IRC log of webappsec on 2014-01-14

Timestamps are in UTC.

21:56:06 [RRSAgent]
RRSAgent has joined #webappsec
21:56:06 [RRSAgent]
logging to
21:56:14 [Zakim]
Zakim has joined #webappsec
21:56:29 [bhill2]
Meeting: WebAppSec Teleconference 14 Jan 2014
21:56:32 [bhill2]
Chair: bhill2
21:56:43 [bhill2]
zakim, this will be 92794
21:56:43 [Zakim]
ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 4 minutes
21:58:10 [Zakim]
SEC_WASWG()5:00PM has now started
21:58:58 [neilm]
Zakim [IPcaller] is neilm
21:59:04 [neilm]
Zakim, [IPcaller] is neilm
21:59:04 [Zakim]
+neilm; got it
21:59:17 [freddyb]
freddyb has joined #webappsec
22:00:31 [dveditz]
dveditz has joined #webappsec
22:01:12 [freddyb]
I am this "??P2", Zakim reports...and have yet to find out how this all works :)
22:01:15 [terri]
terri has joined #webappsec
22:01:38 [Zakim]
+ +1.503.712.aaaa
22:01:38 [dveditz]
Zakim, dveditz is IPcaller
22:01:40 [Zakim]
sorry, dveditz, I do not recognize a party named 'dveditz'
22:01:47 [dveditz]
Zakim, IPCaller is dveditz
22:01:47 [Zakim]
+dveditz; got it
22:01:47 [gmaone]
Zakim, ??P5 is gmaone
22:01:48 [Zakim]
+gmaone; got it
22:01:52 [freddyb]
Zakim: I am ??P2
22:02:06 [gmaone]
Zakim, ??P2 is freddyb
22:02:06 [Zakim]
+freddyb; got it
22:02:10 [freddyb]
gmaone: thanks :)
22:02:21 [mkwst]
mkwst has joined #webappsec
22:02:27 [terri]
Zakim, I am aaaa
22:02:27 [Zakim]
+terri; got it
22:02:33 [bhill2]
Scribe: Neil Matatall
22:02:37 [bhill2]
Scribenick: neilm
22:02:53 [bhill2]
Regrets: ekr
22:03:02 [klee]
klee has joined #webappsec
22:04:03 [terri]
can't tell if the call dropped or what.
22:04:04 [freddyb]
it's completely quiet for me
22:04:34 [bhill2]
today's agenda
22:04:39 [bhill2]
zakim, who is here?
22:04:39 [Zakim]
On the phone I see neilm, BHill, freddyb, dveditz, gmaone, gopal, terri, mkwst, Wendy
22:04:41 [Zakim]
On IRC I see klee, mkwst, terri, dveditz, freddyb, Zakim, RRSAgent, bhill2, neilm, gmaone, timeless, wseltzer, trackbot
22:05:10 [bhill2]
TOPIC: minutes approval
22:05:39 [bhill2] < - real minutes link
22:05:51 [bhill2]
TOPIC: Agenda bashing
22:10:56 [bhill2]
TOPIC: New conference call time
22:12:05 [neilm]
bhill2: not going to close voting today, perhaps 8 or 9 PST
22:12:20 [freddyb]
I considered this a representative week, fwiw
22:12:51 [neilm]
... Monday 8:30 PST and Friday ??? likely candidates
22:13:36 [neilm]
... who is security lover? Speak up :)
22:13:54 [klee]
8:30 pm or am?
22:14:11 [neilm]
klee: AM PST
22:14:21 [klee]
I'd be down with that
22:15:30 [bhill2]
TOPIC: Open Actions
22:16:20 [Zakim]
+ +1.415.832.aabb
22:17:03 [puhley]
puhley has joined #webappsec
22:20:32 [bhill2]
TOPIC: CSP 1.1 updates
22:21:22 [neilm]
mkwst: 1. removed most of script interface, needs to be reworked
22:21:43 [neilm]
... suggested push out to 1.2 (policy violation event still exists)
22:22:34 [neilm]
... 2. meta element changes converting todos
22:23:12 [neilm]
... 3: Workers no longer inherit policy automatically, rather when generated from origins w/ unique urls.
22:23:57 [neilm]
... 4: new child-src directive, default context source list, used for frame/worker/popup-src directives
22:24:25 [neilm]
... and child-src inherits from default-src
22:26:13 [neilm]
... nothing governs
22:29:27 [freddyb]
in general, if you're not talking: please mute. the feedback is indeed annoying
22:29:49 [terri]
I'm having trouble hearing much of anything because of it.
