20:56:25 <RRSAgent> RRSAgent has joined #webappsec
20:56:25 <RRSAgent> logging to http://www.w3.org/2013/07/02-webappsec-irc
20:56:54 <bhill2> Meeting: WebAppSec WG Teleconference 2-Jul-2013
20:57:00 <bhill2> Chair: bhill2, ekr
20:57:22 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0000.html
20:58:04 <ccarson> ccarson has joined #webappsec
20:58:34 <bhill2> zakim, this is 92794
20:58:34 <Zakim> ok, bhill2; that matches SEC_WASWG()5:00PM
20:58:42 <bhill2> zakim, who is here?
20:58:42 <Zakim> On the phone I see +1.650.648.aaaa, +1.303.229.aabb
20:58:44 <Zakim> On IRC I see ccarson, RRSAgent, Zakim, bhill2, gmaone, dveditz, jeffh, yoav, trackbot, odinho, wseltzer, timeless, mkwst_
20:58:44 <Zakim> + +1.206.304.aacc
20:58:52 <bhill2> zakim, aabb is bhill2
20:58:52 <Zakim> +bhill2; got it
20:59:00 <ccarson> zakin, aacc is ccarson
20:59:05 <ccarson> zakim, aac is ccarson
20:59:05 <Zakim> sorry, ccarson, I do not recognize a party named 'aac'
20:59:07 <Zakim> +??P3
20:59:11 <ccarson> zakim, aacc is ccarson
20:59:11 <Zakim> +ccarson; got it
20:59:13 <bhill2> zakim, aaaa is abarth
20:59:13 <Zakim> +abarth; got it
20:59:20 <neilm> neilm has joined #webappsec
20:59:22 <gmaone> zakim, ??P3 is gmaone
20:59:22 <Zakim> +gmaone; got it
20:59:25 <Zakim> +[Mozilla]
20:59:45 <abarth> abarth has joined #webappsec
20:59:49 <jimio> jimio has joined #webappsec
21:00:02 <bhill2> zakim, Mozilla has tanvi
21:00:02 <Zakim> +tanvi; got it
21:00:07 <tanvi> tanvi has joined #webappsec
21:00:13 <tanvi> Zakim, who is here
21:00:13 <Zakim> tanvi, you need to end that query with '?'
21:00:20 <tanvi> Zakim, who is here?
21:00:20 <Zakim> On the phone I see abarth, bhill2, ccarson, gmaone, [Mozilla]
21:00:21 <Zakim> [Mozilla] has tanvi
21:00:21 <Zakim> On IRC I see tanvi, jimio, abarth, neilm, ccarson, RRSAgent, Zakim, bhill2, gmaone, dveditz, jeffh, yoav, trackbot, odinho, wseltzer, timeless, mkwst_
21:00:32 <tanvi> Zakim, [Mozilla] is tanvi_and_garrett
21:00:32 <Zakim> +tanvi_and_garrett; got it
21:00:45 <Zakim> +[GVoice]
21:00:50 <Zakim> + +1.866.294.aadd
21:00:59 <Zakim> + +1.714.488.aaee
21:01:19 <bhill2> neilm, are you OK to scribe - or did you already do it last time?
21:01:21 <grobinson> grobinson has joined #webappsec
21:01:30 <neilm> Zakim, aaee is neilm
21:01:30 <Zakim> +neilm; got it
21:01:45 <neilm> did it last time, glad to do it again (unless someone wants to do it)
21:01:59 <bhill2> next on list is jimio
21:02:04 <Zakim> -neilm
21:02:04 <jimio> I'm here too
21:02:09 <bhill2> mind scribing?
21:02:18 <klee> klee has joined #webappsec
21:02:28 <Zakim> +neilm
21:02:32 <jimio> no prob — I've probably forgotten some of my zakim shorthand
21:02:36 <bhill2> Scribe: Jim O'Leary
21:02:39 <bhill2> Scribenick: jimio
21:03:32 <jimio> here, on mute (I'm Gvoice)
21:03:53 <Zakim> +Wendy
21:04:06 <Zakim> +[Mozilla]
21:04:27 <ekr> ekr has joined #webappsec
21:04:40 <jimio> Zakim, [GVoice] is jimio
21:04:40 <Zakim> +jimio; got it
21:05:15 <bhill2> zakim, who is here?
