21:49:30 <RRSAgent> RRSAgent has joined #webappsec
21:49:30 <RRSAgent> logging to http://www.w3.org/2013/02/12-webappsec-irc
21:49:36 <Zakim> Zakim has joined #webappsec
21:49:54 <bhill> zakim, this will be 92794
21:49:54 <Zakim> ok, bhill; I see SEC_WASWG()5:00PM scheduled to start in 11 minutes
21:53:21 <gmaone> gmaone has joined #webappsec
21:55:36 <Zakim> SEC_WASWG()5:00PM has now started
21:55:43 <Zakim> +abarth
21:55:51 <abarth> abarth has joined #webappsec
21:56:34 <Zakim> +ekr_
21:56:42 <ekr> ekr has joined #webappsec
21:56:50 <ekr> zakim, who is here?
21:56:50 <Zakim> On the phone I see abarth, ekr_
21:56:51 <Zakim> On IRC I see ekr, abarth, gmaone, Zakim, RRSAgent, jimio, jeffh, bhill, timeless, mkwst_, erlend, trackbot, caribou
21:57:04 <bhill> rrsagent, begin
21:57:25 <bhill> Meeting: WebAppSec WG 2-Feb-2012 Teleconference
21:57:29 <bhill> Chairs: bhill2, ekr
21:57:33 <Zakim> +??P15
21:57:39 <bhill> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0032.html
21:57:47 <gmaone> zakim, ??P15 is gmaone
21:57:47 <Zakim> +gmaone; got it
21:57:57 <bhill> Any volunteers to scribe if jrossi can't attend?
21:58:43 <ekr> next on the list is tanvi.
21:59:42 <ccarson> ccarson has joined #webappsec
21:59:49 <bhill> ...don't see her in chat yet, either
22:00:00 <Zakim> +ccarson
22:00:32 <neil> neil has joined #webappsec
22:01:09 <gopal> gopal has joined #webappsec
22:01:18 <Zakim> +neil
22:01:43 <Zakim> +bhill2
22:02:05 <Zakim> +jimio
22:02:44 <Zakim> +gopal
22:02:51 <Zakim> +[Mozilla]
22:03:02 <Zakim> +jeffh
22:03:22 <jeffh> ah, zakim "knows" me........
22:03:47 <Zakim> -[Mozilla]
22:04:12 <ekr> scribenick: ekr
22:04:16 <jeffh> moz was muddy for me too
22:04:21 <bhill> zakim, who is here?
22:04:21 <Zakim> On the phone I see abarth, ekr_, gmaone, ccarson, neil, bhill2, jimio, gopal, jeffh
22:04:24 <Zakim> On IRC I see gopal, neil, ccarson, ekr, abarth, gmaone, Zakim, RRSAgent, jimio, jeffh, bhill, timeless, mkwst_, erlend, trackbot, caribou
22:04:45 <Zakim> +[Mozilla]
22:05:53 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0015.html
22:05:53 <tanvi> tanvi has joined #webappsec
22:06:00 <tanvi> Zakim, who is here
22:06:00 <Zakim> tanvi, you need to end that query with '?'
22:06:03 <bhill> csp and the threats from inline styles
22:06:05 <imelven2> imelven2 has joined #webappsec
22:06:06 <tanvi> Zakim, who is here?
