See also: IRC log
<scribe> Meeting: WebAppSec Teleconference 16-Dec-2015
<scribe> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0035.html
<mkwst> In another meeting, will be dialing in fairly soon.
<teddink_> Good morning
<scribe> scribenick: bhill2
no new agenda topics
<dveditz> http://www.w3.org/2011/webappsec/draft-minutes/2015-11-16-webappsec-minutes.html
dveditz: any objection to unanimous consent to approve?
no objections
dveditz: minutes approved
dveditz: CSP Cookie Controls and CSP Embedded Enforcement specs started calls for exclusions this week
bhill2: FIDO Alliance has made its member submission of their 2.0 APIs
wseltzer: and we will shortly be sending a proposed charter for review for web authentication related to this
dveditz: different from credential WG?
wseltzer: entirely separate
<wseltzer> https://w3c.github.io/websec/web-authentication-charter
dveditz: seems like overlapping concerns
bhill2: I don't think it does overlap much, but a good reason for people here who know and care about security to take a look at the charter
wseltzer: also want to thank the group for lots of good work over the year
Continue with a spec rotation schedule or go to an "as-needed" schedule like WebApps/WebPlatform?
mkwst: seems nice to have a forcing function to ensure that specs are actually moving, there are a few that have not moved in a long time
... valuable to revisit on a periodic basis
... not clear we need to structure our calls around that, things may pop up that are more important
... but at some point it is helpful to have a forcing function to ensure we still want to be doing something
terri: agree, also easier to justify to my management all the specs we are working on, appreciate even null update
bhill2: those were some of my motivations for the approach, I will nominate the specs that have gone the longest time for the early part of next year and fill out the calendar from there
dveditz: seems like unanimous agreement and that as we work on more specs that approach has helped
<dveditz> https://w3c.github.io/webappsec-uisecurity/
bhill2: will send a CfC after making some typo corrections, would hope that Googlers can encourage the folks working on Intersection Observer to give feedback
mkwst: working to ensure that there is a single point of contact at Google for brad and dan on this topic
mkwst: would be nice if folks would look at it
... very few behavioral changes
... lots of clarifications re: integration of spec with other specifications like fetch and html to make it clear how it integrates with browser internals
... what hooks are necessary and where those hooks are called
... need to upstream some hooks to WHATWG and W3C, but most are present in the CSP3 spec already as a sort of todo list
... need to know how that will work for HTML at the W3C
wseltzer: maybe we can arrange a chat with Web Platform WG chairs
<dveditz> https://w3c.github.io/webappsec-csp/
mkwst: other set of changes is to make CSP more modular
<wseltzer> ACTION: wseltzer to schedule conversation with Web Platform WG chairs and WebAppSec re CSP3 [recorded in http://www.w3.org/2015/12/16-webappsec-minutes.html#action01]
<trackbot> Created ACTION-215 - Schedule conversation with web platform wg chairs and webappsec re csp3 [on Wendy Seltzer - due 2015-12-23].
mkwst: CSP2 took an incredibly long time to move, would like CSP3 to move faster
<wseltzer> trackbot, action-215 due 2016-01-15
<trackbot> Set action-215 Schedule conversation with web platform wg chairs and webappsec re csp3 due date to 2016-01-15.
mkwst: at TPAC, discussed breaking out features so things can move quickly, independently of the core
... mostly directives and algorithms associated with directives
... and CSP algorithm will call it at the right time
... hopeful it will also work for new kinds of directives we are coming up with
teddink_: hello from Microsoft Edge team, taking over for Kevin Hill
... also looking forward to some quality time with CSP3 spec and getting up to speed
mkwst: also working with Ilya Grigorik and web performance WG to define a more generic reporting mechanism
... not specified inside CSP for broader set of things like xss auditor, error reporting, perf, etc.
... this is important to Google because we are DDoSing google front end servers with CSP violation reports
... want to be able to coalesce requests at a minimum and hope it will be a one stop shop for this kind of reporting
bhill2: Web Telemetry WG?
<mkwst> webperf
+1 universal telemetry/reporting system would be awesome
dveditz: folks at Mozilla are unhappy about deprecating frame-src, want separate control from workers
mkwst: I want to do the same thing
... know brad had qualms about that, would be good to revisit
well, not happy, b/c it would've created a lot of work :(
hta: has been approved and is just waiting for publication process to complete
(hta is Harald Alvestrand)
dveditz: Sean Palmer has proposed a mechanism to support detached signatures for SRI
... proposed mechanism was in a separate attribute, not sure how he thought they would be combined
... signatures and an integrity check seem fairly distinct
bhill2: there is also a third proposal that was floated by Dev about using keys where we currently specify hashes in CSP to shorten policy declarations
... another distinct use case from trusting a remote signing key but yet another approach to trusting content with keys
mkwst: suggest poking SRI editors in new year is a good way, volunteer them for the next call ;)
francois: the Martin Thompson proposal is being implemented at Mozilla for internal purposes (not exposed to web content yet)
... but will get some implementation experience and be able to talk about it later if it's appropriate
dveditz: should we resume in the new year on the 6th or the 13th?
thanks wseltzer
mkwst: suggest 4 weeks is better, not much will happen
more comfy chair time
https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0030.html
https://docs.google.com/document/d/13c4hTlm2XgVYpxfGL1a8fcvI1CAUdIgd662DfElk_ow/edit
hta: some background, when we were doing WebRTC and especially data capture
... a number of places where we say "and then you grant permission"
... very ad-hoc
... questioned why not use the permissions manager module?
... WebRTC and MediaCapture groups favorably received the idea
dveditz: we want the Permissions spec to be extensible and voluntary, in general happy you've come to us
mkwst: things being done with WebRTC seems very much in the same vein as what else is happening in this document
... would be a good idea to talk directly with the editors of that document, Mounir and Marcos
dveditz: technically we own the spec but are sort of midwife for WebAPI group but didn't fit their charter
mkwst: convince implementers it makes sense and you are good to go
wseltzer: if anyone is willing to take on some description and evangelism of the work happening here
... particularly developer focused and success stories that we can share to get these technologies into broader circulation, that would be fantastic
... also TAG's documentation of "what's next after Keygen" is also looking for a home
bhill2: I've looked at that, joined the last TAG call and owe some PRs there
... think API work that comes out of that doc maybe ends up in proposed Web AuthN WG
terri: I'm working on getting approval to do developer docs
... will have a better idea in January
yay!
wseltzer: more groups are requiring security and privacy considerations explicitly in charters now
dveditz: adjourned, see you all on Jan 13
<dveditz> Thanks for the questionnaire link, mkwst, I hadn't noticed that came out
<mkwst> dveditz: Nick put together a blog post as well with some links to the PING work.
<mkwst> I can't find that at the moment, but perhaps wseltzer has a link?
<wseltzer> https://www.w3.org/blog/2015/12/tools-to-ensure-security-and-privacy-of-the-open-web-platform/
<wseltzer> thanks mkwst
<wseltzer> trackbot, end teleconf
Present: wseltzer, francois, bhill2, estark, terri, gmaone, Michael_Irwin, Ted_Dinklocker, dveditz, mkwst
Date: 16 Dec 2015
Minutes: http://www.w3.org/2015/12/16-webappsec-minutes.html
People with action items: wseltzer