21:59:41 <RRSAgent> RRSAgent has joined #webappsec
21:59:41 <RRSAgent> logging to http://www.w3.org/2012/11/20-webappsec-irc
22:00:00 <bhill1> zakim, this will be 92794
22:00:00 <Zakim> ok, bhill1; I see SEC_WASWG()5:00PM scheduled to start now
22:00:04 <tanvi> tanvi has joined #webappsec
22:00:05 <bhill1> rrsagent, begin
22:00:54 <abarth> abarth has joined #webappsec
22:02:01 <tanvi> Zakim, who is here
22:02:01 <Zakim> tanvi, you need to end that query with '?'
22:02:05 <ccarson> ccarson has joined #webappsec
22:02:06 <tanvi> Zakim, who is here?
22:02:06 <Zakim> SEC_WASWG()5:00PM has not yet started, tanvi
22:02:08 <Zakim> On IRC I see ccarson, abarth, tanvi, RRSAgent, Zakim, gioma1, dveditz, trackbot, bhill1, odinho, timeless, mkwst, erlend, wseltzer, caribou, tobie
22:02:36 <bhill1> Meeting: WebAppSec WG Teleconference Nov 20, 2012
22:02:40 <imelven> imelven has joined #webappsec
22:02:43 <imelven> hello !
22:02:47 <bhill1> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0089.html
22:02:54 <bhill1> Chair: bhill2
22:02:58 <bhill1> Scribe: Adam Barth
22:03:04 <bhill1> Scribenick: abarth
22:03:37 <abarth>  /invite rrsagent
22:03:39 <bhill1> zakim, who is here?
22:03:39 <Zakim> SEC_WASWG()5:00PM has not yet started, bhill1
22:03:40 <Zakim> On IRC I see imelven, ccarson, abarth, tanvi, RRSAgent, Zakim, gioma1, dveditz, trackbot, bhill1, odinho, timeless, mkwst, erlend, wseltzer, caribou, tobie
22:04:29 <abarth> zakim, list attendees
22:04:29 <Zakim> sorry, abarth, I don't know what conference this is
22:04:38 <gioma1> gioma1 is on the phone
22:04:50 <abarth> rrsagent, begin
22:04:57 <abarth> zakim, this is 92794
22:04:58 <Zakim> ok, abarth; that matches SEC_WASWG()5:00PM
22:05:07 <abarth> Meeting: <name> (WebAppSec WG TPAC2011 F2F [Oct 31|Nov 1] 2011)
22:05:14 <abarth> Scribe: abarth
22:05:22 <abarth> ScribeNick: abarth
22:05:30 <jeffh> jeffh has joined #webappsec
22:06:31 <abarth> no minutes for TPAC yet
22:06:40 <abarth> busy week of catchup for bhill1
22:06:47 <abarth> should be ready for next call
22:06:56 <abarth> bhill1: any more items for agenda?
22:06:56 <Zakim> +[IPcaller]
22:07:17 <abarth> bhill1: Add discussion of CSP 1.1 to FPWD
22:07:28 <abarth> bhill1: after rechartering discussion
22:07:34 <abarth> bhill1: news
22:07:43 <abarth> bhill1: TPAC successful
22:07:48 <abarth> bhill1: met with anne about CORS
22:07:54 <dveditz> zakim, who is here?
22:07:54 <Zakim> On the phone I see +1.650.648.aaaa, ??P1, ??P3, ??P4, [Mozilla], ??P5, +1.206.304.aabb, +1.310.597.aacc, +1.866.317.aadd, +1.415.596.aaee, [IPcaller]
22:07:56 <Zakim> On IRC I see jeffh, imelven, ccarson, abarth, tanvi, RRSAgent, Zakim, gioma1, dveditz, trackbot, bhill1, odinho, timeless, mkwst, erlend, wseltzer, caribou, tobie
22:08:07 <abarth> bhill1: CORS should be stable for several years
22:08:20 <abarth> bhill1: we should try to get to CR,  making progress down that road
22:08:37 <abarth> bhill1: invited expert from web accessibility working group
22:08:45 <abarth> bhill1: related to UI safety algorithms
22:09:00 <abarth> bhill1: updated the text based on this information
22:09:09 <puhley> puhley has joined #webappsec
22:09:24 <abarth> bhill1: In other news, CSP 1.0 has been published as a CR
22:09:32 <abarth> bhill1: and a FPWD of UI safety
22:10:02 <abarth> bhill1: IETF was in Atlanta and liasoned with websec working group
22:10:19 <abarth> bhill1: IETF web sec agreed to move work on future of frame-options to UI safey draft
22:10:33 <abarth> bhill1: Tobias will join the working group to help with that work
22:10:59 <abarth> bhill1: TPAC plenary session about fingerprinting
22:11:09 <abarth> bhill1: is it futile?
