS Ruby display values
- Array.fromAsync
- source media
- URL.canParse
-
Prototype
- Invokers
- Verifying IPFS client
- Web Printing API
-
Experiment
- Priority header
- IP Protection Phase 0
- Cookie deprecation labeling
-
Deprecate and Remove
- Theora
-
web.dev
- The infrastructure changed
- Machine translation was introduced
-
Chrome Developers
- Chromium issue tracker migration
- Preparing for the end of 3rd-party cookies
-
Chromium blog
- TLS certificate automation
-
other
- Passkeys enabled by default for Google users
- Sites broken by HTTPS Upgrades (KanColle, sites published on Sakura)
-
118
-
Firefox
-
119
- Array grouping
- ARIA reflection
-
Ship
- text-wrap: balance
- Early Hints preconnect
- Global Privacy Control
- lh/rlh
- User Activation API
- iframe lazy loading
- light-dark()
-
MDN Blog
- OWD joined Secure the Web Forward
- BCD will be updated with funding from the German government-affiliated Sovereign Tech Fund
- Web Sustainability
-
Standard Position
- hr in select
- select.showPicker()
- Relative Color Syntax
- Zstandard
- Fetch streaming upload
- Storage Buckets API
-
other
- ECH
- OHTTP
-
119
-
Safari
-
TP 181
- content-visibility
- autocomplete="one-time-code"
-
Safari 17.1
- Managed Media Source API
-
blog
- Interop 2024
- Responsive Design Mode
-
Standard Position
- CSS Ruby
- Navigation API
- negative to Compute Pressure API
- negative to Web Preferences API
- other
-
TP 181
-
Edge
- Teams is now WebView2-based
- Microsoft Store moved from React to Lit
- Privacy improvements from DoH/ECH are making security products harder to manage, by ericlaw
-
W3C/WHATWG
-
Spec
- WCAG 2.2 Rec
-
other
- Hiring a Web Security Lead
- URLPattern moved to WHATWG
-
Spec
-
TC39
- Float16Array reached Stage 3
-
IETF
- RFC 9474 RSA Blind Signatures
- RFC 9484 Proxying IP in HTTP
-
CDN Trends
- 1.1.1.1 outage
- HTTP/2 Rapid Reset
-
Security Trends
- A disappointing article claiming that Let's Encrypt means phishing
- HTTP/2 Rapid Reset
-
Related Trends
- Nobori-san's introduction to the Internet
- Chrome passkeys on iCloud Keychain