15:34:13 RRSAgent has joined #webappsec
15:34:13 logging to http://www.w3.org/2011/10/31-webappsec-irc
15:34:50 Meeting: WebAppSecWG TPAC 2011 F2F - Oct 31
15:35:22 Chairs: Brad Hill (bhill2), Eric Rescorla (ekr)
15:35:41 Agenda: http://www.w3.org/2011/webappsec/TPAC2011.htm
16:00:44 tell ekr to stop yammering so we can start the meeting :P
16:01:07 bhill2: only joking ;-)
16:02:59 we'll get going at 5 after
16:03:02 i'll be there at 10AM, is that okay?
16:03:26 yes, we are expecting you then, and we'll head back to WebApps with you afterwards for the joint session
16:03:26 currently at webapps; having to be at three WGs at the same time is really hard
16:03:40 k thanks
16:03:58 unless we have a bigger breakout room that will fit four WGs
16:06:26 present+ SoonhoLee
16:09:00 so does anyone know what is going to be broadcast to the IRC channel?
16:11:22 is anyone in IRC not in the physical room? just curious
16:11:43 me
16:11:51 well, I see that anne is not in the physical room, for one
16:12:11 zakim rocks
16:12:32 bhill2 is reviewing the agenda
16:12:50 I'm using the voice bridge too, thanks
16:13:51 bhill2 puts on screen http://www.w3.org/2011/08/appsecwg-charter.html
16:16:12 deliverables being content security policy, secure cross-domain resource sharing, secure cross-domain framing (see charter for details)
16:16:20 brandon has no comments on CSP
16:18:21 CORS is joint deliverable with WebApps WG
16:18:34 UMP status is somewhat less clear, discussion needed
16:19:17 SCDF is farther in the future
16:21:10 coordination desirable with IETF WebSec WG on Frame-Options / SCDF
16:22:43 Jeff Hodges: do we want / need to investigate a broader approach, not just single headers
16:23:23 Brad Hill: especially clickjacking is an artifact of the web architecture, how do we deliver policy for solving?
16:24:06 milestones might need to be revised / updated
16:24:33 charter review questions...
16:24:44 Larry Masinter: it's hard to tell what the scope of this WG is
16:24:53 i.e., where the boundaries are
16:26:00 Larry: might want to document things that we're not doing that need to be done
16:26:21 LM: what is the filter to decide what is in scope for this group or not?
16:26:36 Larry: don't want to lose track of things we decide are out of scope.
16:26:53 LM: don't want to lose track of things that are decided to be out of scope -- need an overall roadmap to web security
16:27:38 I have a TAG action item http://www.w3.org/2001/tag/group/track/actions/607 to hand off http://www.w3.org/2001/tag/2011/02/security-web.html
16:27:48 Brandon: my luggage password is 12345678
16:28:34 ekr_: nice
16:28:53 Larry: This is John Kemp's outline of the history and security features of the web. We didn't finish it and would like to hand it off to a WG focused on Web security.
16:28:59 Larry: Please accept it as input somehow.
16:29:29 bhill2: What's the process for doing something with this?
16:29:40 Larry: This is an attempt to outline the overall framework.
16:29:50 Larry: Should document why these particular deliverables.
16:30:24 bhill2: Sounds like something we want to publish somehow, but it's not clear to me how to handle it.
16:30:47 tlr: If the WG wants to rearrange structure of deliverables within the same scope, that's fine.
16:31:35 tlr: if you want to add something normative to the list of deliverables and it's not covered by the current scope, then you need to recharter
16:31:44 Larry, tlr: this happens frequently
16:32:12 tlr: this sounds like a non-normative document. [so probably ok -- EKR]
16:32:47 stpeter: we had the same issue with websec. wanted to work on a framework. Looked at the low hanging fruit.
16:33:20 jeffh: should be looking at the long-term thing as we chip away
16:33:38 tlr: what's the relationship between all these documents?
16:34:21 ekr: there certainly is space for a document about overall direction (how all these things work together)
16:35:20 ACTION: Investigate this question and figure out how to proceed on it
16:35:27 ekr: worry about putting stakes in the ground for particular solutions will partly determine the large solution space in the future
16:35:44 ACTION: unassigned - Investigate what to do with a document of this scope.
