WebAppSec WG Teleconference 10-September-2014

10 Sep 2014


See also: IRC log


dveditz, BHill, mkwst, gmaone, +1.360.562.aaaa, kevinhill, gmaone2, David, Walp
dveditz, bhill



minutes approval

<dveditz> http://www.w3.org/2011/webappsec/draft-minutes/2014-08-27-webappsec-minutes.html

dveditz: Any objections to publishing minutes?

<dveditz> scribenick: mkwst


dveditz: No objections, approved.

Review of Open Actions in the Tracker

agenda bashing

bhill2: Perhaps we can skip around a bit, due to low attendance.
... Are there particular topics of interest?

kevinhill: child-src looks interesting.

dveditz: I drop my objection.

kevinhill: Working on 1.0 implementation.
... Level 2 looks interesting. We think it's a good spec.
... Adoption is a topic I'd like to cover.
... CSP is struggling with adoption. Working in MS to get services to adopt CSP.
... Worthwhile to band together to help websites adopt?
... Yelp, for instance, is doing interesting work.

mkwst: I agree that it's important to get adoption.
... internal Google properties are adopting: Gmail, Plus, YouTube, etc.

kevinhill: thinking of sites outside MS and Google.
... nice to see Yelp, for instance.
... important to highlight folks in the community, help the wider net understand the value.

dveditz: people come up with super-complex policies that break all the time.
... suggesting that folks come up with simpler policies, focusing on script-src.
... not a first line of defense.
... other complaint is reporting: discover how terrible the web is, lots of unexpected errors.
... add-ons, ISPs, etc.
... separating real attacks from noise is difficult.

kevinhill: This is more or less what the Yelp article addresses.

bhill2: setting up some sort of CSP-support mailing list would be helpful.
... shared report-processing mechanisms, code would be excellent

kevinhill: want to go to tooling folks at MS to see what could be done.
... perhaps VS could help developers construct policies.
... tooling around IIS for analysis.
... the more public we can be in the community, the more helpful for folks.
... publish stats about what's being prevented, etc.
... smartscreen filter in the browser. publish statistics.

dveditz: telemetry reporting to the browser? could report what is being blocked for users.
... might be interesting. will talk to folks about that.

kevinhill: comcast example.

mkwst: https is necessary.

bhill2: CSP is a discovery mechanism to understand why HTTPS is critical.

dveditz: browser helper objects that inject content?

kevinhill: Haven't thought about it much.

dveditz: it's a problem everyone has. chrome tries to allow extensions to work.

kevinhill: progress is being made there. i agree that it's important.

<dveditz> thx

mkwst: 1. CSP2 to CR? 2. What does "wide review" mean in the context of the WG?

bhill: 1. Take the doc we're working on and bring it to Director for publication.
... Notify other groups, invite them to take a look at CSP2. Point to blog posts, and presentations, etc.

<dveditz> <mkwst: less concerned about CSP2 than MIX and Referrer which are less visible. I understand the new process doesn't include a last call period>

<dveditz> <mkwst: we don't seem to get much feedback /until/ last call, worried about what happens if we don't have that>

<dveditz> <bhill2: we can always have an informal Last Call ourselves>

mkwst: MIX? Do we wait until the next call? I'd like to get a draft out.

bhill2: Any objections to publishing a new WD of MIX?

<various> : No objections.

bhill2: Ok, we'll take it to the list.

mkwst: Perhaps we could move the call down again? I can do a slightly later call.

<bhill2> ACTION bhill2 to reconsider call time

<trackbot> Created ACTION-187 - Reconsider call time [on Brad Hill - due 2014-09-17].

bhill2: Dropping to hit the WebCrypto workshop.

[CSP] kill or delay child-src?

dveditz: My confusion. Withdraw question.

davidwalp: Last item: XHR.

XMLHttpRequest. Support for OPTIONS* method.

mkwst: That's a thread that's probably best dealt with on the list, as the folks on that thread don't generally call into WebAppSec.

dveditz: Started in public-webapps@. Probably best to do it via mail.
... Ok. Let's call it early today.

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.139 (CVS log)
$Date: 2017/02/15 22:32:50 $