WebAppSec Teleconference

04 May 2015


Brad Hill, Dan Veditz
bhill2, mkwst


The topic for #webappsec is: (12:04:26 PM)
Topic for #webappsec set by bhill2 at 11:59:33 on 05/04/15 (12:04:26 PM)

12:04:29 PM Zakim: +??P6
12:04:32 PM tanvi: zakim, who is here?
12:04:32 PM Zakim: On the phone I see BHill, francois, jww, drx-goog, [Mozilla], +1.310.597.aadd, +1.503.712.aaee, [Microsoft], ??P6
12:04:34 PM Zakim: [Mozilla] has dveditz
12:04:34 PM Zakim: On IRC I see tanvi, drx-goog, jww, gmaone, bhill2, francois, dveditz, schuki, deian, terri, freddyb, manu, pde, mkwst, Josh_Soref, tobie, timeless, Zakim, trackbot, wseltzer
12:04:38 PM tanvi: zakim, tanvi is aadd
12:04:38 PM Zakim: sorry, tanvi, I do not recognize a party named 'tanvi'
12:04:41 PM freddyb: Zakim, I am ??P6
12:04:41 PM Zakim: +freddyb; got it
12:04:47 PM tanvi: zakim, I am aadd
12:04:47 PM Zakim: +tanvi; got it
12:04:48 PM terri: Zakim, aaee is me
12:04:48 PM Zakim: +terri; got it
12:05:01 PM bhill2: zakim, who is here?
12:05:01 PM Zakim: On the phone I see BHill, francois, jww, drx-goog, [Mozilla], tanvi, terri, [Microsoft], freddyb
12:05:03 PM Zakim: [Mozilla] has dveditz
12:05:03 PM Zakim: On IRC I see tanvi, drx-goog, jww, gmaone, bhill2, francois, dveditz, schuki, deian, terri, freddyb, manu, pde, mkwst, Josh_Soref, tobie, timeless, Zakim, trackbot, wseltzer

dwalp [~dwalp@public.cloak] entered the room. (12:05:17 PM)

12:05:51 PM bhill2: scribenick: bhill2
12:05:59 PM bhill2: TOPIC: Agenda bashing
12:06:11 PM Zakim: + +1.650.253.aaff
12:06:34 PM bhill2: TOPIC: Minutes Approval
12:06:37 PM dveditz: bhill2: this is our first try at a topical WASWG meeting, but we can leave a little room for other business. is there any?
12:06:43 PM bhill2:
12:06:44 PM dveditz: ... none, ok moving on
12:06:51 PM tanvi: I think there's a typo in the agenda - 12:12 - 1:00 Spec Focus: Mixed Content
12:06:59 PM mkwst: Zakim, aaff is mkwst
12:06:59 PM Zakim: +mkwst; got it
12:07:01 PM tanvi: Spec Focus: Subresource Integrity
12:07:02 PM bhill2: Any objections to unanimous consent to approve minutes?
12:07:02 PM dveditz: ... minutes posted at the usual place, any objection to unanimous consent to approving the minutes
12:07:14 PM bhill2: hearing no objections, minutes approved
12:07:15 PM dveditz: ... hearing none, the minutes are approved
12:07:29 PM bhill2: TOPIC: FPWD of Credential Management
12:07:34 PM dveditz: ... couple of news items. FPWD of Credentials was
12:08:01 PM bhill2: TOPIC: CfC on EPR
12:08:23 PM dveditz: ... kudos to Mike West for last minute work modifying the proposal to accommodate the Credentials CG
12:08:35 PM bhill2: TOPIC: F2F in Berlin week of July 13?
12:08:52 PM mkwst: bhill2: I think the CfC for EPR resolves today, doesn't it?
12:09:03 PM dveditz: ... tentative F2F coinciding with the W3C TAG meeting in Berlin
12:09:19 PM mkwst: bhill2:
says May 4th.
12:09:50 PM dveditz: ... best to take advantage of proximity with TAG to discuss cross-cutting specs, upgrade, mixed content blocking, @@
12:10:20 PM dveditz: ... I've heard from some people who can make it and some who can't. Please reach out to me and let me know if you can make it
12:10:46 PM bhill2: TOPIC: [CSP] data: vs * in the real world
12:10:51 PM dveditz: ... The grace period for people rejoining the WG after our recharter has expired. Friends don't let friends drop out of the WG
12:10:55 PM bhill2:
12:11:17 PM Zakim: + +1.415.857.aagg
12:11:33 PM dveditz: ... In CSP dveditz brought up the issue that the spec and Chrome differ on handling * and data: URLs

devd [~devd@public.cloak] entered the room. (12:11:37 PM)

