14:57:48 RRSAgent has joined #webappsec
14:57:48 logging to http://www.w3.org/2014/07/02-webappsec-irc
14:58:02 zakim, this will be 92794
14:58:02 ok, bhill2; I see SEC_WASWG()11:00AM scheduled to start in 2 minutes
14:58:07 zakim, who is here?
14:58:07 SEC_WASWG()11:00AM has not yet started, bhill2
14:58:09 On IRC I see RRSAgent, Zakim, gopal, neilm, bhill2, gmaone, dveditz, wuwei, anssik, edulix, mkwst__, timeless_, terri, tobie, trackbot, wseltzer, freddyb
14:59:28 davewalp has joined #webappsec
15:00:09 I've been trying to dial in for a while now, but I'm in roaming with an Edge connection and not enough bandwidth for VOIP. Looks like I can only attend on IRC this time :(
15:00:15 Meeting: WebAppSec Teleconference, 02-July-2014
15:00:20 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0007.html
15:00:27 Chairs: bhill2, dveditz
15:00:37 Scribe: Gopal Raghavan
15:00:41 Scribenick: gopal
15:00:52 zakim, who is here?
15:00:52 SEC_WASWG()11:00AM has not yet started, bhill2
15:00:54 On IRC I see davewalp, RRSAgent, Zakim, gopal, neilm, bhill2, gmaone, dveditz, wuwei, anssik, edulix, mkwst__, timeless_, terri, tobie, trackbot, wseltzer, freddyb
15:01:09 giorgio: we'll try to be good about scribing, thanks
15:01:41 zakim, who is here?
15:01:41 SEC_WASWG()11:00AM has not yet started, bhill2
15:01:43 On IRC I see davewalp, RRSAgent, Zakim, gopal, neilm, bhill2, gmaone, dveditz, wuwei, anssik, edulix, mkwst__, timeless_, terri, tobie, trackbot, wseltzer, freddyb
15:01:46 regrets+ wseltzer
15:02:19 thank you
15:02:23 zakim, this is 92794
15:02:23 ok, bhill2; that matches SEC_WASWG()11:00AM
15:02:35 thanks, wseltzer. :)
15:02:43 zakim, who is here?
15:02:43 On the phone I see [Microsoft], BHill, +1.781.369.aaaa, +49.162.102.aabb, +1.503.712.aacc, +1.831.246.aadd
15:02:45 On IRC I see davewalp, RRSAgent, Zakim, gopal, neilm, bhill2, gmaone, dveditz, wuwei, anssik, edulix, mkwst__, timeless_, terri, tobie, trackbot, wseltzer, freddyb
15:02:53 hi everyone
15:02:54 zakim, [Microsoft] has davewalp
15:02:54 +davewalp; got it
15:02:57 Zakim, dveditz is aadd
15:02:57 sorry, dveditz, I do not recognize a party named 'dveditz'
15:02:57 Zakim, aabb is mkwst__.
15:02:59 +mkwst__; got it
15:03:07 Zakim, aadd is dveditz
15:03:07 +dveditz; got it
15:03:13 zakim, who is here?
15:03:13 On the phone I see [Microsoft], BHill, +1.781.369.aaaa, mkwst__, +1.503.712.aacc, dveditz
15:03:15 [Microsoft] has davewalp
15:03:15 On IRC I see davewalp, RRSAgent, Zakim, gopal, neilm, bhill2, gmaone, dveditz, wuwei, anssik, edulix, mkwst, timeless_, terri, tobie, trackbot, wseltzer, freddyb
15:03:32 zakim, aaaa is gopal
15:03:32 +gopal; got it
15:03:37 I'm on IRC but zakim is failing me today *retrying*
15:03:47 zakim, aacc is terri
15:03:47 +terri; got it
15:03:51 klee has joined #webappsec
15:03:54 +??P13
15:03:57 + +1.559.927.aaee
15:04:14 -??P13
15:04:27 devd has joined #webappsec
15:04:30 zakim, who is here?
