W3C

Web Application Security Working Group Teleconference

23 Apr 2014

Attendees

Present
Regrets
Chair: bhill2, ekr
Scribe: glenn

<trackbot> Date: 23 April 2014

<bhill2> Meeting: WebAppSec WG Teleconference 23-April-2014

<terri> Zakim: I am aacc

<bhill2> Glenn, will you be able to scribe today?

<scribe> scribenick: glenn

<scribe> chair: bhill2

bhill2: JS conf coming up in Portland, OR, Aug 1-2, testing CSP
... TTWF activity

<bhill2> TTWF at CascadiaJS, August 2, focusing on CSP

<bhill2> following Cascadia JS CascadiaJS 2014 | Portland, OR

<bhill2> http://2014.cascadiajs.com/

bhill2: minutes approval

<bhill2> Draft minutes at: http://www.w3.org/2011/webappsec/draft-minutes/2014-04-09-webappsec-minutes.html

bhill2: any objections to approve?
... none, minutes approved

agenda bashing

Review of Open Actions in the Tracker

<bhill2> http://www.w3.org/2011/webappsec/track/actions/open?sort=owner

UNKNOWN_SPEAKER: no owners here ... should we reassign?

mkwst_: sounds reasonable

<bhill2> Github repo for SRI: https://github.com/w3c/webappsec/issues

bhill2: we have an alternate issues tracked on SRI on above repo

mkwst_: important topic

bhill2: any thoughts?

freddyb: -): fine with either
... didn't include in prev mtgs

bhill2: wrote new agenda generator
... will come up regularly from now on
... do we want to migrate action items? issues?

mkwst_: can assign milestones
... can use one or the other
... github issues more likely to be seen outside WG
... OTOH W3C integrates better with zakim
... vague pref for github, but either way is ok

bhill2: for now, cont fwd with both
... sync up with doc edits
... may be a little extra work

terri: could have a script to sync?

<terri> that was me

wseltzer: we don't care which tools are used, but do want to make clear IP commitments on contributions
... further vetting needed on input from outside WG

ekr: ietf has similar issues

<bhill2> ekr: suggests any substantive issue must also be raised to the list to make IPR commitments clear

[CSP] SVG-in-img implementation difference

bhill2: new recent questions

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0044.html

bhill2: CSP rules should cascade into SVG
... e.g., img src=svg with embedded image in svg

dveditz: diff between FF and CHROME
... svg as an image vs svg as inline
... what FF does is render SVG in own doc, sort of like an iframe
... regardless what CSP says, then incorporate results into page

freddyb: supposes inline styles should be allowed for SVG

<bhill2> New draft from last week: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0043.html

<bhill2> http://www.w3.org/TR/svg-integration/

bhill2: how CSP policies apply to incorporating SVG
... should arrange a call with SVG WG to discuss

<bhill2> ISSUE clarify SVG rules for CSP in 1.1

terri: really need to treat SVG as active content

<bhill2> ACTION bhill2 to arrange some joint meeting time with SVG WG

<trackbot> Created ACTION-170 - Arrange some joint meeting time with svg wg [on Brad Hill - due 2014-04-30].

[Integrity] Comments/Questions on Subresource Integrity spec

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0022.html

tanvi: default should be fallback mode
... 2nd item was non-canonical src
... if fails should fallback be over https? brad says no
... agrees should not require... let author decide

mkwst_: pushback in chrome team on doing some integrity tests
... specifically for resources served by means other than https
... push for using https everywhere
... see blink-dev

ekr: is this chrome or google position?

mkwst_: some diffs in opinion; chrome infrastructure team more interested

<ekr> mkwst: can you repost that link....

<tanvi> in the spec in general?

?: should forbid fallback to protocols other than https [bhill2]

scribe: how should UAs regard fallback

<tanvi> brad

<mkwst_> https://groups.google.com/a/chromium.org/d/msg/blink-dev/hTDUpMk_TV8/t_rjlkKfgGgJ is the thread I'm thinking about.

bhill2: separate UI impact

ekr: lot of discussion of this topic in london
... worried about pushback from chrome

mkwst_: intent to implement was approved, but only for https
... see how it works on a small sample
... wants basic checks on functionality ... wants data to proceed with further issues
... blink pos at moment is: let's see if it works
... then we
... we will look further

tanvi: could be used to test for lib version change then fallback to known version

bhill2: further comments? tanvi?

tanvi: not now

what to hash?

terri, tanvi: sorry haven't registered voices yet

CSP no-external-navigation

<terri> glenn, don't worry, I had the same problem scribing last week!

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0023.html

mkwst_: sounds reasonable (no-external-navigation)
... first concern is nav by script injection
... meta redirects not covered
... talked about before but not much support then
... e.g., redirect to JS url
... didn't talk about meta redirects at that time
... worried about one thread dan pointed to (blocking from pages maliciously)
... but NOT FOR 1.1

dveditz: CSP currently does nothing to prevent injecting links or clickable images (possibly image)
... folks concerned about these cases
... who would use this?

mkwst_: some would use to hold user on page

bhill2: some confusion on what CSP is trying to do
... possibly beyond scope
... maybe "meta" is interesting case
... think more about meta in 1.2?

mkwst_: yes

CSP, Blob Workers, and Firefox

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html

bhill2: have talked about this a number of times
... but keeps coming up
... make sure we have consensus reflected in 1.1 spec text
... what made it into spec text was that blob uris and similar file uris must be explicitly listed: won't match * policy
... does that reflect consensus?
... no objections, will stand as specified

mkwst_: keeps coming up because chrome doesn't implement this yet

webappsec-ISSUE-58 (Late binding of CSP): Late binding of CSP policies [CSP 1.1]

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0004.html

bhill2: mutability after doc load
... current policy is NOT MUTABLE
... but may need to revisit, as keeps coming up: service workers, installable webapps
... e.g., policy to take effect after service worker launched
... may differ from initial policy
... possible inconsistency between policies

dveditz: is that really late binding?
... one visit and a later visit?

bhill2: depends on model of doc life cycle
... is an installed app a single resource, or for each instantiation a new life cycle?

dveditz: page might bounce around server farms on different visits
... could get diff CSP on diff visits
... may be bug or intentional
... what is in spec doesn't prevent or allow...

mkwst: no guarantee that diff loads produce same content or same policy

<bhill2> ACTION bhill2 to propose text to list on ISSUE-58

<trackbot> Created ACTION-171 - Propose text to list on issue-58 [on Brad Hill - due 2014-04-30].

AOB

bhill2: aob?

Adjournment

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-05-07 15:59:25 $