16:35:47 TAG ACTION-607: Find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group
16:36:39 dsr: can you create the action item cause I'm apparently too stupid to figure it out
16:38:32 ekr: broad framework will either result in duplication or deprecating "patchwork" solutions
16:39:09 ACTION: bhill2 to find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group
16:39:09 Created ACTION-1 - Find an appropriate way to make available http://www.w3.org/2001/tag/2011/02/security-web.html to the Web App Sec working group [on Brad Hill - due 2011-11-07].
16:39:10 ekr: ask ourselves, "is this patchwork solution committing ourselves to unfortunate consequences in the future?"
16:39:40 masinter says at least document the future-oriented concerns when working on the patches
16:39:43 dsr: are you going to take over scribing? I don't mind doing it for a bit, but I have to leave for about 45 min in about 20
16:39:54 thanks
16:40:02 scribenick: dsr
16:40:56 Brad: we are a little bit over the time for the introduction, most of the rest of this morning we are committed to joint work, and Anne is coming here at around 10am
16:41:27 Brad runs through today's agenda.
16:42:31 agenda: http://lists.w3.org/Archives/Public/public-webappsec/2011Oct/0007.html
16:43:46 discussion on tooling
16:44:06 usually specs are in CVS
16:44:14 ACTION: bhill2 get brandon CVS access.
16:44:14 Created ACTION-2 - Get brandon CVS access. [on Brad Hill - due 2011-11-07].
16:44:21 oh, dsr is scribing, let me know how I can help :)
16:44:29 ACTION: bsterne to move CSP to CVS from Mercurial.
16:44:29 Created ACTION-3 - Move CSP to CVS from Mercurial. [on Brandon Sterne - due 2011-11-07].
16:45:09 abarth notes that there are a lot of CSP versions out there on the web
16:45:14 Brandon can do that
16:45:15 Adam: a lot of developers have trouble finding the latest version of the spec for CSP
16:45:38 ACTION: bsterne to seek out all old CSP drafts and point them to the new version
16:45:39 Created ACTION-4 - Seek out all old CSP drafts and point them to the new version [on Brandon Sterne - due 2011-11-07].
16:47:11 ekr: the thought is to have fortnightly calls
16:47:40 bhill2: we need to find times that are least painful
16:48:18 Brad: points people at the reverse side of the scribe cheatsheet where you can see the timezones for Berlin, San Jose, Seoul and Beijing. There are no good times for calls, so let's try to pick the least painful.
16:49:02 Thomas: let's see who expects to participate in calls?
16:49:37 ACTION: erescorl to set up a doodle for selecting a time for calls
16:49:38 Created ACTION-5 - Set up a doodle for selecting a time for calls [on Eric Rescorla - due 2011-11-07].
16:49:42 I finally know my own username
16:50:25 A show of hands suggests that around 6 people plan to regularly attend calls.
16:52:17 Adam: for some W3C drafts there is a problem that the latest published draft is often out of date.
16:53:28 Brad: this is a question for the editors to decide how frequently they want to push the editor's draft out as a public WD.
16:54:10 Thomas: publish at least every 3 months, but perhaps not when the content is changing very rapidly. The pub WD can link to the editor's draft
16:54:52 Brad displays the CORS editor's draft from 30 Sep 2011
16:56:18 Anne arrives and introduces himself
16:57:02 CORS implementation...
16:57:09 Anne: CORS is pretty much done and implemented in 4 perhaps 5 browsers
16:57:19 widely deployed and shipped (Adam says IE has a subset of it)
16:57:27 A test suite is however still lacking.
16:57:28 Anne: there is no test suite
16:57:34 We need that to move forward.
16:57:42 Anne: we need a test suite in order to move forward
16:58:27 Brandon: is anybody driving the UMP proposal or has it fizzled out?
16:58:41 Anne: Tyler and Mark Miller.
17:00:43 One thing the UMP folks want to avoid is leaking credentials across origins.
17:00:58 Brad: what about test suites?
17:01:19 Anne: it has been pretty much ad hoc to date, but is getting a little better
17:01:58 It is not so clear how much you can do without the html image element.
17:02:13 Adam: seems fine to use an API to test this
17:02:15 Adam: it is fine to say you should use a given test API
17:02:31 cites the webkit solution
17:02:45 Anne: we may be able to use some work from within Opera, I will ask
17:04:27 [ CORS editor's draft: 30 Sep 11 -- http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html ]
17:04:42 Thomas: is there an issue list for CORS?
17:08:11 masinter: would be nice to have a test suite for MIME sniffing, too
17:09:23 Out of scope for this working group, perhaps, but would like someone to put up a framework... http://greenbytes.de/tech/tc/httpcontenttype/ might be a model for building up a sniffing test suite for HTTP (the sniffing test suite for ftp and file -- and others -- would have to be coordinated.)
