15:59:22 <RRSAgent> RRSAgent has joined #webappsec
15:59:22 <RRSAgent> logging to http://www.w3.org/2014/02/12-webappsec-irc
15:59:24 <trackbot> RRSAgent, make logs world
15:59:24 <Zakim> Zakim has joined #webappsec
15:59:26 <trackbot> Zakim, this will be WASWG
15:59:26 <Zakim> ok, trackbot, I see SEC_WASWG()11:00AM already started
15:59:27 <trackbot> Meeting: Web Application Security Working Group Teleconference
15:59:27 <trackbot> Date: 12 February 2014
16:00:10 <Zakim> +Wendy
16:00:47 <hillbrad> hillbrad has joined #webappsec
16:00:58 <mkwst> huzzah.
16:01:00 <Zakim> +BHill
16:01:13 <mkwst> yeah, i can scribe. i think it's my turn anyway.
16:01:18 <hillbrad> hillbrad has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0029.html
16:01:37 <richt> richt has joined #webappsec
16:01:50 <terri> terri has joined #webappsec
16:02:24 <Zakim> +[IPcaller]
16:02:33 <gmaone> Is anybody trying to call Zakim's VOIP and failing like me?
16:02:36 <gopal> gopal has joined #webappsec
16:02:49 <richt> Present+ Rich_Tibbett
16:02:52 <richt> zakim, IPcaller is me
16:02:52 <Zakim> +richt; got it
16:03:07 <Zakim> +dveditz
16:03:08 <Zakim> +terri
16:03:09 <hillbrad> Meeting: WebAppSec WG Teleconference 12-Feb-2014
16:03:12 <hillbrad> Chairs; bhill2, ekr
16:03:17 <hillbrad> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0029.html
16:03:45 <wseltzer> zakim, mute Wendy
16:03:45 <Zakim> Wendy should now be muted
16:03:57 <wseltzer> zakim, I am Wendy
16:03:57 <Zakim> ok, wseltzer, I now associate you with Wendy
16:04:27 <Zakim> + +1.781.369.aaaa
16:04:54 <wseltzer> zakim, aaaa is gopal
16:04:54 <Zakim> +gopal; got it
16:05:04 <mkwst> wseltzer: the bot wasn't up when i dialed in; can i somehow ensure that i'm associated with whatever number i'm dialed in on?
16:05:12 <wseltzer> zakim, who is on the call?
16:05:12 <Zakim> On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal
16:05:18 <mkwst> ah, sweet. :)
16:06:11 <Zakim> +[Mozilla]
16:06:17 <ekr> ekr has joined #webappsec
16:06:24 <wseltzer> zakim, Mozilla has ekr
16:06:24 <Zakim> +ekr; got it
16:06:39 <terri> sorry, apparently I had the call muted.  fixed
16:06:46 <ekr> scribenick, ekr
16:06:55 <ekr> scribenick: ekr
16:07:28 <hillbrad> zakim, who is here?
16:07:28 <Zakim> On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal, [Mozilla]
16:07:30 <Zakim> [Mozilla] has ekr
16:07:30 <Zakim> On IRC I see ekr, gopal, terri, richt, hillbrad, Zakim, RRSAgent, dom, gmaone, mkwst, timeless, tobie_, wseltzer, trackbot
16:07:46 <ekr> Topic: Minutes approval:      http://www.w3.org/2014/01/14-webappsec-minutes.html
16:08:05 <glenn> glenn has joined #webappsec
16:08:21 <ekr> No objections, minutes approved
16:09:20 <ekr> bhill2: going to start a CfC for the FPWD of subresource integrity.
16:09:35 <ekr> zakim, who is talking?
16:09:45 <Zakim> ekr, listening for 10 seconds I heard sound from the following: BHill (62%), [Mozilla] (15%)
16:10:03 <ekr> mkwst: I will have a bunch of feedback on subresource integrity
16:10:16 <ekr> bhill2: New CSP 1.1. WD published yesterday morning
16:11:23 <ekr> Topic: CSP Formal Objection
16:11:24 <ekr>        http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html
16:11:41 <ekr> bhill2: as chair, I think we have rough consensus. don't need need to reopen the issue.
16:12:11 <ekr> ??? : as I understand it there are two objections
16:12:23 <mkwst> ekr: s/???/dveditz/
16:12:44 <ekr> bhill2: 1. Language -- we left it to implementors. 2. Objection to removal of language, but from Bjoern who is nit a wg member.