21:05:15 <Zakim> On the phone I see abarth, bhill2, ccarson, gmaone, tanvi_and_garrett, jimio, +1.866.294.aadd, neilm, Wendy, [Mozilla]
21:05:17 <Zakim> tanvi_and_garrett has tanvi
21:05:17 <Zakim> On IRC I see ekr, klee, grobinson, tanvi, jimio, abarth, neilm, ccarson, RRSAgent, Zakim, bhill2, gmaone, dveditz, jeffh, yoav, trackbot, odinho, wseltzer, timeless, mkwst_
21:05:28 <bhill2> Topic: Minutes Approval
21:05:33 <bhill2> http://www.w3.org/2013/06/04-webappsec-minutes.html
21:06:10 <bhill2> Topic: Tracker
21:06:16 <bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:06:41 <Zakim> +??P10
21:06:49 <wseltzer> ACTION-104?
21:06:49 <trackbot> ACTION-104 -- Adam Barth to follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility -- due 2013-01-29 -- OPEN
21:06:49 <trackbot> http://www.w3.org/2011/webappsec/track/actions/104
21:07:20 <dveditz> Zakim, who is here?
21:07:20 <Zakim> On the phone I see abarth, bhill2, ccarson, gmaone, tanvi_and_garrett, jimio, +1.866.294.aadd, neilm, Wendy, [Mozilla], ??P10
21:07:21 <jimio> Adam: planning to give up on that action, to be marked as abandoned
21:07:22 <Zakim> tanvi_and_garrett has tanvi
21:07:22 <Zakim> On IRC I see ekr, klee, grobinson, tanvi, jimio, abarth, neilm, ccarson, RRSAgent, Zakim, bhill2, gmaone, dveditz, jeffh, yoav, trackbot, odinho, wseltzer, timeless, mkwst_
21:07:25 <bhill2> https://www.w3.org/2011/webappsec/track/actions/104
21:07:30 <wseltzer> ACTION-141?
21:07:30 <trackbot> ACTION-141 -- Adam Barth to update CSP 1.1 default-scr language to be more general, including coverage of areas not specified by other directives -- due 2013-06-11 -- OPEN
21:07:30 <trackbot> http://www.w3.org/2011/webappsec/track/actions/141
21:07:32 <dveditz> Zakim, ??P10 is dveditz
21:07:32 <Zakim> +dveditz; got it
21:07:58 <jimio> adam: holding off on action-141 until type-fetching spec plays out
21:08:03 <bhill2> https://www.w3.org/2011/webappsec/track/issues/pendingreview
21:08:17 <bhill2> actually: https://www.w3.org/2011/webappsec/track/actions/pendingreview
21:08:27 <jimio> 115: old, 138: made a change, update the item (if people are happy we can close).
21:08:41 <jimio> 138/139/140, if people are happy, let's close these out
21:09:04 <jimio> bhill2: LGTM, any other comments? (no comments - fine to mark complete)
21:09:17 <Zakim> + +1.781.369.aaff
21:09:42 <jimio> bhill2: mark 101 closed as well, we have our own test server that we can use
21:10:02 <gopal> gopal has joined #webappsec
21:10:47 <jimio> bhill2: 124 still open (thank you globalsign for the free cert), the other 2 are UISecurity that haven't been addressed yet
21:10:55 <wseltzer> trackbot, close ACTION-142
21:10:55 <trackbot> Closed ACTION-142 Email bhill, ekr, and tobie re github setup.
21:11:38 <jimio> dveditz: haven't heard any objections, can check these in and call the actions closed
21:11:57 <ekr> trackbot, close action-109
21:11:57 <trackbot> Closed ACTION-109 Add spec language to CSP 1.1 regarding certain directives not honored in META.
21:12:23 <ekr> trackbot, close action 97
21:12:23 <trackbot> Sorry, ekr, I don't understand 'trackbot, close action 97'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
21:12:30 <ekr> trackbot, close action-97
21:12:30 <trackbot> Closed ACTION-97 Propose spec language for policy-uri directive.
21:12:37 <trackbot> Sorry, wseltzer, I don't understand 'trackbot is particular about its -s'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.
21:13:10 <jimio> issue on URL vs URI terminology. do we talk about this now, or raise it as a separate issue? (to be logged, we're not going to resolve it on this call)
21:14:14 <jimio> can accept report-uri and make report-url a synonym in the spec
21:15:33 <jimio> no strong opinions in the room right now on uri vs url
21:18:01 <jimio> wseltzer: guidance on "url vs uri" objection, TAG can make objections around architectural issues (if this 'broke the web', this would be a reason not to approve the spec)
21:19:01 <jimio> consensus: we should do the right thing, and hopefully that is inline with what the TAG wants (let's discuss and have a response).