17:09:37 ACTION: bhill2 to set up testing mailing list
17:09:37 Created ACTION-6 - Set up testing mailing list [on Brad Hill - due 2011-11-07].
17:09:48 ACTION: bhill2 to set up mercurial repo for test cases
17:09:49 Created ACTION-7 - Set up mercurial repo for test cases [on Brad Hill - due 2011-11-07].
17:10:11 ACTION: bhill2 to coordinate with Philippe or Mike @ w3c on testing infrastructure
17:10:11 Created ACTION-8 - Coordinate with Philippe or Mike @ w3c on testing infrastructure [on Brad Hill - due 2011-11-07].
17:10:45 Anne: not sure if redirect handling is implemented
17:11:02 Anne: other thing holding up CORS is generic complaints about the model as a whole
17:11:44 Anne: objections are both aesthetic and architectural
17:11:56 Anne: e.g., some people don't like the header names
17:12:13 Anne: I think we've addressed most of the concerns to the extent possible
17:12:50 TLR: documenting those concerns and giving people a final chance to object against resolutions would help
17:13:18 Anne: from WebApps side, what is the best discussion venue?
17:14:19 bhill2: any concerns with effect of CORS on sandboxed resources?
17:15:07 bhill2: are there cases where unique origins do not transform to null? (e.g., data: URL)
17:17:38 bhill2: we might want to look at how this interacts with CSP, too
17:19:50 (scribe is not capturing everything here, sorry)
17:20:36 abarth mentions previous proposal to assign a long random string to each origin (was discussed on WebApps list)
17:21:17 you could use http://www.ietf.org/rfc/rfc4122.txt urn UUID?
17:21:54 masinter: so it would seem
17:23:16 adam: CORS interactions with vary
17:24:29 adam: ((describes interaction between CORS and caching: deploying CORS, they realized late that it interacts with caching and added a vary: *, which turned out to make traffic spike))
17:24:52 anne: ((we never did any study ...))
17:24:54 abarth: currently forbidden to do * and with-credentials -- would it make sense to allow this for applications that know what they are doing?
17:25:27 masinter: it sounds like we need to document an issue with CORS and caching
17:25:44 masinter: i.e., what you could do and what the tradeoffs are
17:26:02 ACTION: abarth to document interactions between CORS and caching / vary header and best practices
17:26:02 Created ACTION-9 - Document interactions between CORS and caching / vary header and best practices [on Adam Barth - due 2011-11-07].
17:28:58 another question about "is UMP alive or dead?"
17:29:14 do the new HTTP specs need an informative reference to this working group's output in their "Security Considerations" sections?
17:29:33 bhill2: we have an action item to follow up with proponents
17:29:47 ACTION: bhill2 to invite mark miller and tyler close to join WG, comment on UMP
17:29:48 Created ACTION-10 - Invite mark miller and tyler close to join WG, comment on UMP [on Brad Hill - due 2011-11-07].
17:32:04 PROPOSED: (masinter) That this WG track and ensure that cross-refs to this WG's specs from other areas are correct
17:33:11 I referenced both http://tools.ietf.org/html/draft-ietf-httpbis-security-properties-05 and http://tools.ietf.org/html/draft-hammer-webfinger-00
17:34:11 RESOLVED: WG shall work to ensure that cross-references to this group's deliverables by other specs are present and correct
17:34:21 masinter: if other specifications want or need to reference the output of this WG, those are part of the requirements from our "customers"
17:36:08 ISSUE: anne to harmonize header spec with OWS / new definitions in HTTP work @ IETF
17:36:09 Created ISSUE-1 - Anne to harmonize header spec with OWS / new definitions in HTTP work @ IETF ; please complete additional details at http://www.w3.org/2011/webappsec/track/issues/1/edit .
17:36:24 anne: Content-Type currently a "simple" header
17:39:49 ISSUE: check for simple/standard request needs to check what the value of content-type header is to determine CORS request type
17:39:50 Created ISSUE-2 - Check for simple/standard request needs to check what the value of content-type header is to determine CORS request type ; please complete additional details at http://www.w3.org/2011/webappsec/track/issues/2/edit .
17:40:26 ACTION: Anne to document content-type header values that influence determination of simple / non-simple CORS request type
17:40:27 Created ACTION-11 - Document content-type header values that influence determination of simple / non-simple CORS request type [on Anne van Kesteren - due 2011-11-07].
