IRC log of webappsec on 2014-04-23

Timestamps are in UTC.

14:38:45 [RRSAgent]
RRSAgent has joined #webappsec
14:38:45 [RRSAgent]
logging to
14:38:47 [trackbot]
RRSAgent, make logs world
14:38:47 [Zakim]
Zakim has joined #webappsec
14:38:49 [trackbot]
Zakim, this will be WASWG
14:38:49 [Zakim]
ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 22 minutes
14:38:50 [trackbot]
Meeting: Web Application Security Working Group Teleconference
14:38:50 [trackbot]
Date: 23 April 2014
14:55:13 [glenn]
glenn has joined #webappsec
14:59:59 [terri]
terri has joined #webappsec
15:01:00 [grobinson]
grobinson has joined #webappsec
15:01:22 [Zakim]
SEC_WASWG()11:00AM has now started
15:01:29 [Zakim]
+ +1.866.294.aaaa
15:01:48 [klee]
klee has joined #webappsec
15:02:00 [Zakim]
+ +49.162.102.aabb
15:02:05 [bhill2]
bhill2 has joined #webappsec
15:02:05 [gmaone]
gmaone has joined #webappsec
15:02:21 [bhill2]
bhill2 has changed the topic to:
15:02:30 [Zakim]
15:02:39 [bhill2]
Meeting: WebAppSec WG Teleconference 23-April-2014
15:02:42 [Zakim]
15:02:49 [freddyb]
Zakim, I am P4
15:02:49 [Zakim]
sorry, freddyb, I do not see a party named 'P4'
15:02:55 [freddyb]
Zakim, I am ??P4
15:02:55 [Zakim]
+freddyb; got it
15:02:56 [Zakim]
+ +1.503.712.aacc
15:02:59 [Zakim]
15:03:06 [bhill2]
15:03:07 [terri]
Zakim: I am aacc
15:03:13 [terri]
Zakim, I am aacc
15:03:13 [Zakim]
+terri; got it
15:03:14 [Zakim]
15:03:24 [bhill2]
Chairs: bhill2 ekr
15:03:29 [Zakim]
15:03:39 [gmaone]
Zakim, I am ??P7
15:03:39 [Zakim]
+gmaone; got it
15:03:43 [Zakim]
15:04:06 [mkwst_]
Zakim, I am aabb
15:04:06 [Zakim]
+mkwst_; got it
15:04:18 [tanvi]
tanvi has joined #webappsec
15:04:24 [bhill2]
zakim, who is here?
15:04:24 [Zakim]
On the phone I see +1.866.294.aaaa, mkwst_, glenn, freddyb, terri, WSeltzer, BHill, gmaone, [GVoice]
15:04:26 [Zakim]
On IRC I see tanvi, gmaone, bhill2, klee, grobinson, terri, glenn, Zakim, RRSAgent, richt, timeless_, mkwst_, trackbot, wseltzer, freddyb, tobie__
15:04:38 [Zakim]
+ +1.310.597.aadd
15:04:42 [bhill2]
Glenn, will you be able to scribe today?
15:04:49 [richt]
richt has left #webappsec
15:04:53 [tanvi]
zakim, aadd is tanvi
15:04:54 [Zakim]
+tanvi; got it
15:05:09 [grobinson]
Zakim, I am [GVoice]
15:05:09 [Zakim]
ok, grobinson, I now associate you with [GVoice]
15:05:22 [glenn]
scribenick: glenn
15:05:31 [glenn]
chair: bhill2
15:06:55 [glenn]
bhill2: JS conf coming up in portland or, aug 1-2, testing CSP
15:07:24 [glenn]
... TTWF activity
15:07:53 [bhill2]
TTWF at CascadiaJS, August 2, focusing on CSP
15:08:10 [bhill2]
following Cascadia JS CascadiaJS 2014 | Portland, OR
15:08:17 [bhill2]
15:08:43 [glenn]
bhill2: minutes approval
15:08:50 [bhill2]
Draft minutes at:
15:09:02 [glenn]
... any objections to approve?