22:11:19 <abarth> bhill1: link to slides posted to the privacy interest group mailing list
22:11:30 <abarth> bhill1: many open concerns, unsure if any consensus
22:11:48 <abarth> bhill1: harder problem than many realize
22:11:59 <abarth> bhill1: need to have a concrete understanding of the threat model for privacy
22:12:30 <abarth> bhill1: next item on the agenda: CORS CfC
22:12:37 <abarth> bhill1: much discussion at TPAC
22:12:56 <abarth> bhill1: remove the diagram that bhill1 added in the interest of moving the document forward
22:13:02 <abarth> bhill1: incorporated all the comments from jeffh
22:13:11 <abarth> bhill1: (all non-normative)
22:13:21 <abarth> bhill1: some normative changes, mostly bug fixes
22:13:29 <abarth> bhill1: some positive feedback, but not much
22:13:35 <Zakim> -??P3
22:13:37 <abarth> bhill1: please indicate consent on the mailing list
22:13:50 <abarth> bhill1: i helps to have people weigh in when we go to the director
22:13:59 <abarth> bhill1: even something as simple as a +1 helps
22:14:12 <abarth> bhill1: art commented on the exit criteria
22:14:18 <Zakim> +[IPcaller.a]
22:14:23 <dveditz> that's for CSP, not CORS, right?
22:14:30 <abarth> for CORS
22:15:04 <dveditz> are there not two complete implementations?
22:15:14 <abarth> bhill1: is there any objection to setting the exit criteria for CORS as
22:15:28 <abarth> bhill1: two independent implementation of each feature
22:15:31 <Zakim> -??P1
22:15:35 <abarth> bhill1: individually
22:15:49 <abarth> bhill1: …. no objections
22:15:58 <abarth> bhill1: next item: test suite status
22:16:03 <abarth> bhill1: discussed at TPAC
22:16:16 <Zakim> +??P1
22:16:28 <mkwst> Zakim, ??P1 is mkwst
22:16:28 <Zakim> +mkwst; got it
22:16:42 <dveditz> Zakim, who is here
22:16:42 <Zakim> dveditz, you need to end that query with '?'
22:16:43 <abarth> hi mkwst
22:16:51 <dveditz> Zakim, who is here?
22:16:51 <Zakim> On the phone I see +1.650.648.aaaa, ??P4, [Mozilla], ??P5, +1.206.304.aabb, +1.310.597.aacc, +1.866.317.aadd, +1.415.596.aaee, [IPcaller], [IPcaller.a], mkwst
22:16:54 <Zakim> On IRC I see puhley, jeffh, imelven, ccarson, abarth, tanvi, RRSAgent, Zakim, gioma1, dveditz, trackbot, bhill1, odinho, timeless, mkwst, erlend, wseltzer, caribou, tobie
22:16:56 <mkwst> hi abarth :)
22:17:06 <abarth> Zakim: aaaa is abarth
22:17:12 <dveditz> Zakim, ??P4 is dveditz
22:17:12 <Zakim> +dveditz; got it
22:17:21 <abarth> Zakim, aaaa is abarth
22:17:22 <Zakim> +abarth; got it
22:17:36 <abarth> bhill1: Need to fix test suite with Vary: Origin
22:17:40 <gioma1> Zakim, ??P5 is gioma1
22:17:40 <Zakim> +gioma1; got it
22:17:49 <abarth> bhill1: seems like a sharp edge in protocol
22:18:11 <abarth> bhill1: we need to have independent implementations of the user agent portions of the specification
22:18:23 <abarth> bhill1: do you think we should require reference implementations of the server side?
