W3C

WebAppSec WG

15 Jan 2013


Attendees

Present
+1.781.362.aaaa, +1.801.701.aabb, +1.425.865.aacc, gioma1, +1.650.648.aadd, +1.303.229.aaee, +1.508.574.aaff, +1.714.488.aagg, tanvi_and_imelven, bhill2, ccarson, +1.650.678.aahh, abarth, jimio, gopal, neil, abresee, dveditz, ekr_, +1.415.832.aaii
Regrets
Chair
bhill2, ekr
Scribe
gopal

Chair: bhill2, ekr

<scribe> Scribe: gopal

<scribe> ScribeNick:gopal

<tanvi> hi

<imelven> happy new year, #webappsec

<neil> zakim: aagg

<imelven> oh tanvi already got us

<neil> zakim: aagg is neil

<abresee> Sorry, could you run that by me one more time?

bhill2: any items to add to the agenda?
... CORS status: missed the publication deadline
... review will probably happen next week

<imelven> where would this be ?

bhill2: briefly talked about a meeting tentatively scheduled for 23-26 April
... eBay/PayPal sponsored, in the Bay Area

<bhill2> http://www.w3.org/wiki/HTML/wg/2013-04-Agenda

<bhill2> https://www.w3.org/2011/webappsec/track/actions/open

<ekr_> I regrettably have terrible connectivity here.

bhill2: action item 3: leave it as is
... action item 92 to dveditz: look at issue 32

<bhill2> https://www.w3.org/2011/webappsec/track/issues/32

<bhill2> ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes?

<trackbot> Notes added to ISSUE-32 Do we specify that path-specificity applies only to hierarchical URI schemes?.

dveditz: haven't looked at it yet

bhill2: action 94 to Mike West
... leave it open

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0030.html

bhill2: action 98, marked as pending review
... marking it closed
... action 101, reassigned to Brad to escalate the issue
... action 104 to abarth

abarth: push to next call and will look at it

bhill2: action 105, change the due date to next call
... action 106, Mike is not on the call, leave it as is
... associating products with issues
... opened up a lot of feedback and questions

<bhill2> example: associate ACTION-123 with ISSUE-45

<bhill2> will create an association

<bhill2> https://www.w3.org/2011/webappsec/track/issues/raised

<gioma1> I'm here , but no mic

<bhill2> raised issues, number 20

bhill2: issue-20, no volunteer

<gioma1> I can take on issue 20

<bhill2> ACTION to bhill2 investigate assistive technologies use of real or synthetic events

<trackbot> Error finding 'to'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<bhill2> ACTION bhill2 to investigate assistive technologies use of real or synthetic events

<trackbot> Created ACTION-107 - Investigate assistive technologies use of real or synthetic events [on Brad Hill - due 2013-01-22].

bhill2: currently on issue 21

<bhill2> associate ACTION-107 with ISSUE-21

<trackbot> ACTION-107 (Investigate assistive technologies use of real or synthetic events) associated with ISSUE-21.

<abresee> Do you mean issue 21?

<bhill2> ACTION gioma1 to query list on whether default UI Security heuristic behavior should be block or report

<trackbot> Error finding 'gioma1'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<gioma1> I'm trying to update the list

gioma1, please specify your W3C name

<bhill2> ACTION bhill2 to query list on whether default UI Security heuristic behavior should be block or report

<gioma1> done

<trackbot> Created ACTION-108 - to query list on whether default UI Security heuristic behavior should be block or report [on Brad Hill - due 2013-01-22].

<bhill2> associate ACTION-108 with ISSUE-20

<trackbot> ACTION-108 (to query list on whether default UI Security heuristic behavior should be block or report) associated with ISSUE-20.

bhill2: on issue-22

<gioma1> gopal: registered gioma1 nick

bhill2: I have to look at it again; does anyone understand what we are talking about in this issue?

jeffh: trying to think whether there is an exclusive directive for frame-options

<bhill2> “the directive is ignored if specified in a META tag” according to

<bhill2> http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx so that’s what we’ve done. There’s no official spec so “compatibility with IE” (which introduced the feature) is the goal.

abarth: a META tag may come quite late in the document; it makes no sense to bury it in the document

<bhill2> <-- from Dan Veditz in comments to http://blog.mozilla.org/security/2010/09/08/x-frame-options/

<jeffh> we shouldn't neglect/forget: https://tools.ietf.org/html/draft-ietf-websec-frame-options-00

<jeffh> "meta" doesn't appear in the latter

<jeffh> fwiw

<bhill2> ACTION dveditz to add spec language to CSP 1.1 regarding certain directives not honored in META

<trackbot> Created ACTION-109 - Add spec language to CSP 1.1 regarding certain directives not honored in META [on Daniel Veditz - due 2013-01-22].

dveditz: similar to the HTML5 WG spec: "allowed in META tag" / "not allowed in META tag"

<bhill2> associate ACTION-109 with ISSUE-26

<trackbot> ACTION-109 (Add spec language to CSP 1.1 regarding certain directives not honored in META) associated with ISSUE-26.

dveditz: will follow up on the issue and add more details

<bhill2> ACTION bhill2 to clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec

<trackbot> Created ACTION-110 - Clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec [on Brad Hill - due 2013-01-22].

