20:57:15 RRSAgent has joined #webappsec
20:57:15 logging to http://www.w3.org/2013/09/10-webappsec-irc
20:57:22 zakim, this will be 92794
20:57:23 ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 3 minutes
20:57:44 Meeting: WebAppSecWG Teleconference, 9-Sep-2013
20:57:49 Chair: bhill2
20:57:55 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0020.html
20:58:08 regrets: ekr
20:58:33 gmaone has joined #webappsec
20:59:18 SEC_WASWG()5:00PM has now started
20:59:19 + +1.303.229.aaaa
21:00:35 zakim, aaaa is bhill2
21:00:35 +bhill2; got it
21:00:40 + +1.415.832.aabb
21:00:42 - +1.415.832.aabb
21:00:42 + +1.415.832.aabb
21:00:58 zakim, aabb is peleus
21:00:58 +peleus; got it
21:01:15 +??P2
21:01:18 + +1.866.294.aacc
21:01:22 Danesh has joined #webappsec
21:01:33 zakim, ??P2 is gmaone
21:01:33 +gmaone; got it
21:01:37 klee has joined #webappsec
21:02:01 +[Google]
21:02:12 dveditz has joined #webappsec
21:02:26 puhley has joined #webappsec
21:03:00 +[IPcaller]
21:03:10 zakim, dveditz is ipcaller
21:03:10 sorry, dveditz, I do not recognize a party named 'dveditz'
21:03:19 zakim, Google has danesh
21:03:19 +danesh; got it
21:03:26 zakim, IPcaller is dveditz
21:03:26 +dveditz; got it
21:03:54 neilm has joined #webappsec
21:04:12 sorry, I'll be a little late
21:04:24 hi, I'm the 866 number
21:04:58 zakim, who is here?
21:04:58 On the phone I see bhill2, peleus, gmaone, +1.866.294.aacc, [Google], dveditz
21:05:00 [Google] has danesh
21:05:00 On IRC I see neilm, puhley, dveditz, klee, Danesh, gmaone, RRSAgent, Zakim, bhill2, bhill, odinho, tlr, wseltzer, timeless, mkwst_, trackbot
21:05:08 zakim, aacc is klee
21:05:08 +klee; got it
21:05:59 +[Mozilla]
21:06:21 tanvi has joined #webappsec
21:06:27 Zakim, who is here?
21:06:27 On the phone I see bhill2, peleus, gmaone, klee, [Google], dveditz, [Mozilla]
21:06:29 [Google] has danesh
21:06:29 On IRC I see tanvi, neilm, puhley, dveditz, klee, Danesh, gmaone, RRSAgent, Zakim, bhill2, bhill, odinho, tlr, wseltzer, timeless, mkwst_, trackbot
21:06:42 zakim, Mozilla has tanvi
21:06:42 +tanvi; got it
21:06:42 Zakim, [Mozilla] is tanvi_grobinson
21:06:43 +tanvi_grobinson; got it
21:07:03 grobinson has joined #webappsec
21:07:31 scribenick: dveditz
21:07:47 http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0020.html
21:08:00 Topic: Minutes Approval
21:08:01 http://www.w3.org/2013/08/27-webappsec-minutes.html
21:08:12 bhill2: approval of the minutes? any objections?
21:08:23 bhill2: consider the minutes approved
21:08:31 bhill2: additional business to add?
21:08:49 bhill2: none, ok.... open issues review
21:08:50 Topic: Actions Review
21:08:51 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:09:07 bhill2: UI security is still backburnered
21:09:52 + +1.714.488.aadd
21:10:16 Zakin, aadd is neilm
21:10:21 bhill2: dveditz is the only other one with an item
21:10:26 Topic: blob, etc. urls
21:10:27 http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0010.html
21:10:32 dveditz: nothing new to report, investigating implementation
21:10:47 Zakin, aadd is neilm
21:10:52 Zakim, aadd is neilm
21:10:52 +neilm; got it
21:10:57 bhill2: currently have inconsistent behavior with data: and blob: between Firefox and Chrome
21:11:11 bhill: Chrome always treats them as equivalent, and the same as "self" and *
21:11:24 bhill: Firefox excludes them from * and treats them a little differently
21:11:54 bhill: proposal to the list was to exclude all schemes for inline content from matching *
21:12:29 bhill: dan proposed broadening: * should only match self's scheme (or allow https "upgrade" for an http: self)
21:12:59 http://*
21:13:01 https://*
21:13:32 bhill: reason to exclude inline content is that it isn't being retrieved, it's repackaged
21:16:29 If you want all schemes - e.g. img-src may not be considered security sensitive - there's no way to specify that
21:16:39 dveditz: yes, unless we introduce a *://* token... ugly
21:17:03 dveditz: but * meaning all schemes means safe policies must use the verbose http://* https://*
21:18:07 bhill: treating inline schemes as 'self' opens up xss-like (or eval-like) problems
21:18:41 bhill2 - proposal - for everything but script-src, we consider data/blob to be equivalent to self. for script-src we consider it equivalent to eval, because you can take string content anywhere in the dom, create a blob uri for it, inject a script element into the dom and set its source to be that blob uri.
