WebAppSec Teleconference, 02-July-2014

02 Jul 2014


See also: IRC log


BHill, +1.781.369.aaaa, +49.162.102.aabb, +1.503.712.aacc, +1.831.246.aadd, davewalp, mkwst__, dveditz, gopal, terri, +1.559.927.aaee, devd, freddyb, +1.310.597.aaff, wuwei, tanvi, +1.949.273.aagg, neilm
bhill2, dveditz
Gopal Raghavan


<gmaone> I've been trying to dial in for a while now, but I'm in roaming with an Edge connection and not enough bandwidth for VOIP. Looks like I can only attend on IRC this time :(

<bhill2> Scribe: Gopal Raghavan

<bhill2> Scribenick: gopal

<bhill2> giorgio: we'll try to be good about scribing, thanks

<gmaone> thank you

<bhill2> thanks, wseltzer. :)

<edulix> hi everyone

<freddyb> I'm on IRC but zakim is failing me today *retrying*

<bhill2> zakim aaee is devd

Minutes approval

<bhill2> http://www.w3.org/2011/webappsec/draft-minutes/2014-06-18-webappsec-minutes.html

<bhill2> RESOLVED: minutes approved

bhill2: minutes approved: no objections

Agenda bashing


no additional topics

news: preparing lcwd cps2, scheduled to be published tomorrow
... last call end period is aug-13, encourage to submit comments

<bhill2> TPAC registration open, 27-31 Oct, WebAppSec M+Tu:

<bhill2> http://www.w3.org/2014/11/TPAC/

TPAC registration open, scheduled to meet M,Tue

<bhill2> Test the Web Forward CSP event, August 3:

<bhill2> http://testthewebforward.org/events/2014/portland.html

CSP wildcard host matching

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0005.html

<edulix> (reading http://www.w3.org/2001/12/zakim-irc-bot.html etc)

<mkwst> edulix: If you'd like to talk, talk.

<bhill2> devd: should we reference https://tools.ietf.org/html/rfc6125

daved: is there a spec talk about public suffix

<edulix> ok, I'll talk about the isolated web components a bit: basically, the idea is to say "hey, we have a problem here, there are some things that people are doing as browser extensions because using the web is not secure enough". I don't know what would be the best way (though I did a proposal, it was just to provide an example)

mkwst: don't think csp should be one of them,

<edulix> let me quote something interesting from that thread: "The reason e2e is a Chrome Extension is because we (I'm the Tech Lead of End-To-End) didn't want Google to have access to secret key material. As such, we had to make sure the UI was separate from the GMail UI."

<bhill2> edulix: let's wait until that's the current topic

<edulix> ok

<bhill2> it's on the agenda in a few minutes

dane: agree, public suffix list is ugly and prefers to avoid

<edulix> bhill2: yeah, sorry

daved: concern is regex, restricting capabilities currently. May cause problems with *.com

in general would use csp to increase power of page, but strictly used for security policy

davd: should this be explicitly stated in spec

mkwst: dont' believe either of them add power, but worth adding this in spec somewhere.

bhill2: consensus on wild card *.com
... should not match downward across

*.example matches everything in *.com

<bhill2> consensus is that wildcards should not match downward across DNS label separators ( *.example.com DOES NOT match example.com), but PSL is not relevant to the CSP heuristic

<dveditz> is that "down" or "up" ?

<bhill2> downward == rightward

davd: clarify downward

<bhill2> https://tools.ietf.org/html/rfc6125#section-6.4

<dveditz> gopal: s/davd/devd/

<bhill2> don't want the RFC6125 semantics - wildcard must be the sole character in a label component

CSP: 'no-external-navigation'?

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0000.html

mkwst: worth exploring,

dveditz: sandbox, prevents attacks the parent context
... people in html should look at not csp

bhill2: could rewrite content of page with two different behavior

devd: someone should suggest recommend solution

Isolated Web Components for a more secure web

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0006.html

<bhill2> edulix: you're up

<edulix> thanks

<edulix> more than isolated web components which was one idea of a specs-newbie (me) on how this might be doable, what I want is to improve end-to-end security in the web, minimizing the trust needed in third parties, including servers. Currently what you end up doing is creating a browser plugin, like for "cryptocat" or "end-to-end" from Google. Each use case is a bit different but the idea is the same: limit the trust on the webserver. subresources integrity

<edulix> helps, iframe helps, but I think that we might need a way to do something like "resource client-side pinning", so that if a new version of cryptocat is going to be used, user can now, and the browser can explore which version is in use and in which part of the page. Anyway, I know this is a bit vague, and maybe it's just me :-P but feedback is welcome

<bhill2> this is a topic we've explored a little bit previously

bhill2: topic explored previously

component model is not same as script source model

dveditz: not sure why this is csp issue

<dveditz> (as opposed to the web components people)

<bhill2> part of the issue here is that this is the Web App Security WG, but we're not in charge of the security model for other specs

<bhill2> really this topic should probably go to webapps, or web security IG, or even TAG

<edulix> so maybe we should think if this relavant here?

bhill2: part of the issue here, we are not in charge of security model for other group

dveditz: there were several other proposals before, interesting concept. If someone is interested in model we could look at that.

