The topic for #webappsec is: https://lists.w3.org/Archives/Public/public-webappsec/2015May/0007.html (12:04:26 PM)
Topic for #webappsec set by bhill2 at 11:59:33 on 05/04/15 (12:04:26 PM)
12:04:29 PM Zakim: +??P6
12:04:32 PM tanvi: zakim, who is here?
12:04:32 PM Zakim: On the phone I see BHill, francois, jww, drx-goog, [Mozilla], +1.310.597.aadd, +1.503.712.aaee, [Microsoft], ??P6
12:04:34 PM Zakim: [Mozilla] has dveditz
12:04:34 PM Zakim: On IRC I see tanvi, drx-goog, jww, gmaone, bhill2, francois, dveditz, schuki, deian, terri, freddyb, manu, pde, mkwst, Josh_Soref, tobie, timeless, Zakim, trackbot, wseltzer
12:04:38 PM tanvi: zakim, tanvi is aadd
12:04:38 PM Zakim: sorry, tanvi, I do not recognize a party named 'tanvi'
12:04:41 PM freddyb: Zakim, I am ??P6
12:04:41 PM Zakim: +freddyb; got it
12:04:47 PM tanvi: zakim, I am aadd
12:04:47 PM Zakim: +tanvi; got it
12:04:48 PM terri: Zakim, aaee is me
12:04:48 PM Zakim: +terri; got it
12:05:01 PM bhill2: zakim, who is here?
12:05:01 PM Zakim: On the phone I see BHill, francois, jww, drx-goog, [Mozilla], tanvi, terri, [Microsoft], freddyb
12:05:03 PM Zakim: [Mozilla] has dveditz
12:05:03 PM Zakim: On IRC I see tanvi, drx-goog, jww, gmaone, bhill2, francois, dveditz, schuki, deian, terri, freddyb, manu, pde, mkwst, Josh_Soref, tobie, timeless, Zakim, trackbot, wseltzer
dwalp [~dwalp@public.cloak] entered the room. (12:05:17 PM)
12:05:51 PM bhill2: scribenick: bhill2
12:05:59 PM bhill2: TOPIC: Agenda bashing
12:06:11 PM Zakim: + +1.650.253.aaff
12:06:34 PM bhill2: TOPIC: Minutes Approval
12:06:37 PM dveditz: bhill2: this is our first try at a topical WASWG meeting, but we can leave a little room for other business. is there any?
12:06:43 PM bhill2: http://www.w3.org/2011/webappsec/draft-minutes/2015-04-06-webappsec-minutes.html
12:06:44 PM dveditz: ... none, ok moving on
12:06:51 PM tanvi: I think there's a typo in the agenda - 12:12 - 1:00 Spec Focus: Mixed Content
12:06:59 PM mkwst: Zakim, aaff is mkwst
12:06:59 PM Zakim: +mkwst; got it
12:07:01 PM tanvi: Spec Focus: Subresource Integrity
12:07:02 PM bhill2: Any objections to unanimous consent to approve minutes?
12:07:02 PM dveditz: ... minutes posted at the usual place, any objection to unanimous consent to approving the minutes
12:07:14 PM bhill2: hearing no objections, minutes approved
12:07:15 PM dveditz: ... hearing none, the minutes are approved
12:07:29 PM bhill2: TOPIC: FPWD of Credential Management
12:07:34 PM dveditz: ... couple news items. FPWD of Credentials was published
12:08:01 PM bhill2: TOPIC: CfC on EPR
12:08:23 PM dveditz: ... kudos to Mike West for last minute work modifying the proposal to accommodate the Credentials CG
12:08:35 PM bhill2: TOPIC: F2F in Berlin week of July 13?
12:08:52 PM mkwst: bhill2: I think the CfC for EPR resolves today, doesn't it?
12:09:03 PM dveditz: ... tentative F2F coinciding with the W3C TAG meeting in Berlin
12:09:19 PM mkwst: bhill2: https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0268.html says May 4th.
12:09:50 PM dveditz: ... best to take advantage of proximity with TAG to discuss cross-cutting specs, upgrade, mixed content blocking, @@
12:10:20 PM dveditz: ... I've heard from some people who can make it and some who can't. Please reach out to me and let me know if you can make it
12:10:46 PM bhill2: TOPIC: [CSP] data: vs * in the real world
12:10:51 PM dveditz: ... The grace period for people rejoining the WG after our recharter has expired. Friends don't let friends drop out of the WG
12:10:55 PM bhill2: https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0242.html
12:11:17 PM Zakim: + +1.415.857.aagg
12:11:33 PM dveditz: ... In CSP dveditz brought up the issue that the spec and chrome differ on handling * and data: urls
devd [~devd@public.cloak] entered the room. (12:11:37 PM)
12:12:05 PM bhill2: brought up as this seems to be relevant to immediate implementation concerns with Firefox
12:12:22 PM bhill2: dveditz: new spec-compliant impl is at risk of being backed out due to compat
12:12:40 PM bhill2: ... need to figure out how strongly we need to fight for that
12:12:49 PM bhill2: ... what is Chrome likely to do?
