20:46:52 <RRSAgent> RRSAgent has joined #webappsec
20:46:52 <RRSAgent> logging to http://www.w3.org/2013/07/16-webappsec-irc
20:47:11 <bhill2> aha.. so in the "status" window, "/invite zakim #webappsec"
20:53:05 <bhill2> Meeting: WebAppSec WG Teleconference 16-Jul-2013
20:53:47 <bhill2> Chair: bhill2
20:53:57 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0010.html
20:54:34 <bhill2> zakim, this will be 92794
20:54:34 <Zakim> ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 6 minutes
20:58:52 <Zakim> SEC_WASWG()5:00PM has now started
20:59:00 <Zakim> +bhill
20:59:07 <neilm> neilm has joined #webappsec
20:59:44 <Zakim> +??P2
21:00:09 <gmaone> Zakim, ??P2 is gmaone
21:00:09 <Zakim> +gmaone; got it
21:00:37 <Zakim> + +1.650.488.aaaa
21:00:51 <Zakim> +TimBL
21:00:58 <wseltzer> zakim, Timbl is really Wendy
21:00:58 <Zakim> +Wendy; got it
21:01:03 <tlr> tlr has joined #webappsec
21:01:50 <Zakim> + +1.714.488.aabb
21:02:09 <neilm> zakim, aabb is neilm
21:02:09 <Zakim> +neilm; got it
21:02:57 <Zakim> + +33.9.51.58.aacc
21:03:15 <bhill2> zakim, aacc is yoav
21:03:15 <Zakim> +yoav; got it
21:03:46 <bhill2> ekr sends his regrets
21:03:58 <mkwst_> zakim, aaaa is mkwst
21:03:58 <Zakim> +mkwst; got it
21:04:37 <Zakim> +[Mozilla]
21:04:41 <wseltzer> [Next meeting August 13]
21:04:50 <tanvi1> tanvi1 has joined #webappsec
21:04:55 <wseltzer> s/meeting/call/
21:05:00 <tanvi1> Zakim, who is here?
21:05:00 <Zakim> On the phone I see bhill, gmaone, mkwst, Wendy, neilm, yoav, [Mozilla]
21:05:01 <Zakim> On IRC I see tanvi1, tlr, neilm, RRSAgent, Zakim, gmaone, bhill2, yoav, odinho, wseltzer, trackbot, timeless, mkwst_
21:05:10 <tanvi1> Zakim, [Mozilla] is tanvi
21:05:11 <Zakim> +tanvi; got it
21:05:24 <bhill2> Topic: Minutes approval
21:05:27 <bhill2> http://www.w3.org/2013/06/04-webappsec-minutes.html
21:05:31 <tanvi1> tanvi1 has joined #webappsec
21:06:07 <wseltzer> [for future ref: scribe instructions https://www.w3.org/2008/xmlsec/Group/Scribe-Instructions.html ]
21:06:20 <bhill2> scribenick: mkwst
21:06:39 <mkwst> bhill2: objections to minutes?
21:06:45 <mkwst> everyone: ...
21:07:06 <mkwst> bhill2: agenda bashing!
21:07:12 <mkwst> bhill2: new topics?
21:07:24 <bhill2> Topic: Open Actions
21:07:30 <bhill2> http://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:08:26 <mkwst> bhill2: adam and dan aren't on the call. skipping.
21:08:32 <tanvi1> dan may be running late
21:08:33 <mkwst> bhill2: action-127
21:09:12 <Zakim> +[IPcaller]
21:09:13 <mkwst> mkwst: will address both issues this week.
21:09:34 <wseltzer> zakim, [IP is dveditz
21:09:34 <Zakim> +dveditz; got it
21:09:41 <mkwst> deveitz: hi.
21:09:44 <dveditz> dveditz has joined #webappsec
21:09:52 <mkwst> bhill2: dan, how about those open actions?
21:10:10 <mkwst> dveditz: nothing to add since last time.
21:10:18 <bhill2> Topic: script-hash proposal
21:10:24 <dveditz> Zakim, who is here?
21:10:24 <Zakim> On the phone I see bhill, gmaone, mkwst, Wendy, neilm, yoav, tanvi, dveditz
21:10:26 <Zakim> On IRC I see dveditz, tanvi1, tlr, neilm, RRSAgent, Zakim, gmaone, bhill2, yoav, odinho, wseltzer, trackbot, timeless, mkwst
21:10:30 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0003.html
21:11:11 <mkwst> bhill2: responded to that with some items still outstanding.
