16:03:13 <RRSAgent> RRSAgent has joined #webappsec
16:03:13 <RRSAgent> logging to http://www.w3.org/2014/02/26-webappsec-irc
16:03:20 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0128.html
16:03:33 <bhill2> Meeting: WebAppSec WG Teleconference 26-Feb-2014
16:03:37 <bhill2> Chairs: bhill2, ekr
16:03:40 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0128.html
16:03:53 <bhill2> zakim, who is here?
16:03:53 <Zakim> sorry, bhill2, I don't know what conference this is
16:03:54 <Zakim> On IRC I see RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
16:03:58 <bhill2> zakim, this is 92794
16:03:58 <Zakim> ok, bhill2; that matches SEC_WASWG()11:00AM
16:04:00 <Zakim> +??P22
16:04:03 <bhill2> zakim, who is here?
16:04:03 <Zakim> On the phone I see +49.162.102.aaaa, terri, BHill, +1.315.849.aabb, [Mozilla], [GVoice], ??P22
16:04:06 <Zakim> On IRC I see RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
16:04:11 <mkwst> zakim, who is talking?
16:04:18 <gmaone> Zakim, ??P22 is gmaone
16:04:18 <Zakim> +gmaone; got it
16:04:22 <ekr> ekr has joined #webappsec
16:04:23 <Zakim> mkwst, listening for 10 seconds I heard sound from the following: BHill (39%)
16:04:40 <bhill2> zakim, [Mozilla] has grobinson
16:04:40 <Zakim> +grobinson; got it
16:04:49 <Zakim> +glenn
16:05:06 <wuwei_> wuwei_ has joined #webappsec
16:05:15 <mkwst> zakim, aaaa is mkwst.
16:05:16 <Zakim> +mkwst; got it
16:05:52 <PeteF> +1.315.849.aabb is Pete Freitag... just listening in
16:06:15 <bhill2> zakim, who is here?
16:06:15 <Zakim> On the phone I see mkwst, terri, BHill, +1.315.849.aabb, [Mozilla], [GVoice], gmaone, glenn
16:06:17 <Zakim> [Mozilla] has grobinson
16:06:17 <Zakim> On IRC I see wuwei_, ekr, RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
16:06:22 <grobinson> grobinson has joined #webappsec
16:06:49 <ekr> [Mozilla] has ekr
16:06:56 <bhill2> zakim, [mozilla] has ekr
16:06:56 <Zakim> +ekr; got it
16:06:58 <gmaone> zakim, +1.315.849.aabb is PeteF
16:06:58 <Zakim> +PeteF; got it
16:07:51 <bhill2> Scribe: Mike West
16:07:58 <bhill2> Scribenick: mkwst
16:08:09 <bhill2> TOPIC: Minutes approval
16:08:15 <bhill2> http://www.w3.org/2014/02/12-webappsec-minutes.html
16:08:17 <Zakim> + +1.831.246.aacc
16:08:22 <mkwst> bhill: Objections to last time's minutes?
16:08:32 <mkwst> bhill: Approved!
16:08:40 <bhill2> zakim, aacc is dveditz
16:08:40 <Zakim> +dveditz; got it
16:08:48 <bhill2> TOPIC: Agenda Bashing
16:09:18 <mkwst> bhill: How do we get subint to FPWD?
16:09:40 <mkwst> dveditz: Is redirection part of the leakage discussion?
16:09:44 <mkwst> mkwst: yes.
16:09:54 <bhill2> TOPIC: Open Actions Reveiw
16:10:00 <bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
16:11:07 <mkwst> bhill: Blobs, dveditz?
16:11:23 <mkwst> mkwst: Current language is that blobs need to be whitelisted explicitly as 'blob:'.
16:11:30 <mkwst> dveditz: Should be ok.
16:11:38 <Zakim> +??P18
16:11:45 <mkwst> dveditz: One thing.
16:12:13 <mkwst> dveditz: 'data:' should not match '*'.
16:12:32 <mkwst> dveditz: 'blob:' too. They should be treated as 'unsafe-inline'.
16:12:53 <freddyb_> freddyb_ has joined #webappsec
16:13:13 <mkwst> mkwst: Propose some text?
16:13:21 <mkwst> dveditz: Sure, where?