21:20:10 <tanvi> policy-href, policy-location ?
21:20:15 <jimio> abarth: what about 'href' instead of url/uri? but.. it doesn't really matter too much personally
21:21:28 <jimio> bhill2:  should focus more on substance over style - what really matters is how clients treat the responses
21:22:11 <jimio> bhill2:  would prefer 'href' to 'location' if we did decide to change this, given precedence
21:23:30 <jimio> (to be reviewed and brought back up with the list)
21:23:49 <neilm> neilm has joined #webappsec
21:24:12 <jimio> abarth: we'll have mike back for the next call (most likely)
21:24:18 <neilm> neilm has joined #webappsec
21:24:53 <ekr> trackbot, close issue-49
21:24:53 <trackbot> Closed ISSUE-49 add http response code to report?.
21:25:03 <ekr> trackbot: close issue-50
21:25:03 <trackbot> Closed ISSUE-50 plugin-type directive and media source list for IE CLSID guids.
21:25:11 <Zakim> -dveditz
21:25:44 <ekr> trackbot, close issue-51
21:25:44 <trackbot> Closed ISSUE-51 How to handle externally defined <element> with <link rel=import>.
21:26:02 <bhill2> https://www.w3.org/2011/webappsec/track/issues/47
21:26:44 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/att-0057/meta.txt
21:27:40 <ekr> trackbot, close issue-51
21:27:40 <trackbot> Closed ISSUE-51 How to handle externally defined <element> with <link rel=import>.
21:27:59 <bhill2> Topic: Error handling
21:28:05 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0102.html
21:28:55 <jimio> bhill2:  when originally raised, there were no objections other than a possible network retry on failure
21:29:02 <jimio> no objections in the room to making this change
21:29:44 <bhill2> ACTION abarth to update CSP1.1 to change error handling behavior for loading blocked resources
21:29:44 <trackbot> Created ACTION-143 - Update CSP1.1 to change error handling behavior for loading blocked resources [on Adam Barth - due 2013-07-09].
21:30:03 <bhill2> Topic: Fetching contexts, Default-src, connect-src, layering, etc.
21:31:58 <jimio> bhill2:  can we do this in a way that doesn't create dependencies between CSP and fetch spec?
21:32:22 <jimio> abarth:  don't want to get our spec blocked by an unstable reference that'll keep it from advancing
21:33:04 <Zakim> +[IPcaller]
21:33:14 <dveditz> Zakim, IPcaller is dveditz
21:33:14 <Zakim> +dveditz; got it
21:34:59 <bhill2> ACTION abarth to propose text on layering of fetch context types with CSP directives
21:34:59 <trackbot> Created ACTION-144 - Propose text on layering of fetch context types with CSP directives [on Adam Barth - due 2013-07-09].
21:35:16 <bhill2> Topic:   Inline whitelisting: hash vs. nonce
21:35:43 <jimio> bhill2: does anybody have a strong feeling that we should have one or the other, not both?
21:36:02 <jimio> seems messy to have both (~75% overlap), though distinct
21:36:13 <jimio> abarth:  feels like these are redundant, we should pick one first
21:36:51 <jimio> abarth:  if after implementing one, we hear from implementors about implementing the other, we revisit
21:37:35 <jimio> mozilla: hash is superior (hash is good for static/caching, less easy to do poorly, code that uses async inline JS would be easier to implement)
21:37:39 <grobinson> https://developers.google.com/analytics/devguides/collection/gajs/asyncTracking
21:38:02 <jimio> abarth:  on the downside, if you have more than one script, it bloats your policy
21:38:11 <jimio> neilm:  has concerns about caching (@twitter)
21:39:22 <jimio> neilm:  we probably wouldn't use nonce, due to potential caching issues
21:40:29 <Zakim> - +1.781.369.aaff
21:40:53 <jimio> if the nonce is reused because of cache, you could maybe introduce predictable nonce that could be known to attacker (via DOM injection?)