21:11:25 <mkwst> bhill2: moved from 'script-nonce' to nonces as a source expression.
21:11:35 <mkwst> bhill2: worth trying the same for 'script-hash'
21:12:01 <mkwst> several folks: yup. makes sense for me too.
21:12:08 <mkwst> bhill2: ni: scheme?
21:12:27 <mkwst> bhill2: semicolons are banned, and would need to be encoded (and ugly)
21:12:50 <mkwst> bhill2: but it exists, and its something we should look at as they might have already worked out some of the corner cases.
21:13:29 <mkwst> mkwst: verbose and ugly, but worth looking at.
21:13:40 <mkwst> dveditz: aren't hashes verbose and ugly?
21:13:54 <mkwst> bhill2: we could propose an alternate delimiter.
21:14:13 <mkwst> mkwst: where would we propose that?
21:14:35 <mkwst> bhill2: "use the rfc??? syntax with the following modification"
21:15:19 <mkwst> mkwst: seems like a reasonable solution.
21:15:47 <mkwst> dveditz: 'ni' is more like other url schemes, which is good.
21:16:07 <mkwst> bhill2: reusing common conventions.
21:16:15 <mkwst> bhill2: sounds like a reasonable place to start exploring.
21:16:30 <mkwst> dveditz: concern about proposal to convert to utf-8 and hash that.
21:16:44 <mkwst> dveditz: script is delivered to the browser in some way, can't we just hash what we get?
21:16:47 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0004.html
21:16:51 <mkwst> bhill2: i had the same concern in my reply.
21:16:56 <mkwst> bhill2: ^^
21:17:12 <mkwst> bhill2: utf-8 is nonpreferred for some languages.
21:17:34 <mkwst> dveditz: lots of text content, but lots of script?
21:17:46 <mkwst> bhill2: inline script === text.
21:17:56 <mkwst> dveditz: hash only for content of script tag, right?
21:18:06 <mkwst> bhill2: what that turns into depends on the document's encoding.
21:18:18 <mkwst> bhill2: differences between utf-8 and other encodings.
21:18:44 <mkwst> dveditz: server sends script and encoding, we should trust it.
21:19:02 <mkwst> bhill2: force a document to declare an explicit encoding.
21:19:20 <mkwst> bhill2: resolves the problem of potentially rehashing/comparing content.
21:19:59 <mkwst> dveditz: may be difficult for Firefox to get access to the raw bytes.
21:20:12 <mkwst> dveditz: we may have to bite it off anyway.
21:20:30 <mkwst> dveditz: having bytes come out with different hash because of charset seems wrong. bytes are bytes.
21:21:14 <mkwst> yoav: not reencoding to utf-8 on the browser sounds like the right thing to do.
21:21:20 <mkwst> yoav: error prone.
21:21:42 <mkwst> bhill2: encoding = open question. needs more exploration.
21:21:46 <mkwst> bhill2: moving on...
21:22:02 <mkwst> bhill2: which algorithms should we support?
21:22:04 <dveditz> yoav was in particular thinking of the problems the server would have trying to hash it according to what it thought a browser would encode it as
21:22:17 <mkwst> bhill2: rfc5920: agreement in code points with webcrypto?
21:22:56 <mkwst> bhill2: allow truncation of the hash?
21:23:13 <mkwst> bhill2: xml digital signatures did.
21:23:14 <tlr> after a decade
21:23:39 <mkwst> bhill2: don't want to repeat the one-character-truncation problem.
21:23:57 <mkwst> bhill2: canonicalization? no?
21:24:11 <mkwst> bhill2: might not be in control of the developer. perf. optimizations/transformations.
21:24:17 <Zakim> -yoav
21:24:42 <mkwst> mkwst: bytes is bytes sounds good.
21:25:02 <Zakim> +yoav
21:25:05 <mkwst> dveditz: optimizing proxies?
21:25:53 <mkwst> mkwst: mobile operators that optimize whitespace?
21:26:08 <dveditz> transport compression ought to do that well enough, right?
21:26:24 <mkwst> yoav: not predictable. optimizing proxies would need to avoid those transformations.