12:12:05 PM bhill2: brought up as this seems to be relevant to immediate implementation concerns with Firefox
12:12:22 PM bhill2: dveditz: new spec-compliant impl is at risk of being backed out due to compat
12:12:40 PM bhill2: ... need to figure out how strongly we need to fight for that
12:12:49 PM bhill2: ... what is Chrome likely to do?
12:13:15 PM bhill2: mkwst: the branch point for next release of Chrome is in a week-ish, plan a change to make Chrome spec compliant as well
12:13:29 PM bhill2: ... that is broken, would like to live in a world where we match the spec
12:13:36 PM bhill2: ... it is possible we may have missed the boat already
12:14:18 PM bhill2: ... possible to fix chrome extensions, but on open web hope we can land a change
12:15:20 PM bhill2: dveditz: if we can't keep current spec due to compat, next proposal is to make spec more complicated, * includes data: for images but not other things
12:15:30 PM bhill2: ... not actually concerned about data: for images
12:15:43 PM bhill2: mkwst: more complicated spec is bad, but understand where we are coming from
12:15:51 PM bhill2: dveditz: not my first choice
12:16:51 PM bhill2: dveditz: cnn not super urgent

puhley [~puhley@public.cloak] entered the room. (12:16:57 PM)

12:17:58 PM bhill2: mkwst: will send you a CL soon
12:18:28 PM bhill2: TOPIC: Subresource Integrity
12:18:57 PM bhill2: freddyb: recent changes
12:19:19 PM bhill2: reporting: we used to have something piggybacking on CSP reporting facility through a CSP directive
12:19:31 PM freddyb: (that's francois, not me)
12:19:31 PM bhill2: ... these are both gone, now we have error events and there is no more reporting in v1
12:19:41 PM bhill2: s/freddyb/francois
12:19:43 PM bhill2: (sorry!)
12:19:48 PM freddyb: (np)
12:20:17 PM bhill2: francois: next: authors are now able to specify more than one hash with the same strength, and will pass if content matches one of the hashes
12:20:37 PM bhill2: ... if providing more than one subresource based on UA sniffing, content negotiation, can specify all possible hashes in the integrity attribute
12:21:07 PM bhill2: ... other big change is that MIME types are no longer checked, first part of metadata used to be MIME type and checked that headers matched expected type
12:21:16 PM bhill2: ... used to be a global option, before that it was a per-hash option
12:21:33 PM bhill2: ... both are removed from v1, we have restored the ability to have per-hash options through a question mark notation
12:21:49 PM bhill2: ... but not defining any options at this time. this is purely a forward compat allowance
12:22:08 PM bhill2: ... reason for removing was that it was believed that it should be part of a different spec
12:22:20 PM bhill2: ... perhaps things like disabling content sniffing from user agent which is already a different header
12:22:37 PM bhill2: dveditz: is there only room for one option after ?
12:22:59 PM bhill2: francois: we haven't defined exactly what we would put in there, but a rough format for specifying option names and values
12:23:07 PM bhill2: ... and can be more than one, looks a little bit like a query string
12:23:21 PM bhill2: jww: syntax is explicit in allowing multiple name/value option pairs
12:23:26 PM bhill2: dveditz: with ?
12:23:31 PM bhill2: jww: maybe a ;
12:23:42 PM bhill2: dveditz: make sure we test it with bogus options to make sure we ignore them
12:23:51 PM bhill2: ... are unknown options ignored or do they break
12:23:56 PM bhill2: francois: all will be ignored now
12:24:03 PM bhill2: dveditz: ok, hoping they would be ignored
12:24:19 PM bhill2: jww: chrome ignores for now
12:24:27 PM bhill2: jww: also is separated by multiple question marks
12:25:07 PM bhill2: bhill2: we could make the X.509 mistake and have a critical bit, but let's not make that mistake
12:25:46 PM bhill2: dveditz: we need to be clear they are options, and unknown ones MUST be ignored
12:26:07 PM bhill2: francois: last change is possibly the biggest one
12:26:20 PM bhill2: ... require CORS or same origin for it to be eligible for SRI
12:26:39 PM bhill2: ... used to also include publicly cacheable,
12:27:37 PM bhill2: ... now it has to be loaded via CORS, allowing us to mitigate against brute-forcing resources with few possible contents
12:27:55 PM bhill2: ... downside is this will likely harm adoption as all resources now have to opt into CORS
12:28:16 PM bhill2: ... one of the main reasons this spec was started, in the short term not going to work because jQuery doesn't expose the CORS
12:28:29 PM bhill2: ... can we evangelize to them and get them to add the headers? I hope we can.
12:28:30 PM tanvi: does jquery plan to change that?
12:28:40 PM bhill2: jww: same-origin resources don't need CORS headers
12:28:40 PM tanvi: never mind, just answered
12:28:47 PM bhill2: francois: requirement is CORS or same-origin
12:29:01 PM bhill2: freddyb: we did talk to GitHub and they enabled CORS for everything hosted on GitHub Pages
12:29:23 PM bhill2: ... if we can reach someone it shouldn't be too hard to convince them for static resources like this
12:29:29 PM tanvi: is there an example of the brute force attack?
12:29:37 PM bhill2: dveditz: that's too bad
12:29:38 PM terri: is there a backup plan if evangelizing isn't successful?
12:29:52 PM freddyb: tanvi:

