IRC log of webappsec on 2014-05-07

Timestamps are in UTC.

14:50:20 [RRSAgent]
RRSAgent has joined #webappsec
14:50:20 [RRSAgent]
logging to
14:50:22 [trackbot]
RRSAgent, make logs world
14:50:22 [Zakim]
Zakim has joined #webappsec
14:50:24 [trackbot]
Zakim, this will be WASWG
14:50:24 [Zakim]
ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 10 minutes
14:50:25 [trackbot]
Meeting: Web Application Security Working Group Teleconference
14:50:25 [trackbot]
Date: 07 May 2014
14:55:28 [neilm]
neilm has joined #webappsec
14:55:39 [bhill2]
bhill2 has joined #webappsec
14:55:44 [terri]
terri has joined #webappsec
14:55:59 [bhill2]
bhill2 has changed the topic to:
14:56:08 [wseltzer]
14:58:02 [Zakim]
SEC_WASWG()11:00AM has now started
14:58:10 [Zakim]
+ +1.949.273.aaaa
14:58:24 [neilm]
zakim, aaaa is neilm
14:58:24 [Zakim]
+neilm; got it
14:59:11 [Zakim]
14:59:23 [Zakim]
14:59:25 [Zakim]
14:59:50 [bhill2]
Meeting: WebAppSec WG Teleconference, 7-May-2014
14:59:55 [bhill2]
Chairs: bhill2, dveditz
15:00:04 [bhill2]
15:01:13 [Zakim]
15:01:24 [gmaone]
Zakim, ??P14 is gmaone
15:01:24 [Zakim]
+gmaone; got it
15:01:52 [mkwst_]
zakim's being weird. :(
15:02:05 [Zakim]
15:02:16 [devd]
devd has joined #webappsec
15:02:20 [grobinson]
grobinson has joined #webappsec
15:02:49 [Zakim]
+ +1.559.927.aabb
15:03:46 [bhill2]
zakim, aabb is devdatta
15:03:46 [Zakim]
+devdatta; got it
15:04:16 [wseltzer]
some scribe instructions:
15:05:41 [bhill2]
zakim, who is here?
15:05:41 [Zakim]
On the phone I see neilm, BHill, terri, Wendy, gmaone, mkwst_, devdatta
15:05:44 [Zakim]
On IRC I see grobinson, devd, terri, bhill2, neilm, Zakim, RRSAgent, gmaone, mkwst_, tobie, timeless_, trackbot, wseltzer, freddyb
15:06:46 [tanvi]
tanvi has joined #webappsec
15:07:48 [wseltzer]
Topic: Welcome Dan Veditz as co-chair
15:07:56 [Zakim]
15:08:31 [grobinson]
zakim, [GVoice] is grobinson
15:08:32 [Zakim]
+grobinson; got it
15:09:25 [Zakim]
15:09:50 [tanvi]
Zakim, who is here
15:09:50 [Zakim]
tanvi, you need to end that query with '?'
15:09:57 [tanvi]
Zakim, who is here?
15:09:57 [Zakim]
On the phone I see neilm, BHill, terri, Wendy, gmaone, mkwst_, devdatta, grobinson, tanvi
15:09:59 [Zakim]
On IRC I see tanvi, grobinson, devd, terri, bhill2, neilm, Zakim, RRSAgent, gmaone, mkwst_, tobie, timeless_, trackbot, wseltzer, freddyb
15:09:59 [Zakim]
15:10:08 [devd]
bhill: EKR steps down after years of work as chair. Thanks to EKR for all his good work over the years! congrats to dveditz for being new chair and thanks to dveditz.
15:10:19 [devd]
bhill: TPAC is end of October in San Jose/bayarea. Call for exclusions still open on UI Security and SRI
15:10:29 [bhill2]
TOPIC: Minutes Approval
15:10:36 [bhill2]
15:10:53 [bhill2]
minutes approved
15:11:03 [bhill2]
TOPIC: Tracker actions
15:11:04 [bhill2]
15:11:36 [bhill2]
zakim, who is making noise?
15:11:44 [wseltzer]
15:11:44 [trackbot]
action-167 -- Devdatta Akhawe to Respond to list queries about hints for content-addressable storage -- due 2014-04-16 -- OPEN
15:11:44 [trackbot]
15:11:47 [Zakim]
bhill2, listening for 10 seconds I heard sound from the following: grobinson (81%), devdatta (4%)
15:12:00 [bhill2]
zakim, mute grobinson
15:12:00 [Zakim]
grobinson should now be muted
15:12:02 [grobinson]
muted, sorry
15:12:13 [wseltzer]
15:12:13 [trackbot]
action-169 -- Devdatta Akhawe to Read and respond to use of sri hashes for caching/alternate locations: -- due 2014-04-16 -- OPEN
15:12:13 [trackbot]
15:13:04 [devd]
I will just go ahead and change the due dates
15:13:10 [bhill2]
actions 167 and 169, regarding content-addressable-storage with SRI, will update due-dates
15:13:10 [devd]
for action 167 and 169
15:13:18 [wseltzer]
15:13:18 [trackbot]
action-168 -- Brad Hill to Raise to the list handling of csp associated with installed apps as possible spec note -- due 2014-04-16 -- OPEN
15:13:18 [trackbot]
15:15:11 [Zakim]
15:16:08 [bhill2]
mkwst: the issue with ServiceWorker isn't mutation of the policy per-se, but differnent resolution of resource loads associated with a different policy
15:17:10 [bhill2]
devd: there are issues over on GitHub for ServiceWorker to review on this
15:17:24 [bhill2]
ACTION mkwst to review ServiceWorker issues relevant to CSP
15:17:24 [trackbot]
Error finding 'mkwst'. You can review and register nicknames at <>.
