IRC log of webappsec on 2014-02-26

Timestamps are in UTC.

16:03:13 [RRSAgent]
RRSAgent has joined #webappsec
16:03:13 [RRSAgent]
logging to
16:03:33 [bhill2]
Meeting: WebAppSec WG Teleconference 26-Feb-2014
16:03:37 [bhill2]
Chairs: bhill2, ekr
16:03:53 [bhill2]
zakim, who is here?
16:03:53 [Zakim]
sorry, bhill2, I don't know what conference this is
16:03:54 [Zakim]
On IRC I see RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
16:03:58 [bhill2]
zakim, this is 92794
16:03:58 [Zakim]
ok, bhill2; that matches SEC_WASWG()11:00AM
16:04:03 [bhill2]
zakim, who is here?
16:04:03 [Zakim]
On the phone I see +49.162.102.aaaa, terri, BHill, +1.315.849.aabb, [Mozilla], [GVoice], ??P22
16:04:06 [Zakim]
On IRC I see RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
16:04:11 [mkwst]
zakim, who is talking?
16:04:18 [gmaone]
Zakim, ??P22 is gmaone
16:04:18 [Zakim]
+gmaone; got it
16:04:22 [ekr]
ekr has joined #webappsec
16:04:23 [Zakim]
mkwst, listening for 10 seconds I heard sound from the following: BHill (39%)
16:04:40 [bhill2]
zakim, [Mozilla] has grobinson
16:04:40 [Zakim]
+grobinson; got it
16:05:06 [wuwei_]
wuwei_ has joined #webappsec
16:05:15 [mkwst]
zakim, aaaa is mkwst.
16:05:16 [Zakim]
+mkwst; got it
16:05:52 [PeteF]
+1.315.849.aabb is Pete Freitag... just listening in
16:06:15 [bhill2]
zakim, who is here?
16:06:15 [Zakim]
On the phone I see mkwst, terri, BHill, +1.315.849.aabb, [Mozilla], [GVoice], gmaone, glenn
16:06:17 [Zakim]
[Mozilla] has grobinson
16:06:17 [Zakim]
On IRC I see wuwei_, ekr, RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
16:06:22 [grobinson]
grobinson has joined #webappsec
16:06:49 [ekr]
[Mozilla] has ekr
16:06:56 [bhill2]
zakim, [mozilla] has ekr
16:06:56 [Zakim]
+ekr; got it
16:06:58 [gmaone]
zakim, +1.315.849.aabb is PeteF
16:06:58 [Zakim]
+PeteF; got it
16:07:51 [bhill2]
Scribe: Mike West
16:07:58 [bhill2]
Scribenick: mkwst
16:08:09 [bhill2]
TOPIC: Minutes approval
16:08:17 [Zakim]
+ +1.831.246.aacc
16:08:22 [mkwst]
bhill: Objections to last time's minutes?
16:08:32 [mkwst]
bhill: Approved!
16:08:40 [bhill2]
zakim, aacc is dveditz
16:08:40 [Zakim]
+dveditz; got it
16:08:48 [bhill2]
TOPIC: Agenda Bashing
16:09:18 [mkwst]
bhill: How do we get subint to FPWD?
16:09:40 [mkwst]
dveditz: Is redirection part of the leakage discussion?
16:09:44 [mkwst]
mkwst: yes.
16:09:54 [bhill2]
TOPIC: Open Actions Review
16:11:07 [mkwst]
bhill: Blobs, dveditz?
16:11:23 [mkwst]
mkwst: Current language is that blobs need to be whitelisted explicitly as 'blob:'.
16:11:30 [mkwst]
dveditz: Should be ok.
16:11:45 [mkwst]
dveditz: One thing.
16:12:13 [mkwst]
dveditz: 'data:' should not match '*'.
16:12:32 [mkwst]
dveditz: 'blob:' too. They should be treated as 'unsafe-inline'.
16:12:53 [freddyb_]
freddyb_ has joined #webappsec
16:13:13 [mkwst]
mkwst: Propose some text?
16:13:21 [mkwst]
dveditz: Sure, where?
