IRC log of webappsec on 2014-02-12

Timestamps are in UTC.

15:59:22 [RRSAgent]
RRSAgent has joined #webappsec
15:59:22 [RRSAgent]
logging to
15:59:24 [trackbot]
RRSAgent, make logs world
15:59:24 [Zakim]
Zakim has joined #webappsec
15:59:26 [trackbot]
Zakim, this will be WASWG
15:59:26 [Zakim]
ok, trackbot, I see SEC_WASWG()11:00AM already started
15:59:27 [trackbot]
Meeting: Web Application Security Working Group Teleconference
15:59:27 [trackbot]
Date: 12 February 2014
16:00:47 [hillbrad]
hillbrad has joined #webappsec
16:01:13 [mkwst]
yeah, i can scribe. i think it's my turn anyway.
16:01:18 [hillbrad]
hillbrad has changed the topic to:
16:01:37 [richt]
richt has joined #webappsec
16:01:50 [terri]
terri has joined #webappsec
16:02:33 [gmaone]
Is anybody trying to call Zakim's VOIP and failing like me?
16:02:36 [gopal]
gopal has joined #webappsec
16:02:49 [richt]
Present+ Rich_Tibbett
16:02:52 [richt]
zakim, IPcaller is me
16:02:52 [Zakim]
+richt; got it
16:03:09 [hillbrad]
Meeting: WebAppSec WG Teleconference 12-Feb-2014
16:03:12 [hillbrad]
Chairs: bhill2, ekr
16:03:45 [wseltzer]
zakim, mute Wendy
16:03:45 [Zakim]
Wendy should now be muted
16:03:57 [wseltzer]
zakim, I am Wendy
16:03:57 [Zakim]
ok, wseltzer, I now associate you with Wendy
16:04:27 [Zakim]
+ +1.781.369.aaaa
16:04:54 [wseltzer]
zakim, aaaa is gopal
16:04:54 [Zakim]
+gopal; got it
16:05:04 [mkwst]
wseltzer: the bot wasn't up when i dialed in; can i somehow ensure that i'm associated with whatever number i'm dialed in on?
16:05:12 [wseltzer]
zakim, who is on the call?
16:05:12 [Zakim]
On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal
16:05:18 [mkwst]
ah, sweet. :)
16:06:17 [ekr]
ekr has joined #webappsec
16:06:24 [wseltzer]
zakim, Mozilla has ekr
16:06:24 [Zakim]
+ekr; got it
16:06:39 [terri]
sorry, apparently I had the call muted. fixed
16:06:46 [ekr]
scribenick, ekr
16:06:55 [ekr]
scribenick: ekr
16:07:28 [hillbrad]
zakim, who is here?
16:07:28 [Zakim]
On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal, [Mozilla]
16:07:30 [Zakim]
[Mozilla] has ekr
16:07:30 [Zakim]
On IRC I see ekr, gopal, terri, richt, hillbrad, Zakim, RRSAgent, dom, gmaone, mkwst, timeless, tobie_, wseltzer, trackbot
16:07:46 [ekr]
Topic: Minutes approval:
16:08:05 [glenn]
glenn has joined #webappsec
16:08:21 [ekr]
No objections, minutes approved
16:09:20 [ekr]
bhill2: going to start a CfC for the FPWD of subresource integrity.
16:09:35 [ekr]
zakim, who is talking?
16:09:45 [Zakim]
ekr, listening for 10 seconds I heard sound from the following: BHill (62%), [Mozilla] (15%)
16:10:03 [ekr]
mkwst: I will have a bunch of feedback on subresource integrity
16:10:16 [ekr]
bhill2: New CSP 1.1 WD published yesterday morning
16:11:23 [ekr]
Topic: CSP Formal Objection
16:11:41 [ekr]
bhill2: as chair, I think we have rough consensus. don't need to reopen the issue.
16:12:11 [ekr]
??? : as I understand it there are two objections
16:12:23 [mkwst]
ekr: s/???/dveditz/
16:12:44 [ekr]
bhill2: 1. Language -- we left it to implementors. 2. Objection to removal of language, but from Bjoern who is not a wg member.