22:29:51 [grobinson|laptop]
grobinson|laptop has joined #webappsec
22:30:02 [bhill2]
zakim, who is making noise?
22:30:15 [Zakim]
bhill2, listening for 10 seconds I heard sound from the following: BHill (14%), dveditz (73%), mkwst (31%)
22:31:36 [freddyb]
on a sidenote, when it comes to directives: was it discussed in this WG whether it makes sense to put html imports into script-src?
22:31:55 [bhill2]
freddy: yes, that was the conclusion we came to
22:32:08 [neilm]
dveditz: potential issues around workers [noise]
22:32:48 [freddyb]
bhill2: thanks. I'll read up first then
22:32:49 [neilm]
... no need for child-src && worker-src, or just have separate frame/worker-src
22:33:58 [grobinson|laptop]
dveditz: is there a cell phone nearby? sometimes they create interference that sounds like that
22:34:29 [neilm]
???: complexity is a leading blocker for adoption
22:34:30 [dveditz]
who is speaking? apf?
22:34:52 [bhill2]
was that terri oda speaking?
22:35:05 [terri]
yes, I'm the former academic on the call
22:38:15 [mkwst]
bah. dialing back in.
22:39:25 [Zakim]
+ +49.162.102.aacc
22:39:25 [neilm]
bhill2: Ian's ideas around CSSOM appear to have no objections and decent support
22:39:59 [mkwst]
zakim, i am aacc
22:39:59 [Zakim]
+mkwst; got it
22:40:54 [neilm]
bhill2: frame-ancestors in 1.1 (not frame-options)
22:41:32 [neilm]
github ftw
22:41:39 [bhill2]
TOPIC: Back compat in CSP
22:43:05 [neilm]
bhill2: requiring eval for cssom might break things
22:43:31 [neilm]
mkwst: if we feel it's an issue, we need to base decisions on data
22:44:17 [neilm]
... adding eval to style-src
22:45:36 [neilm]
bhill2: does this impact chrome extensions and the like?
22:45:38 [neilm]
mkwst: no
22:46:35 [bhill2]
TOPIC: Sub-Resource Integrity Strawman and Use-Cases
22:47:22 [dveditz]
Firefox OS privileged apps have a default CSP of "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
22:47:47 [dveditz]
but we could easily add 'unsafe-eval' to the style-src if we make this change
22:48:07 [freddyb]
certified apps (internal things like dialer, sms, ..) don't have 'unsafe-inline' for styles yet
22:48:12 [freddyb]
privileged do
22:49:57 [neilm]
1) pros: ensure unauth'd code alerts, cons: might slow things down, might break things
22:50:59 [neilm]
terri: intro needs to be clarified to distinguish from what CSP does
22:52:12 [neilm]
2) "cdn integrity" pros: no brainer, cons:
22:53:40 [gmaone]
Zakim, I am ??P5
22:53:40 [Zakim]
+gmaone; got it
22:53:42 [neilm]
3) "integrity for downloads" cons: result of navigation before direct download might cause issues in a new context
22:54:22 [neilm]
bhill2: is this meaningful? copy/pasting urls is a workaround as well
22:56:52 [neilm]
4) "Ensure UI elements aren't manipulated before being displayed"
22:57:30 [neilm]
interaction with about:// could be controlled
22:58:08 [neilm]
mkwst: chrome new tab page is another example
22:58:35 [neilm]
freddyb: some of these pages are privileged as well
22:59:35 [neilm]
mkwst: 1, 2, 4, 5 can probably be consolidated
23:02:02 [Zakim]
- +1.415.832.aabb
23:03:00 [puhley]
zakim, I am aabb
23:03:00 [Zakim]
sorry, puhley, I do not see a party named 'aabb'
23:05:49 [bhill2]
next call will probably be Friday, Jan 31
23:05:55 [bhill2]
zakim, list attendees
23:05:55 [Zakim]
As of this point the attendees have been BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
23:06:04 [bhill2]
rrsagent, make minutes
23:06:04 [RRSAgent]
I have made the request to generate bhill2
23:06:10 [bhill2]
rrsagent, set logs public-visible
23:06:18 [Zakim]
SEC_WASWG()5:00PM has ended
23:06:18 [Zakim]
Attendees were BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
23:33:01 [terri]
terri has joined #webappsec
23:33:39 [terri_]
terri_ has joined #webappsec