15:09:10 [glenn]
... none, minutes approved
15:09:15 [glenn]
topic: agenda bashing
15:09:28 [Zakim]
15:09:52 [bhill2]
TOPIC: Review of Open Actions in the Tracker
15:09:57 [bhill2]
15:10:23 [glenn]
... no owners here ... should we reassign?
15:10:43 [glenn]
mkwst_: sounds reasonable
15:10:51 [bhill2]
Github repo for SRI:
15:11:04 [glenn]
bhill2: we have an alternate issues tracked on SRI on above repo
15:11:27 [glenn]
mkwst_: important topic
15:11:51 [puhley]
puhley has joined #webappsec
15:11:52 [glenn]
bhill2: any thoughts?
15:12:03 [wseltzer]
15:12:05 [glenn]
tanvi: fine with either
15:12:23 [glenn]
... didn't include in prev mtgs
15:12:31 [freddyb]
s/tanvi/freddyb :-)
15:12:41 [glenn]
bhill2: wrote new agenda generator
15:12:57 [glenn]
... will come up regularly from now on
15:13:08 [glenn]
... do we want to migrate action items? issues?
15:13:30 [glenn]
mkwst_: can assign milestones
15:13:36 [glenn]
... can use one or the other
15:13:53 [glenn]
... github issues more likely to be seen outside WG
15:14:02 [glenn]
... OTOH W3C integrates better with zakim
15:14:21 [glenn]
... vague pref for github, but either way is ok
15:14:49 [glenn]
bhill2: for now, cont fwd with both
15:14:57 [glenn]
... sync up with doc edits
15:15:17 [glenn]
... may be a little extra work
15:15:36 [glenn]
wseltzer: could have a script to sync?
15:15:42 [wseltzer]
15:15:50 [terri]
that was me
15:15:59 [wseltzer]
15:15:59 [glenn]
15:16:32 [glenn]
wseltzer: we don't care which tools are used, but do want to make clear IP commitments on contributions
15:16:53 [glenn]
... further vetting needed on input from outside WG
15:17:07 [Zakim]
+ +1.831.246.aaee
15:17:56 [glenn]
?: ietf has similar issues
15:18:21 [bhill2]
ekr: suggests any substantive issue must also be raised to the list to make IPR commitments clear
15:19:16 [glenn]
15:20:29 [bhill2]
zakim, aaee is dveditz
15:20:29 [Zakim]
+dveditz; got it
15:20:56 [bhill2]
TOPIC: [CSP] SVG-in-img implementation difference
15:21:08 [glenn]
bhill2: new recent questions
15:21:12 [bhill2]
15:21:38 [glenn]
... CSP rules should cascade into SVG
15:21:53 [glenn]
... e.g., img src=svg with embedded image in svg
15:22:37 [glenn]
?: diff between FF and CHROME
15:22:47 [glenn]
... svg as an image vs svg as inline
15:23:10 [glenn]
... what FF does is render SVG in own doc, sort of like an iframe
15:23:26 [glenn]
... regardless what CSP says, then incorporate results into page
15:24:26 [glenn]
?: supposes inline styles should be allowed for SVG
15:24:40 [bhill2]
New draft from last week:
15:24:40 [freddyb]
1st "?" was dveditz, 2nd was me
15:24:47 [bhill2]
15:24:57 [wseltzer]
s/?: diff/dveditz: diff/
15:25:08 [glenn]
s/?: diff/dveditz: diff/
15:25:16 [wseltzer]
s/?: supposes/freddyb: supposes/
15:25:49 [glenn]
bhill2: how CSP policies apply to incorporating SVG
15:26:19 [glenn]
... should arrange a call with SVG WG to discuss
15:26:54 [bhill2]
ISSUE clarify SVG rules for CSP in 1.1
15:27:31 [glenn]
terri: really need to treat SVG as active content
15:28:03 [bhill2]
ACTION bhill2 to arrange some joint meeting time with SVG WG
15:28:03 [trackbot]
Created ACTION-170 - Arrange some joint meeting time with svg wg [on Brad Hill - due 2014-04-30].