22:06:06 <Zakim> On the phone I see abarth, ekr_, gmaone, ccarson, neil, bhill2, jimio, gopal, jeffh, [Mozilla]
22:06:08 <Zakim> On IRC I see imelven2, tanvi, gopal, neil, ccarson, ekr, abarth, gmaone, Zakim, RRSAgent, jimio, jeffh, bhill, timeless, mkwst_, erlend, trackbot, caribou
22:06:14 <imelven> thanks brad
22:06:19 <tanvi> Zakim, [Mozilla] is tanvi_and_imelven
22:06:19 <Zakim> +tanvi_and_imelven; got it
22:07:08 <bhill> Joint F2F April 25-26
22:08:28 <ekr> bhill: proposed agenda, one test day
22:08:39 <ekr> … perhaps friday, focus on CSP testing
22:09:05 <bhill> https://www.w3.org/2011/webappsec/track/actions/open
22:10:41 <ekr> Action 92/Issue 32
22:10:41 <trackbot> Error finding '92/Issue'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:10:49 <imelven> hopefully we will have our unprefixed CSP stuff at least in nightly before the CSP testing day :)
22:10:58 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0019.html
22:11:09 <bhill> that mail is about subject of how to identify non-hierarchial URIs
22:11:49 <ekr> bhill: still working on 101
22:11:53 <ekr> … skipping 102 (no mike)
22:12:11 <ekr> http://www.w3.org/2011/webappsec/track/actions/104
22:12:25 <imelven> dveditz cannot make the call today, fyi
22:12:42 <ekr> http://www.w3.org/2011/webappsec/track/actions/105
22:12:47 <ekr> bhill: not done yet
22:13:01 <ekr> http://www.w3.org/2011/webappsec/track/actions/106: mike not on the call
22:13:17 <ekr> http://www.w3.org/2011/webappsec/track/actions/107 http://www.w3.org/2011/webappsec/track/actions/108 not done
22:13:29 <ekr> http://www.w3.org/2011/webappsec/track/actions/109  dveditz not on the call
22:13:57 <ekr> https://www.w3.org/2011/webappsec/track/actions/111: complete
22:14:04 <ekr> https://www.w3.org/2011/webappsec/track/actions/113
22:14:25 <ekr> abarth: this is a standards political football.
22:14:33 <ekr> … my opinion is that we shoudl reference the URL spec from whatwg
22:14:40 <ekr> … IETF wanted folks to reference their spec.
22:14:52 <ekr> … some people will be sad about that and complain
22:15:25 <ekr> ekr: I don't think it's good to be abandoning the IETF spec.
22:15:46 <ekr> abarth: we should leave this open, but there may not be a good spec to reference
22:15:56 <ekr> abarth: propose we close the action and leave the issue
22:16:58 <ekr> http://www.w3.org/2011/webappsec/track/actions/114: not done
22:17:08 <ekr> http://www.w3.org/2011/webappsec/track/actions/115: adam will d o it eventually
22:17:40 <ekr> http://www.w3.org/2011/webappsec/track/actions/116: mike was amenable to doing this
22:18:19 <ekr> http://www.w3.org/2011/webappsec/track/actions/118: let the list hash it
22:18:20 <ekr> ot
22:18:22 <ekr> out
22:18:55 <ekr> http://www.w3.org/2011/webappsec/track/actions/119: not done yet
22:19:16 <bhill> https://www.w3.org/2011/webappsec/track/issues/raised
22:19:17 <ekr> bhill: two issues raised in the last two weeks
22:19:25 <ekr> https://www.w3.org/2011/webappsec/track/issues/42
22:19:50 <ekr> https://www.w3.org/2011/webappsec/track/issues/43
22:20:14 <ekr> bhill: does this require any specific language int he CSP spec?
22:20:27 <ekr> abarth: might be worth adding a note
22:21:10 <ekr> bhill: abarth, can you volunteer to do this
22:21:20 <Zakim> -gopal
22:21:39 <ekr> action: abarth to propose language to spec to explain how custom elements are handled (see issue 43)
22:21:39 <trackbot> Created ACTION-120 - Propose language to spec to explain how custom elements are handled (see issue 43) [on Adam Barth - due 2013-02-19].
22:23:39 <ekr> bhill: blank blocked URIs...
22:23:52 <ekr> abarth: this is the same issue as before with URIs.
22:24:05 <ekr> … bjoern is in one camp and people who implement browsers are in a different camp
22:24:34 <ekr> bhill: since this is in a browser.
22:25:01 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0017.html
22:25:04 <jeffh> as I see the two camps:  the on-the-wire protocol camp;  and the we-gotta-parse-whatever-is-handed-to-us (aka browser impls) camp;
22:25:21 <bhill> https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3
22:26:39 <ekr> jeffh: well, I actually think that the argument is partly about whether these things are *called* URIs
22:26:50 <d_> d_ has joined #webappsec
22:26:57 <jeffh> that's another facet to the problem space, yes :)
22:26:58 <ekr> abarth: the same issue came up when we did the origin draft.
