See also: IRC log
<gmaone> I've been trying to dial in for a while now, but I'm in roaming with an Edge connection and not enough bandwidth for VOIP. Looks like I can only attend on IRC this time :(
<bhill2> Scribe: Gopal Raghavan
<bhill2> Scribenick: gopal
<bhill2> giorgio: we'll try to be good about scribing, thanks
<gmaone> thank you
<bhill2> thanks, wseltzer. :)
<edulix> hi everyone
<freddyb> I'm on IRC but zakim is failing me today *retrying*
<bhill2> zakim aaee is devd
<bhill2> http://www.w3.org/2011/webappsec/draft-minutes/2014-06-18-webappsec-minutes.html
<bhill2> RESOLVED: minutes approved
bhill2: minutes approved: no objections
no additional topics
news: preparing lcwd cps2,
scheduled to be published tomorrow
... last call end period is aug-13, encourage to submit
comments
<bhill2> TPAC registration open, 27-31 Oct, WebAppSec M+Tu:
<bhill2> http://www.w3.org/2014/11/TPAC/
TPAC registration open, scheduled to meet M,Tue
<bhill2> Test the Web Forward CSP event, August 3:
<bhill2> http://testthewebforward.org/events/2014/portland.html
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0005.html
<edulix> (reading http://www.w3.org/2001/12/zakim-irc-bot.html etc)
<mkwst> edulix: If you'd like to talk, talk.
<bhill2> devd: should we reference https://tools.ietf.org/html/rfc6125
daved: is there a spec talk about public suffix
<edulix> ok, I'll talk about the isolated web components a bit: basically, the idea is to say "hey, we have a problem here, there are some things that people are doing as browser extensions because using the web is not secure enough". I don't know what would be the best way (though I did a proposal, it was just to provide an example)
mkwst: don't think csp should be one of them,
<edulix> let me quote something interesting from that thread: "The reason e2e is a Chrome Extension is because we (I'm the Tech Lead of End-To-End) didn't want Google to have access to secret key material. As such, we had to make sure the UI was separate from the GMail UI."
<bhill2> edulix: let's wait until that's the current topic
<edulix> ok
<bhill2> it's on the agenda in a few minutes
dane: agree, public suffix list is ugly and prefers to avoid
<edulix> bhill2: yeah, sorry
daved: concern is regex, restricting capabilities currently. May cause problems with *.com
in general would use csp to increase power of page, but strictly used for security policy
davd: should this be explicitly stated in spec
mkwst: dont' believe either of them add power, but worth adding this in spec somewhere.
bhill2: consensus on wild card
*.com
... should not match downward across
*.example matches everything in *.com
<bhill2> consensus is that wildcards should not match downward across DNS label separators ( *.example.com DOES NOT match example.com), but PSL is not relevant to the CSP heuristic
<dveditz> is that "down" or "up" ?
<bhill2> downward == rightward
davd: clarify downward
<bhill2> https://tools.ietf.org/html/rfc6125#section-6.4
<dveditz> gopal: s/davd/devd/
<bhill2> don't want the RFC6125 semantics - wildcard must be the sole character in a label component
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0000.html
mkwst: worth exploring,
dveditz: sandbox, prevents
attacks the parent context
... people in html should look at not csp
bhill2: could rewrite content of page with two different behavior
devd: someone should suggest recommend solution
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0006.html
<bhill2> edulix: you're up
<edulix> thanks
<edulix> more than isolated web components which was one idea of a specs-newbie (me) on how this might be doable, what I want is to improve end-to-end security in the web, minimizing the trust needed in third parties, including servers. Currently what you end up doing is creating a browser plugin, like for "cryptocat" or "end-to-end" from Google. Each use case is a bit different but the idea is the same: limit the trust on the webserver. subresources integrity
<edulix> helps, iframe helps, but I think that we might need a way to do something like "resource client-side pinning", so that if a new version of cryptocat is going to be used, user can now, and the browser can explore which version is in use and in which part of the page. Anyway, I know this is a bit vague, and maybe it's just me :-P but feedback is welcome
<bhill2> this is a topic we've explored a little bit previously
bhill2: topic explored previously
component model is not same as script source model
dveditz: not sure why this is csp issue
<dveditz> (as opposed to the web components people)
<bhill2> part of the issue here is that this is the Web App Security WG, but we're not in charge of the security model for other specs
<bhill2> really this topic should probably go to webapps, or web security IG, or even TAG
<edulix> so maybe we should think if this relavant here?
bhill2: part of the issue here, we are not in charge of security model for other group
dveditz: there were several other proposals before, interesting concept. If someone is interested in model we could look at that.