15:04:30 On the phone I see [Microsoft], BHill, gopal, mkwst__, terri, dveditz, +1.559.927.aaee
15:04:32 [Microsoft] has davewalp
15:04:32 On IRC I see devd, klee, davewalp, RRSAgent, Zakim, gopal, neilm, bhill2, gmaone, dveditz, wuwei, anssik, edulix, mkwst, timeless_, terri, tobie, trackbot, wseltzer, freddyb
15:04:36 zakim aaee is devd
15:04:41 zakim, aaee is devd
15:04:41 +devd; got it
15:05:16 TOPIC: Minutes approval
15:05:22 http://www.w3.org/2011/webappsec/draft-minutes/2014-06-18-webappsec-minutes.html
15:05:37 +??P13
15:05:39 RESOLVED: minutes approved
15:06:00 bhill2: minutes approved: no objections
15:06:03 TOPIC: Agenda bashing
15:06:08 Zakim, ??P13 is freddyb
15:06:08 +freddyb; got it
15:06:09 +EricP
15:06:12 tanvi has joined #webappsec
15:06:21 TOPIC: News
15:06:21 no additional topics
15:06:26 + +1.310.597.aaff
15:06:44 zakim, aaff is tanvi
15:06:44 +tanvi; got it
15:07:06 news: preparing LCWD CSP2, scheduled to be published tomorrow
15:07:42 + +1.949.273.aagg
15:08:12 zakim, aaaa is neilm
15:08:13 sorry, neilm, I do not recognize a party named 'aaaa'
15:08:19 zakim, aagg is neilm
15:08:20 +neilm; got it
15:09:00 ... last call end period is aug-13, encourage to submit comments
15:09:18 TPAC registration open, 27-31 Oct, WebAppSec M+Tu:
15:09:18 http://www.w3.org/2014/11/TPAC/
15:09:29 TPAC registration open, scheduled to meet M,Tue
15:09:34 Test the Web Forward CSP event, August 3:
15:09:34 http://testthewebforward.org/events/2014/portland.html
15:10:08 TOPIC: CSP wildcard host matching
15:10:15 http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0005.html
15:10:29 glenn has joined #webappsec
15:11:12 (reading http://www.w3.org/2001/12/zakim-irc-bot.html etc)
15:11:34 edulix: If you'd like to talk, talk.
15:12:41 devd: should we reference https://tools.ietf.org/html/rfc6125
15:12:50 daved: is there a spec talk about public suffix
15:13:02 ok, I'll talk about the isolated web components a bit: basically, the idea is to say "hey, we have a problem here, there are some things that people are doing as browser extensions because using the web is not secure enough". I don't know what would be the best way (though I did a proposal, it was just to provide an example)
15:13:08 gmaone2 has joined #webappsec
15:13:15 mkwst: don't think csp should be one of them,
15:13:16 let me quote something interesting from that thread: "The reason e2e is a Chrome Extension is because we (I'm the Tech Lead of End-To-End) didn't want Google to have access to secret key material. As such, we had to make sure the UI was separate from the GMail UI."
15:13:18 edulix: let's wait until that's the current topic
15:13:20 ok
15:13:30 it's on the agenda in a few minutes
15:13:40 dane: agree, public suffix list is ugly and prefers to avoid
15:14:15 bhill2: yeah, sorry
15:14:29 daved: concern is regex, restricting capabilities currently. May cause problems with *.com
15:15:01 zakim, who is here
15:15:01 tanvi, you need to end that query with '?'
15:15:07 zakim, who is here?
15:15:07 On the phone I see [Microsoft], BHill, gopal, mkwst__, terri, dveditz, devd, freddyb, wuwei (muted), tanvi, neilm
15:15:09 [Microsoft] has davewalp
15:15:09 On IRC I see gmaone, glenn, tanvi, devd, klee, davewalp, RRSAgent, Zakim, gopal, neilm, bhill2, dveditz, wuwei, anssik, edulix, mkwst, timeless_, terri, tobie, trackbot, wseltzer,
15:15:09 ... freddyb
15:15:44 in general would use csp to increase power of page, but strictly used for security policy
15:15:59 devd: should this be explicitly stated in spec
15:16:59 mkwst: don't believe either of them add power, but worth adding this in spec somewhere.
15:18:06 bhill2: consensus on wild card *.com
15:18:24 ... should not match downward across
15:18:38 *.example matches everything in *.com
15:18:47 consensus is that wildcards should not match downward across DNS label separators ( *.example.com DOES NOT match example.com), but PSL is not relevant to the CSP heuristic
15:19:07 is that "down" or "up" ?
15:19:34 downward == rightward
15:19:35 devd: clarify downward
15:19:49 https://tools.ietf.org/html/rfc6125#section-6.4
15:19:57 gopal: s/davd/devd/
15:20:53 don't want the RFC6125 semantics - wildcard must be the sole character in a label component
15:21:08 TOPIC: CSP: 'no-external-navigation'?