16:13:33 <mkwst> mkwst: In the matching algorithm section. Could add a note anywhere thought.
16:13:42 <mkwst> dveditz: Intent is to include blob and data.
16:14:17 <mkwst> mkwst: will find some language for you.
16:14:44 <bhill2> TOPIC: Call for consensus on UI Security LCWD
16:14:45 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0092.html
16:15:07 <mkwst> bhill: CfC for UI Security to LCWD last week.
16:15:14 <mkwst> bhill: Moved frame-options out into mainline CSP 1.1
16:15:31 <mkwst> bhill: Push previous spec with that bit removed.
16:15:37 <mkwst> bhill: No objections to CfC.
16:16:10 <mkwst> bhill: Motion to move UI Security to LCWD?
16:16:32 <mkwst> ekr: So moved.
16:16:38 <gmaone> second
16:16:46 <mkwst> gmaone: seconded.
16:17:06 <mkwst> bhill: Objection to unanimous consent?
16:17:17 <mkwst> bhill: None heard. LCWD!
16:17:32 <bhill2> RESOLVED: UI Security to be advanced to Last Call Working Draft
16:17:51 <bhill2> TOPIC: Paths, Redirects and information leakage in CSP
16:17:52 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0127.html
16:18:38 <mkwst> bhill: Proposals from Mike, Michal, etc.
16:18:44 <mkwst> bhill: summarize?
16:19:09 <mkwst> dveditz: Summary is that we're screwed. Need to either lose functionality, or live with a bad feature.
16:21:18 <glenn> zakim, who's noisy?
16:21:28 <bhill2> option 1: (Egor's proposal) only enforce policy on initial fetch, not on subsequent redirects
16:21:30 <Zakim> glenn, listening for 11 seconds I heard sound from the following: mkwst (41%)
16:22:13 <mkwst> mkwst: Summary.
16:23:04 <mkwst> mkwst: Two options: 1. Allow redirects for source expressions with paths. This would avoid the biggest problem (reading paths cross-origin via brute force).
16:23:14 <bhill2> option 1 engenders some concern due to widespread presence of open redirectors on many domains
16:24:06 <mkwst> mkwst: 2. drop reporting, drop the DOM event, pretend that a resource failed to load just as if a network error occurred.
16:24:19 <bhill2> option 1 also doesn't really solve the problem, it just rate-limits or makes the attacker use tactics like using a frame-per path tested
16:25:11 <mkwst> dveditz: Reporting isn't the problem. Can tell from the page whether or not the resource loaded.
16:27:24 <mkwst> mkwst: 'script-src example.com/js'. would allow example.com/js/redirect -> evil.com
16:27:33 <bhill2> option 3: fallback to checking only at domain granularity on redirects
16:27:35 <mkwst> dveditz: why wouldn't we fall back to domain level granularity?
16:28:30 <mkwst> mkwst: Complexity. Seems reasonable to have distinct behavior for paths/no-paths.
16:31:18 <mkwst> bhill: <individual> Option #1 probably isn't so bad.
16:31:26 <mkwst> bhill: Part of the trust decision for an origin.
16:31:38 <mkwst> bhill: less likely that there's redirects past a whitelisted path
16:31:41 <bhill2> I think that option 1 is the best... <hat = individual>
16:31:43 <mkwst> bhill: not that complicated.
16:31:59 <bhill2> simple to implement, explain, trust decision is obvious (including implication of possibility of redirects)
16:32:03 <mkwst> dveditz: Require paths to be a full match for a path segment?
16:32:24 <bhill2> and trust / risk of including a redirector can be reduced by specifying a path instead of a full host
16:34:12 <mkwst> dveditz: Suggested that we not report redirects, report more information about the URL in the document.
16:34:23 <mkwst> dveditz: Want to drop that suggestion.
16:35:48 <mkwst> dveditz: Shouldn't report URL for same-origin redirects.
16:36:50 <mkwst> dveditz: No. I'm saying dont' change the stripping aspect of the spec.
16:38:09 <mkwst> dveditz: One more question: has the reporting turned out to be useful for real-world use cases?
16:38:23 <mkwst> dveditz: Twitter?
16:38:57 <glenn> q+
16:39:23 <mkwst> bhill: Folks I've talked to find reporting useful.