16:12:57 <ekr> … can 't have two people have a tug of war preventing it from going forward
16:13:01 <wseltzer> s/nit/not/
16:13:15 <ekr> dveditz: objections are opposite, right?
16:14:05 <ekr> bhill2: concerned here with issue glenn raised and that bjoern has responded to re: user-supplied modifications to page via extensions, bookmarks, etc.
16:14:39 <hillbrad> hillbrad has joined #webappsec
16:14:40 <glenn> in this case, it is better to not say anything in spec
16:14:58 <ekr> dveditz: we have seen objections that are useful to users that may unwisely make changes to every page. might be reasonable to require an extension to explicitly override CSP.
16:15:09 <ekr> … don't know how we would do that technically
16:15:14 <ekr> … seems like a UA decision
16:15:36 <ekr> mkwst: agreed. putting limitations on extensions/add-ons might be reasonable but it's not a spec issue
16:17:04 <ekr> bhill2: a spec must have two interoperating implementations of each feature
16:17:28 <ekr> … a normative requirement to turn reporting off would need to have implementations in both specs
16:18:06 <ekr> … nothing stopping browsers from doing that, but it need not be in the spec
16:18:38 <glenn> zakim, what is the code?
16:18:38 <Zakim> the conference code is 92794 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), glenn
16:18:53 <ekr> dveditz: what if firefox or torbrowser decides to have opt-in reporting, is it still conformant.
16:19:19 <Zakim> +glenn
16:19:25 <ekr> bhill2: yes
16:20:16 <ekr> bhill2: has not seen a coherent threat model for why reporting makes things worse
16:22:12 <wseltzer> ->
16:22:26 <wseltzer> http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
16:23:49 <hillbrad> noted for minutes: no objections to consensus on current language in the tip of the editor's draft, that is, no normative recommendations to user agent implelmenters regarding interaction of CSP and extensions or user-script
16:23:58 <hillbrad> consensus previously established still stands
16:24:22 <wseltzer> RESOLVED: previously-established consensus stands
16:24:47 <hillbrad> mkwst: child-src and popups are 1.2 features
16:24:53 <ekr> I am back
16:25:05 <hillbrad> … referrer expressiveness is in current editor's draft
16:25:18 <ekr> mkwst: processing of meta elements still needs discussion
16:25:23 <hillbrad> … meta element needs discussing, are use cases current spec would disallow and questions about reasonableness
16:25:27 <hillbrad> … beacon is not 1.1
16:25:34 <ekr> hillbrad: I can take over
16:25:45 <ekr> mkwst: two things I think are interesting, meta element and redirect
16:26:18 <ekr> wseltzer(?): meta element… was that based on a request.
16:26:29 <ekr> mkwst: some cases where you can't control HTTP headers
16:26:31 <fjh> fjh has joined #webappsec
16:26:34 <fjh> ec
16:27:03 <ekr> wseltzer: maybe we should consider other options. probably wouldn't be too hard for github or such to allow people to provide meta
16:27:14 <wseltzer> s/wseltzer:/terri:/
16:27:21 <ekr> s/provide meta/to provide the content that would be in meta/
16:27:30 <ekr> mkwst: I don't see a threat here.
16:27:50 <ekr> … I don't understand what the problem is
16:28:04 <Zakim> +[IPcaller]
16:28:05 <fjh> zakim, IPcaller is me
16:28:05 <Zakim> +fjh; got it
16:28:19 <ekr> dveditz: what are you not concerned about? header? script element after the page is loaded
16:28:22 <fjh> s/^ec$//
16:28:30 <fjh> zakim, who is here?
16:28:30 <Zakim> On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal, [Mozilla], glenn, fjh
16:28:32 <Zakim> [Mozilla] has ekr
16:28:32 <Zakim> On IRC I see fjh, hillbrad, glenn, ekr, gopal, terri, richt, Zakim, RRSAgent, dom, gmaone, mkwst, timeless, tobie_, wseltzer, trackbot
16:28:55 <ekr> mkwst: given that we restrict reporting, etc. by policy, so how is this different than if I could inject a non-CSP meta tag
16:29:11 <ekr> terri: I'm not convinced. let me see if we can figure out how to attack this here.
16:29:44 <ekr> dveditz: can't I also use this to block other things on the page
16:29:59 <ekr> mkwst: wouldn't this already be worse with non-CSP mechanisms if you could already inject meta
16:30:20 <ekr> dveditz: having scripts mess with meta tags is not good. an API would be better
16:30:41 <ekr> … implementation concerns here as well
16:31:23 <ekr> mkwst: let's take this to the list
16:32:10 <ekr> bhill2: last major 1.1. Mike, you mentioned referer?