16:13:33 [mkwst]
mkwst: In the matching algorithm section. Could add a note anywhere, though.
16:13:42 [mkwst]
dveditz: Intent is to include blob and data.
16:14:17 [mkwst]
mkwst: will find some language for you.
16:14:44 [bhill2]
TOPIC: Call for consensus on UI Security LCWD
16:15:07 [mkwst]
bhill: CfC for UI Security to LCWD last week.
16:15:14 [mkwst]
bhill: Moved frame-options out into mainline CSP 1.1
16:15:31 [mkwst]
bhill: Push previous spec with that bit removed.
16:15:37 [mkwst]
bhill: No objections to CfC.
16:16:10 [mkwst]
bhill: Motion to move UI Security to LCWD?
16:16:32 [mkwst]
ekr: So moved.
16:16:46 [mkwst]
gmaone: seconded.
16:17:06 [mkwst]
bhill: Objection to unanimous consent?
16:17:17 [mkwst]
bhill: None heard. LCWD!
16:17:32 [bhill2]
RESOLVED: UI Security to be advanced to Last Call Working Draft
16:17:51 [bhill2]
TOPIC: Paths, Redirects and information leakage in CSP
16:18:38 [mkwst]
bhill: Proposals from Mike, Michal, etc.
16:18:44 [mkwst]
bhill: summarize?
16:19:09 [mkwst]
dveditz: Summary is that we're screwed. Need to either lose functionality, or live with a bad feature.
16:21:18 [glenn]
zakim, who's noisy?
16:21:28 [bhill2]
option 1: (Egor's proposal) only enforce policy on initial fetch, not on subsequent redirects
16:21:30 [Zakim]
glenn, listening for 11 seconds I heard sound from the following: mkwst (41%)
16:22:13 [mkwst]
mkwst: Summary.
16:23:04 [mkwst]
mkwst: Two options: 1. Allow redirects for source expressions with paths. This would avoid the biggest problem (reading paths cross-origin via brute force).
16:23:14 [bhill2]
option 1 engenders some concern due to widespread presence of open redirectors on many domains
16:24:06 [mkwst]
mkwst: 2. drop reporting, drop the DOM event, pretend that a resource failed to load just as if a network error occurred.
16:24:19 [bhill2]
option 1 also doesn't really solve the problem, it just rate-limits or makes the attacker use tactics like using a frame per path tested
16:25:11 [mkwst]
dveditz: Reporting isn't the problem. Can tell from the page whether or not the resource loaded.
16:27:24 [mkwst]
mkwst: 'script-src'. would allow ->
16:27:33 [bhill2]
option 3: fallback to checking only at domain granularity on redirects
16:27:35 [mkwst]
dveditz: why wouldn't we fall back to domain level granularity?
16:28:30 [mkwst]
mkwst: Complexity. Seems reasonable to have distinct behavior for paths/no-paths.
16:31:18 [mkwst]
bhill: <individual> Option #1 probably isn't so bad.
16:31:26 [mkwst]
bhill: Part of the trust decision for an origin.
16:31:38 [mkwst]
bhill: less likely that there's redirects past a whitelisted path
16:31:41 [bhill2]
I think that option 1 is the best... <hat = individual>
16:31:43 [mkwst]
bhill: not that complicated.
16:31:59 [bhill2]
simple to implement, explain, trust decision is obvious (including implication of possibility of redirects)
16:32:03 [mkwst]
dveditz: Require paths to be a full match for a path segment?
16:32:24 [bhill2]
and trust / risk of including a redirector can be reduced by specifying a path instead of a full host
16:34:12 [mkwst]
dveditz: Suggested that we not report redirects, report more information about the URL in the document.
16:34:23 [mkwst]
dveditz: Want to drop that suggestion.
16:35:48 [mkwst]
dveditz: Shouldn't report URL for same-origin redirects.
16:36:50 [mkwst]
dveditz: No. I'm saying don't change the stripping aspect of the spec.
16:38:09 [mkwst]
dveditz: One more question: has the reporting turned out to be useful for real-world use cases?
16:38:23 [mkwst]
dveditz: Twitter?
