W3C

WebAppSec Teleconference 7-May-2013

07 May 2013

Agenda

See also: IRC log

Attendees

Present
+1.303.229.aaaa, bhill2, +1.425.865.aabb, +1.949.273.aacc, neil, ccarson, gmaone, +1.650.648.aadd, abarth, +1.650.678.aaee, +1.866.317.aaff, ekr, JeffH, +1.801.701.aagg, adam(digicert), +1.978.944.aahh, gopal
Regrets
Chair
SV_MEETING_CHAIR
Scribe
Neil Matatall

<jeffh> zakim aaff is JeffH

<bhill2> irc.w3.org is a pretty good web client if you're somewhere that blocks irc

<jeffh> mibbit is also an option

<ekr> Test

<bhill2> howdy

<bhill2> Scribe: Neil Matatall

<bhill2> Scribenick: neil

Minutes Approval

<abresee> testing

<bhill2> resolved: minutes approved

bhill2: no objections, minutes approved
... sent publication request to w3c to publish UI-sec directives draft, going up later this week

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0032.html

bhill2: checked in example code + framework for testing CSP
... moving from mercurial -> github

<bhill2> ACTION: abarth to issue CfC to list on new WD publication of CSP 1.1 [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action01]

<trackbot> Created ACTION-136 - Issue CfC to list on new WD publication of CSP 1.1 [on Adam Barth - due 2013-05-14].

<bhill2> one update: http://lists.w3.org/Archives/Public/public-webappsec/2013May/0038.html

bhill2: discussing rechartering - good group - continue progress
... handle upcoming issues in other groups
... subresource hashing
... no mixed content
... http[s]? vs http[s]? handling
... custom elements
... any objections to broadening of scope?

abarth: chrome interested in converging w/ mozilla on this

jeffh: sounds good to me

bhill2: add scope to charter - annotations to shadow DOM sub trees and web components model
... imposing strict behaviors for (inner|outer)HTML, standardizing toStaticHTML
... sandboxing components, like iframes + postMessage but easier to use

ccarson: boeing +1

<jeffh> seems fine

<jeffh> I suggest wordsmithing on the list

Tracker

<bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner

<bhill2> ekr, can you man the tracker?

<ekr> brad, working on it

<ekr> my network is sucking

<ekr> OK, I now have it

<ekr> adam: what was the resolution of 115?

<abarth> ekr: move to pending review

bhill2: skipping raised issues, pending cleanup

HTTP Auth and CORS

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0034.html

bhill2: discussing http auth, handling 401s for CORS + credentials
... no proposed spec text
... should we re-open CORS or will it become part of fetch?

abarth: not worth re-opening, more like on-going refinements

bhill2: to raise on the list

<bhill2> ACTION: bhill2 to query list whether CORS HTTP auth should re-open spec [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action02]

<trackbot> Created ACTION-137 - Query list whether CORS HTTP auth should re-open spec [on Brad Hill - due 2013-05-14].

Security implications of cross-origin violation reports in CSP

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0033.html

bhill2: mkwst_ brought up iframe scoped to origin, loading a resource could cause a redirect, leaking identity information

abarth: came up before when full URLs were part of violations reports
... providing only the host name helps address this

bhill2: issues with leaking secrets in URL, also what can be inferred from the presence of a redirect
... e.g. redirect implies an authenticated session

abarth: another example, logged-in pages are much slower than logged-out ones, so there's a timing attack too

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0025.html

<bhill2> was actual list thread

Cross-origin reporting

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0033.html

abarth: best thing to do might be use a new content type
... would people care about the content type?

bhill2: content of request body is constrained, not "arbitrarily horrible" ^TM

<bhill2> ACTION: abarth to update csp report content-type to application/csp-report or similar [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action03]

<trackbot> Created ACTION-138 - Update csp report content-type to application/csp-report or similar [on Adam Barth - due 2013-05-14].

innerHTML, web components, sandboxing, etc.

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0009.html

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0010.html

abarth: solicit use cases as well as proposals

bhill2: yeah, we might want to wait until the new charter is out
... finding a common solution is ideal, we don't want to further complicate things

srcdoc, data, inheriting CSP policies

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0097.html

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0005.html

<ekr> doh, lost call

abarth: spec language is next step, some discussions w/ imelvin

trimming the securitypolicy DOM interface

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0004.html

bhill2: pushback on the list to limiting, feelings that we shouldn't be restricting interfaces
... adding hooks for specific use cases, need to solicit use cases

abarth: to clarify, make the proposed change and let people raise objections as needed?

bhill2: it's reasonable and consistent

<bhill2> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: abarth to issue CfC to list on new WD publication of CSP 1.1 [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action01]
[NEW] ACTION: abarth to update csp report content-type to application/csp-report or similar [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action03]
[NEW] ACTION: bhill2 to query list whether CORS HTTP auth should re-open spec [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2017/02/15 22:32:51 $