18:58:45 EKR has proposed we swap rooms with the Web RTC meeting after lunch, any objections?
18:59:03 (they are too cramped, but their room could accommodate our numbers)
20:01:35 we are retaining original room
20:12:56 scribenick: dsr
20:14:20 Brandon: we have an implementation of spec, there are some minor changes pending, but I don't see any blocking issues to moving the spec forward.
20:15:04 Brad: let's see if we can resolve the immediate questions and get the document out after tomorrow's meeting.
20:15:40 Adam: we would like to include some examples and tutorial stuff to help developers.
20:16:12 There are some things to discuss, but these can wait until after publication as a first public working draft.
20:16:53 Brad: it seems that Microsoft are looking at CSP, so we may even have two and a half implementations.
20:17:15 Hopefully Microsoft will attend tomorrow and can tell us more.
20:18:26 Brandon: the externalization of JavaScript is a problem for many websites. It is a non-trivial amount of work - there is pain.
20:18:55 No clear way to short cut this, other than putting out implementation guides.
20:19:28 Adam: if people start with CSP it proves to be much easier.
20:21:30 Adam: if you move the policy from the header and put it in an HTML meta element that could help.
20:23:09 Peleus: how about sites using content from various different places?
20:23:30 Adam: there are some tools that help to visualize just what is going on.
20:24:37 Adam: attackers can insert elements with IDs that clobber other scripts.
20:25:31 Brad: there is precedent for W3C to describe security guidelines for specific specs.
20:26:35 Adam: Eduardo describes a way of using JSONP by attackers to get your script to call something on an attacker's site.
20:26:58 Brad: developers say JSONP is everywhere and they would like a way to use it safely.
20:27:50 Brandon: with JSONP you are placing complete trust in the website you are calling.
20:28:34 Eric: this is people who should have been using CORS, but are stuck with JSONP.
20:29:02 Adam: we can tell them, but the impact for these developers of switching is too high.
20:30:47 ISSUE: legacy apps make heavy use of JSONP interfaces that are unlikely to be replaced by CORS - how to enable secure use of this?
20:31:03 Adam: we suggest using CORS together with JSONP when appropriate.
20:31:20 Brad: this still involves some changes to their code.
20:32:21 abarth: hacky way is to pull content, see if it parses as JSON, and assume it could've been loaded via script src= anyway
20:33:07 Brad: if you use iframe and postMessage you can build a sandbox
20:33:33 abarth: perf issue there, two requests for one piece of data
20:34:10 Brad: would it make sense for CSP to cover a solution for that?
20:34:29 Brandon: CSP requires site participation
20:34:36 Brad: not really
20:36:08 brad: we want support for CSP to degrade gracefully. we wouldn't want to add jsonp-src instead of script-src to get the benefits of a more strict parsing mode?
20:38:02 Brandon: I would prefer to leave this out of the document at least for now.
20:38:39 Eric: yeah, this sounds like a science project ....
20:39:26 Brad: I agree with Brandon that we need strong interest from developers before including it.
20:40:08 Brandon: each time colleagues come back from OWASP they bring an idea for a new feature for CSP.
20:40:34 Adam: once we finish version one, we should open the floor for new ideas.
20:41:15 There could be a period of experimentation, academic papers etc. and the good ideas would filter down.
20:41:50 Brandon: there would need to be really compelling stories for adding anything into version one at this point.
20:42:13 I feel like this document should be subtitled "Provide Adam Barth with a 2013 research agenda"
20:42:44 Brad: agree with moving quickly on publishing v1.0 for CSP. What about content sandbox issue, though?
20:43:38 some discussion about legacy browsers and content sniffing, e.g. thinking the content is HTML and just inserting it anyway.
20:44:49 Brandon: what other types of content might you want to render in a sandbox?
20:44:55 Adam: SVG
20:45:45 Adam: this sounds like something for 1.1, and we should iterate quickly.
20:46:25 Eric: can we all agree on an algorithm for making the 1.0 cut?
20:46:40 Adam: things that are implemented in Gecko
20:46:54 Brandon: I would change that to in Gecko or WebKit
20:48:27 Peleus: happy with that provided there is wording on future extensibility
20:49:08 ISSUE: How to handle directives that are not understood in v 1.0
20:49:09 Created ISSUE-3 - How to handle directives that are not understood in v 1.0 ; please complete additional details at http://www.w3.org/2011/webappsec/track/issues/3/edit .