22:18:53 <Zakim> +??P11
22:18:55 <abarth> abarth: I don't think there's a risk that it's not implementable on the server.  I've personally done like four of them
22:19:18 <abarth> bhill1: ok, maybe we can leave that out of the exit criteria
22:19:24 <gioma1> Zakim, ??P11 is gioma1
22:19:24 <Zakim> +gioma1; got it
22:19:32 <abarth> bhill1: next item: rechartering
22:19:45 <abarth> bhill1: sent link to the list
22:19:48 <bhill1> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/att-0094/Web_Application_Security_Working_Group.htm
22:20:00 <abarth> bhill1: updated version of the charter from TPAC
22:20:05 <abarth> bhill1: mostly the same as the current charter
22:20:13 <tanvi> Zakim, aacc is Tanvi
22:20:13 <Zakim> +Tanvi; got it
22:20:21 <abarth> bhill1: updated timelines to match reality
22:20:30 <abarth> bhill1: added CSP 1.1 with LC in july, etc
22:20:47 <abarth> bhill1: similar schedule for "sub resource integrity"
22:21:01 <abarth> bhill1: want to get a good feel for people's interest in exploring this topic
22:21:15 <abarth> bhill1: been discussed previously as a link fingerprint
22:21:33 <abarth> bhill1: web site can include a hash of the sub resource
22:21:46 <abarth> bhill1: verify that the content you receive is exactly what you expect (e.g., from a third party)
22:22:22 <abarth> bhill1: could also supply an alternate transport that's more cache-friendly
22:22:28 <abarth> bhill1: such as HTTP
22:22:39 <abarth> bhill1: but avoid trigging mixed content warning
22:22:52 <abarth> bhill1: adding more complexity might be a tarpit
22:23:06 <abarth> bhill1: we should liaison with the HTML working group
22:23:18 <abarth> bhill1: there was strong interest in TPAC, but want to discuss with a broader audience
22:24:19 <abarth> abarth: there are definitely people inside of google who would like to see this happen, but that's been true for a while and it hasn't happened yet
22:24:40 <abarth> dveditz: one concern from mozilla is questions about sorts of resources would this work for?
22:24:56 <abarth> dveditz: we also need to worry about the privacy aspects of HTTPS in addition to integrity
22:25:17 <abarth> dveditz: not that a particular resource was loaded, but more the cookies
22:25:40 <abarth> bhill1: are these technical concerns that can be ironed out?
22:25:57 <abarth> dveditz: people are excited about the integrity checking, but some concerns about the interaction with the security indicators
22:26:39 <abarth> abarth: should i dig up proposals from the internal discussions from google?
22:26:47 <abarth> dveditz: there are lots of proposals floating around
22:26:55 <abarth> dveditz: they come down to similar functionality
22:27:18 <abarth> bhill1: I don't have a proposal beyond a chalkboard sketch
22:27:35 <abarth> bhill1: are people interested in doing this in this group?
22:28:09 <dveditz> my answer was not a "no" :-) .. if you've got something concrete it might be a good start
22:28:27 <jeffh> Gerv is one of the folks to chat with: http://www.gerv.net/security/link-fingerprints/
22:28:44 <abarth> abarth: I'll dig around for the design docs and encourage the folks who are interested in them to join the working group
22:29:02 <abarth> jeffh: I think this something to explore and if the right people show up and have cycles, it could be great
22:29:26 <abarth> bhill1: we add two liaison groups to the sys apps group and the web crypto group
22:29:39 <abarth> bhill1: had a joint session with web crypto group
22:29:52 <abarth> bhill1: sys app is starting up
22:30:05 <abarth> bhill1: to adding OS-level API for web content
22:30:15 <abarth> bhill1: the first thing they have to do is come up with a security model
22:30:28 <abarth> bhill1: we should make sure that the security models are consistent and function well with CSP
22:30:57 <abarth> bhill1: ekr wants to make sure we can extend sandbox to make sure it controls access to crypto stuff
22:31:17 <abarth> bhill1: any additions or objections to this list?
22:31:31 <Zakim> -mkwst
22:31:56 <Zakim> +??P1
22:32:07 <mkwst> Zakim, ??P1 is mkwst.
22:32:07 <Zakim> +mkwst; got it
22:32:08 <mkwst> again.
22:32:11 <abarth> bhill1: move to formal approval at the next call
22:32:22 <jeffh> am not certain what "this list" refers to, but the above stuff wrt providing feedback into "sys app" work sounds nominally fine
22:32:44 <abarth> "this list" means the list of groups to liaison with
22:33:02 <jeffh> k, thx for clarification
22:33:03 <abarth> bhill1: next issue: CSP 1.1 issues
22:33:20 <abarth> bhill1: which things before FPWD and which after as issues?