15:28:22 [bhill2]
TOPIC: [Integrity] Comments/Questions on Subresource Integrity spec
15:28:30 [bhill2]
15:28:59 [glenn]
terri: default should be fallback mode
15:29:06 [terri]
15:30:05 [glenn]
tanvi: 2nd item was non-canonical src
15:30:19 [glenn]
... if fails should fallback be over https? brad says no
15:30:41 [glenn]
... agrees should not require... let author decide
15:31:37 [glenn]
mkwst_: pushback in chrome team on doing some integrity tests
15:32:05 [glenn]
... specifically for resources served by means other than https
15:32:20 [glenn]
... push for using https everywhere
15:32:31 [glenn]
... see blink-dev
15:33:04 [glenn]
ekr: is this chrome or google position?
15:33:25 [ekr]
ekr has joined #webappsec
15:33:49 [glenn]
mkwst_: some diffs in opinion; chrome infrastructure team more interested
15:33:59 [ekr]
mkwst: can you repost that link....
15:34:02 [tanvi]
in the spec in general?
15:34:30 [glenn]
?: should forbid fallback to protocols other than https?
15:34:43 [glenn]
... how should UAs regard fallback
15:34:43 [tanvi]
15:34:47 [mkwst_] is the thread I'm thinking about.
15:34:53 [glenn]
15:35:34 [glenn]
bhill2: separate UI impact
15:35:54 [glenn]
ekr: lot of discussion of this topic in london
15:36:11 [glenn]
... worried about pushback from chrome
15:36:32 [glenn]
mkwst_: intent to implement was approved, but only for https
15:36:40 [glenn]
... see how it works on a small sample
15:37:04 [glenn]
... wants basic checks on functionality ... wants data to proceed with further issues
15:37:23 [glenn]
... blink pos at moment is: let's see if it works
15:37:26 [glenn]
... then we
15:37:35 [glenn]
... we will look further
15:38:55 [glenn]
terri: could be used to test for lib version change then fallback to known version
15:39:27 [glenn]
bhill2: further comments? tanvi?
15:39:36 [glenn]
tanvi: not now
15:40:03 [terri]
15:40:13 [glenn]
TOPIC: what to hash?
15:40:25 [glenn]
terri, tanvi: sorry haven't registered voices yet
15:40:33 [bhill2]
TOPIC: CSP no-external-navigation
15:40:40 [terri]
glenn, don't worry, I had the same problem scribing last week!
15:40:44 [bhill2]
15:41:38 [glenn]
mkwst_: sounds reasonable (no-external-navigation)
15:41:48 [glenn]
... first concern is nav by script injection
15:41:54 [glenn]
... meta redirects not covered
15:42:03 [glenn]
... talked about before but not much support then
15:42:09 [glenn]
... e.g., redirect to JS url
15:42:22 [glenn]
... didn't talk about meta redirects at that time
15:42:37 [glenn]
... worried about one thread dan pointed to (blocking from pages maliciously)
15:42:49 [glenn]
... but NOT FOR 1.1
15:43:53 [glenn]
dveditz: CSP currently does nothing to prevent injecting links or clickable images (possibly image)
15:44:01 [glenn]
... folks concerned about these cases
15:44:08 [glenn]
... who would use this?
15:44:29 [Zakim]
15:44:32 [glenn]
mkwst_: some would use to hold user on page
15:44:48 [glenn]
bhill2: some confusion on what CSP is trying to do
15:44:59 [glenn]
... possibly beyond scope
15:45:19 [glenn]
... maybe "meta" is interesting case
15:45:40 [glenn]
... think more about meta in 1.2?