20:49:25 Adam: I am super excited about extensibility. I would suggest that if your process sees a directive it doesn't understand, it should ignore it.
20:51:08 ACTION: abarth to document lack of critical semantics on policy directives, behavior on unknown extensions or new directives
20:51:08 Created ACTION-12 - Document lack of critical semantics on policy directives, behavior on unknown extensions or new directives [on Adam Barth - due 2011-11-07].
20:51:56 https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#other-user-agent-considerations
20:52:04 ACTION: abarth to create a wiki page for soft registrations of directives people are experimenting with
20:52:05 Created ACTION-13 - Create a wiki page for soft registrations of directives people are experimenting with [on Adam Barth - due 2011-11-07].
20:54:37 RESOLVED: Without unanimous consent, no directives without an extant implementation will be included in CSP version 1.0
20:54:49 (as of 10/31/2011)
20:56:18 bhill2: move to call for comments in anticipation of FPWD for CSP following incorporation of minor edits resolved tomorrow
21:00:04 Eric: how soon can we have a CSP 1.0 document ready for publication?
21:00:32 Brandon: we should go over the list of issues first. There is also some editorial feedback to look at.
21:01:29 Jeff: the spec could do with some rewording to make it easier to understand
21:01:40 this is more than trivial editorial change
21:01:57 Brad: how about two weeks to get it ready?
21:02:56 Brad: why don't you remove the proposed directives section if the editors don't object.
21:03:32 Brandon: I will do that right now.
21:04:04 Eric: why don't you do that and we can issue a call for comments with a deadline of next Tuesday
21:04:06 ACTION: bsterne to remove proposed directives and make any urgent editorial changes by COB tomorrow.
21:04:07 Created ACTION-14 - Remove proposed directives and make any urgent editorial changes by COB tomorrow. [on Brandon Sterne - due 2011-11-07].
21:04:58 ACTION: erescorl and bhill2 to issue a call for comments before an FPWD to last one week tomorrow COB
21:04:58 Created ACTION-15 - And bhill2 to issue a call for comments before an FPWD to last one week tomorrow COB [on Eric Rescorla - due 2011-11-07].
21:06:54 PROPOSED: Move LC to February 2012 and CR to April 2012
21:07:25 PROPOSED: PR June 2012 and Rec July 2012
21:08:12 ACTION: anne to update the milestones with dates he feels comfortable with
21:08:13 Created ACTION-16 - Update the milestones with dates he feels comfortable with [on Anne van Kesteren - due 2011-11-07].
21:09:09 ACTION: bhill2 to add 1.1 as an item on the WG page.
21:09:09 Created ACTION-17 - Add 1.1 as an item on the WG page. [on Brad Hill - due 2011-11-07].
21:11:14 Plans to update working group page to indicate change in schedule.
21:11:57 FYI: tracker is at: http://www.w3.org/2011/webappsec/track/actions/open
21:16:15 ACTION: bhill2 to round-trip decision on sandboxing in CSP to WHATWG
21:16:16 Created ACTION-18 - Round-trip decision on sandboxing in CSP to WHATWG [on Brad Hill - due 2011-11-07].
21:16:48 s/WHATWG/HTML WG/
21:18:10 bsterne: workers are created from a script, this script must conform to the script-src directive
21:18:27 bsterne: XSLT stylesheets must conform to the script-src directive
21:18:49 bsterne: any content added by XSLT application must be subject to original document's policy
21:20:40 bsterne: technically XSLT creates a new document, the CSP policy of the TEMPLATE is retained by the document that is the result of the transform
21:22:38 abarth: SVG as IMG should not be active content, if it is that is a defect of SVG, not something to be fixed with CSP
21:22:53 abarth: if loaded via object, same as plugin policy
21:23:31 bsterne: top level load of SVG? will have its own CSP header
21:23:42 abarth: what about object pointing to HTML?
21:24:03 ... does that get frame-src or object-src applied to it? or either?
21:24:10 ... we should clarify in the spec
21:24:24 ACTION: abarth to clarify policy applied for html loaded via object tag
21:24:25 Created ACTION-19 - Clarify policy applied for html loaded via object tag [on Adam Barth - due 2011-11-07].
