W3C

- DRAFT -

WebAppSec WG Teleconference, 18-Jun-2014

18 Jun 2014

Agenda

See also: IRC log

Attendees

Present
+1.503.712.aaaa, BHill, glenn, +1.310.597.aabb, +1.831.246.aacc, tanvi, dveditz, neilm, +1.781.262.aadd, gopal, David, Walp, terri
Regrets
Chair
bhill2, dveditz
Scribe
Dan Veditz

Contents


<freddyb> I'm lurking on IRC only, as I have a conflicting meeting today

<bhill2> Scribe: Dan Veditz

<bhill2> Scribenick: devditz

<dveditz> david hall speaking... from MS works in the area of networking

Minutes Approval http://www.w3.org/2011/webappsec/draft-minutes/2014-05-21-webappsec-minutes.html

<bhill2> minutes unanimously approved

<dveditz> bhill2: last call was informal due to low attendence, is there approval for the may 21 minutes?

<dveditz> bhill2: approved. agenda bashing:

<dveditz> ... any new topics not in the agenda? ... not

Review of Open Actions in the Tracker

<bhill2> http://www.w3.org/2011/webappsec/track/actions/open?sort=owner

<dveditz> ... review of option actions in tracker

<dveditz> ... Mike sends his regrets, but his items are all related to 1.2 and we can skip those

<dveditz> ... 168 should belong to me [bhill2]. I raised this on the list so marking it closed

<dveditz> ... is devd on the call?

<dveditz> ... skip the sub-resource integrity items then

<dveditz> ... still working through the redirect issues on the list

<dveditz> ... moving on to new topics

News

<dveditz> ... there's a new extended date for call for exclusions for SRI. if you/your org has IP exclusions you have until August 15

<dveditz> ... LC for UI security directives concluded last call, awaiting implementations to make further progress on that spec

<tanvi> http://www.w3.org/2014/11/TPAC/

<bhill2> http://www.w3.org/2014/11/TPAC/

<dveditz> ... TPAC coming up in Santa Clara, would like to have F2F meeting there. registration now open

<dveditz> ... will send a survey to the list to make sure we'll have a quorum of people interested

<dveditz> tanvi: do we know which two of the 4 days it will be?

<dveditz> bhill2: still have a chance to decide, if you have a preference please let us know

<dveditz> ... final news item, bhill hosting a "Test the web forward" event in Portland with imelven

<dveditz> ... Aug 3, focusing on CSP

<dveditz> ... would appreciate anyone coming or publicizing the date. MS will be sending some subject matter experts so there will be other things worked on as well

'Mixed Content' draft up for review.

<dveditz> ... next topic: mixed content draft up for review

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0041.html

<dveditz> ... when we rechartered we talked about developing a spec to describe the nominal behavior of browsers handling mixtures of secure and insecure content

<dveditz> ... mkwst created a draft and is suggesting it's appropriate for this group to work on that topic

<dveditz> ... what do people think about this WG taking on this project

<dveditz> tanvi: I think the draft is in good shape, don't see why we wouldn't continue to work on it. This needs to be standardized so content developers know what to expect

<dveditz> bhill2: seems to be good interest on the part of browser vendor community in implementing this

<dveditz> david walp: we've seen the draft and hope to get feedback to the group soon

<bhill2> ACTION bhill2 to send a CfC to adopt Mixed Content Draft as a WG product

<trackbot> Created ACTION-177 - Send a cfc to adopt mixed content draft as a wg product [on Brad Hill - due 2014-06-25].

<dveditz> bhill2: I will propose to the list that we adopt this specification as a formal part of the WG

[Bug 26061] New: Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics.

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0136.html

<dveditz> bhill2: raised by glenn

<dveditz> ... he wants to backport the CSP 1.1 text into CSP 1.0 since it's not normative text

<dveditz> dveditz: I don't want to disturb the process or risk delaying CSP 1.0

<dveditz> glenn: this is routinely done in non-normative text, will not delay the process

<dveditz> bhill2: if there are no objections I will take this as an action to get this updated

<glenn> thanks

<bhill2> ACTION bhill2 to update CSP 1.0 extensions language for PR to match 1.1 LCWD text

<trackbot> Created ACTION-178 - Update csp 1.0 extensions language for pr to match 1.1 lcwd text [on Brad Hill - due 2014-06-25].

[integrity] The noncanonical-src attribute

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0176.html

<dveditz> bhill2: next topic, noncanonical-src in SRI spec

<dveditz> bhill2: msg from opera asking why having it when you could do it with script? my thought is why make people do it in script if you can do it in declaritive form

<dveditz> bhill2: thoughts on the list

CfC to publish a LCWD of CSP 1.1

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0135.html

<dveditz> ... most impt item -- mkwst thinks we're close to CfC for CSP 1.1 and could handle the remaining issues in the last call period

<dveditz> ... items like blocking redirects, some polish on interaction with svg

<dveditz> ... mkwst and I joined the svg call and there's a wiki page up documenting some of that

<dveditz> ... would like to take a census of the folks on the call

<dveditz> ... any objections?

<dveditz> glenn: are there any features taht need to be identified as at risk?

<dveditz> bhill2: I think.... good point

<dveditz> glenn: if there's expectation that we're going into LC with items at risk it's usual to mark it as such as a warning

<dveditz> ... not much risk if you don't identify it -- the impt time is to do so in CR period

<dveditz> dveditz: nothing Mozilla objects to, but we don't have implementations of all of it

<dveditz> tanvi: agreed

<bhill2> RESOLVED: CSP 1.1 to LCWD

<dveditz> bhill2: any objections from anyone else? hearing no objections we are resolved to take CSP 1.1 to LCWD

<dveditz> glenn: do we have an expected duration for LC?