22:33:32 <abarth> mkwst: I think its probably worth looking at the issues we currently have
22:33:33 <dveditz> jeffh: the "Dependencies and Liaisons" section of the proposed charter
22:33:44 <jeffh> thx
22:33:49 <abarth> mkwst: not in a big rush to get a draft out the door, but nothing seems like a big blocker
22:33:57 <Zakim> -[IPcaller.a]
22:34:12 <bhill1> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0025.html
22:34:15 <abarth> bhill1: first issues: continuing the discussion about inline styles
22:34:39 <Zakim> +[IPcaller.a]
22:34:39 <abarth> bhill1: jonas joined us at TPAC to discuss this issue
22:35:10 <abarth> abarth: ian sent me some text---i will review by EoD
22:35:24 <imelven> thanks adam
22:35:36 <abarth> imelven: there have been some more iterations inside mozilla, but nothing too suprising
22:35:40 <abarth> imelven: there are two pieces
22:35:52 <abarth> imelven: one is about the text about what inline styles to block
22:35:57 <jeffh> is the proposed txt re inline styles on the mailing list?
22:36:10 <abarth> imelven: and the second is about a hierarchy from font-src to style-src
22:36:46 <abarth> imelven: add a check when a stylesheet requests a non-image subresources
22:37:01 <abarth> dveditz: I think it was more that background image is a specific value
22:37:11 <abarth> dveditz: as opposed a string that gets parsed
22:37:31 <abarth> abarth: that generally makes sense to me, but I need to get into the details
22:37:39 <abarth> dveditz: mostly about clarity
22:38:04 <abarth> dveditz: they just want to have a spec that's clear
22:38:11 <abarth> imelven: I think its fine to do that in 1.1
22:38:57 <abarth> abarth: we can clarify as much as we want in 1.1 and then bring that text over to 1.0 when we move to PR
22:39:07 <bhill1> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0028.html
22:39:09 <abarth> bhill1: next item: restricting APIs in CSP
22:39:40 <abarth> bhill1: basic question is whether its work having a mechanism to restrict API access like getUserMedia
22:39:54 <abarth> bhill1: crypto, device APIs that allow access to features
22:39:58 <dveditz> s/work/worth/
22:40:03 <abarth> thx
22:40:31 <abarth> bhill1: ekr has proposed that new features be enabled explicitly in CSP rather than blacklisted
22:40:38 <abarth> bhill1: thoughts from those on the call?
22:41:13 <abarth> dveditz: we've already gone to a "turn things off" model
22:41:33 <abarth> dveditz: largely out of worries about forward compatibility
22:41:43 <abarth> dveditz: but I am concerned that we're adding features all over the browser
22:42:07 <abarth> mkwst: maybe the solution is to combine with sandboxing
22:42:37 <abarth> mkwst: might work well for get user media
22:42:45 <abarth> dveditz: yeah, but you only get one shot at it
22:43:00 <abarth> dveditz: otherwise there will be a time when the UA knows about the feature but doesn't know to sandbox it
22:43:08 <abarth> dveditz: the next version of the UA might break content
22:43:21 <abarth> dveditz: I find the idea appealing, but it is problematic
22:43:39 <abarth> dveditz: alternative: watch every spec is every working group
22:44:09 <abarth> mkwst: sandbox might have less breakage
22:44:14 <imelven> that was me
22:44:14 <jeffh> s/is every/in every/  ?
22:44:14 <imelven> sorry
22:44:21 <abarth> actually that was imelven
22:44:42 <abarth> dveditz: we try to keep on top of the features that are going into our browser and we can try to police them
22:44:53 <abarth> dveditz: if we agree quickly enough, it might be possible
22:47:21 <Zakim> -mkwst
22:47:33 <mkwst> ... Zakim doesn't like me.
22:47:45 <Zakim> +??P1
22:48:28 <abarth> abarth: sys apps will likely want to do this for sys apps api, but scaling to the whole platform is tough
22:48:49 <jeffh> where "this" is somesort of whitelist ?
22:49:02 <mkwst> "this" is an opt-in model for new APIs.
22:49:10 <abarth> yes, features off by default and then needing to be whitelisted in a policy to enable them
22:49:30 <abarth> bhill1: we might want to explore these possibility in CSP 1.1
22:49:58 <bhill1> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0083.html
22:49:59 <abarth> bhill1: maybe we should table this until we get some concrete proposals
22:50:11 <abarth> bhill1: next topic: subsuming X-XSS-Protection in CSP
22:50:29 <abarth> bhill1: created by Microsoft when then added their XSS filter
22:50:39 <abarth> bhill1: not formally specified, but also in WebKit
22:51:24 <abarth> bhill1: adding into CSP gets us reporting too
22:51:44 <abarth> mkwst: what I've added to CSP 1.1 currently is very basic---just three states
22:51:51 <abarth> mkwst: its unclear how to make the reporting worthwhiel
22:51:59 <abarth> mkwst: we might need to revisit that at some point
22:52:08 <abarth> mkwst: the specification itself is very straightforward
22:52:44 <abarth> dveditz: of the few sites that are using CSP many of them have inline script turned on
22:53:02 <abarth> dveditz: so adding a report for when the XSS filter finds something seems worthwhile
22:53:43 <dveditz> how do you specify the reporting URL? yet another header?