16:39:23 [mkwst]
bhill: Folks I've talked to find reporting useful.
16:39:48 [mkwst]
bhill: Report-only is useful. Anomaly detection, etc.
16:40:03 [mkwst]
bhill: Thought-leader with regard to reporting in the security space.
16:40:24 [bhill2]
TOPIC: Extension note text in CSP
16:40:27 [mkwst]
dveditz: Reporting isn't always awesome.
16:40:42 [mkwst]
ekr: Might not be a Mozilla consensus.
16:41:03 [bhill2]
ack glenn
16:41:08 [mkwst]
glenn: Worked with a spec that's making reporting optional, except when report-only is used. Might be reasonable to look at.
16:41:34 [mkwst]
glenn: Not yet public.
16:41:49 [mkwst]
bhill: Reporting does have users. Would make folks unhappy to lose it.
16:42:00 [bhill2]
looks like approaching something like:
16:42:14 [mkwst]
bhill: Extension note discussion.
16:42:26 [mkwst]
glenn: New information, reopening for discussion?
16:42:48 [mkwst]
bhill: Groundswell of interest. Folks expressing concern at the resolution of the objection.
16:42:59 [bhill2]
"User agents may allow users to modify or bypass CSP enforcement, through user preferences and/or third-party additions to the user-agent" so that we're not tied specifically to bookmarklets and extensions.
16:43:16 [gopal]
gopal has joined #webappsec
16:43:22 [bhill2]
or rather "User agents may allow users to modify or bypass CSP enforcement, through user preferences and/or third-party additions to the user-agent."
16:43:38 [mkwst]
glenn: Trying to be accommodating of new suggestions. Last suggestion seems close to something we could accept.
16:43:56 [mkwst]
dveditz: Normative or non-normative.
16:44:15 [gmaone]
What about "User agents should not prevent users from modifying or bypassing etc..."?
16:44:18 [mkwst]
dveditz: Suggestions for UA should not be normative.
16:44:22 [mkwst]
(or Should? :) )
16:44:38 [mkwst]
grobinson: Third-party additions?
16:44:59 [mkwst]
grobinson: Don't want to tacitly accept malware.
16:45:07 [mkwst]
grobinson: "User-instigated third-party additions"?
16:45:18 [mkwst]
bhill: Wide leeway, non-normative.
16:45:29 [mkwst]
bhill: Chrome doesn't allow side-loaded extensions, for example.
16:45:49 [mkwst]
bhill: Don't want to ask for special treatment in that sideloading sense.
16:46:36 [mkwst]
bhill: Can the editors add that language to the spec? Seems satisfactory to everyone in the community who has expressed interest and concern.
16:46:41 [mkwst]
glenn: Ok with this.
16:46:54 [mkwst]
glenn: Neglected to remove a related piece of language in
16:47:02 [mkwst]
glenn: "ignore this step" bookmarklets.
16:47:07 [mkwst]
glenn: Should be removed as well.
16:48:01 [mkwst]
glenn: Falls into the category of "user preferences" or "third-party additions".
16:48:25 [mkwst]
glenn: But tied to the earlier language. Haven't looked at the editing history, but seem closely related.
16:48:31 [mkwst]
glenn: Suggesting that this one should be removed as well.
16:48:38 [bhill2]
"User agents may allow users to modify or bypass CSP enforcement, through user preferences, bookmarklets, and/or third-party additions to the user-agent"
16:48:39 [mkwst]
glenn: New language covers both.
16:49:05 [mkwst]
mkwst: fine with that.
16:51:22 [mkwst]
ekr: I don't care. SHOULD vs MAY vs SHOULD NOT. Not useful.
16:51:29 [mkwst]
bhill: This text seems reasonable. Let's do it.
16:51:41 [mkwst]
bhill: Reflects the consensus. May choose to do this, but not required to.
16:52:04 [mkwst]
bhill: Not going to satisfy everyone, but we can live with it. Should close it and move on.
16:52:13 [mkwst]
wseltzer: Won't be surprised if we see more argument next week.
16:52:21 [terri]
that was me, actually
16:52:26 [mkwst]
bhill: Not everyone's ever going to be happy about anything.