<terri> I don't think Web Security IG. they seem to be focused on reviewing existing specs, not creating new ones at this time.
<freddyb> (there was XBL (=XML Binding Language))
<bhill2> at the last WebApps face-to-face meeting which I attended as a guest, Maciej and Alex Russell were discussing how to do this, and provide a security model and barrier between components and the including page. it doesn't seem like that has progressed much, and I am concerned that as deployment starts it will be very hard to change the security model once they become widely used without breaking lots of resources
<edulix> gopal: what do you mean with "interested in model", what model?
<edulix> bhill2: that's interesting
<bhill2> edulix: can you join the call by voice? I think you will find it easier to follow
<freddyb> edulix: gopal is the scribe at today's meeting. he notes what other people currently say during the teleconference :-)
<edulix> bhill2: uhm I'll try to do that in the next meeting maybe? I'm new here
<edulix> i.e. I don't have the setup
bhill2: we should take this to webapps group
dveditz: will talk to web apps group
<edulix> dveditz: that'd be nice. I tried to collect in my original post a set of examples to set what we are really trying to do
<edulix> or more like, what people are doing right now and what are the possible uses-cases
<bhill2> I think the issue is not a lack of desire to have better security properties, but difficulty in deciding on a good model that can be well implemented
<bhill2> for powerful new web platform features
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0234.html
dveditz: no end of bugs in xpl context was isolated so then go privilege things, so they can get to different context, it can be a tricky implementation in browser.
<terri> I'm sorry, I have to run to another meeting. I'll try to stay on IRC, but my attention will be a bit divided.
bhill2: how webappsec should engage with this discussion
dveditz: websock allows sockets from insecure page, not from secure pages....
mkwst: https only or secure origin only, worth looking at spec, differs from mixed content. Not specific for this WG.
<bhill2> mkwst: +1 to that
<bhill2> "true|false"
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0221.html
bhill2: additional flag for report only
neilm: convinced this is not important
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0176.html
bhill2: non-canonical-src attribute
<dveditz> freddyb: still here?
mkwst: suggestion non-canonical src as specified in current draft is not clear, lot of hand waving
bhill2: agreed, action item to update usecase
<bhill2> ACTION bhill2 to suggest more clear use case and language around exact behavior for noncanonical-src
<trackbot> Created ACTION-181 - Suggest more clear use case and language around exact behavior for noncanonical-src [on Brad Hill - due 2014-07-09].
mkwst: usecase is ok, language needs clarification
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0235.html
unique vs opaque identifier
bhill2: if blobs can have origin that is not self, we may need to take an action to see how this impacts handling of a blob
devd: how origin of blob is url of scheme data?
<bhill2> we need to discuss more on list
<bhill2> ACTION bhill2 to make sure blob origin is discussed further on list
<trackbot> Created ACTION-182 - Make sure blob origin is discussed further on list [on Brad Hill - due 2014-07-09].
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0217.html
davewalp: should go forward with FPWD
bhill2: not objections
<bhill2> no objections to unanimous approval
<bhill2> RESOLVED: publish [MIX] as FPWD
<bhill2> Directives for Content Security Policy
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0256.html
bhill2: last call expired for
user interface security directive
... any concerns or changes to spec, what our next steps might
be
... partial implementation in existing spec, no one has
additional plans to implement
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0216.html
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0187.html
dveditz; 3 ideas outlined, per web page to be able to specify "i am only interested in certain amount of reports"
scribe: some people concerned the
reporting interface will be overwhelmed
... attacker could theoritcally take advantage of reporting
interface
devd: ok to add wording, are any user agents planning to add this
<bhill2> ACTION mkwst to add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming
<trackbot> Created ACTION-183 - Add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming [on Mike West - due 2014-07-09].
<bhill2> interest in max-reports-per-page syntax?
<dveditz> + 0.5 ?
<bhill2> interest in throttling reports with a frequency parameter?
<dveditz> +1
<mkwst> +0.2
<dveditz> :-)
bhill2: add +1 to channel if you are interested to max-repots-per-page
devd: all this should be possible with js interface
mkwst; difficult to do real sampling across the page
dveditz; don't think you might want to sample within the reports of the single page