16:12:57 [ekr]
… can't have two people have a tug of war preventing it from going forward
16:13:15 [ekr]
dveditz: objections are opposite, right?
16:14:05 [ekr]
bhill2: concerned here with issue glenn raised and that bjoern has responded to re: user-supplied modifications to page via extensions, bookmarks, etc.
16:14:39 [hillbrad]
hillbrad has joined #webappsec
16:14:40 [glenn]
in this case, it is better to not say anything in spec
16:14:58 [ekr]
dveditz: we have seen objections that are useful to users that may unwisely make changes to every page. might be reasonable to require an extension to explicitly override CSP.
16:15:09 [ekr]
… don't know how we would do that technically
16:15:14 [ekr]
… seems like a UA decision
16:15:36 [ekr]
mkwst: agreed. putting limitations on extensions/add-ons might be reasonable but it's not a spec issue
16:17:04 [ekr]
bhill2: a spec must have two interoperating implementations of each feature
16:17:28 [ekr]
… a normative requirement to turn reporting off would need to have implementations in both specs
16:18:06 [ekr]
… nothing stopping browsers from doing that, but it need not be in the spec
16:18:38 [glenn]
zakim, what is the code?
16:18:38 [Zakim]
the conference code is 92794 (tel:+1.617.761.6200, glenn
16:18:53 [ekr]
dveditz: what if firefox or torbrowser decides to have opt-in reporting, is it still conformant.
16:19:25 [ekr]
bhill2: yes
16:20:16 [ekr]
bhill2: has not seen a coherent threat model for why reporting makes things worse
16:23:49 [hillbrad]
noted for minutes: no objections to consensus on current language in the tip of the editor's draft, that is, no normative recommendations to user agent implementers regarding interaction of CSP and extensions or user-script
16:23:58 [hillbrad]
consensus previously established still stands
16:24:22 [wseltzer]
RESOLVED: previously-established consensus stands
16:24:47 [hillbrad]
mkwst: child-src and popups are 1.2 features
16:24:53 [ekr]
I am back
16:25:05 [hillbrad]
… referrer expressiveness is in current editor's draft
16:25:18 [ekr]
mkwst: processing of meta elements still needs discussion
16:25:23 [hillbrad]
… meta element needs discussing, are use cases current spec would disallow and questions about reasonableness
16:25:27 [hillbrad]
… beacon is not 1.1
16:25:34 [ekr]
hillbrad: I can take over
16:25:45 [ekr]
mkwst: two things I think are interesting, meta element and redirect
16:26:18 [ekr]
wseltzer(?): meta element… was that based on a request.
16:26:29 [ekr]
mkwst: some cases where you can't control HTTP headers
16:26:31 [fjh]
fjh has joined #webappsec
16:27:03 [ekr]
wseltzer: maybe we should consider other options. probably wouldn't be too hard for github or such to allow people to provide meta
16:27:21 [ekr]
s/provide meta/to provide the content that would be in meta/
16:27:30 [ekr]
mkwst: I don't see a threat here.
16:27:50 [ekr]
… I don't understand what the problem is
16:28:05 [fjh]
zakim, IPcaller is me
16:28:05 [Zakim]
+fjh; got it
16:28:19 [ekr]
dveditz: what are you not concerned about? header? script element after the page is loaded
16:28:30 [fjh]
zakim, who is here?
16:28:30 [Zakim]
On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal, [Mozilla], glenn, fjh
16:28:32 [Zakim]
[Mozilla] has ekr
16:28:32 [Zakim]
On IRC I see fjh, hillbrad, glenn, ekr, gopal, terri, richt, Zakim, RRSAgent, dom, gmaone, mkwst, timeless, tobie_, wseltzer, trackbot
16:28:55 [ekr]
mkwst: given that we restrict reporting, etc. by policy, so how is this different than if I could inject a non-CSP meta tag
16:29:11 [ekr]
terri: I'm not convinced. let me see if we can figure out how to attack this here.
16:29:44 [ekr]
dveditz: can't I also use this to block other things on the page
16:29:59 [ekr]
mkwst: wouldn't this already be worse with non-CSP mechanisms if you could already inject meta
16:30:20 [ekr]
dveditz: having scripts mess with meta tags is not good. an API would be better
16:30:41 [ekr]
… implementation concerns here as well
16:31:23 [ekr]
mkwst: let's take this to the list
16:32:10 [ekr]
bhill2: last major 1.1. Mike, you mentioned referer?
