IRC log of webappsec on 2013-10-22

Timestamps are in UTC.

20:33:44 [RRSAgent]
RRSAgent has joined #webappsec
20:33:44 [RRSAgent]
logging to
20:33:46 [trackbot]
RRSAgent, make logs world
20:33:46 [Zakim]
Zakim has joined #webappsec
20:33:48 [trackbot]
Zakim, this will be
20:33:48 [Zakim]
I don't understand 'this will be', trackbot
20:33:49 [trackbot]
Meeting: Web Application Security Working Group Teleconference
20:33:49 [trackbot]
Date: 22 October 2013
20:34:13 [wseltzer]
zakim, this will be WASWG
20:34:13 [Zakim]
ok, wseltzer; I see SEC_WASWG()5:00PM scheduled to start in 26 minutes
20:34:49 [wseltzer]
wseltzer has changed the topic to: Agenda 22 Oct:
20:51:15 [Zakim]
SEC_WASWG()5:00PM has now started
20:51:46 [Zakim]
SEC_WASWG()5:00PM has ended
20:51:46 [Zakim]
Attendees were glenn
20:51:59 [glenn]
zakim, this will be WASWG
20:51:59 [Zakim]
ok, glenn; I see SEC_WASWG()5:00PM scheduled to start in 9 minutes
20:55:47 [bhill2]
bhill2 has joined #webappsec
20:56:06 [ekr]
ekr has joined #webappsec
20:56:32 [ekr]
bhill2: test received
20:56:36 [ekr]
I will be a few minutes
20:57:00 [bhill2]
Meeting: WebAppSec WG Teleconference, 22-Oct-2013
20:57:05 [bhill2]
Chairs: bhill2, ekr
20:57:27 [bhill2]
zakim, this will be 92794
20:57:27 [Zakim]
ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 3 minutes
20:57:49 [Zakim]
SEC_WASWG()5:00PM has now started
20:59:30 [wseltzer]
Charter diff:;r2=1.12;f=h
21:00:05 [ccarson]
ccarson has joined #webappsec
21:00:41 [abarth]
abarth has joined #webappsec
21:00:43 [mkwst]
Zakim, +??P4 is mkwst
21:00:43 [Zakim]
sorry, mkwst, I do not recognize a party named '+??P4'
21:00:51 [mkwst]
Zakim, ??P4 is mkwst
21:00:51 [Zakim]
+mkwst; got it
21:02:20 [bhill2]
is P6 giorgio?
21:02:32 [gmaone]
zakim, ??P6 is gmaone
21:02:32 [Zakim]
+gmaone; got it
21:02:50 [jww]
jww has joined #webappsec
21:03:00 [tanvi]
tanvi has joined #webappsec
21:03:10 [Zakim]
+ +1.650.386.aaaa
21:03:29 [tanvi]
Zakim, aaaa is tanvi
21:03:29 [Zakim]
+tanvi; got it
21:04:07 [tanvi]
Zakim, who is here
21:04:07 [Zakim]
tanvi, you need to end that query with '?'
21:04:11 [tanvi]
Zakim, who is here?
21:04:11 [Zakim]
On the phone I see BHill, Wendy, abarth, glenn, mkwst, CCarson, gmaone, gopal, tanvi
21:04:13 [Zakim]
On IRC I see tanvi, jww, abarth, ccarson, ekr, bhill2, Zakim, RRSAgent, gmaone, neilm, glenn, trackbot, mkwst, timeless, wseltzer
21:04:25 [klee]
klee has joined #webappsec
21:05:42 [bhill2]
Gopal, are you able to scribe? JeffH sent his regrets today, you are next.
21:05:59 [Zakim]
+ +1.714.795.aabb
21:06:15 [bhill2]
scribenick: mkwst
21:06:16 [puhley]
puhley has joined #webappsec
21:06:20 [neilm]
Zakim, aabb is neilm
21:06:20 [Zakim]
+neilm; got it
21:06:35 [bhill2]
zakim, who is here?
21:06:35 [Zakim]
On the phone I see BHill, Wendy, abarth, glenn, mkwst, CCarson, gmaone, gopal, tanvi, neilm
21:06:37 [Zakim]
On IRC I see puhley, klee, tanvi, jww, abarth, ccarson, ekr, bhill2, Zakim, RRSAgent, gmaone, neilm, glenn, trackbot, mkwst, timeless, wseltzer
21:06:51 [bhill2]
TOPIC: Minutes approval
21:06:56 [bhill2]
last meeting's draft at:
21:07:09 [mkwst]
bhill: Objections to approving minutes?
21:07:14 [mkwst]
everyone: ...
21:07:18 [mkwst]
bhill: approved.
21:07:19 [bhill2]
TOPIC: Agenda Bashing
21:07:30 [mkwst]
bhill: Any other business?
21:07:33 [bhill2]
ack wseltzer
21:07:36 [Zakim]
+ +1.415.596.aacc
21:07:52 [dveditz]
dveditz has joined #webappsec
21:08:14 [mkwst]
wseltzer: Charter? Add to agenda, reps should comment.
