See also: IRC log
<trackbot> Date: 23 April 2014
<bhill2> Meeting: WebAppSec WG Teleconference 23-April-2014
<terri> Zakim: I am aacc
<bhill2> Glenn, will you be able to scribe today?
<scribe> scribenick: glenn
<scribe> chair: bhill2
bhill2: JS conf coming up in Portland, OR, Aug 1-2, testing CSP
... TTWF activity
<bhill2> TTWF at CascadiaJS, August 2, focusing on CSP
<bhill2> following Cascadia JS CascadiaJS 2014 | Portland, OR
<bhill2> http://2014.cascadiajs.com/
bhill2: minutes approval
<bhill2> Draft minutes at: http://www.w3.org/2011/webappsec/draft-minutes/2014-04-09-webappsec-minutes.html
bhill2: any objections to approve?
... none, minutes approved
<bhill2> http://www.w3.org/2011/webappsec/track/actions/open?sort=owner
UNKNOWN_SPEAKER: no owners here ... should we reassign?
mkwst_: sounds reasonable
<bhill2> Github repo for SRI: https://github.com/w3c/webappsec/issues
bhill2: we have an alternate issues tracked on SRI on above repo
mkwst_: important topic
bhill2: any thoughts?
freddyb: :-) fine with either
... didn't include in prev mtgs
bhill2: wrote new agenda generator
... will come up regularly from now on
... do we want to migrate action items? issues?
mkwst_: can assign milestones
... can use one or the other
... github issues more likely to be seen outside WG
... OTOH W3C integrates better with zakim
... vague pref for github, but either way is ok
bhill2: for now, cont fwd with both
... sync up with doc edits
... may be a little extra work
terri: could have a script to sync?
<terri> that was me
wseltzer: we don't care which tools are used, but do want to make clear IP commitments on contributions
... further vetting needed on input from outside WG
ekr: ietf has similar issues
<bhill2> ekr: suggests any substantive issue must also be raised to the list to make IPR commitments clear
bhill2: new recent questions
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0044.html
bhill2: CSP rules should cascade into SVG
... e.g., img src=svg with embedded image in svg
dveditz: diff between FF and Chrome
... svg as an image vs svg as inline
... what FF does is render SVG in own doc, sort of like an iframe
... regardless what CSP says, then incorporate results into page
freddyb: supposes inline styles should be allowed for SVG
<bhill2> New draft from last week: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0043.html
<bhill2> http://www.w3.org/TR/svg-integration/
bhill2: how CSP policies apply to incorporating SVG
... should arrange a call with SVG WG to discuss
<bhill2> ISSUE clarify SVG rules for CSP in 1.1
terri: really need to treat SVG as active content
<bhill2> ACTION bhill2 to arrange some joint meeting time with SVG WG
<trackbot> Created ACTION-170 - Arrange some joint meeting time with svg wg [on Brad Hill - due 2014-04-30].
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0022.html
tanvi: default should be fallback mode
... 2nd item was non-canonical src
... if fails should fallback be over https? brad says no
... agrees should not require... let author decide
mkwst_: pushback in chrome team on doing some integrity tests
... specifically for resources served by means other than https
... push for using https everywhere
... see blink-dev
ekr: is this chrome or google position?
mkwst_: some diffs in opinion; chrome infrastructure team more interested
<ekr> mkwst: can you repost that link....
<tanvi> in the spec in general?
?: should forbid fallback to protocols other than https
bhill2: how should UAs regard fallback
<tanvi> brad
<mkwst_> https://groups.google.com/a/chromium.org/d/msg/blink-dev/hTDUpMk_TV8/t_rjlkKfgGgJ is the thread I'm thinking about.
bhill2: separate UI impact
ekr: lot of discussion of this topic in london
... worried about pushback from chrome
mkwst_: intent to implement was approved, but only for https
... see how it works on a small sample
... wants basic checks on functionality ... wants data to proceed with further issues
... blink pos at moment is: let's see if it works
... then we will look further
tanvi: could be used to test for lib version change then fallback to known version
bhill2: further comments? tanvi?
tanvi: not now
terri, tanvi: sorry haven't registered voices yet
<terri> glenn, don't worry, I had the same problem scribing last week!
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0023.html
mkwst_: sounds reasonable (no-external-navigation)
... first concern is nav by script injection
... meta redirects not covered
... talked about before but not much support then
... e.g., redirect to JS url
... didn't talk about meta redirects at that time
... worried about one thread dan pointed to (blocking from pages maliciously)
... but NOT FOR 1.1
dveditz: CSP currently does nothing to prevent injecting links or clickable images (possibly image)
... folks concerned about these cases
... who would use this?
mkwst_: some would use to hold user on page
bhill2: some confusion on what CSP is trying to do
... possibly beyond scope
... maybe "meta" is interesting case
... think more about meta in 1.2?
mkwst_: yes
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html
bhill2: have talked about this a number of times
... but keeps coming up
... make sure we have consensus reflected in 1.1 spec text
... what made it into spec text was that blob uris and similar file uris must be explicitly listed: won't match * policy
... does that reflect consensus?
... no objections, will stand as specified
mkwst_: keeps coming up because chrome doesn't implement this yet
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0004.html
bhill2: mutability after doc load
... current policy is NOT MUTABLE
... but may need to revisit, as keeps coming up: service workers, installable webapps
... e.g., policy to take effect after service worker launched
... may differ from initial policy
... possible inconsistency between policies
dveditz: is that really late binding?
... one visit and a later visit?
bhill2: depends on model of doc life cycle
... is an installed app a single resource, or for each instantiation a new life cycle?
dveditz: page might bounce around server farms on different visits
... could get diff CSP on diff visits
... may be bug or intentional
... what is in spec doesn't prevent or allow...
mkwst: no guarantee that diff loads produce same content or same policy
<bhill2> ACTION bhill2 to propose text to list on ISSUE-58
<trackbot> Created ACTION-171 - Propose text to list on issue-58 [on Brad Hill - due 2014-04-30].
bhill2: aob?