16:32:18 [ekr]
mkwst: my impression is that it is fine
16:32:44 [ekr]
bhill2: can you get dan and other mozillans to express any concerns with meta asap.
16:32:55 [ekr]
… start CfC for last call on next telecon
16:33:46 [ekr]
Topic: f CORS and whitelisting, exposure of local network IP address
16:33:47 [ekr]
information in URLs,
16:33:57 [ekr]
Editors draft:
16:34:13 [wseltzer]
s/f CORS/DAP WG, re: CORS/
16:34:22 [dom]
Zakim, code?
16:34:22 [Zakim]
the conference code is 92794 (tel:+1.617.761.6200, dom
16:34:45 [ekr]
… services currently advertising in network via bonjour, etc.
16:34:46 [dom]
Zakim, ??P11 is me
16:34:46 [Zakim]
+dom; got it
16:35:37 [ekr]
… browser gets handle to devices in network
16:36:09 [richt]
NSD discussions on implementer lists:
16:36:14 [ekr]
… some reviews have already happened
16:36:29 [ekr]
… have added CORS support to API.
16:37:13 [ekr]
… also get user opt-in
16:37:52 [ekr]
… user opt-in is extremely important
16:38:27 [ekr]
… don't want to expose routers, etc.
16:38:33 [ekr]
… but we want to expose TVs, etc.
16:38:41 [ekr]
… this why CORS is relevant here.
16:38:55 [ekr]
… here to talk about some of the security concerns
16:39:13 [fjh]
q+ to mention whitelisting and URLs
16:39:18 [ekr]
… wanted to get this group's feedback
16:39:44 [ekr]
fjh: CORS opt-in is a quite reasonable response. why is it should but not must.
16:40:02 [ekr]
sorry, I assumed it was cause you were in queue. Who was that?
16:40:13 [hillbrad]
fjh: this is mike west speaking
16:40:14 [wseltzer]
zakim, who is speaking?
16:40:23 [ekr]
sorry, I am terrible at voices.
16:40:25 [Zakim]
wseltzer, listening for 11 seconds I heard sound from the following: gopal (29%), richt (18%)
16:40:44 [ekr]
richt: we have implementations outside the browser.
16:41:02 [wseltzer]
s/fjh: CORS/mkwst: CORS/
16:41:27 [ekr]
mkwst: these should be a requirement
16:41:44 [dom]
[the editors draft has " A user agent SHOULD only allow web pages to connect with Local-networked Services that have passed a preliminary CORS check indicating they support Cross-Origin Resource Sharing [CORS]"]
16:42:23 [ekr]
richt: browser can blacklist device types
16:42:28 [ekr]
… and users could whitelist devices
16:42:52 [ekr]
mkwst: might be good to put that in this section
16:44:16 [ekr]
richt: you request a service type, you then broadcast a request and the device responds with a CORS header
16:50:48 [ekr]
[…] long colloquy about the strength of the mechanism for verifying CORS consent
16:51:00 [ekr]
to summarize, this is just a mechanism for discovery.
16:51:14 [ekr]
but any actual requests go through their own CORS checks
16:52:03 [ekr]
richt: you get a list of endpoint URLs. These will be local IP addresses.
16:52:11 [fjh]
q+ to ask mike about action
16:52:21 [ekr]
… you don't want to expose local IPs to the Web.
16:52:24 [dom]
[more importantly, we want to filter what requests can be made on these end points]
16:53:44 [ekr]
ekr: webrtc already exposes the local IP address ranges
16:53:58 [ekr]
mkwst: chrome already obfuscates this
16:54:11 [ekr]
… you could have a different scheme
16:54:41 [ekr]
… the communication can contain the local IP addresses
16:55:04 [dom]
[one of the issue is that you want to follow links exposed by the local network services, e.g. link to an image or a video]
16:55:06 [ekr]
btw, you don't need a different scheme
16:55:56 [ekr]
just a different domain
16:56:11 [ekr]
richt: I am worried about whether this stuff is going to leak anyway
16:57:00 [ekr]
mkwst: this is intermediated by the user
16:57:47 [ekr]
richt: user has to consent to discover and then the user can filter the list back
16:57:54 [ekr]
… at the end the web page gets the filtered list
16:58:14 [ekr]
… main concerns are local IP and CORS
16:58:28 [ekr]
fjh: I might raise an issue about whitelisting along with cors.