21:26:14 bsterne: investigate behavior for inline svg
21:26:19 bhill2: need a test case for this probably
21:26:41 bhill2: research on SVG as XSS source for reference/background : http://www.slideshare.net/x00mario/the-image-that-called-me
21:28:34 bsterne: how to restrict plugins with no URI / origin, e.g. gears
21:28:50 abarth: include such local extensions as part of the origin 'self'
21:29:05 ... so plugin-src = none will disallow, * or self will allow
21:29:37 peleus: for edge-case plugins, not for flash
21:29:53 abarth: more about extensions that add capabilities
21:30:30 bsterne: consider adding a way to make policy more granular wrt: plugin loading, to specify mime-types in addition to origins
21:30:40 abarth: e.g. allow flash, but disallow java
21:31:06 ekr: for 1.1 at least, how to determine mime-types
21:31:14 bsterne: must be compatible with current object-src directive
21:32:44 bsterne: on topic of policy intersection, existing mozilla documentation describing an algorithm for this has been left out
21:32:56 jeffh: for header + meta
21:33:03 bsterne: or for multiple headers
21:33:38 abarth: thought first policy wins should be algorithm on first encountering this
21:34:04 bsterne: use case is edge load balancer or WAF applying additional policies on top of developer-supplied policy
21:34:31 bsterne: proposal is to say that anything that violates any policy is blocked
21:35:23 ekr: options: first policy wins, or strict AND, or define an intersection algorithm
21:35:38 abarth: strict AND puts pressure on future to never add "positive" directives to CSP
21:36:09 abarth: preference is first policy wins, second is AND, anything more complicated is vastly less preferred
21:36:22 general agreement that complex intersection is not desired
21:36:58 ekr: are there opportunities for injection of weaker policy to win?
21:37:23 abarth: examples exist with anti-XSS filters being injected to nuke protective scripts, e.g. framebusting
21:37:36 abarth: blocking is not always security-positive
21:37:55 abarth: can be made safer by only accepting meta tags in the HEAD, e.g.
21:38:17 bsterne: FF will never try to intersect a META with a header
21:38:28 bsterne: and first META tag wins
21:38:56 bsterne: FF is: AND of headers with no META, or the first META tag only if no headers
21:40:25 abarth: complexity budget is spent, keep it simple
21:41:00 ekr: can we resolve now?
21:41:36 bsterne: don't think so, no iron clad preferences, but prefer to wait for CfC to see if any other implementors (esp. site owners) have preferences
21:42:33 ISSUE: solicit for input on policy intersection / conflict resolution
21:42:34 Created ISSUE-4 - Solicit for input on policy intersection / conflict resolution ; please complete additional details at http://www.w3.org/2011/webappsec/track/issues/4/edit .
22:05:28 topic is back to csp issues
22:05:37 bhill2: can we save header policy as a meta tag?
22:05:50 abarth: not going to work well due to repackaging of dependent resources
22:06:01 bsterne: don't re-write or save things that got blocked
22:06:22 bsterne: hard thing is same origin restrictions for scripts, etc. how to deliver behavior that site expected when it was online
22:06:48 abarth: another approach to saved content is to take out all scripts, but doesn't work well
22:06:59 abarth: best to take it out of scope, document in security considerations
22:07:07 bsterne: agreed with abarth
22:07:41 bsterne: will add security considerations indicating no expectation of security in a local disk context
22:08:23 bhill2: how to work for apps intended to be started locally
22:08:52 abarth: put in metadata blob specific to app delivery mechanism, no need to specify as part of CSP
22:09:09 abarth: coordinate with widget activity on where to put policy
22:09:29 abarth: CSP is great for this due to low cost of out-of-line delivery of script resources
22:09:58 ACTION: bhill2 to liaise with widgets activity on policy placeholder for widgets
22:09:58 Created ACTION-20 - Liaise with widgets activity on policy placeholder for widgets [on Brad Hill - due 2011-11-07].
22:10:59 bsterne: next item: should navigation of documents in a frame be subject to parent document's original restrictions?
22:11:17 bsterne: think that mailing list discussion resolution was yes, restrictions should be applied
22:11:35 bsterne: this includes user-initiated navigation
22:11:53 peleus: could this be used to break framebusting code in an iframe?
22:12:11 abarth: usually navigates to _top, not to different origin
22:12:21 bhill2: can break framebusting with iframe sandbox anyway
22:13:35 bhill2: top-nav and popups are not subject to this restriction?
22:13:47 bsterne: no, top-nav, popups do not inherit restriction
22:14:58 mikesmith: I'm with W3C...
22:15:17 recently launched a new activity (testing activity)
22:15:27 wilhelm: co-chair of testing interest group
22:16:09 ... we're looking at how people test. trying to standardize some different formats so it's easy to make tests portable
22:16:22 ... standardizing web driver API which is an API for telling browser what to do
22:16:37 ... can be used to automate a lot of different tests
22:16:53 ... have some examples. about to show them
22:18:51 mikesmith: in the meantime will talk about a system to let anyone run a test suite to let them run tests in their browser.
