21:56:06 RRSAgent has joined #webappsec
21:56:06 logging to http://www.w3.org/2014/01/14-webappsec-irc
21:56:14 Zakim has joined #webappsec
21:56:29 Meeting: WebAppSec Teleconference 14 Jan 2014
21:56:32 Chair: bhill2
21:56:36 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html
21:56:43 zakim, this will be 92794
21:56:43 ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 4 minutes
21:58:10 SEC_WASWG()5:00PM has now started
21:58:17 +[IPcaller]
21:58:36 +BHill
21:58:58 Zakim [IPcaller] is neilm
21:59:04 Zakim, [IPcaller] is neilm
21:59:04 +neilm; got it
21:59:17 freddyb has joined #webappsec
22:00:07 +??P2
22:00:12 -??P2
22:00:28 +??P2
22:00:31 dveditz has joined #webappsec
22:01:12 I am this "??P2", Zakim reports...and have yet to find out how this all works :)
22:01:15 terri has joined #webappsec
22:01:27 +[IPcaller]
22:01:30 +??P5
22:01:31 +gopal
22:01:38 + +1.503.712.aaaa
22:01:38 Zakim, dveditz is IPcaller
22:01:40 sorry, dveditz, I do not recognize a party named 'dveditz'
22:01:47 Zakim, IPCaller is dveditz
22:01:47 +dveditz; got it
22:01:47 Zakim, ??P5 is gmaone
22:01:48 +gmaone; got it
22:01:52 Zakim: I am ??P2
22:01:53 +mkwst
22:02:06 Zakim, ??P2 is freddyb
22:02:06 +freddyb; got it
22:02:09 +Wendy
22:02:10 gmaone: thanks :)
22:02:21 mkwst has joined #webappsec
22:02:27 Zakim, I am aaaa
22:02:27 +terri; got it
22:02:33 Scribe: Neil Matatall
22:02:37 Scribenick: neilm
22:02:53 Regrets: ekr
22:03:02 klee has joined #webappsec
22:04:03 can't tell if the call dropped or what.
22:04:04 it's completely quiet for me
22:04:15 yes
22:04:31 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html
22:04:34 today's agenda
22:04:39 zakim, who is here?
22:04:39 On the phone I see neilm, BHill, freddyb, dveditz, gmaone, gopal, terri, mkwst, Wendy
22:04:41 On IRC I see klee, mkwst, terri, dveditz, freddyb, Zakim, RRSAgent, bhill2, neilm, gmaone, timeless, wseltzer, trackbot
22:04:45 -terri
22:05:10 TOPIC: minutes approval
22:05:22 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0003.html
22:05:39 http://www.w3.org/2013/12/17-webappsec-minutes.html <- real minutes link
22:05:51 TOPIC: Agenda bashing
22:06:33 +terri
22:10:56 TOPIC: New conference call time
22:11:45 http://doodle.com/qrrdy4qe2a5kdi3b
22:12:05 bhill2: not going to close voting today, perhaps 8 or 9 PST
22:12:20 I considered this a representative week, fwiw
22:12:51 ... Monday 8:30 PST and Friday ??? likely candidates
22:13:36 ... who is security lover? Speak up :)
22:13:54 8:30 pm or am?
22:14:11 klee: AM PST
22:14:21 I'd be down with that
22:15:30 TOPIC: Open Actions
22:15:31 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:16:20 + +1.415.832.aabb
22:17:03 puhley has joined #webappsec
22:20:32 TOPIC: CSP 1.1 updates
22:20:38 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0001.html
22:21:22 mkwst: 1. removed most of script interface, needs to be reworked
22:21:43 ... suggested push out to 1.2 (policy violation event still exists)
22:22:34 ... 2. meta element changes converting todos
22:23:12 ... 3: Workers no longer inherit policy automatically, rather when generated from origins w/ unique urls.
22:23:57 ... 4: new child-src directive, default context source list, used for frame/worker/popup-src directives
22:24:25 ... and child-src inherits from default-src
22:26:13 ... nothing governs window.open
22:29:27 in general, if you're not talking: please mute. the feedback is indeed annoying
22:29:35 -gopal
22:29:37 -Wendy
22:29:49 I'm having trouble hearing much of anything because of it.