<terri> I don't think Web Security IG. they seem to be focused on reviewing existing specs, not creating new ones at this time.

<freddyb> (there was XBL (=XML Binding Language))

<bhill2> at the last WebApps face-to-face meeting which I attended as a guest, Maciej and Alex Russell were discussing how to do this, and provide a security model and barrier between components and the including page. it doesn't seem like that has progressed much, and I am concerned that as deployment starts it will be very hard to change the security model once they become widely used without breaking lots of resources

<edulix> gopal: what do you mean with "interested in model", what model?

<edulix> bhill2: that's interesting

<bhill2> edulix: can you join the call by voice? I think you will find it easier to follow

<freddyb> edulix: gopal is the scribe at today's meeting. he notes what other people currently say during the teleconference :-)

<edulix> bhill2: uhm I'll try to do that in the next meeting maybe? I'm new here

<edulix> i.e. I don't have the setup

bhill2: we should take this to webapps group

dveditz: will talk to web apps group

<edulix> dveditz: that'd be nice. I tried to collect in my original post a set of examples to set what we are really trying to do

<edulix> or more like, what people are doing right now and what are the possible uses-cases

<bhill2> I think the issue is not a lack of desire to have better security properties, but difficulty in deciding on a good model that can be well implemented

[blink-dev] Proposal: Prefer secure origins

<bhill2> for powerful new web platform features

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0234.html

dveditz: no end of bugs in xpl context was isolated so then go privilege things, so they can get to different context, it can be a tricky implementation in browser.

<terri> I'm sorry, I have to run to another meeting. I'll try to stay on IRC, but my attention will be a bit divided.

bhill2: how webappsec should engage with this discussion

dveditz: websock allows sockets from insecure page, not from secure pages....

mkwst: https only or secure origin only, worth looking at spec, differs from mixed content. Not specific for this WG.

<bhill2> mkwst: +1 to that

[CSP] Additional report field: report-only:

<bhill2> &quot;true|false&quot;

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0221.html

bhill2: additional flag for report only

neilm: convinced this is not important

[integrity] The noncanonical-src attribute

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0176.html

bhill2: non-canonical-src attribute

<dveditz> freddyb: still here?

mkwst: suggestion non-canonical src as specified in current draft is not clear, lot of hand waving

bhill2: agreed, action item to update usecase

<bhill2> ACTION bhill2 to suggest more clear use case and language around exact behavior for noncanonical-src

<trackbot> Created ACTION-181 - Suggest more clear use case and language around exact behavior for noncanonical-src [on Brad Hill - due 2014-07-09].

mkwst: usecase is ok, language needs clarification

[MIX] blob URLs

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0235.html

unique vs opaque identifier

bhill2: if blobs can have origin that is not self, we may need to take an action to see how this impacts handling of a blob

devd: how origin of blob is url of scheme data?

<bhill2> we need to discuss more on list

<bhill2> ACTION bhill2 to make sure blob origin is discussed further on list

<trackbot> Created ACTION-182 - Make sure blob origin is discussed further on list [on Brad Hill - due 2014-07-09].

CfC to publish FPWD of Mixed Content.

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0217.html

davewalp: should go forward with FPWD

bhill2: not objections

<bhill2> no objections to unanimous approval

<bhill2> RESOLVED: publish [MIX] as FPWD

PFWG comments on User Interface Security

<bhill2> Directives for Content Security Policy

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0256.html

bhill2: last call expired for user interface security directive
... any concerns or changes to spec, what our next steps might be
... partial implementation in existing spec, no one has additional plans to implement

Reducing reporting noise

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0216.html

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0187.html

dveditz; 3 ideas outlined, per web page to be able to specify "i am only interested in certain amount of reports"

scribe: some people concerned the reporting interface will be overwhelmed
... attacker could theoritcally take advantage of reporting interface

devd: ok to add wording, are any user agents planning to add this

<bhill2> ACTION mkwst to add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming

<trackbot> Created ACTION-183 - Add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming [on Mike West - due 2014-07-09].

<bhill2> interest in max-reports-per-page syntax?

<dveditz> + 0.5 ?

<bhill2> interest in throttling reports with a frequency parameter?

<dveditz> +1

<mkwst> +0.2

<dveditz> :-)

bhill2: add +1 to channel if you are interested to max-repots-per-page

devd: all this should be possible with js interface

mkwst; difficult to do real sampling across the page

dveditz; don't think you might want to sample within the reports of the single page

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2017/02/15 22:32:50 $