16:58:33 [ekr]
mkwst: what actions do you have in mind
16:59:14 [ekr]
mkwst: I think this is OK now that we have discussed
17:00:26 [ekr]
dom: what are the next steps? how can the webappsec guys help?
17:00:30 [hillbrad]
sorry folks, I gotta go - wseltzer can you close the channel, prep logs, etc, please?
17:00:54 [ekr]
mkwst: I think you have been working with security team too
17:00:59 [wseltzer]
hillbrad, sure
17:00:59 [ekr]
sorry, me too...
17:01:04 [hillbrad]
thanks all
17:01:08 [fjh]
much thanks!
17:01:41 [wseltzer]
unmute me
17:01:47 [wseltzer]
s/unmute me//
17:01:49 [fjh]
feedback on the mail list would be very welcome or additional ideas
17:01:51 [wseltzer]
zakim, unmute me
17:01:51 [Zakim]
Wendy should no longer be muted
17:03:15 [wseltzer]
wseltzer: Thanks to Rich and Frederick from DAP; we'll figure out where to continue the discussion.
17:03:23 [wseltzer]
trackbot, end teleconf
17:03:23 [trackbot]
Zakim, list attendees
17:03:23 [Zakim]
As of this point the attendees have been mkwst, Wendy, BHill, richt, dveditz, terri, +1.781.369.aaaa, gopal, ekr, glenn, fjh, dom
17:03:31 [trackbot]
RRSAgent, please draft minutes
17:03:31 [RRSAgent]
I have made the request to generate trackbot
17:03:32 [trackbot]
RRSAgent, bye
17:03:32 [RRSAgent]
I see no action items
17:03:32 [Zakim]
SEC_WASWG()11:00AM has ended
17:03:32 [Zakim]
Attendees were mkwst, Wendy, BHill, richt, dveditz, terri, +1.781.369.aaaa, gopal, ekr, glenn, fjh, dom
17:04:12 [RRSAgent]
RRSAgent has joined #webappsec
17:04:12 [RRSAgent]
logging to
17:04:17 [wseltzer]
rrsagent, make logs public
17:04:32 [wseltzer]
rrsagent, make minutes
17:04:32 [RRSAgent]
I have made the request to generate wseltzer
17:04:57 [dom]
dom has left #webappsec
17:04:59 [fjh]
fjh has left #webappsec
17:05:09 [wseltzer]
Chair: bhill2, ekr
17:05:11 [wseltzer]
rrsagent, make minutes
17:05:11 [RRSAgent]
I have made the request to generate wseltzer
17:08:38 [hillbrad]
hillbrad has joined #webappsec
17:17:33 [hillbrad]
hillbrad has joined #webappsec
17:17:42 [hillbrad]
hillbrad has left #webappsec
17:25:26 [richt_]
richt_ has joined #webappsec
19:03:07 [glenn]
glenn has joined #webappsec
19:32:25 [Zakim]
Zakim has left #webappsec
19:33:52 [richt]
richt has joined #webappsec
20:13:06 [glenn_]
glenn_ has joined #webappsec
20:32:44 [mkwst]
mkwst has joined #webappsec
20:32:54 [timeless]
timeless has joined #webappsec
20:32:57 [glenn]
glenn has joined #webappsec
20:33:22 [tobie__]
tobie__ has joined #webappsec
20:37:35 [glenn]
glenn has joined #webappsec
20:39:03 [ekr]
ekr has joined #webappsec
21:22:17 [ekr]
ekr has joined #webappsec
21:53:13 [ekr]
ekr has joined #webappsec
22:01:33 [ekr]
ekr has joined #webappsec
22:18:45 [terri]
terri has joined #webappsec
22:33:18 [ekr]
ekr has joined #webappsec
22:51:08 [ekr]
ekr has joined #webappsec