15:17:48 [bhill2]
ACTION mwest2 to review ServiceWoker issues relevant to CSP from GitHub
15:17:48 [trackbot]
Created ACTION-172 - Review servicewoker issues relevant to csp from github [on Mike West - due 2014-05-14].
15:18:18 [Zakim]
15:18:27 [devd]
mkwst_: Mike will talk about ServiceWorker + Security at the Blink conference next week
15:20:10 [devd]
bhill2: mkwst_ Recommendation that CSP policy in manifest file and HTTP header for packaged apps should be the same
15:20:21 [bhill2]
15:20:21 [trackbot]
Sorry, but ACTION-180 does not exist.
15:20:25 [bhill2]
15:20:25 [trackbot]
ACTION-170 -- Brad Hill to Arrange some joint meeting time with svg wg -- due 2014-04-30 -- OPEN
15:20:25 [trackbot]
15:21:51 [bhill2]
15:21:51 [trackbot]
ACTION-166 -- Mike West to to add an explicit "privacy considerations" section to sri -- due 2014-03-19 -- OPEN
15:21:51 [trackbot]
15:22:29 [bhill2]
TOPIC: Spec issues in Github
15:22:30 [bhill2]
15:23:51 [devd]
No updates
15:24:09 [devd]
TOPIC: ISSUE-58, late-binding of policies
15:24:23 [devd]
discussed in review of action items
15:24:24 [devd]
TOPIC: [CSP] SVG-in-img implementation difference
15:24:37 [devd]
bhill2: waiting for input for svg wg
15:25:04 [devd]
bhill2: if SVG is isolated, then we don't need to worry about internal image loaded.
15:25:14 [bhill2]
TOPIC: CSP and mixed content
15:25:18 [bhill2]
15:25:48 [bhill2]
devd: there is considerable difference in browsers about treatment of mixed-content and they are strengthening it
15:26:12 [bhill2]
mkwst: annevk would like fetch to explain the behavior of browsers, current behavior is unspecified
15:27:49 [bhill2]
devd: don't want use of CSP to be inconsistent with existing behavior in non-CSP
15:27:58 [bhill2]
dveditz: user has option to override blocking
15:28:17 [bhill2]
mkwst: for active mixed content,behavior today in chrome is just to block
15:28:36 [bhill2]
... and a warning in developer tools, gives user option to turn off blocking in UI
15:28:40 [bhill2]
... not compatible with CSP
15:28:46 [bhill2]
... suggested a different keyword
15:30:19 [bhill2]
... spec should not prevent user from turning this off
15:30:51 [bhill2]
devd: agree this may be needed, not sure why it belongs in CSP
15:31:32 [bhill2]
tanvi: CSP is about expressed intent by author, mixed content blocking is about protecting users from possibly mistakes by authors, with an out
15:31:44 [bhill2]
... no way to override for CSP
15:31:59 [bhill2]
... no way to override with HSTS, either
15:32:25 [devd]
bhill2: wonder what's the behavior we will get that is not already expressible via HSTS + default-source
15:32:57 [devd]
mkwst_: Anne wants a mechanism to explain what browsers do today
15:33:01 [bhill2]
bhill2: what is the behavior we want that is not implied by HSTS or default-src: https
15:33:24 [bhill2]
there is also this:
15:33:47 [bhill2]
15:34:33 [bhill2]
dveditz: seems to make more sense to define it as part of Fetch, not as part of CSP
15:34:54 [devd]
tanvi: we definitely should define it, regardless of where it goes
15:35:04 [devd]
mkwst_: is there a w3c plan for FETCH ?
15:35:18 [wseltzer]
15:35:34 [devd]
mkwst_: the SRI spec also references SRI
15:36:05 [devd]
wseltzer: we should talk to philip gregory for HTML5 WG to talk about fetch
15:36:14 [devd]
mkwst_: The SRI spec also references FETCH
15:36:29 [wseltzer]
s/philip gregory/Philippe Le Hegaret/
15:37:15 [bhill2]
TOPIC: CSP, Fetch, and frame-ancestors
15:37:20 [bhill2]
15:37:25 [wseltzer]
action: wseltzer to talk with plh about FETCH and CSP, invite conversation with WebAppSec
15:37:25 [trackbot]
Created ACTION-173 - Talk with plh about fetch and csp, invite conversation with webappsec [on Wendy Seltzer - due 2014-05-14].