22:19:09 ... allows you to get aggregated data from users about whether tests work across different browsers
22:19:31 bhill2: kinda like browserscope
22:19:35 mikesmith: yeah
22:19:43 ... test cases are HTML + some JS
22:20:17 ... testharness.js allows success/fail detection automatically and auto runs the tests and submits the results
22:20:32 ... we prefer that if you can you use testharness.js
22:21:21 Wilhelm showing example.
22:22:29 http://w3c-test.org/resources/testharness.js
22:22:47 wilhelm: a bunch of assert macros
22:23:37 wilhelm: trivially easy to use.
22:24:09 abarth: does this allow you to generate synthetic headers
22:24:31 wilhelm: you'd need to talk to a server you control
22:24:39 ekr: compare to qunit?
22:24:43 wilhelm: more tailored
22:25:37 ekr: what about asynchronous
22:25:45 wilhelm: yes, that works
22:26:41 wilhelm: some cases where you have to do manual stuff
22:27:03 ... language bindings for a dozen different languages
22:27:22 ... (this is now simulating user input to browser)
22:28:53 ... some browser-specific tests
22:29:55 dsr has joined #webappsec
22:30:41 mikesmith: w3c runs the server so you can put stuff on it.
22:31:04 ... it runs PHP
22:31:45 mikesmith: adding support for websockets.
22:31:48 philippe: yes
22:31:59 abarth: webkit has a ton of tests we are willing to contribute
22:32:54 abarth: how do you test that something didn't happen
22:33:06 wilhelm: set a variable?
22:33:19 bsterne: this isn't great in gecko either
22:33:40 mailing list for discussion about common testing needs/issues - http://lists.w3.org/Archives/Public/public-test-infra/ public-test-infra@w3.org
22:33:47 abarth: there's some guy with a large test suite that I can probably dig up
22:34:35 http://lists.w3.org/Archives/Public/public-browser-tools-testing/
22:34:42 public-browser-tools-testing@w3.org
22:34:46 mikesmith: there's a new working group for the web driver API
22:35:29 bhill2: is there a yardstick for testing quality before advancement
22:35:59 mikesmith: we don't take a position on this. convention is two implementations that pass a test case.
22:37:13 mikesmith: right now this has a hard-coded "two implementation" rule
22:37:52 draggett: distinguish optional from mandatory features
22:38:43 mikesmith: not enforcing any test case quality standards
22:39:21 mikesmith: there's a review process for test cases. currently in HTMLWG we have separate folders and the approved test cases go in approved/
22:39:43 ... in the case of HTMLWG we have submission/ that does the obvious thing
22:40:09 tlr has joined #webappsec
22:40:12 ...
one of the things we want to do with the IG is write up best practices about how to do stuff
22:40:26 dsr has joined #webappsec
22:40:36 mike@w3.org
22:40:39 ... if you want to start adding test cases, you need maintainer access. just write me
22:41:17 ... need to flag test suites which are required for a WG
22:41:41 ... it's not terrifically stable; having machine problems
22:41:53 ... we do back up the DB
22:42:26 abarth: can you use mercurial
22:42:47 mikesmith: yeah, we can do that
22:44:57 scribenick: dsr
22:45:33 ekr has joined #webappsec
22:45:57 Brandon: first is the report format, currently spec'd as JSON, but will be redone as form encoded.
22:46:45 the second is the blocked URI field in the report should be restricted to just the origin of the blocked URI if it is a cross origin violation
22:47:33 this isn't controversial, so I will just make that change.
22:47:48 We decided to scrap the DOM event.
22:48:35 Adam: I am willing to give up on the form encoding and just go with JSON instead
22:49:41 Brandon: I have a couple of things. One Adam identified today: should violation block loading of content, I kind of think it should.
22:50:26 should read: should blocked content fire an event that the page can see.
22:50:56 Adam's example: if an image fails to load you get an error event, similarly we should define events for other content.
22:51:24 the failure of loading the image could be due to CSP, or network problems or ...
22:52:54 Brendan: Adam has already created a fix so that bookmarklets work even for a page with CSP. Previously the bookmarklet was treated as part of the web page and blocked with its policy.
22:53:54 Adam's fix was to hook into the navigation ...