15:45:44 [glenn]
mkwst_: yes
15:46:24 [bhill2]
TOPIC: CSP, Blob Workers, and Firefox
15:46:30 [bhill2]
15:46:41 [glenn]
bhill2: have talked about this a number of times
15:46:45 [glenn]
... but keeps coming up
15:46:58 [glenn]
... make sure we have consensus reflected in 1.1 spec text
15:47:46 [glenn]
... what made it into spec text was that blob uris and similar file uris must be explicitly listed: won't match * policy
15:47:46 [Zakim]
15:48:04 [glenn]
... does that reflect consensus?
15:48:19 [glenn]
... no objections, will stand as specified
15:48:32 [glenn]
mkwst_: keeps coming up because chrome doesn't implement this yet
15:48:48 [bhill2]
TOPIC: webappsec-ISSUE-58 (Late binding of CSP): Late binding of CSP policies [CSP 1.1]
15:48:58 [bhill2]
15:49:29 [glenn]
bhill2: mutability after doc load
15:49:37 [glenn]
... current policy is NOT MUTABLE
15:49:56 [glenn]
... but may need to revisit, as keeps coming up: service workers, installable webapps
15:50:18 [glenn]
... e.g., policy to take effect after service worker launched
15:50:28 [glenn]
... may differ from initial policy
15:50:45 [glenn]
... possible inconsistency between policies
15:50:59 [glenn]
dveditz: is that really late binding?
15:51:07 [glenn]
... one visit and a later visit?
15:51:15 [glenn]
bhill2: depends on model of doc life cycle
15:51:36 [glenn]
... is an installed app a single resource, or for each instantiation a new life cycle?
15:52:04 [glenn]
dveditz: page might bounce around server farms on different visits
15:52:11 [glenn]
... could get diff CSP on diff visits
15:52:16 [glenn]
... may be bug or intentional
15:52:27 [glenn]
... what is in spec doesn't prevent or allow...
15:53:00 [glenn]
?: no guarantee that diff loads produce same content or same policy
15:54:13 [bhill2]
ACTION bhill2 to propose text to list on ISSUE-58
15:54:13 [trackbot]
Created ACTION-171 - Propose text to list on issue-58 [on Brad Hill - due 2014-04-30].
15:54:22 [glenn]
topic: AOB
15:54:29 [glenn]
bhill2: aob?
15:54:37 [glenn]
topic: Adjournment
15:54:44 [Zakim]
15:54:45 [Zakim]
15:54:46 [bhill2]
rrsagent, make minutes
15:54:46 [RRSAgent]
I have made the request to generate bhill2
15:54:48 [glenn]
bhill2: adjourned, next meeting in 2 weeks
15:54:52 [Zakim]
15:54:53 [bhill2]
rrsagent, set logs public-visible
15:54:54 [Zakim]
15:54:57 [Zakim]
15:54:59 [Zakim]
15:55:01 [Zakim]
15:56:00 [Zakim]
15:58:12 [Zakim]
15:58:17 [Zakim]
15:58:22 [Zakim]
15:58:35 [Zakim]
- +1.866.294.aaaa
15:58:36 [Zakim]
SEC_WASWG()11:00AM has ended
15:58:36 [Zakim]
Attendees were +1.866.294.aaaa, +49.162.102.aabb, glenn, freddyb, +1.503.712.aacc, WSeltzer, terri, BHill, gmaone, [GVoice], mkwst_, +1.310.597.aadd, tanvi, ekr, +1.831.246.aaee,
15:58:36 [Zakim]
... dveditz
17:10:51 [tanvi]
tanvi has joined #webappsec
17:41:00 [Zakim]
Zakim has left #webappsec
17:52:11 [tanvi]
tanvi has left #webappsec
18:07:56 [puhley]
puhley has left #webappsec