21:08:29 [bhill2]
zakim, aacc is puhley
21:08:29 [Zakim]
+puhley; got it
21:08:35 [wseltzer]
s/reps should comment/thanks to those whose reps commented/
21:08:40 [bhill2]
TOPIC: tracker
21:11:05 [mkwst]
bhill: delay ACTION-141 to mid-December. Not CSP 1.1.
21:11:14 [mkwst]
bhill: ACTION-143
21:11:48 [mkwst]
(sorry; missed a bit there. my network connection is poor.)
21:11:57 [mkwst]
bhill: push ACTION-143 to next call.
21:12:07 [mkwst]
bhill: ACTION-144. Not tackling that in 1.1.
21:12:26 [mkwst]
bhill: ACTION-133. Consider that done.
21:12:38 [mkwst]
bhill: Cannot normatively spec what's in xpath.
21:13:06 [mkwst]
bhill: Structure changes dynamically. Implementers might want to include additional metadata, tagging ancestor elements.
21:13:16 [mkwst]
bhill: Closing, comment directly on draft.
21:13:30 [mkwst]
bhill: ACTION-146.
21:13:42 [Zakim]
+ +1.781.369.aadd
21:14:10 [wseltzer]
zakim, aadd is gopal
21:14:10 [Zakim]
+gopal; got it
21:14:16 [mkwst]
bhill: Both of dveditz's actions are still open.
21:14:28 [mkwst]
bhill: script interface?
21:15:03 [mkwst]
mkwst: would like to get something into 1.1 if possible.
21:15:14 [mkwst]
bhill: nice to have. can we get it done?
21:15:24 [mkwst]
bhill: due date? help?
21:15:25 [gopal]
gopal has joined #webappsec
21:15:52 [mkwst]
mkwst: probably. what's the 1.1 timeframe?
21:16:07 [mkwst]
bhill: October. It would be nice not to slip.
21:16:40 [mkwst]
mkwst: if i can't get it done this week, let's bump it.
21:16:46 [mkwst]
bhill: updating due date.
21:16:59 [mkwst]
bhill: referrer policy, closing.
21:17:23 [mkwst]
bhill: new text for extension/CSP interaction.
21:17:49 [mkwst]
mkwst: i thought dveditz was doing that. oops. will do that this week.
21:18:05 [mkwst]
glenn: i'll work on that with mike.
21:18:11 [mkwst]
bhill: updating due date.
21:18:30 [bhill2]
TOPIC: UISecurity input protection algorithm
21:18:46 [mkwst]
bhill: posted a new draft of UISecurity spec.
21:19:05 [trackbot]
ACTION-134 -- Brad Hill to report dependencies on event types -- due 2013-05-25 -- PENDINGREVIEW
21:19:42 [mkwst]
bhill: touch/pointer events might not be defined in all agents;
21:20:18 [mkwst]
bhill: "should" requirement documented in
21:20:35 [mkwst]
bhill: does that avoid the dependencies, abarth?
21:20:41 [mkwst]
abarth: looks fine.
21:20:46 [mkwst]
bhill: closing.
21:21:06 [mkwst]
bhill: compositing.
21:21:16 [mkwst]
bhill: text to list, comments back from david.
21:21:29 [mkwst]
bhill: new editor's draft. comments or questions?
21:22:02 [mkwst]
bhill: new algorithm looks good. might even be faster than the previous.
21:22:29 [mkwst]
bhill: looks like we could reuse some of the things coming up in webrtc; tab capture, etc.
21:22:58 [mkwst]
bhill: tracking dynamic region of changes for input protection might be problematic.
21:23:23 [mkwst]
bhill: remove ability to specify clipping rectangle around cursor?
21:23:51 [mkwst]
bhill: if no clipping window, and specify document root, probably breaks things.
21:25:02 [mkwst]
gmaone: is this a roadblock we can't work around?
21:25:15 [mkwst]
bhill: leave them in for now.
21:25:24 [mkwst]
bhill: if at risk, we can make a decision later.
21:25:46 [bhill2]
TOPIC: frame-options location
21:26:13 [mkwst]
bhill: thoughts on moving frame-options out of UISecurity?
21:26:40 [mkwst]
bhill: dveditz proposed it. ian liked it.
21:26:48 [mkwst]
bhill: will this change the speed of adoption?
21:26:54 [mkwst]
tanvi: why is it a bad idea?
21:27:19 [mkwst]
bhill: collection of related functionality in UISecurity spec. about ready to go to last call there.
21:27:56 [mkwst]
bhill: one cohesive document describing approach to securing UI.
21:28:02 [mkwst]
tanvi: timelines will be fairly similar?
21:28:13 [mkwst]
bhill: editorial timelines similar.
21:28:51 [mkwst]
bhill: browser folks comment on implementations?
21:29:33 [mkwst]
abarth: questions about how the whole thing would look in compositor model.
21:29:59 [mkwst]
bhill: maybe talk to whitehat folks. they like security. and they have a browser.
21:30:25 [mkwst]
tanvi: frame-options. firefox has frame-ancestors, which does more or less the same thing.
21:30:33 [mkwst]
tanvi: kept in both prefixed and unprefixed header.