<bhill2> associate ACTION-110 with ISSUE-25

<trackbot> ACTION-110 (Clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec) associated with ISSUE-25.

<bhill2> giorgio - are you willing to take an action on ISSUE-27?

<bhill2> https://www.w3.org/2011/webappsec/track/issues/27

bhill2: on issue 27

<gioma1> OK

<bhill2> ACTION gioma1 to provide guidance on efficient enforcement of display-time

<trackbot> Error finding 'gioma1'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<gioma1> I swear I registered the nickname, it's on the list. Maybe there's a delay?

<bhill2> ACTION bhill2 to provide guidance on efficient enforcement of display-time

<trackbot> Created ACTION-111 - Provide guidance on efficient enforcement of display-time [on Brad Hill - due 2013-01-22].

<bhill2> associate ACTION-111 with ISSUE-27

<trackbot> ACTION-111 (Provide guidance on efficient enforcement of display-time) associated with ISSUE-27.

<gioma1> ah OK, so the error message is quite misleading

<gioma1> my login name is "gmaone"

bhill2: on issue 28, will wait on it
... on issue 29
... sane defaults for clipping

<bhill2> ACTION gmaone to raise issue 29 on public-webappsec list for further discussion

<trackbot> Created ACTION-112 - Raise issue 29 on public-webappsec list for further discussion [on Giorgio Maone - due 2013-01-22].

<bhill2> associate ACTION-112 with ISSUE-29

<trackbot> ACTION-112 (Raise issue 29 on public-webappsec list for further discussion) associated with ISSUE-29.

bhill2: the rest of the issues relate to CSP 1.1

abarth: will take issue-31

<bhill2> ACTION abarth to chase specs and references for URL/URI definition used in CSP 1.1

<trackbot> Created ACTION-113 - Chase specs and references for URL/URI definition used in CSP 1.1 [on Adam Barth - due 2013-01-22].

<bhill2> associate ACTION-113 with ISSUE-31

<trackbot> ACTION-113 (Chase specs and references for URL/URI definition used in CSP 1.1) associated with ISSUE-31.

<bhill2> associate ACTION-92 with ISSUE-32

<trackbot> ACTION-92 (Propose spec text to resolve ISSUE-32) associated with ISSUE-32.

<bhill2> ACTION bhill to assign actions for issues 34, 35, 36, 37, 38, 39 to abarth

<trackbot> Error finding 'bhill'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<bhill2> ACTION bhill2 to assign actions for issues 34, 35, 36, 37, 38, 39 to abarth

<trackbot> Created ACTION-114 - Assign actions for issues 34, 35, 36, 37, 38, 39 to abarth [on Brad Hill - due 2013-01-22].

dveditz: instead of the CSP 1.1 product, is there a product for content and integrity?

bhill2: leave it as is with csp 1.1

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0112.html

bhill2: does anyone want to express affirmative support for the new charter?
... if no objections, submit it to the Director and start the approval process
... are there any objections to advancing this charter to the Director?
... no objections

<bhill2> RESOLVED draft charter is approved by WG members for submission to Director and Advisory Committee

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0013.html

bhill2: script nonces: AND vs OR policy
... does anyone on the call want to advocate a position?

abarth: advocates OR

<imelven> ok, agree re unsafe-inline OR nonce

abarth: AND: a script would have to satisfy both script-src and the script nonce

<imelven> agree

dveditz: is it too complicated to have both kinds ("OR" nonce and "AND" nonce)?
... more concerned: don't want magic inline scripts on the page
... if the security of an inline script depends on not leaking the nonce
... if you make it an "OR", it becomes brittle by breaking the nonce

abarth: they need to be inline to get the script working
... e.g. a couple of web apps had perf-critical inline scripts at the top

dveditz: should the nonce be in the script?

<jimio> nothing from my side on this.. I'd need to look into it a little bit more as well

bhill2: any web site implementers on the call who have an opinion?

dveditz: more concerned about nonce with inline scripts rather than with script tags

bhill2: move the rest of the agenda to the next call

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137
$Date: 2013-01-28 23:51:12 $

Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0041.html