15:21:15 http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0000.html
15:21:38 mkwst: worth exploring,
15:23:11 dveditz: sandbox, prevents attacks the parent context
15:23:27 ... people in html should look at not csp
15:23:59 bhill2: could rewrite content of page with two different behavior
15:24:23 devd: someone should suggest recommend solution
15:24:38 TOPIC: Isolated Web Components for a more secure web
15:24:39 http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0006.html
15:24:44 edulix: you're up
15:24:47 thanks
15:25:15 more than isolated web components which was one idea of a specs-newbie (me) on how this might be doable, what I want is to improve end-to-end security in the web, minimizing the trust needed in third parties, including servers. Currently what you end up doing is creating a browser plugin, like for "cryptocat" or "end-to-end" from Google. Each use case is a bit different but the idea is the same: limit the trust on the webserver. subresources integrity
15:25:15 helps, iframe helps, but I think that we might need a way to do something like "resource client-side pinning", so that if a new version of cryptocat is going to be used, user can know, and the browser can explore which version is in use and in which part of the page. Anyway, I know this is a bit vague, and maybe it's just me :-P but feedback is welcome
15:25:42 this is a topic we've explored a little bit previously
15:25:42 bhill2: topic explored previously
15:26:01 component model is not same as script source model
15:26:32 dveditz: not sure why this is csp issue
15:26:48 (as opposed to the web components people)
15:26:55 part of the issue here is that this is the Web App Security WG, but we're not in charge of the security model for other specs
15:27:15 really this topic should probably go to webapps, or web security IG, or even TAG
15:27:23 so maybe we should think if this relevant here?
15:27:27 bhill2: part of the issue here, we are not in charge of security model for other group
15:28:33 dveditz: there were several other proposals before, interesting concept. If someone is interested in model we could look at that.
15:28:57 I don't think Web Security IG. they seem to be focused on reviewing existing specs, not creating new ones at this time.
15:29:05 (there was XBL (=XML Binding Language))
15:29:24 at the last WebApps face-to-face meeting which I attended as a guest, Maciej and Alex Russell were discussing how to do this, and provide a security model and barrier between components and the including page. it doesn't seem like that has progressed much, and I am concerned that as deployment starts it will be very hard to change the security model once they become widely used without breaking lots of resources
15:29:29 gopal: what do you mean with "interested in model", what model?
15:29:43 gmaone has joined #webappsec
15:29:55 bhill2: that's interesting
15:30:20 edulix: can you join the call by voice? I think you will find it easier to follow
15:30:23 edulix: gopal is the scribe at today's meeting. he notes what other people currently say during the teleconference :-)
15:31:18 bhill2: uhm I'll try to do that in the next meeting maybe? I'm new here
15:31:37 i.e. I don't have the setup
15:32:10 bhill2: we should take this to webapps group
15:32:32 dveditz: will talk to web apps group
15:32:32 -freddyb
15:33:18 dveditz: that'd be nice. I tried to collect in my original post a set of examples to set what we are really trying to do
15:34:11 or more like, what people are doing right now and what are the possible use-cases
15:34:26 I think the issue is not a lack of desire to have better security properties, but difficulty in deciding on a good model that can be well implemented
15:34:35 TOPIC: [blink-dev] Proposal: Prefer secure origins for powerful new web platform features
15:34:35 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0234.html
15:34:37 dveditz: no end of bugs in xpl context was isolated so then go privilege things, so they can get to different context, it can be a tricky implementation in browser.
15:35:01 I'm sorry, I have to run to another meeting. I'll try to stay on IRC, but my attention will be a bit divided.
15:35:08 -terri
15:35:41 bhill2: how webappsec should engage with this discussion
15:36:27 dveditz: websock allows sockets from insecure page, not from secure pages....
15:38:18 mkwst: https only or secure origin only, worth looking at spec, differs from mixed content. Not specific for this WG.
15:38:20 mkwst: +1 to that
15:38:29 gmaone has joined #webappsec
15:38:36 TOPIC: [CSP] Additional report field: report-only: "true|false"
15:38:36 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0221.html
15:39:05 bhill2: additional flag for report only
15:39:29 neilm: convinced this is not important
15:39:40 TOPIC: [integrity] The noncanonical-src attribute
15:39:40 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0176.html
15:40:18 bhill2: non-canonical-src attribute
15:40:39 freddyb: still here?