12:13:15 PM bhill2: mkwst: the branch point for next release of Chrome is in a week-ish, plan a change to make Chrome spec compliant as well
12:13:29 PM bhill2: ... that is broken, would like to live in a world where we match the spec
12:13:36 PM bhill2: ... it is possible we may have missed the boat already
12:14:18 PM bhill2: ... possible to fix chrome extensions, but on open web hope we can land a change
12:15:20 PM bhill2: dveditz: if we can't keep current spec due to compat, next proposal is to make spec more complicated, * includes data: for images but not other things
12:15:30 PM bhill2: ... not actually concerned about data: for images
12:15:43 PM bhill2: mkwst: more complicated spec is bad, but understand where we are coming from
12:15:51 PM bhill2: dveditz: not my first choice
12:16:51 PM bhill2: dveditz: cnn not super urgent
puhley [~puhley@public.cloak] entered the room. (12:16:57 PM)
12:17:58 PM bhill2: mkwst: will send you a CL soon
12:18:28 PM bhill2: TOPIC: Subresource Integrity
12:18:57 PM bhill2: freddyb: recent changes
12:19:19 PM bhill2: reporting: we used to have something piggybacking on CSP reporting facility through a CSP directive
12:19:31 PM freddyb: (that's francois, not me )
12:19:31 PM bhill2: ... these are both gone, now we have error events and there is no more reporting in v1
12:19:41 PM bhill2: s/freddyb/francois
12:19:43 PM bhill2: (sorry!)
12:19:48 PM freddyb: (np)
12:20:17 PM bhill2: francois: next: authors are now able to specify more than one hash with the same strength, and will pass if content matches one of the hashes
12:20:37 PM bhill2: ... if providing more than one subresource based on UA sniffing, content negotiation, can specify all possible hashes in the integrity attribute
12:21:07 PM bhill2: ... other big change is that MIME types are no longer checked, first part of metadata used to be mime type and checked that headers matched expected type
12:21:16 PM bhill2: ... used to be a global option, before that it was a per-hash option
12:21:33 PM bhill2: ... both are removed from v1, we have restored the ability to have per-hash options through a question mark notation
12:21:49 PM bhill2: ... but not defining any options at this time. this is purely a forward compat allowance
12:22:08 PM bhill2: ... reason for removing was that it was believed that it should be part of a different spec
12:22:20 PM bhill2: ... perhaps things like disabling content sniffing from user agent which is already a different header
12:22:37 PM bhill2: dveditz: is there only room for one option after ?
12:22:59 PM bhill2: francois: we haven't defined exactly what we would put in there, but a rough format for specifying option names and values
12:23:07 PM bhill2: ... and can be more than one, looks a little bit like a query string
12:23:21 PM bhill2: jww: syntax is explicit in allowing multiple name/value option pairs
12:23:26 PM bhill2: dveditz: with ?
12:23:31 PM bhill2: jww: maybe a ;
12:23:42 PM bhill2: dveditz: make sure we test it with bogus options to make sure we ignore them
12:23:51 PM bhill2: ... are unknown options ignored or do they break integrity?
12:23:56 PM bhill2: francois: all will be ignored now
12:24:03 PM bhill2: dveditz: ok, hoping they would be ignored
12:24:19 PM bhill2: jww: chrome ignores for now
12:24:27 PM bhill2: jww: also is separated by multiple question marks
12:25:07 PM bhill2: bhill2: we could make the x509 mistake and have a critical bit, but let's not make that mistake
12:25:46 PM bhill2: dveditz: we need to be clear they are options, and <scribe> unknown ones MUST be ignored
12:26:07 PM bhill2: francois: last change is possibly the biggest one
12:26:20 PM bhill2: ... require CORS or same origin for it to be eligible for SRI
12:26:39 PM bhill2: ... used to also include publicly cacheable, CORS-eligible
12:27:37 PM bhill2: ... now it has to be loaded via CORS, allowing us to mitigate against brute-forcing resources with few possible contents
12:27:55 PM bhill2: ... downside is this will likely harm adoption as all resources now have to opt into CORS
12:28:16 PM bhill2: ... one of the main reasons this spec was started, in the short term not going to work because jQuery doesn't expose the CORS headers
12:28:29 PM bhill2: ... can we evangelize to them and get them to add the headers? I hope we can.