21:27:02 <mkwst> mkwst: i don't think we should try to support the pagespeed case. code is different when it comes out the other end.
21:27:27 <mkwst> bhill2: next. scripts can have different content-types. vbscript!
21:27:40 <mkwst> bhill2: inert inline script with nonexecutable content-type.
21:27:57 <mkwst> bhill2: should we include that?
21:28:16 <mkwst> mkwst: what's the threat?
21:28:30 <mkwst> bhill2: valid code in two languages? perhaps far-fetched.
21:28:51 <tlr> comment formats
21:29:01 <mkwst> dveditz: hashes have to be the same. seems unlikely.
21:29:34 <mkwst> dveditz: would the text of the script tag remain in the dom?
21:29:40 <mkwst> dveditz: just execution, i suppose.
21:29:44 <mkwst> bhill2: yeah.
21:29:57 <mkwst> dveditz: we don't load non-matching scripts for the src case.
21:30:10 <mkwst> bhill2: twitter uses inline JSON.
21:30:28 <mkwst> bhill2: still in the spirit of things.
21:30:44 <mkwst> bhill2: algorithm agility.
21:31:11 <mkwst> bhill2: sha-4? if the browser doesn't understand the hash type, how does it fail?
21:31:27 <mkwst> bhill2: what's the failure mode?
21:31:42 <mkwst> dveditz: can't compute a matching hash, will block the ununderstood code.
21:32:14 <mkwst> bhill2: specify sha-1 and sha-3 hashes for script. what should the UA do?
21:32:28 <mkwst> bhill2: perhaps only accept the strongest hashing algo. it knows about?
21:33:00 <mkwst> dveditz: what does "strongest" mean.
21:33:29 <mkwst> bhill2: ordering should be left to the UA.
21:34:01 <mkwst> bhill2: specify multiple algorithms, but include a hash in each algorithm for each resource?
21:34:58 <mkwst> dveditz: not always the case that multiple hash types means multiple listings for each resource.
21:35:08 <mkwst> bhill2: composing policies might also be difficult.
21:35:15 <mkwst> dveditz: only inline content?
21:35:56 <mkwst> dveditz: ni: can include a domain; if we hash loaded content, it would be nice to force usage for performance reasons.
21:36:16 <mkwst> dveditz: if you see two hash types, you have to hash all content twice.
21:36:50 <mkwst> dveditz: performance issues.
21:37:17 <mkwst> bhill2: if sha-1 is broken, what's the migration strategy?
21:37:23 <mkwst> mkwst: UA sniffing?
21:37:53 <mkwst> <sorry, baby. back in a sec. can someone take over scribing?>
21:38:50 <dveditz> yoav: what's the problemw ith accepting only the strongest hash? wouldn't that avoid the perf penalties
21:39:33 <dveditz> dveditz: the different hashes might be from different sources and cover different chunks of content
21:40:02 <dveditz> dveditz: also, which is "strongest"? we'd have to define
21:40:22 <dveditz> yoav: would the policy refer to content ids?
21:40:48 <dveditz> bhill2: I think writing this out and sending it to the list would be the right thing to do here
21:41:23 <dveditz> bhill2: any volunteers to improve this proposal?
21:41:41 <dveditz> bhill2: neil, can you advocate for this proposal?
21:41:47 <dveditz> neilm: sure
21:42:00 <bhill2> list from: http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0004.html
21:42:39 <bhill2> ACTION neilm to propose updated hash source text to list addressing http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0004.html
21:42:39 <trackbot> Created ACTION-147 - Propose updated hash source text to list addressing http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0004.html [on Neil Matatall - due 2013-07-23].
21:43:09 <mkwst> bhill2: thanks neilm!
21:43:11 <dveditz> mkwst: I don't think the scribe will get my stuff automatically... you may want to cut and paste it back
21:43:19 <bhill2> Topic:  CSSOM and unsafe-eval
21:43:20 <dveditz> unless there's some magic commands
21:43:29 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0006.html
21:43:48 <mkwst> bhill2: post from ian: ^^.
21:43:52 <dveditz> retroactively?
21:44:01 <dveditz> :-)
21:44:52 <bhill2> https://bugzilla.mozilla.org/show_bug.cgi?id=873302
21:45:07 <wseltzer> i|<sorry|scribenick: dveditz
21:45:16 <mkwst> dveditz: we don't block innerHTML, which can be eval-like.