22:29:51 grobinson|laptop has joined #webappsec
22:29:55 +Wendy
22:30:02 zakim, who is making noise?
22:30:15 bhill2, listening for 10 seconds I heard sound from the following: BHill (14%), dveditz (73%), mkwst (31%)
22:31:36 on a sidenote, when it comes to directives: was it discussed in this WG whether it makes sense to put html imports into script-src?
22:31:55 freddy: yes, that was the conclusion we came to
22:31:57 +[Mozilla]
22:32:08 dveditz: potential issues around workers [noise]
22:32:48 bhill2: thanks. I'll read up first then
22:32:49 ... no need for child-src && worker-src, or just have separate frame/worker-src
22:33:52 [noise]
22:33:58 dveditz: is there a cell phone nearby? sometimes they create interference that sounds like that
22:34:29 ???: complexity is a leading blocker for adoption
22:34:30 who is speaking? apf?
22:34:52 was that terri oda speaking?
22:35:05 yes, I'm the former academic on the call
22:37:53 -mkwst
22:38:15 bah. dialing back in.
22:39:25 + +49.162.102.aacc
22:39:25 bhill2: Ian's ideas around CSSOM appear to have no objections and decent support
22:39:59 zakim, i am aacc
22:39:59 +mkwst; got it
22:40:54 bhill2: frame-ancestors in 1.1 (not frame-options)
22:41:32 github ftw
22:41:39 TOPIC: Back compat in CSP
22:41:40 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0002.html
22:43:05 bhill2: requiring eval for cssom might break things
22:43:31 mkwst: if we feel it's an issue, we need to base decisions on data
22:44:17 ... adding eval to style-src
22:45:36 bhill2: does this impact chrome extensions and the like?
22:45:38 mkwst: no
22:46:35 TOPIC: Sub-Resource Integrity Strawman and Use-Cases
22:46:38 http://w3c.github.io/webappsec/specs/subresourceintegrity/
22:47:22 Firefox OS privileged apps have a default CSP of "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
22:47:47 but we could easily add 'unsafe-eval' to the style-src if we make this change
22:48:07 certified apps (internal things like dialer, sms, ..) don't have 'unsafe-inline' for styles yet
22:48:12 privileged do
22:49:57 1) pros: ensure unauth'd code alerts, cons: might slow things down, might break things
22:50:59 terri: intro needs to be clarified to distinguish from what CSP does
22:52:01 -gmaone
22:52:12 2) "cdn integrity" pros: no brainer, cons:
22:53:22 +??P5
22:53:40 Zakim, I am ??P5
22:53:40 +gmaone; got it
22:53:42 3) "integrity for downloads" cons: result of navigation before direct download might cause issues in a new context
22:54:22 bhill2: is this meaningful? copy/pasting urls is a workaround as well
22:56:52 4) "Ensure UI elements aren't manipulated before being displayed"
22:57:30 interaction with about:// could be controlled
22:58:08 mkwst: chrome new tab page is another example
22:58:35 freddyb: some of these pages are privileged as well
22:59:35 mkwst: 1, 2, 4, 5 can probably be consolidated
23:02:02 - +1.415.832.aabb
23:03:00 zakim, I am aabb
23:03:00 sorry, puhley, I do not see a party named 'aabb'
23:05:36 -neilm
23:05:38 -[Mozilla]
23:05:39 -Wendy
23:05:40 -mkwst
23:05:41 -freddyb
23:05:43 -terri
23:05:44 -gmaone
23:05:48 -dveditz
23:05:49 next call will probably be Friday, Jan 31
23:05:55 zakim, list attendees
23:05:55 As of this point the attendees have been BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
23:06:04 rrsagent, make minutes
23:06:04 I have made the request to generate http://www.w3.org/2014/01/14-webappsec-minutes.html bhill2
23:06:10 rrsagent, set logs public-visible
23:06:17 -BHill
23:06:18 SEC_WASWG()5:00PM has ended
23:06:18 Attendees were BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
23:33:01 terri has joined #webappsec
23:33:39 terri_ has joined #webappsec