21:19:56 dveditz - that is complex. it may be more safe but it seems like we should treat data/blob consistently one way or another.
21:20:38 dveditz - if you allow blob everywhere except in script-src and object-src (probably), then people have to ask a question every time they use it as to whether they need to add it to CSP
21:21:04 dveditz - maybe more consistent to just say inline data chunks need to be explicitly allowed if you want to use them
21:21:57 dveditz - Neal, does twitter use data/blob and have any thoughts? Neal - only use data urls for images. don't think we use any blobs.
21:22:52 Neal - if it's a blob, whether or not it should execute should depend on the uri used. if thrown in script-src, it won't work unless you whitelist it specifically
21:23:12 bhill: one of the core rules is no code from strings. this is a clear and obvious bypass
21:23:27 dveditz: I agree
21:27:05 action dveditz to document proposal of simply excluding blob:, data:, etc from matching * everywhere, no explicit tie to unsafe-eval
21:27:05 Created ACTION-149 - Document proposal of simply excluding blob:, data:, etc from matching * everywhere, no explicit tie to unsafe-eval [on Daniel Veditz - due 2013-09-17].
21:27:29 Topic: Close feature set of CSP 1.1?
21:27:30 http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0019.html
21:27:31 bhill: if blob must be specified everywhere then putting it in default-src is the equivalent of unsafe-eval. need to put a warning in the spec at least
21:28:20 bhill: need to specify/adjust our schedule again as part of coming up for consideration by the board group
21:28:30 bhill: so should we declare the feature set closed for 1.1
21:29:22 bhill: I've put a proposal on the mailing list
21:30:08 bhill: not a complete proposal, assuming the more settled new features are part of it
21:30:25 bhill: haven't heard any calls to remove any of those other features
21:31:10 bhill: group 1) resolved/settled and in the spec, group 2) mostly settled, in process, and 3) new proposals
21:33:08 bhill: do people think it's an appropriate time to close the feature set
21:33:38 +1 (avoiding muting/unmuting)
21:33:40 dveditz: yes, it's a good time to draw lines
21:34:03 bhill: will move call for consensus for the features on the bubble to the list
21:36:46 bye!
21:36:49 -peleus
21:36:50 dveditz: probably don't need both the SOS and cookie scope feature
21:36:51 thx!
21:36:52 -neilm
21:36:53 -[Google]
21:36:57 bye
21:37:03 -gmaone
21:37:04 bhill: the cookie scope proposal was more CSP-like
21:37:15 action bhill2 to post a CfC to the list on closing the CSP 1.1 feature set
21:37:15 Created ACTION-150 - Post a cfc to the list on closing the csp 1.1 feature set [on Brad Hill - due 2013-09-17].
21:37:22 rrsagent, set logs public-visible
21:37:25 -tanvi_grobinson
21:37:26 rrsagent make minutes
21:37:26 -dveditz
21:37:35 rrsagent, make minutes
21:37:35 I have made the request to generate http://www.w3.org/2013/09/10-webappsec-minutes.html bhill2
21:37:41 rrsagent, set logs public-visible
21:37:45 -klee
21:37:48 -bhill2
21:37:50 SEC_WASWG()5:00PM has ended
21:37:50 Attendees were +1.303.229.aaaa, bhill2, +1.415.832.aabb, peleus, +1.866.294.aacc, gmaone, danesh, dveditz, klee, tanvi, tanvi_grobinson, +1.714.488.aadd, neilm
21:37:50 tanvi: thanks for scribing while I was talking
21:38:05 bhill2: is there a retroactive way to include those bits?
21:38:16 neilm has joined #webappsec
21:39:37 dveditz: no problem
21:41:24 bhill2 has left #webappsec
21:48:30 bhill has left #webappsec
21:56:42 neilm has joined #webappsec
21:58:55 neilm_ has joined #webappsec
22:08:10 neilm_ has left #webappsec
22:12:34 grobinson has left #webappsec
22:15:33 bhill has joined #webappsec
22:15:44 bhill has left #webappsec
22:38:35 gmaone has joined #webappsec
23:00:53 neilm has joined #webappsec
23:42:48 tanvi has left #webappsec