21:41:28 <jimio> abarth: cached page could include non-cached content that's different the next time it's loaded
21:41:51 <jimio> bhill2:  seems like we have strong usecases for both, that's why we want to see if there are strong objections to both
21:42:28 <jimio> (not too many people arguing for nonce on the call, but could be due to attendance)
21:43:15 <jimio> script-hash might also be helpful in content-integrity spec
21:45:20 <jimio> bhill2:  people are still experimenting with both. hear that google has invested in script-nonce, but google understands that it's something that might change
21:46:43 <jimio> bhill2:  still need solid spec-text on handling script-hash, should also add a note that both nonce&hash are being investigated and one will likely become deprecated
21:47:40 <bhill2> proposal:  if we get a solid hash source proposal, we can include it in the 1.1 draft with a warning note that it is likely only one of either nonce or hash will advance to Rec
21:48:45 <bhill2> Topic: base64 chars and min length in nonce
21:48:54 <bhill2> dveditz: minimum of 1
21:49:13 <jimio> minimum nonce length of 1. should accept b64 chars as some people are sending down b64 encoded nonces
21:49:14 <Zakim> +[IPcaller]
21:49:20 <bhill2> ACTION abarth to update nonce-value directive to allow b64, b64url chars, specify minimum length of 1
21:49:20 <trackbot> Created ACTION-145 - Update nonce-value directive to allow b64, b64url chars, specify minimum length of 1 [on Adam Barth - due 2013-07-09].
21:49:59 <bhill2> Topic: CSP and workers
21:50:00 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0054.html
21:50:40 <jimio> q: is this a new question? we've talked about this in the past
21:50:44 <bhill2> old thread: http://lists.w3.org/Archives/Public/public-webappsec/2013May/thread.html#msg12
21:51:34 <bhill2> ignore old thread, link, wrong...
21:52:59 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0060.html
21:53:18 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0059.html
21:53:30 <jimio> options: forbid connections from workers when policies aren't exactly equal. could we create copies of workers that aren't shared?
21:55:36 <jimio> bhill2: could workers be used to bypass restrictions: run eval, etc?
21:55:51 <jimio> abarth:  could do something similar with iframe today (load a new one with no CSP policy)
21:55:56 <bhill2> dveditz: perhaps best option is to supply policy with the worker?
21:56:18 <jimio> should we issue a warning when creating a same-domain iframe with a different CSP header?
21:56:29 <bhill2> dveditz: should we issue a warning when loading a same-origin iframe with no or a different CSP policy?
21:57:38 <bhill2> ACTION dveditz to respond to list, propose setting worker policy from header rather than inheriting it
21:57:38 <trackbot> Created ACTION-146 - Respond to list, propose setting worker policy from header rather than inheriting it [on Daniel Veditz - due 2013-07-09].
21:58:48 <jimio> neilm:  brought a nickgreen thread back to life on the list re: hashing
21:59:00 <jimio> bhill2:  proposal needs some brushing up
21:59:14 <Zakim> -[IPcaller]
21:59:16 <Zakim> -[Mozilla]
21:59:17 <Zakim> -dveditz
21:59:18 <Zakim> -neilm
21:59:20 <Zakim> -ccarson
21:59:21 <jimio> thanks :)
21:59:25 <Zakim> -Wendy
21:59:30 <Zakim> -bhill2
21:59:31 <Zakim> -tanvi_and_garrett
21:59:31 <Zakim> -gmaone
21:59:34 <Zakim> - +1.866.294.aadd
21:59:40 <Zakim> -abarth
21:59:48 <bhill2> zakim, list attendees
21:59:48 <Zakim> As of this point the attendees have been +1.650.648.aaaa, +1.303.229.aabb, +1.206.304.aacc, bhill2, ccarson, abarth, gmaone, tanvi, tanvi_and_garrett, +1.866.294.aadd,
21:59:51 <Zakim> ... +1.714.488.aaee, neilm, Wendy, [Mozilla], jimio, dveditz, +1.781.369.aaff, [IPcaller]
21:59:55 <bhill2> rrsagent, make minutes
21:59:55 <RRSAgent> I have made the request to generate http://www.w3.org/2013/07/02-webappsec-minutes.html bhill2
22:00:00 <bhill2> rrsagent, set logs public visible
22:00:17 <bhill2> bhill2 has left #webappsec
22:05:01 <Zakim> disconnecting the lone participant, jimio, in SEC_WASWG()5:00PM
22:05:03 <Zakim> SEC_WASWG()5:00PM has ended
22:05:03 <Zakim> Attendees were +1.650.648.aaaa, +1.303.229.aabb, +1.206.304.aacc, bhill2, ccarson, abarth, gmaone, tanvi, tanvi_and_garrett, +1.866.294.aadd, +1.714.488.aaee, neilm, Wendy,
22:05:03 <Zakim> ... [Mozilla], jimio, dveditz, +1.781.369.aaff, [IPcaller]
22:13:39 <neilm> neilm has joined #webappsec
22:19:18 <tanvi> tanvi has left #webappsec
22:21:42 <ekr> ekr has joined #webappsec
23:50:29 <ekr> ekr has joined #webappsec