<dveditz> bhill2: did mkwst list that on his original call?

<dveditz> ... he did not. typically we have done a one-month period in this WG. as a new member would MS need a longer period of time?

<dveditz> david walp: no, we're fine

<dveditz> glenn: < is it reasonable to accommodate ???? (didn't catch it)

<glenn> glenn: is one month sufficient if we need to request review from other groups?

<dveditz> bhill2: typically WC has not heard a response from that group, they're not very active

<bhill2> ACTION bhill2 to investigate duration of LC for CSP 1.1

<trackbot> Created ACTION-179 - Investigate duration of lc for csp 1.1 [on Brad Hill - due 2014-06-25].

<dveditz> dveditz: it's the beginning of summer, many people take large chunks of time off

<glenn> TPAC target sounds good for end LC

<dveditz> bhill2: good point maybe end in August. I'll suggewst that to mike and see what he says

CORS and null

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0037.html

<dveditz> bhill2: anne suggested adding explicit handling for (null) in the CORS spec

<dveditz> ... unfortunately CORS is at recommendation stage, is it worth reopening that spec or do an errata, or handle it in the fetch spec?

<dveditz> ... anyone willing to take it on or should we just consider CORS superseded by fetch

<dveditz> ... not hearing much interest here, will take it back to the list

CSP sandboxing and workers

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0102.html

<dveditz> ... sandboxing workers also related to svg

<dveditz> ... please take a look at the table and think about how it relates to svg

<dveditz> terri: have we heard anything back from svg group?

<dveditz> bhill2: what we should do is take a look at the wiki and make a proposal about how CSP should apply to svg in various modes (as image, style, in-line...)

<dveditz> ... and see what they say about it

Discuss SVG and CSP for the June 5 SVG teleconference

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0093.html

<bhill2> https://www.w3.org/wiki/SVG_Security

<dveditz> ... misc topics about referrers, redirects, whether referrers should be allowed in CSP (header vs. meta tag)

<bhill2> ISSUE should we mark referrer and reflected-xss as AT RISK in CSP 1.1 LCWD?

<dveditz> ... we should mark some of these at risk if we're in LC

<dveditz> ISSUE: should we mark referrer and reflected-xss as AT RISK in CSP 1.1 LCWD?

<trackbot> Created ISSUE-61 - Should we mark referrer and reflected-xss as at risk in csp 1.1 lcwd?. Please complete additional details at <http://www.w3.org/2011/webappsec/track/issues/61/edit>.

<dveditz> terri: are we going to review how CSP is used in manifests of web apps?

<dveditz> bhill2: we have not formally reviewed it as a group

<dveditz> ... would you expect someone from this group to review this?

<dveditz> terri: looks like it will have similar race conditions we're worrying about with the <meta> header

<dveditz> bhill2: when I talked to mark about this it's not quite the same as <meta>

<dveditz> .... will add text saying it's best practice to specify the same policy in headers as in the web app manifest

<dveditz> terri: is there a reference I can link to, or do I just need to tell them "this is what it should say"

<dveditz> bhill2: for installable web apps the manifest will always be there, you should treat it as if it came from a header

CSP: Problems with referrer and reflected-xss

<dveditz> ... and then if you encounted a <meta> policy in addition you can handle it the way CSP normally does

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0178.html

<dveditz> ... is it appropriate to include features like "referrer" that can be seen as WEAKENING the security of the page (in some cases)

<dveditz> ... or should we only include policies that will make the page more secure

<dveditz> ... with my hat as a web sec person (not chair) I think it's better to include as much in one place as possible

<dveditz> tanvi: Firefox has a "don't send the referrer" preference. would the UA have the flexibility to respect a pref if the CSP says to send one?

<dveditz> bhill2: I think it should be clear that the spec shouldn't override a user-setting

<bhill2> ACTION mkwst to document that user-set prefs regarding referrers override CSP-set policies

<trackbot> Created ACTION-180 - Document that user-set prefs regarding referrers override csp-set policies [on Mike West - due 2014-06-25].

<dveditz> bhill2: doesn't sound like there's objections to including these kinds of features

<dveditz> ... would be interested in hearing MS's opinion on this.

<dveditz> david walp: that makes sense. please put it on the list and I'll find the right person to comment on it

<dveditz> tanvi: for the reflected-xss directive it's not clear the site is safer with or without it, so the objection really doesn't clearly apply to this directive anyway

<dveditz> bhill2: the xss filters aren't officially defined as part of the platform so it's a little tricky to say what this flag does because it's controlling behavior that is undefined

<dveditz> ... talk to everyone in 2 wks

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-06-24 21:01:52 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/even in/event in/
Succeeded: s/.../svg/
Found Scribe: Dan Veditz
Found ScribeNick: devditz
WARNING: No scribe lines found matching ScribeNick pattern: <devditz> ...

WARNING: 0 scribe lines found (out of 179 total lines.)
Are you sure you specified a correct ScribeNick?

Default Present: +1.503.712.aaaa, BHill, glenn, +1.310.597.aabb, +1.831.246.aacc, tanvi, dveditz, neilm, +1.781.262.aadd, gopal, David, Walp, terri
Present: +1.503.712.aaaa BHill glenn +1.310.597.aabb +1.831.246.aacc tanvi dveditz neilm +1.781.262.aadd gopal David Walp terri
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0180.html
Got date from IRC log name: 18 Jun 2014
Guessing minutes URL: http://www.w3.org/2014/06/18-webappsec-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]