15:41:21 mkwst: suggestion non-canonical src as specified in current draft is not clear, lot of hand waving
15:42:00 bhill2: agreed, action item to update usecase
15:42:06 ACTION bhill2 to suggest more clear use case and language around exact behavior for noncanonical-src
15:42:07 Created ACTION-181 - Suggest more clear use case and language around exact behavior for noncanonical-src [on Brad Hill - due 2014-07-09].
15:42:23 mkwst: usecase is ok, language needs clarification
15:42:46 TOPIC: [MIX] blob URLs
15:42:46 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0235.html
15:43:36 unique vs opaque identifier
15:44:47 bhill2: if blobs can have origin that is not self, we may need to take an action to see how this impacts handling of a blob
15:45:17 devd: how origin of blob is url of scheme data?
15:46:26 we need to discuss more on list
15:46:37 ACTION bhill2 to make sure blob origin is discussed further on list
15:46:37 Created ACTION-182 - Make sure blob origin is discussed further on list [on Brad Hill - due 2014-07-09].
15:46:47 TOPIC: CfC to publish FPWD of Mixed Content.
15:46:47 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0217.html
15:48:22 davewalp: should go forward with FPWD
15:48:37 bhill2: no objections
15:48:43 no objections to unanimous approval
15:48:50 RESOLVED: publish [MIX] as FPWD
15:49:15 TOPIC: PFWG comments on User Interface Security Directives for Content Security Policy
15:49:15 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0256.html
15:49:35 ... last call expired for user interface security directive
15:50:06 ... any concerns or changes to spec, what our next steps might be
15:50:41 ... partial implementation in existing spec, no one has additional plans to implement
15:50:52 TOPIC: Reducing reporting noise
15:50:52 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0216.html
15:51:24 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0187.html
15:52:07 gmaone has joined #webappsec
15:53:16 dveditz: 3 ideas outlined, per web page to be able to specify "i am only interested in certain amount of reports"
15:53:36 ... some people concerned the reporting interface will be overwhelmed
15:55:07 ... attacker could theoretically take advantage of reporting interface
15:55:59 devd: ok to add wording, are any user agents planning to add this
15:56:45 +terri
15:57:05 ACTION mkwst to add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming
15:57:06 Created ACTION-183 - Add language that user-agent may decline to send reports for priority of constituency reasons and still be conforming [on Mike West - due 2014-07-09].
15:57:38 interest in max-reports-per-page syntax?
15:57:58 + 0.5 ?
15:58:08 interest in throttling reports with a frequency parameter?
15:58:11 +1
15:58:14 +0.2
15:58:18 :-)
15:58:19 bhill2: add +1 to channel if you are interested to max-reports-per-page
15:58:29 gmaone has joined #webappsec
15:58:43 devd: all this should be possible with js interface
15:59:22 mkwst: difficult to do real sampling across the page
16:00:01 dveditz: don't think you might want to sample within the reports of the single page
16:01:09 zakim, list attendees
16:01:09 As of this point the attendees have been BHill, +1.781.369.aaaa, +49.162.102.aabb, +1.503.712.aacc, +1.831.246.aadd, davewalp, mkwst__, dveditz, gopal, terri, +1.559.927.aaee,
16:01:12 ... devd, freddyb, +1.310.597.aaff, wuwei, tanvi, +1.949.273.aagg, neilm
16:01:12 -dveditz
16:01:18 -mkwst__
16:01:19 -BHill
16:01:20 -neilm
16:01:23 -[Microsoft]
16:01:23 rrsagent, make minutes
16:01:23 I have made the request to generate http://www.w3.org/2014/07/02-webappsec-minutes.html bhill2
16:01:24 -tanvi
16:01:26 -devd
16:01:28 -terri
16:01:29 rrsagent, set logs public-visible
16:01:34 -wuwei
16:02:41 -gopal
16:02:43 SEC_WASWG()11:00AM has ended
16:02:43 Attendees were BHill, +1.781.369.aaaa, +49.162.102.aabb, +1.503.712.aacc, +1.831.246.aadd, davewalp, mkwst__, dveditz, gopal, terri, +1.559.927.aaee, devd, freddyb,
16:02:43 ... +1.310.597.aaff, wuwei, tanvi, +1.949.273.aagg, neilm
16:02:46 glenn has joined #webappsec
16:26:44 tanvi has joined #webappsec
18:06:24 gopal has joined #webappsec
18:42:13 Zakim has left #webappsec
19:03:03 glenn has joined #webappsec
19:11:35 glenn has joined #webappsec
19:20:54 glenn has joined #webappsec
21:54:21 glenn has joined #webappsec