16:39:48 <mkwst> bhill: Report-only is useful. Anomaly detection, etc.
16:40:03 <mkwst> bhill: Thought-leader with regard to reporting in the security space.
16:40:24 <bhill2> TOPIC: Extension note text in CSP
16:40:27 <mkwst> dveditz: Reporting isn't always awesome.
16:40:42 <mkwst> ekr: Might not be a Mozilla consensus.
16:41:03 <bhill2> ack glenn
16:41:08 <mkwst> glenn: Worked with a spec that's making reporting optional, except when report-only is used. Might be reasonable to look at.
16:41:34 <mkwst> glenn: Not yet public.
16:41:49 <mkwst> bhill: Reporting does have users. Would make folks unhappy to lose it.
16:42:00 <bhill2> looks like approaching something like:
16:42:14 <mkwst> bhill: Extension note discussion.
16:42:26 <mkwst> glenn: New information, reopening for discussion?
16:42:48 <mkwst> bhill: Groundswell of interest. Folks expressing concern at the resolution of the objection.
16:42:59 <bhill2> "User agents may allow users to modify or bypass CSP enforcement, through user preferences and/or third-party additions to the user-agent" so that we're not tied to specifically bookmarklets and extensions."
16:43:16 <gopal> gopal has joined #webappsec
16:43:22 <bhill2> or rather "User agents may allow users to modify or bypass CSP enforcement, through user preferences and/or third-party additions to the user-agent."
16:43:38 <mkwst> glenn: Trying to be accommodating of new suggestions. Last suggestions seems close to something we could accept.
16:43:56 <mkwst> dveditz: Normative or non-normative.
16:44:15 <gmaone> What about "User agents should not prevent users from modifying or bypass etc..."?
16:44:18 <mkwst> dveditz: Suggestions for UA should not be normative.
16:44:22 <glenn> q+
16:44:22 <mkwst> (or Should? :) )
16:44:38 <mkwst> grobinson: Third-party additions?
16:44:59 <mkwst> grobinson: Don't want to tacitly accept malware.
16:45:07 <mkwst> grobinson: "User-instigated third-party additions"?
16:45:18 <mkwst> bhill: Wide leeway, non-normative.
16:45:29 <mkwst> bhill: Chrome doesn't allow side-loaded extensions, for example.
16:45:49 <mkwst> bhill: Don't want to ask for special treatment in that sideloading sense.
16:46:36 <mkwst> bhill: Can the editors add that language to the spec? Seems satisfactory to everyone in the community who has expressed interest and concern.
16:46:41 <mkwst> glenn: Ok with this.
16:46:54 <mkwst> glenn: Neglected to remove a related piece of language in 3.2.5.17.
16:47:02 <mkwst> glenn: "ignore this step" bookmarklets.
16:47:07 <mkwst> glenn: Should be remove as well.
16:48:01 <mkwst> glenn: Falls into the category of "user preferences" or "third-party additions".
16:48:25 <mkwst> glenn: But tied to the earlier language. Haven't looked at the editing history, but seem closely related.
16:48:31 <mkwst> glenn: Suggesting that this one should be removed as well.
16:48:38 <bhill2> "User agents may allow users to modify or bypass CSP enforcement, through user preferences, bookmarklets, and/or third-party additions to the user-agent"
16:48:39 <mkwst> glenn: New language covers both.
16:49:05 <mkwst> mkwst: fine with that.
16:51:22 <mkwst> ekr: I don't care. SHOULD vs MAY vs SHOULD NOT. Not useful.
16:51:29 <mkwst> bhill: This text seems reasonable. Let's do it.
16:51:41 <mkwst> bhill: Reflects the consensus. May choose to do this, but not required to.
16:52:04 <mkwst> bhill: Not going to satisfy everyone, but we can live with it. Should close it and move on.
16:52:13 <mkwst> wseltzer: Won't be surprised if we see more argument next week.
16:52:21 <terri> that was me, actually
16:52:26 <mkwst> bhill: Not everyone's ever going to be happy about anything.
16:52:41 <terri> (not wseltzer, who I haven't heard today)
16:52:45 <mkwst> (Sorry, Terri! Bad with voices...)