16:32:18 <ekr> mkwst: my impression is that it is fine
16:32:44 <ekr> bhiill2: can you get dan and other mozillans to express any concerns with meta asap.
16:32:55 <ekr> … start CfC for last call on next telecon
16:33:46 <ekr> Topic: f CORS and whitelisting, exposure of local network IP address
16:33:47 <ekr>                  information in URLs,
16:33:57 <ekr>   Editors draft: https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html
16:33:57 <ekr>   Issues:  http://www.w3.org/2009/dap/track/products/31
16:34:13 <wseltzer> s/f CORS/DAP WG, re: CORS/
16:34:22 <dom> Zakim, code?
16:34:22 <Zakim> the conference code is 92794 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), dom
16:34:38 <Zakim> +??P11
16:34:45 <ekr> … services currently advertising in network via bonjour, etc.
16:34:46 <dom> Zakim, ??P11 is me
16:34:46 <Zakim> +dom; got it
16:35:37 <ekr> … browser gets handle to devices in network
16:36:09 <richt> NSD discussions on implementer lists: http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0029.html
16:36:14 <ekr> … some reviews have already happend
16:36:29 <ekr> … have added CORS support to API.
16:37:13 <ekr> … also get user opt-in
16:37:52 <ekr> … user opt-in is extremely important
16:38:27 <ekr> … don't want to expose routers, etc.
16:38:33 <ekr> … but we want to expose TVs, etc.
16:38:41 <ekr> … this why CORS is relevant here.
16:38:55 <ekr> … here to talk about some of the security concerns
16:39:13 <fjh> q+ to mention whitelisting and URLs
16:39:18 <ekr> … wanted to get this group's feedback
16:39:44 <ekr> fjh: CORS opt-in is a quite reasonable response. why is it should but not must.
16:40:02 <ekr> sorry, I assumed it was cause you were in queue. Who was that?
16:40:13 <hillbrad> fjh: this is mike west speaking
16:40:14 <wseltzer> zakim, who is speaking?
16:40:23 <ekr> sorry, I am terrible at voices.
16:40:25 <Zakim> wseltzer, listening for 11 seconds I heard sound from the following: gopal (29%), richt (18%)
16:40:44 <ekr> richt: we have implementations outside the browser.
16:41:02 <wseltzer> s/fjh: CORS/mkwst: CORS/
16:41:27 <ekr> mkwst: these should be a requirement
16:41:44 <dom> [the editors draft has " A user agent SHOULD only allow web pages to connect with Local-networked Services that have passed a preliminary CORS check indicating they support Cross-Origin Resource Sharing [CORS]"]
16:41:56 <fjh> https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html
16:42:14 <fjh> https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html
16:42:23 <ekr> richt: browser can blacklist device types
16:42:28 <ekr> … and users could whitelist devices
16:42:52 <ekr> mkwst: might be good to put that in this section
16:44:16 <ekr> richt: you request a service type, you then broadcast a request and the device responds with a CORS header
16:50:48 <ekr> […] long colloquy about the strength of the mechanism for verifying CORS consent
16:51:00 <ekr> to summarize, this is just a mechanism for discovery.
16:51:14 <ekr> but any actual requests go through their own CORS checks
16:52:03 <ekr> richt: you get a list of endpoint URLs. These will be local IP addresses.
16:52:04 <fjh> q-
16:52:11 <fjh> q+ to ask mike about action
16:52:21 <ekr> … you don't want to expose local IPs to the Web.
16:52:24 <dom> [more importantly, we want to filter what requests can be made on these end points]
16:53:44 <ekr> ekr: webrtc already exposes the local IP address ranges
16:53:58 <ekr> mkwst: chrome already obfuscates this
16:54:11 <ekr> … you could have a different scheme
16:54:41 <ekr> … the communication can contain the local IP addresses
16:55:04 <dom> [one of the issue is that you want to follow links exposed by the local network services, e.g. link to an image or a video]
16:55:06 <ekr> btw, you don't need a different scheme
16:55:56 <ekr> just a different domain
16:56:11 <ekr> richt: I am worried about whether this stuff is going to leak anyway
16:57:00 <ekr> mkwst: this is intermediated by the user
16:57:47 <ekr> richt: user has to consent to discover and then the user can filter the list back
16:57:54 <ekr> … at the end the web page gets the filtered list
16:58:14 <ekr> … main concerns are local IP and CORS
16:58:28 <ekr> fjh: I might raise an issue about whitelisting along with cors.