12:28:30 PM tanvi: does jquery plan to change that?
12:28:40 PM bhill2: jww: same-origin resources don't need CORS headers
12:28:40 PM tanvi: never mind, just answered
12:28:47 PM bhill2: francois: requirement is CORS or same-origin
12:29:01 PM bhill2: freddyb: we did talk to GitHub and they enabled CORS for everything hosted on github pages
12:29:23 PM bhill2: ... if we can reach someone it shouldn't be too hard to convince them for static resources like this
12:29:29 PM tanvi: is there an example of the brute force attack?
12:29:37 PM bhill2: dveditz: that's too bad
12:29:38 PM terri: is there a backup plan if evangelizing isn't successful?
12:29:52 PM freddyb: tanvi: http://www.w3.org/TR/SRI/#cross-origin-data-leakage-1
12:29:59 PM bhill2: dev: much easier to go back to publicly cacheable data, but I think that evangelization will work
12:30:07 PM bhill2: dveditz: will be good to evangelize that for other reasons
12:30:18 PM bhill2: jww: issue is resources for which you don't control the headers
12:30:47 PM bhill2: ... don't want to give an oracle over non-public content
12:31:00 PM bhill2: francois: talked with anne and we really tried to make this work differently
12:31:21 PM bhill2: ... but there are pages on intranets and home routers which may be publicly cacheable but only on that network
12:31:30 PM bhill2: ... may contain secrets like a wifi password we don't want to leak
12:31:30 PM tanvi: freddyb: I mean an example in the wild
12:32:03 PM bhill2: s/francois/freddyb
12:32:19 PM bhill2: mkwst: have you considered other options? like anonymous requests?
12:32:33 PM bhill2: dev: that's what CORS * does?
12:32:38 PM tanvi: if there is no cors header, then make the request without cookies
12:32:50 PM bhill2: mkwst: a variant that skips CORS checks but still is anonymous
12:32:58 PM freddyb: *nods*
12:33:05 PM bhill2: dev: we can experiment with looser policies going ahead, but hard to take away later
12:33:15 PM bhill2: jww: lots of people are sad about this
12:33:27 PM tanvi: me too
12:34:15 PM bhill2: bhill2: mike's suggestion falls to the same issues as other network-topology authenticated resources like home routers/intranets
12:34:34 PM bhill2: (maybe we can opt private address ranges out explicitly)
12:35:09 PM bhill2: francois: first question we want input on: should there be headers that disable eligibility?
12:35:26 PM bhill2: ... simpler now, still in spec, but still excludes a few things like authentication, refresh...
12:35:52 PM bhill2: http://w3c.github.io/webappsec/specs/subresourceintegrity/#agility-1
12:36:23 PM bhill2: freddyb: not that we should define headers, but they should be defined in fetch, anne's suggestion is to put it in fetch where it already is but not reinvent the wheel
12:36:46 PM bhill2: (sorry link should be:
12:36:56 PM bhill2: francois: so answer could be to refer to a specific part of the fetch spec?
12:37:02 PM bhill2: +1
12:37:45 PM francois: https://github.com/w3c/webappsec/issues/317
12:37:56 PM bhill2: francois: next part, how to handle ineligible / invalid resources
12:38:23 PM bhill2: ... previously we've determined to fail open in invalid metadata to enable forward compat
12:38:33 PM bhill2: ... this issue is about how exactly to define that fail open behavior
12:39:52 PM bhill2: dveditz: what about future algorithms, e.g. SHA3
12:40:00 PM bhill2: ... really old clients won't know and enforce this at all
12:40:17 PM bhill2: ... why should a client that knows about SRI but not the new algo be worse than a client that doesn't know about SRI at all?
12:40:54 PM bhill2: francois: difference here is if author adds integrity attribute for resource that also has CORS headers
12:41:32 PM bhill2: ... (if you are missing CORS headers, integrity check never happens) this is to make it more obvious that we would block the load
12:41:56 PM bhill2: freddyb: should make a distinction between unsupported algorithm because it is unknown or because it is known and unsupported
12:42:33 PM bhill2: ... that would mean whenever we remove an algorithm it should generate a warning because algorithm does not suffice
12:42:45 PM bhill2: dveditz: I disagree, this breaks pages that are otherwise perfectly fine
12:42:51 PM bhill2: ... put a warning on the console
12:43:05 PM bhill2: freddyb: only time to fail closed would be we did perform the check but hashes didn't add?