21:30:48 [mkwst]
tanvi: folks can use it now, but we'd like to switch to the standard syntax.
21:31:07 [mkwst]
bhill: input protection heuristic?
21:31:14 [mkwst]
tanvi: don't know if anyone's looked at that.
21:31:41 [mkwst]
bhill: let's revisit this before last call.
21:32:05 [bhill2]
TOPIC: script hashes, inline and src'd
21:32:37 [mkwst]
bhill: inline content only seems to be the way the list is going.
21:33:01 [mkwst]
bhill: external script via separate spec; subresource integrity.
21:33:16 [mkwst]
bhill: no objection to script hashes applying only to inline content.
21:33:23 [bhill2]
TOPIC: referrer control strawman
21:34:23 [bhill2]
mkwst: more or less direct relationship to referrer control meta implemented in webkit browsers
21:34:44 [bhill2]
three questions:
21:34:55 [bhill2]
mkwst: ... 1: a good idea?
21:35:16 [bhill2]
... 2: how integration with Fetch should work or refer to / integrate with W3C spec?
21:35:23 [bhill2]
... 3. never mind..
21:35:53 [mkwst]
mkwst: 3. multiple policies?
21:35:55 [bhill2]
... 3. multiple policies?
21:38:18 [mkwst]
mkwst: questions around whether conflict resolution is reasonable. use-cases for single-page applications to inject policy for various views.
21:38:25 [bhill2]
abarth: this is where a DOM API would be good, to set/unset it
21:39:37 [mkwst]
mkwst: allowing loosening referrer policy would be different than other directives.
21:39:55 [bhill2]
abarth: we could be in a better place in the future when better at mutating policies
21:39:56 [mkwst]
abarth: might have some sort of mutable vs. immutable policy distinction.
21:40:28 [mkwst]
bhill: could specify something around the api such that headers are immutable, but api-settings might be more flexible.
21:40:47 [mkwst]
abarth: setting via api when views change.
21:41:23 [mkwst]
mkwst: wait?
21:41:33 [mkwst]
abarth: we might address use cases in a different way.
21:42:29 [mkwst]
mkwst: a little concerned about having differing behaviors for <meta> vs CSP.
21:43:27 [mkwst]
abarth: introduces complexity to referrer policy for a document. if it comes from one, mutable, from the other, immutable.
21:44:13 [ekr]
sorry had to go
21:44:27 [mkwst]
mkwst: will ask for feedback on the list with a more clear description of the problem.
21:44:35 [mkwst]
bhill: other business? charter update.
21:44:40 [bhill2]
TOPIC: Charter update, AOB
21:45:27 [mkwst]
wseltzer: proposed charter, went to advisory committee, members indicated support.
21:45:59 [mkwst]
wseltzer: comments: perhaps the group should add something about CSP for the legacy web, and for established frameworks like jQuery.
21:46:22 [mkwst]
wseltzer: is there anything we might want to clarify, respond to those comments about the scope?
21:46:46 [mkwst]
bhill: script hash/nonce are the major attempt in 1.1 to deal with legacy.
21:47:08 [mkwst]
bhill: not problematic to add that to scope explicitly.
21:47:21 [mkwst]
bhill: legacy libraries, eval is probably the main problem.
21:47:42 [mkwst]
bhill: is CSP the right place to tackle that? perhaps tainting would be better?
21:47:47 [mkwst]
bhill: more fundamental change.
21:48:30 [mkwst]
bhill: think we're getting good traction, actually.
21:48:51 [mkwst]
??: feature detection would be useful.
21:49:06 [mkwst]
bhill: yes, that's certainly an interesting part of 1.1.
21:49:17 [bhill2]
ack wseltzer
21:49:22 [mkwst]
bhill: objections to adding language to charter to deal with legacy?
21:49:47 [mkwst]
wseltzer: would also be fine to respond that we're working on that, without making any changes to charter.
21:50:06 [mkwst]
wseltzer: next step is to present to tomorrow's w3c meeting.
21:50:45 [mkwst]
bhill: thanks, and good night!
21:50:46 [bhill2]
rrsagent, make logs public-visible
21:50:52 [bhill2]
rrsagent, make minutes
21:50:52 [RRSAgent]
I have made the request to generate bhill2
21:51:08 [gopal]
gopal has left #webappsec
21:51:09 [bhill2]
rrsagent, set logs public-visible
21:51:30 [bhill2]
bhill2 has left #webappsec
21:54:28 [wseltzer]
trackbot, end teleconf
21:54:28 [trackbot]
Zakim, list attendees
21:54:28 [Zakim]
As of this point the attendees have been BHill, Wendy, abarth, glenn, mkwst, CCarson, gopal, gmaone, +1.650.386.aaaa, tanvi, +1.714.795.aabb, neilm, ekr, +1.415.596.aacc, puhley,
21:54:31 [Zakim]
... +1.781.369.aadd
21:54:36 [trackbot]
RRSAgent, please draft minutes
21:54:36 [RRSAgent]
I have made the request to generate trackbot
21:54:37 [trackbot]
RRSAgent, bye
21:54:37 [RRSAgent]
I see no action items