16:58:33 <ekr> mkwst: what actions do you have in mind
16:58:51 <ekr> s/mkwst:/fjh:/
16:59:14 <ekr> mkwst: I think this is OK now that we have discussed
17:00:08 <Zakim> -glenn
17:00:26 <ekr> dom: what are the next steps? how can the webappsec guys help?
17:00:28 <fjh> q-
17:00:30 <hillbrad> sorry folks, I gotta go - wseltzer can you close the channel, prep logs, etc, please?
17:00:54 <ekr> mkwst: I think you have been working with security team too
17:00:59 <wseltzer> hillbrad, sure
17:00:59 <ekr> sorry, me too...
17:01:04 <hillbrad> thanks all
17:01:06 <ekr> bye
17:01:08 <fjh> much thanks!
17:01:10 <Zakim> -[Mozilla]
17:01:41 <wseltzer> unmute me
17:01:47 <wseltzer> s/unmute me//
17:01:49 <fjh> feedback on the mail list would be very welcome or additional ideas
17:01:51 <wseltzer> zakim, unmute me
17:01:51 <Zakim> Wendy should no longer be muted
17:02:21 <Zakim> -gopal
17:02:53 <Zakim> -dveditz
17:02:55 <Zakim> -dom
17:02:57 <Zakim> -richt
17:02:58 <Zakim> -fjh
17:02:59 <Zakim> -BHill
17:03:05 <Zakim> -mkwst
17:03:10 <Zakim> -terri
17:03:15 <wseltzer> wseltzer: Thanks to Rich and Frederick from DAP; we'll figure out where to continue the discussion.
17:03:18 <wseltzer> [adjourned]
17:03:23 <wseltzer> trackbot, end teleconf
17:03:23 <trackbot> Zakim, list attendees
17:03:23 <Zakim> As of this point the attendees have been mkwst, Wendy, BHill, richt, dveditz, terri, +1.781.369.aaaa, gopal, ekr, glenn, fjh, dom
17:03:31 <Zakim> -Wendy
17:03:31 <trackbot> RRSAgent, please draft minutes
17:03:31 <RRSAgent> I have made the request to generate http://www.w3.org/2014/02/12-webappsec-minutes.html trackbot
17:03:32 <trackbot> RRSAgent, bye
17:03:32 <RRSAgent> I see no action items
17:03:32 <Zakim> SEC_WASWG()11:00AM has ended
17:03:32 <Zakim> Attendees were mkwst, Wendy, BHill, richt, dveditz, terri, +1.781.369.aaaa, gopal, ekr, glenn, fjh, dom
17:04:12 <RRSAgent> RRSAgent has joined #webappsec
17:04:12 <RRSAgent> logging to http://www.w3.org/2014/02/12-webappsec-irc
17:04:17 <wseltzer> rrsagent, make logs public
17:04:32 <wseltzer> rrsagent, make minutes
17:04:32 <RRSAgent> I have made the request to generate http://www.w3.org/2014/02/12-webappsec-minutes.html wseltzer
17:04:57 <dom> dom has left #webappsec
17:04:59 <fjh> fjh has left #webappsec
17:05:09 <wseltzer> Chair: bhill2, ekr
17:05:11 <wseltzer> rrsagent, make minutes
17:05:11 <RRSAgent> I have made the request to generate http://www.w3.org/2014/02/12-webappsec-minutes.html wseltzer
17:08:38 <hillbrad> hillbrad has joined #webappsec
17:17:33 <hillbrad> hillbrad has joined #webappsec
17:17:42 <hillbrad> hillbrad has left #webappsec
17:25:26 <richt_> richt_ has joined #webappsec
19:03:07 <glenn> glenn has joined #webappsec
19:32:25 <Zakim> Zakim has left #webappsec
19:33:52 <richt> richt has joined #webappsec
20:13:06 <glenn_> glenn_ has joined #webappsec
20:32:44 <mkwst> mkwst has joined #webappsec
20:32:54 <timeless> timeless has joined #webappsec
20:32:57 <glenn> glenn has joined #webappsec
20:33:22 <tobie__> tobie__ has joined #webappsec
20:37:35 <glenn> glenn has joined #webappsec
20:39:03 <ekr> ekr has joined #webappsec
21:22:17 <ekr> ekr has joined #webappsec
21:53:13 <ekr> ekr has joined #webappsec
22:01:33 <ekr> ekr has joined #webappsec
22:18:45 <terri> terri has joined #webappsec
22:33:18 <ekr> ekr has joined #webappsec
22:51:08 <ekr> ekr has joined #webappsec