15:37:45 [Zakim]
15:37:47 [wseltzer]
15:38:25 [grobinson]
Did anyone else just get booted from the call?
15:38:48 [grobinson]
will do
15:39:30 [Zakim]
15:39:46 [grobinson]
zakim, [GVoice] is grobinson
15:39:46 [Zakim]
+grobinson; got it
15:40:00 [bhill2]
dveditz: like X-Frame-Options, may not be modeled in terms of Fetch, which is document-based, and doesn't have a notion of nested browsing contexts
15:41:55 [devd]
bhill2: XFO/frame-ancestors happens after the document is in the browser and we walk up the tree
15:42:08 [devd]
mkwst_: so maybe this needs to be part of the HTML spec
15:42:20 [bhill2]
mkwst: if we define failure of frame-ancestors as throwing a network error, that comes from fetch today
15:42:21 [devd]
mkwst_: but the problem is that we treat frame-ancestors/XFO as network error
15:43:25 [devd]
bhill2: maybe the more analagous behavior is how to deal with broken XML
15:43:38 [devd]
bhill2: because we got the content but the client can't render it
15:43:51 [devd]
action: bhill2 raise frame-ancestors/fetch/neterror on list
15:43:52 [trackbot]
Created ACTION-174 - Raise frame-ancestors/fetch/neterror on list [on Brad Hill - due 2014-05-14].
15:44:12 [devd]
08:049 - 08:054 TOPIC: CSP, Fetch, and Service Workers
15:44:15 [bhill2]
TOPIC: CSP, Fetch, and Service Workers
15:44:20 [bhill2]
15:46:31 [bhill2]
devd: issue here is that names of contexts are now surfaced to developers rather than just being browser-internal
15:46:36 [bhill2]
... so we should pick good names
15:47:53 [bhill2]
15:49:14 [devd]
dveditz: popups are just like navigations. people have wanted CSP to talk about navigations and maybe some day we will handle that too
15:50:13 [devd]
dveditz: we should worry about adding those exact sort of escape hatches as for onbeforeunload
15:50:24 [bhill2]
in current CSP 1.1 we already say popups are controlled by child-src
15:52:18 [bhill2]
does the handle/reference between a script-opened popup and a user-opened one make a security difference?
15:52:56 [mkwst_]
(we pulled popups out of CSP 1.1 in; punted to 1.2 for discussion around ``)
15:53:43 [mkwst_]
ISSUE-57 for CSP 1.2
15:53:47 [mkwst_]
15:55:00 [bhill2]
ACTION bhill2 to post TPAC dates to list for next F2F
15:55:01 [trackbot]
Created ACTION-175 - Post tpac dates to list for next f2f [on Brad Hill - due 2014-05-14].
15:55:50 [Zakim]
15:55:52 [Zakim]
15:55:53 [Zakim]
15:55:56 [bhill2]
rrsagent, make minutes
15:55:56 [RRSAgent]
I have made the request to generate bhill2
15:55:56 [Zakim]
15:55:58 [Zakim]
15:56:00 [Zakim]
15:56:01 [Zakim]
15:56:02 [Zakim]
15:56:05 [bhill2]
zakim, list attendees
15:56:05 [Zakim]
As of this point the attendees have been +1.949.273.aaaa, neilm, BHill, terri, Wendy, gmaone, mkwst_, +1.559.927.aabb, devdatta, grobinson, tanvi, dveditz
15:56:12 [bhill2]
rrsagent, make minutes
15:56:12 [RRSAgent]
I have made the request to generate bhill2
15:56:17 [bhill2]
rrsagent, set logs public-visible
15:56:18 [Zakim]
15:56:24 [Zakim]
15:56:25 [Zakim]
SEC_WASWG()11:00AM has ended
15:56:25 [Zakim]
Attendees were +1.949.273.aaaa, neilm, BHill, terri, Wendy, gmaone, mkwst_, +1.559.927.aabb, devdatta, grobinson, tanvi, dveditz
16:00:03 [bhill2]
bhill2 has left #webappsec
16:00:56 [terri]
terri has joined #webappsec
16:06:40 [terri]
terri has joined #webappsec
16:10:10 [terri]
terri has joined #webappsec
16:10:59 [terri_]
terri_ has joined #webappsec
16:17:25 [terri]
terri has joined #webappsec
16:31:49 [gmaone]
gmaone has joined #webappsec
18:19:00 [Zakim]
Zakim has left #webappsec
18:54:52 [tanvi]
tanvi has joined #webappsec
20:09:57 [terri]
terri has joined #webappsec
22:32:11 [tanvi]
tanvi has joined #webappsec