16:52:57 <bhill2> ACTION: mkwst to remove 3.2.5.17
16:52:57 <mkwst> bhill: Should remove the 3.2.5.17 text as well.
16:52:57 <trackbot> Error finding 'mkwst'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
16:53:15 <mkwst> (bhill: I'm mwest2)
16:53:26 <mkwst> glenn: Should we update CSP 1.0 as well?
16:53:39 <mkwst> glenn: We can edit CR before PR, yes?
16:54:14 <mkwst> bhill: New topic. We have so far declared that we've got consensus on  CSP 1.0, moved on. If we want to reopen that, take a poll on the list.
16:54:29 <mkwst> bhill: Discussion has been in regards to 1.1. Let's bring it up on the list.
16:54:55 <mkwst> glenn: Fine with that. Just want to point out, Cox will comment at the PR timeframe.
16:55:12 <mkwst> bhill: Lightning round!
16:55:43 <mkwst> bhill: Outstanding issues with regard to <meta>, terri?
16:55:57 <mkwst> terri: If the answer is "nobody knows", that's an answer. We can discuss later.
16:56:22 <mkwst> dveditz: We had policy-uri. Folks outside Mozilla hated it because of latency, and it was in an HTTP header anyway.
16:56:45 <mkwst> terri: Brainstormed other ideas?
16:56:59 <mkwst> terri: Link to discussion?
16:57:10 <mkwst> dveditz: Before the WG.
16:57:19 <mkwst> grobinson: policy-uri being removed from Firefox. Latency.
16:57:35 <mkwst> bhill: search the list (sorry there's no pointer). There was discussion when opening 1.1.
16:57:48 <mkwst> bhill: Application use cases were described.
16:58:48 <mkwst> terri: I think I was around for that.
16:58:54 <mkwst> bhill: Next call in two weeks!
16:59:08 <mkwst> bhill: IETF meeting! Exciting! Security and privacy next week in London!
16:59:13 <freddyb_> minor note about process: is it possible to send the notes (or a link to them) to the public-webappsec list?
16:59:15 <mkwst> bhill: Participate remotely!
16:59:26 <Zakim> -glenn
16:59:27 <Zakim> -dveditz
16:59:32 <freddyb_> fwiw, I found them hard to google :-) maybe it's just me though
16:59:35 <Zakim> -[Mozilla]
16:59:35 <bhill2> zakim, list attendees
16:59:36 <Zakim> As of this point the attendees have been +49.162.102.aaaa, terri, BHill, [GVoice], gmaone, grobinson, glenn, mkwst, ekr, PeteF, +1.831.246.aacc, dveditz
16:59:41 <freddyb_> but it would make the outcome of the call more transparent too
16:59:42 <bhill2> rrsagent, make minutes
16:59:42 <RRSAgent> I have made the request to generate http://www.w3.org/2014/02/26-webappsec-minutes.html bhill2
16:59:46 <freddyb_> thanks bhill2
16:59:47 <Zakim> -gmaone
16:59:49 <bhill2> rrsagent, set logs public-visisible
16:59:59 <Zakim> -??P18
17:00:02 <bhill2> rrsagent, set logs public-visible
17:00:05 <Zakim> -[GVoice]
17:00:06 <Zakim> -mkwst
17:00:14 <Zakim> -PeteF
17:00:17 <Zakim> -BHill
17:00:24 <Zakim> -terri
17:00:25 <Zakim> SEC_WASWG()11:00AM has ended
17:00:25 <Zakim> Attendees were +49.162.102.aaaa, terri, BHill, [GVoice], gmaone, grobinson, glenn, mkwst, ekr, PeteF, +1.831.246.aacc, dveditz
17:40:56 <ekr> ekr has joined #webappsec
18:19:36 <terri> terri has joined #webappsec
18:22:15 <ekr> ekr has joined #webappsec
18:27:50 <gmaone> gmaone has joined #webappsec
18:32:22 <glenn> glenn has joined #webappsec
19:04:25 <ekr> ekr has joined #webappsec
19:27:36 <Zakim> Zakim has left #webappsec
19:32:48 <ekr> ekr has joined #webappsec
20:12:06 <ekr> ekr has joined #webappsec
20:33:38 <glenn> glenn has joined #webappsec
20:54:40 <glenn> glenn has joined #webappsec