22:27:11 <ekr> … we cited 5.2 of RFC 3986.
22:27:26 <ekr> s/5.2/3.2/
22:27:42 <ekr> … this section talksa bout a hierarchical element for a naming authroity
22:27:58 <ekr> bhill: sounds good
22:28:12 <ekr> … adam, can you bring this to the list as a suggestion
22:28:25 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0016.html
22:29:23 <ekr> … do any folks on the call have comments on this text?
22:30:08 <ekr> … will take silence as this being good to go.
22:30:24 <ekr> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0013.html
22:30:25 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0013.html
22:30:35 <ekr> … we discussed this some at TPAC
22:30:49 <ekr> … is this too late and most UAs are already doing this?
22:30:52 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0038.html
22:31:22 <ekr> … dveditz said this was ugly cruft
22:31:32 <ekr> <unknown>: apply the scheme on the page?
22:31:46 <ekr> tanvi: if it's an HTTP page, allow HTTP or HTTPS. If it's an HTTPS page, allow HTTPS only
22:32:36 <ekr> ekr: what about pages which assume they are fetched over HTTPS
22:33:00 <ekr> bhill: my reading of dan's suggestion is that this should be an implicit property.
22:33:12 <ekr> … that CSP in HTTPS should mean no mixed content
22:33:15 <jeffh> ....and that having been fetched over https gives them certain sec props (and that's not necessarily correct)
22:33:27 <ekr> jeffh: right.
22:33:36 <ekr> bhill: is that in the current spec?
22:33:48 <ekr> abarth: no real connection between mixed content blocking and a CSP header?
22:34:00 <ekr> bhill: what if I specify a source without a scheme
22:34:13 <ekr> abarth: if you don't provide a scheme, you inherit the scheme.
22:34:34 <ekr> neil: I just tested this in chrome and that doesn't seem to be true
22:34:39 <ekr> adam: can you provide the test case?
22:34:52 <jeffh> w3c@adambarth.com
22:35:03 <jeffh> yeah, send to list please :)
22:35:03 <imelven> just slightly active on the mailing list, adam :P
22:35:29 <imelven> this came up with hsts also, i brought it up last month or so i think
22:35:47 <ekr> bhill: sounds like no objections to making "secure" behavior the default
22:36:08 <ekr> abarth: what if you just supply a CSP policy that restricts video, you could still have mixed content images
22:36:15 <tanvi> http://www.w3.org/Security/wiki/Content_Security_Policy
22:36:56 <ekr> bhill: what dan was proposing was that if you opt into CSP that mixed content should be blocked by default?
22:37:47 <ekr> neil (?): idea was to allow HTTPS-only if you are on an HTTPS page but HTTP would imply both
22:38:07 <ekr> tanvi: proposal is now that all CSP pages don't allow mixed content unless someone explicitly allows it
22:38:17 <ekr> abarth: this seems like a model change
22:38:19 <ekr> neil: yes.
22:38:21 <imelven> ekr: that was me, not neil
22:38:23 <imelven> both times
22:38:24 <imelven> sorry
22:38:31 <ekr> No worries, I just can't pick up people's names well
22:38:41 <ekr> zakim, who is talking?
22:38:55 <Zakim> ekr, listening for 12 seconds I heard sound from the following: abarth (92%), jimio (7%)
22:40:08 <abarth> what about sites that host assists but set HSTS
22:40:12 <jimio> ^^ not sure how I'm making noise, not dialed in.
22:40:17 <ekr> hah
22:40:23 <abarth> they'll redirect to HTTPS, which breaks the "inherit the scheme for HTTP pages" behavior
22:40:40 <ekr> bhill: this seems to need some list discussion.
22:40:47 <abarth> that issue occurs without HSTS as well if there's a normal HTTP redirect to HTTPS
22:41:04 <ekr> bhill: ian's agenda request
22:41:11 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0015.html
22:41:43 <ekr> imelven: spec currently says blocking inline styles shoudl block style elements and attributs
22:41:51 <ekr> … css object model should not be blocked
22:42:14 <ekr> … what is the difference between the style attribute and the CSSOM.