12:44:42 PM tanvi: for non-eligible, the integrity check is not going to happen anyway because there is no cors. so even if they fixed the integrity attribute, the load would still complete without checking integrity
12:45:07 PM tanvi: what's the point of blocking those loads?
12:46:03 PM bhill2: bhill2: question, what happens if CORS eligible status changes, do we fail closed?
12:46:27 PM bhill2: dev: crossorigin=anonymous forces fail if CORS headers are missing before integrity check happens anyway
12:47:12 PM bhill2: dev: agree with brad that guarantee UA is giving is to website, not user, can give warnings to console
12:47:27 PM bhill2: dveditz: can we fire another event or will they not look for that?
12:47:35 PM bhill2: dev: historically this is always console warnings
12:48:02 PM bhill2: terri: worried about a hash broken and then actual collisions being created
12:48:49 PM bhill2: dev: we leave it to the UA, if it is an algorithm you know to be wrong, the UA can fail closed but it is up to the UA
12:49:55 PM bhill2: terri: will this be a problem for multiple hashes if oldest one is bad and only one makes the pass?
12:50:25 PM bhill2: francois: you can specify more than one algorithm, and you can specify more than one hash
12:50:54 PM bhill2: ... first pass is to find the best algorithm and discard the rest, next pass is to check against the remaining list of the hashes with the best algorithm known
12:51:21 PM bhill2: TOPIC: Should we mention MIME types in the security considerations? #302
12:51:41 PM bhill2: https://github.com/w3c/webappsec/pull/302
12:52:09 PM bhill2: canonical example is the famous "GIFAR"
12:52:15 PM bhill2: which can be a GIF and JAR file
12:52:50 PM bhill2: http://softwareas.com/svg-and-vml-in-one-chameleon-file/
12:53:28 PM bhill2: freddyb: assumption is that if you're tagging something with a hash you have examined it somehow
12:54:14 PM bhill2: terri: this is not GIFAR
12:54:36 PM bhill2: dev: integrity only captures the body of the response, and other things control the behavior
12:54:54 PM bhill2: ... think it's fine to leave this for options in future versions
12:55:03 PM bhill2: ... target is CDN, not arbitrary user-controlled content
12:56:10 PM terri: Security journal with polyglot pdf+gz+??? files: https://www.alchemistowl.org/pocorgtfo/ (Note: swearing in the link, if you're opening it up in a public location)
12:56:28 PM bhill2: freddyb: for now we only support link and script, for script there is just javascript and vbscript
jww left the room (quit: Ping timeout: 180 seconds). (12:56:35 PM)
12:56:37 PM bhill2: dveditz: I would leave it out for now
12:57:01 PM bhill2: ... other specs address this, most of these chameleon resources are useful in an attack scenario e.g. where you have user uploaded content
12:57:24 PM bhill2: ... not going to have an integrity attribute in the place where an image is being misused as a jar file, e.g.
12:57:31 PM bhill2: ... we should worry about it elsewhere
12:57:50 PM bhill2: +1 good point that attack location will not include integrity metadata anyway
12:58:17 PM bhill2: dev: intent is for protecting your content, not someone else's
12:58:35 PM bhill2: ... creating a 2nd preimage for benign content is much harder than creating a deliberate collision
12:59:40 PM Zakim: -[Microsoft]
12:59:41 PM Zakim: -jww
12:59:42 PM Zakim: -mkwst
12:59:43 PM Zakim: -[Mozilla]
12:59:44 PM Zakim: - +1.415.857.aagg
12:59:45 PM Zakim: -drx-goog
12:59:45 PM Zakim: -tanvi
12:59:47 PM Zakim: -BHill
12:59:51 PM Zakim: -francois
12:59:52 PM Zakim: -terri
1:00:21 PM Zakim: -freddyb
1:00:23 PM Zakim: SEC_WASWG()3:00PM has ended
1:00:23 PM Zakim: Attendees were BHill, +1.418.907.aaaa, +1.415.736.aabb, jww, +1.206.876.aacc, francois, drx-goog, dveditz, +1.310.597.aadd, +1.503.712.aaee, [Microsoft], freddyb, tanvi, terri,
1:00:23 PM Zakim: ... +1.650.253.aaff, mkwst, +1.415.857.aagg
puhley left the room (quit: ""). (1:00:29 PM)
drx-goog left the room (quit: "Page closed"). (1:00:30 PM)
dwalp left the room (quit: Ping timeout: 180 seconds). (1:04:33 PM)
francois left the room (quit: "leaving"). (1:08:12 PM)
francois [~francois@public.cloak] entered the room. (1:12:47 PM)
devd left the room (quit: Ping timeout: 180 seconds). (1:14:51 PM)