16:52:41 [terri]
(not wseltzer, who I haven't heard today)
16:52:45 [mkwst]
(Sorry, Terri! Bad with voices...)
16:52:57 [bhill2]
ACTION: mkwst to remove
16:52:57 [mkwst]
bhill: Should remove the text as well.
16:52:57 [trackbot]
Error finding 'mkwst'. You can review and register nicknames at <>.
16:53:15 [mkwst]
(bhill: I'm mwest2)
16:53:26 [mkwst]
glenn: Should we update CSP 1.0 as well?
16:53:39 [mkwst]
glenn: We can edit CR before PR, yes?
16:54:14 [mkwst]
bhill: New topic. We have so far declared that we've got consensus on CSP 1.0, moved on. If we want to reopen that, take a poll on the list.
16:54:29 [mkwst]
bhill: Discussion has been in regards to 1.1. Let's bring it up on the list.
16:54:55 [mkwst]
glenn: Fine with that. Just want to point out, Cox will comment at the PR timeframe.
16:55:12 [mkwst]
bhill: Lightning round!
16:55:43 [mkwst]
bhill: Outstanding issues with regard to <meta>, terri?
16:55:57 [mkwst]
terri: If the answer is "nobody knows", that's an answer. We can discuss later.
16:56:22 [mkwst]
dveditz: We had policy-uri. Folks outside Mozilla hated it because of latency, and it was in an HTTP header anyway.
16:56:45 [mkwst]
terri: Brainstormed other ideas?
16:56:59 [mkwst]
terri: Link to discussion?
16:57:10 [mkwst]
dveditz: Before the WG.
16:57:19 [mkwst]
grobinson: policy-uri being removed from Firefox. Latency.
16:57:35 [mkwst]
bhill: search the list (sorry there's no pointer). There was discussion when opening 1.1.
16:57:48 [mkwst]
bhill: Application use cases were described.
16:58:48 [mkwst]
terri: I think I was around for that.
16:58:54 [mkwst]
bhill: Next call in two weeks!
16:59:08 [mkwst]
bhill: IETF meeting! Exciting! Security and privacy next week in London!
16:59:13 [freddyb_]
minor note about process: is it possible to send the notes (or a link to them) to the public-webappsec list?
16:59:15 [mkwst]
bhill: Participate remotely!
16:59:32 [freddyb_]
fwiw, I found them hard to google :-) maybe it's just me though
16:59:35 [bhill2]
zakim, list attendees
16:59:36 [Zakim]
As of this point the attendees have been +49.162.102.aaaa, terri, BHill, [GVoice], gmaone, grobinson, glenn, mkwst, ekr, PeteF, +1.831.246.aacc, dveditz
16:59:41 [freddyb_]
but it would make the outcome of the call more transparent too
16:59:42 [bhill2]
rrsagent, make minutes
16:59:42 [RRSAgent]
I have made the request to generate bhill2
16:59:46 [freddyb_]
thanks bhill2
16:59:49 [bhill2]
rrsagent, set logs public-visisible
17:00:02 [bhill2]
rrsagent, set logs public-visible
17:00:25 [Zakim]
SEC_WASWG()11:00AM has ended
17:00:25 [Zakim]
Attendees were +49.162.102.aaaa, terri, BHill, [GVoice], gmaone, grobinson, glenn, mkwst, ekr, PeteF, +1.831.246.aacc, dveditz
17:40:56 [ekr]
ekr has joined #webappsec
18:19:36 [terri]
terri has joined #webappsec
18:22:15 [ekr]
ekr has joined #webappsec
18:27:50 [gmaone]
gmaone has joined #webappsec
18:32:22 [glenn]
glenn has joined #webappsec
19:04:25 [ekr]
ekr has joined #webappsec
19:27:36 [Zakim]
Zakim has left #webappsec
19:32:48 [ekr]
ekr has joined #webappsec
20:12:06 [ekr]
ekr has joined #webappsec
20:33:38 [glenn]
glenn has joined #webappsec
20:54:40 [glenn]
glenn has joined #webappsec