21:45:22 <wseltzer> i|bhill2: thanks neilm!
21:45:23 <mkwst> dveditz: is that a bug?
21:45:34 <wseltzer> i|bhill2: thanks neilm|scribenick: mkwst
21:46:07 <mkwst> bhill2: there's a request to do something about that. script-src, innerhtml directive, etc.
21:46:22 <mkwst> bhill2: my understanding of cssom is incomplete.
21:46:42 <mkwst> bhill2: sounds reasonable on its face.
21:47:28 <mkwst> dveditz: does anyone know of problems that people have had with cssom injection problems?
21:47:54 <mkwst> dveditz: if scripts are approved, that might be good enough.
21:48:29 <mkwst> bhill2: no strong opinions on today's call.
21:48:36 <mkwst> bhill2: table this, poke the list.
21:48:58 <bhill2> Topic: CORS to PR
21:49:55 <bhill2> http://webappsec-test.info/~bhill2/pub/CORS/index.html
21:50:02 <mkwst> bhill2: anne won't be editing the spec, licensing.
21:50:03 <bhill2> diffmarked verison at: http://services.w3.org/htmldiff?doc1=http%3A%2F%2Fwww.w3.org%2FTR%2F2013%2FCR-cors-20130129%2F&doc2=http%3A%2F%2Fwebappsec-test.info%2F~bhill2%2Fpub%2FCORS%2Findex.html
21:50:12 <bhill2> (all in email of : http://lists.w3.org/Archives/Public/public-webappsec/2013Jul/0009.html )
21:50:28 <mkwst> bhill2: only ~2 substantive changes.
21:50:37 <mkwst> bhill2: change reference to the Fetch spec.
21:50:57 <mkwst> bhill2: whatwg spec, not stable, not likely to become stable in the timeline we're looking at.
21:51:16 <tlr> q+
21:51:17 <mkwst> bhill2: CORS shouldn't rely on it. should instead use fetching resources from html5.
21:51:43 <mkwst> tlr: html5 is in cr.
21:52:04 <mkwst> tlr: support changing the reference. will need to talk to them to see if fetching there is stable.
21:52:25 <mkwst> tlr: it's the right step, but talk with HTML after making the change.
21:52:47 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html
21:52:53 <bhill2> add 204 as valid OK status code
21:53:02 <mkwst> bhill2: other change: add 204 as valid status code.
21:53:09 <mkwst> bhill2: will need some test code.
21:53:22 <mkwst> bhill2: mozilla implemented that, not sure about webkit.
21:54:18 <mkwst> bhill2: you get 7 minutes of your life back! enjoy!
21:54:21 <wseltzer> wseltzer has changed the topic to: next call, August 13
21:54:26 <mkwst> bhill2: next call in one month, aug 13.
21:54:40 <Zakim> -Wendy
21:54:43 <Zakim> -neilm
21:54:48 <Zakim> -dveditz
21:54:51 <Zakim> -yoav
21:54:54 <Zakim> -gmaone
21:54:57 <bhill2> zakim, list attendees
21:54:57 <Zakim> As of this point the attendees have been bhill, gmaone, +1.650.488.aaaa, Wendy, +1.714.488.aabb, neilm, +33.9.51.58.aacc, yoav, mkwst, tanvi, [IPcaller], dveditz
21:55:02 <bhill2> rrsagent, make minutes
21:55:02 <RRSAgent> I have made the request to generate http://www.w3.org/2013/07/16-webappsec-minutes.html bhill2
21:55:08 <bhill2> rrsagent, set logs public-visible
21:55:37 <Zakim> -bhill
21:56:05 <yoav> yoav has left #webappsec
21:56:19 <Zakim> -tanvi
21:57:12 <tanvi> tanvi has left #webappsec
22:05:00 <Zakim> disconnecting the lone participant, mkwst, in SEC_WASWG()5:00PM
22:05:06 <Zakim> SEC_WASWG()5:00PM has ended
22:05:06 <Zakim> Attendees were bhill, gmaone, +1.650.488.aaaa, Wendy, +1.714.488.aabb, neilm, +33.9.51.58.aacc, yoav, mkwst, tanvi, [IPcaller], dveditz
23:08:18 <tanvi> tanvi has joined #webappsec