22:42:18 <ekr> … what's the threat?
22:42:43 <jeffh> CSSOM == css object model
22:42:44 <ekr> … best threat is using CSS selectors to steal passwords, but this seems to be only inline styles
22:43:18 <ekr> … a lot of pushback about what's in the spec and if it's usable in the real world
22:43:48 <ekr> bhill: abarth, any comments?
22:44:01 <jeffh> apparently there's also this msg/thread:  http://lists.w3.org/Archives/Public/public-webappsec/2012Dec/0047.html
22:44:11 <ekr> abarth: I feel like your current feelings are different.
22:44:19 <ekr> imelven: yeah, this is based on pushback from CSS people.
22:44:25 <ekr> abarth: maybe we should reevaluate
22:45:13 <ekr> imelven: one approach would be to make it more granular.
22:45:43 <ekr> … concern about decisions now being overtaken by new behaviors
22:45:52 <Zakim> -bhill2
22:46:07 <ekr> abarth: proposed new token to allow attributes but not elements
22:46:18 <Zakim> +bhill2
22:47:11 <ekr> imelven: please feel fre eto reply to my post
22:47:53 <imelven> it should totally be called unsafe-taco tho
22:48:16 <ekr> Action: imelven to propose some specification text to deal with allowing attributes but not elements
22:48:16 <trackbot> Error finding 'imelven'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:48:20 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0001.html
22:49:07 <ekr> consensus is that yes, we should have inline CSS nonce if we have inline script nonce
22:50:33 <ekr> abarth: if we think about the syntax, we may be able to have the nonce go in the src, we wouldn't need to make foo-nonce and bar-nonce
22:51:23 <ekr> bhill: abarth, can you make this proposal
22:51:43 <ekr> action: abarth to email the list with the generic src-nonce proposal (i.e., not specifically for each thing that could be srced)
22:51:44 <trackbot> Created ACTION-121 - Email the list with the generic src-nonce proposal (i.e., not specifically for each thing that could be srced) [on Adam Barth - due 2013-02-19].
22:52:13 <ekr> bhill: script hash
22:52:36 <ekr> … does anyon think this is a terrible idea
22:52:52 <ekr> … we are having a great discussion on the list. I would like to see someone volunteer to put together a proposal
22:53:54 <ekr> action: nick to put together a proposed script-hash proposal
22:53:54 <trackbot> Error finding 'nick'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:54:51 <imelven> got a link to the online form to register as a w3c user ?
22:55:05 <Zakim> -ekr_
22:57:13 <imelven> (http://www.w3.org/Help/Account/)
22:59:33 <Zakim> -jeffh
22:59:35 <Zakim> -abarth
22:59:35 <Zakim> -jimio
22:59:36 <Zakim> -neil
22:59:37 <bhill> zakim, list attendees
22:59:37 <Zakim> As of this point the attendees have been abarth, ekr_, gmaone, ccarson, neil, bhill2, jimio, gopal, jeffh, tanvi_and_imelven
22:59:39 <Zakim> -tanvi_and_imelven
22:59:42 <Zakim> -ccarson
22:59:49 <Zakim> -gmaone
22:59:53 <bhill> rrsagent, makeminutes
22:59:53 <RRSAgent> I'm logging. I don't understand 'makeminutes', bhill.  Try /msg RRSAgent help
22:59:58 <bhill> rrsagent, make minutes
22:59:58 <RRSAgent> I have made the request to generate http://www.w3.org/2013/02/12-webappsec-minutes.html bhill
23:00:02 <bhill> rrsagent, set logs public-visible
23:00:16 <Zakim> -bhill2
23:00:17 <Zakim> SEC_WASWG()5:00PM has ended
23:00:17 <Zakim> Attendees were abarth, ekr_, gmaone, ccarson, neil, bhill2, jimio, gopal, jeffh, tanvi_and_imelven
23:00:31 <tanvi> tanvi has left #webappsec