12:29:59 PM bhill2: dev: much easier to go back to publicly cacheable data, but I think that evangelization will work
12:30:07 PM bhill2: dveditz: will be good to evangelize that for other
12:30:18 PM bhill2: jww: issue is resources for which you don't control the headers
12:30:47 PM bhill2: ... don't want to give an oracle over non-public content
12:31:00 PM bhill2: francois: talked with anne and we really tried to make this work differently
12:31:21 PM bhill2: ... but there are pages on intranets and home routers which may be publicly cacheable but only on that network
12:31:30 PM bhill2: ... may contain secrets like a wifi password we don't want to leak
12:31:30 PM tanvi: freddyb: I mean an example in the wild
12:32:03 PM bhill2: s/francois/freddyb
12:32:19 PM bhill2: mkwst: have you considered other options? like anonymous requests?
12:32:33 PM bhill2: dev: that's what CORS * does?
12:32:38 PM tanvi: if there is no CORS header, then make the request without cookies
12:32:50 PM bhill2: mkwst: a variant that skips CORS checks but still is
12:32:58 PM freddyb: *nods*
12:33:05 PM bhill2: dev: we can experiment with looser policies going ahead, but hard to take away later
12:33:15 PM bhill2: jww: lots of people are sad about this
12:33:27 PM tanvi: me too
12:34:15 PM bhill2: bhill2: mike's suggestion falls to the same issues as other network-topology authenticated resources like home
12:34:34 PM bhill2: (maybe we can opt private address ranges out explicitly)
12:35:09 PM bhill2: francois: first question we want input on: should there be headers that disable eligibility?
12:35:26 PM bhill2: ... simpler now, still in spec, but still excludes a few things like authentication, refresh...
12:35:52 PM bhill2:
12:36:23 PM bhill2: freddyb: not that we should define headers, but they should be defined in fetch, anne's suggestion is to put it in fetch where it already is but not reinvent the wheel
12:36:46 PM bhill2: (sorry link should be:
12:36:56 PM bhill2: francois: so answer could be to refer to a specific part of the fetch spec?