22:53:54 <dveditz> addition to the X-XSS-Protection header?
22:54:15 <dveditz> or are you saying that you've added it to your CSP impl
22:54:15 <Zakim> -[IPcaller.a]
22:54:24 <abarth> dveditz: we added a report-uri parameter to the X-XSS-Protection header
22:55:52 <abarth> ^^^ that was me talking to dveditz, not something he said
22:55:55 <dveditz> site authors probably just want to know 1) that you blocked/found something, 2) what's the URL (which contains the filtered xss by definition)
22:56:01 <abarth> yeah
22:56:27 <abarth> bhill1: last issue on the agenda: are there certain types of directives that don't make sense in the meta tag
22:56:51 <abarth> bhill1: I would rather spend the last four minutes on asking mkwst and abarth if we're ready to move towards FPWD of 1.1
22:56:55 <dveditz> I'm agnostic whether this happens in CSP or not. seems like a useful feature wherever it goes
22:57:47 <abarth> abarth: I support moving to FPWD so that we have something to work on
22:57:59 <abarth> bhill1: send me a version so we can start that process
22:58:12 <abarth> bhill1: that brings us to the end of the agenda
22:58:30 <abarth> bhill1: thanks everybody
22:58:43 <abarth> bhill1: submit comments on UI safety and CORS CfC
22:58:47 <Zakim> - +1.415.596.aaee
22:58:49 <Zakim> - +1.866.317.aadd
22:58:52 <Zakim> -[Mozilla]
22:58:54 <imelven> thank you ! :)
22:58:56 <Zakim> -??P1
22:59:00 <bhill1> zakim, list attendees
22:59:00 <Zakim> As of this point the attendees have been +1.650.648.aaaa, [Mozilla], +1.206.304.aabb, +1.310.597.aacc, +1.866.317.aadd, +1.415.596.aaee, [IPcaller], mkwst, dveditz, abarth, gioma1,
22:59:01 <jeffh> thanks!
22:59:03 <Zakim> ... Tanvi
22:59:05 <Zakim> -gioma1.a
22:59:08 <Zakim> - +1.206.304.aabb
22:59:13 <abarth> zakim, list attendees
22:59:13 <Zakim> As of this point the attendees have been +1.650.648.aaaa, [Mozilla], +1.206.304.aabb, +1.310.597.aacc, +1.866.317.aadd, +1.415.596.aaee, [IPcaller], mkwst, dveditz, abarth, gioma1,
22:59:17 <Zakim> ... Tanvi
22:59:18 <abarth> RRSAgent, set logs public-visible
22:59:24 <abarth> RRSAgent, make minutes
22:59:24 <RRSAgent> I have made the request to generate http://www.w3.org/2012/11/20-webappsec-minutes.html abarth
22:59:29 <Zakim> -[IPcaller]
22:59:34 <bhill1> thanks, Adam.
22:59:41 <bhill1> happy Thanksgiving to our USA members
22:59:47 <Zakim> -dveditz
22:59:49 <abarth> bhill1: happy thanksgiving to you too
23:00:50 <Zakim> -abarth
23:23:27 <Zakim> -Tanvi
23:28:27 <Zakim> disconnecting the lone participant, gioma1, in SEC_WASWG()5:00PM
23:28:28 <Zakim> SEC_WASWG()5:00PM has ended
23:28:28 <Zakim> Attendees were +1.650.648.aaaa, [Mozilla], +1.206.304.aabb, +1.310.597.aacc, +1.866.317.aadd, +1.415.596.aaee, [IPcaller], mkwst, dveditz, abarth, gioma1, Tanvi
23:43:09 <dveditz> yes?
23:43:58 <dveditz>  X-XSS-Protection already exists, added by IE.
23:44:15 <dveditz> we're talking about subsuming the functionality into CSP to get rid of an X- header
23:44:26 <dveditz> ditto x-frame-options
23:44:41 <dveditz> although not really gone because IE doesn't go away