22:54:23 Adam: the spec doesn't need to explain the implementation, just to say that bookmarklets should work.
22:55:22 MikeSmith has joined #webappsec
22:55:33 Adam: issue about the policy URI. Slow.
22:55:45 Brendan: only slow for the first time.
22:56:26 Brendan: okay leave this as an open issue.
22:57:46 Brad: some implementors may find it easier to maintain the policy at a location pointed to by the URI rather than embedding the policy in the headers.
22:58:12 Peleus: this is a benefit of the Flash security policy file.
22:58:51 Brad: perhaps we should include a performance warning in the spec.
23:00:38 Brendan: Mozilla wants to ensure that if http is allowed then https is also allowed, likewise for websockets and websockets over TLS.
23:01:50 Are there any cases where this isn't appropriate?
23:03:28 Adam: maybe one way to handle this is to allow people to add the protocol scheme to the location. Then http implies both, whilst https is restricted to just http over TLS.
23:04:04 The http and https could be run on different servers, e.g. with user content on the https server making it a bigger target for attackers.
23:06:00 Eric: it is kind of odd having http scheme imply https
23:07:15 Brandon: no scheme implies both for a CSP source; explicit schemes don't
23:07:40 Adam: agrees
23:08:03 Adam: I think we really want star to mean everything.
23:08:28 Brandon: I hadn't intended that and we should make that explicit in the spec.
23:08:43 If you only want star you can't whitelist schemes.
23:10:30 Eric: if you want to say any URI with https?
23:10:56 Adam: you would write "https:"; that is supported by the grammar.
23:13:04 Brendan: I could definitely live with star meaning any scheme, any host or any port
23:14:46 Brendan: we currently say that if no port is specified you use the default port of the protocol scheme.
23:20:01 members should review JeffH's comments at: http://lists.w3.org/Archives/Public/public-web-security/2011Mar/0039.html
23:22:03 tlr has joined #webappsec
23:22:04 MikeSmith has joined #webappsec
23:22:14 agenda adjustments for tomorrow:
23:22:25 rrsagent, set logs public
23:22:34 rrsagent, make minutes
23:22:34 I have made the request to generate http://www.w3.org/2011/10/31-webappsec-minutes.html dsr
23:22:41 10:00-11:00 block will be used to revisit any last calls for inclusions in v1.0 FPWD
23:23:04 13:00-onward block will be used to discuss Secure Cross-Origin Framing and Mashups charter item
23:23:18 bhill2 will send out updated agenda so remote participants can join at appropriate times
23:24:12 rrsagent, make minutes
23:24:12 I have made the request to generate http://www.w3.org/2011/10/31-webappsec-minutes.html dsr
23:24:52 ekr has joined #webappsec
23:25:40 Discussion about new directives.
23:26:12 The webappsec WG will standardize these.
23:26:52 Brad: do we want a means to black list new features
23:27:10 Adam: this sounds like something to discuss for 1.1
23:28:13 Brad: the browser vendors here are on short release cycles, but others are on a much longer release cycle and may only implement 1.0 and take a long while to move on to 1.1
23:31:20 Discussion about unspecified concerns e.g. by OWASP about new HTML5 features including web sockets.
23:32:14 Brad: we want to avoid a long delay between the discovery of a new attack and the ability to deal with it using CSP.
23:32:30 ekr has joined #webappsec
23:32:58 We could make use of black lists for this, e.g. to disallow injection of specific tags.
23:33:47 MikeSmith has joined #webappsec
23:33:55 brendan: this is clearly not in scope for 1.0, despite being something that some people were hoping for.
23:34:37 Jeff mentions the discussion back in 2010 on white and black lists.
23:35:13 It may be worth taking a second look at that as a lot of the arguments were clearly laid out.
23:35:53 jongyoul has joined #webappsec
23:38:30 we adjourn for the day
23:38:38 rrsagent, make minutes
23:38:38 I have made the request to generate http://www.w3.org/2011/10/31-webappsec-minutes.html dsr
23:38:39 bkihara has left #webappsec
23:38:42 zakim, list attendees
23:39:14 Zakim has joined #webappsec
23:39:27 zakim, list attendees
23:39:27 sorry, bhill2, I don't know what conference this is
23:40:03 rrsagent, make minutes
23:40:03 I have made the request to generate http://www.w3.org/2011/10/31-webappsec-minutes.html bhill2
23:43:17 MikeSmith has joined #webappsec
23:45:05 ekr has joined #webappsec
23:53:14 MikeSmith has joined #webappsec