12:37:02 PM bhill2: +1
12:37:45 PM francois: https://github.com/w3c/webappsec/issues/317
12:37:56 PM bhill2: francois: next part, how to handle ineligible / invalid resources
12:38:23 PM bhill2: ... previously we've determined to fail open on invalid metadata to enable forward compat
12:38:33 PM bhill2: ... this issue is about how exactly to define that fail open behavior
12:39:52 PM bhill2: dveditz: what about future algorithms, e.g. SHA3
12:40:00 PM bhill2: ... really old clients won't know and enforce this at all
12:40:17 PM bhill2: ... why should a client that knows about SRI but not the new algo be worse than a client that doesn't know about SRI at all?
12:40:54 PM bhill2: francois: difference here is if author adds integrity attribute for resource that also has CORS headers
12:41:32 PM bhill2: ... (if you are missing CORS headers, integrity check never happens) this is to make it more obvious that we would block the load
12:41:56 PM bhill2: freddyb: should make a distinction between unsupported algorithm because it is unknown or because it is known and
12:42:33 PM bhill2: ... that would mean whenever we remove an algorithm it should generate a warning because algorithm does not suffice
12:42:45 PM bhill2: dveditz: I disagree, this breaks pages that are otherwise perfectly fine
12:42:51 PM bhill2: ... put a warning on the console
12:43:05 PM bhill2: freddyb: only time to fail closed would be we did perform the check but hashes didn't add?
12:44:42 PM tanvi: for non-eligible, the integrity check is not going to happen anyway because there is no CORS. so even if they fixed the integrity attribute, the load would still complete without checking
12:45:07 PM tanvi: what's the point of blocking those loads?
12:46:03 PM bhill2: bhill2: question, what happens if CORS eligible status changes, do we fail closed?
12:46:27 PM bhill2: dev: crossorigin=anonymous forces fail if CORS headers are missing before integrity check happens anyway
12:47:12 PM bhill2: dev: agree with brad that guarantee UA is giving is to website, not user, can give warnings to console
12:47:27 PM bhill2: dveditz: can we fire another event or will they not look for that?
12:47:35 PM bhill2: dev: historically this is always console warnings
12:48:02 PM bhill2: terri: worried about a hash broken and then actual collisions being created
12:48:49 PM bhill2: dev: we leave it to the UA, if it is an algorithm you know to be wrong, the UA can fail closed but it is up to the UA
12:49:55 PM bhill2: terri: will this be a problem for multiple hashes if oldest one is bad and only one makes the pass?
12:50:25 PM bhill2: francois: you can specify more than one algorithm, and you can specify more than one hash
12:50:54 PM bhill2: ... first pass is to find the best algorithm and discard the rest, next pass is to check against the remaining list of the hashes with the best algorithm known
12:51:21 PM bhill2: TOPIC: Should we mention MIME types in the security considerations? #302
12:51:41 PM bhill2: https://github.com/w3c/webappsec/pull/302
12:52:09 PM bhill2: canonical example is the famous "GIFAR"
12:52:15 PM bhill2: which can be a GIF and JAR file
12:52:50 PM bhill2: http://softwareas.com/svg-and-vml-in-one-chameleon-file/
12:53:28 PM bhill2: freddyb: assumption is that if you're tagging something with a hash you have examined it somehow
12:54:14 PM bhill2: terri: this is not GIFAR
12:54:36 PM bhill2: dev: integrity only captures the body of the response, and other things control the behavior
12:54:54 PM bhill2: ... think it's fine to leave this for options in future versions
12:55:03 PM bhill2: ... target is CDN, not arbitrary user-controlled content
12:56:10 PM terri: Security journal with polyglot pdf+gz+??? files: https://www.alchemistowl.org/pocorgtfo/ (Note: swearing in the link, if you're opening it up in a public location)
12:56:28 PM bhill2: freddyb: for now we only support link and script, for script there is just javascript and vbscript

jww left the room (quit: Ping timeout: 180 seconds). (12:56:35 PM)

12:56:37 PM bhill2: dveditz: I would leave it out for now
12:57:01 PM bhill2: ... other specs address this, most of these chameleon resources are useful in an attack scenario e.g. where you have user uploaded content
12:57:24 PM bhill2: ... not going to have an integrity attribute in the place where an image is being misused as a jar file, e.g.
12:57:31 PM bhill2: ... we should worry about it elsewhere
12:57:50 PM bhill2: +1 good point that attack location will not include integrity metadata anyway
12:58:17 PM bhill2: dev: intent is for protecting your content, not someone else's
12:58:35 PM bhill2: ... creating a 2nd preimage for benign content is much harder than creating a deliberate collision
12:59:40 PM Zakim: -[Microsoft]
12:59:41 PM Zakim: -jww
12:59:42 PM Zakim: -mkwst
12:59:43 PM Zakim: -[Mozilla]
12:59:44 PM Zakim: - +1.415.857.aagg
12:59:45 PM Zakim: -drx-goog
12:59:45 PM Zakim: -tanvi
12:59:47 PM Zakim: -BHill
12:59:51 PM Zakim: -francois
12:59:52 PM Zakim: -terri
1:00:21 PM Zakim: -freddyb
1:00:23 PM Zakim: SEC_WASWG()3:00PM has ended
1:00:23 PM Zakim: Attendees were BHill, +1.418.907.aaaa, +1.415.736.aabb, jww, +1.206.876.aacc, francois, drx-goog, dveditz, +1.310.597.aadd, +1.503.712.aaee, [Microsoft], freddyb, tanvi, terri, +1.650.253.aaff, mkwst, +1.415.857.aagg

puhley left the room (quit: ""). (1:00:29 PM)

drx-goog left the room (quit: "Page closed"). (1:00:30 PM)

dwalp left the room (quit: Ping timeout: 180 seconds). (1:04:33 PM)

francois left the room (quit: "leaving"). (1:08:12 PM)

francois [~francois@public.cloak] entered the room. (1:12:47 PM)

devd left the room (quit: Ping timeout: 180 seconds). (1:14:51 PM)

Summary of Action Items

Summary of Resolutions

    [End of minutes]

    Minutes formatted by David Booth's scribe.perl version 1.143 (CVS log)
    $Date: 2015/05/18 23:15:45 $