14:40:32 RRSAgent has joined #webappsec
14:40:32 logging to http://www.w3.org/2014/07/16-webappsec-irc
14:40:34 RRSAgent, make logs world
14:40:34 Zakim has joined #webappsec
14:40:36 Zakim, this will be WASWG
14:40:36 ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 20 minutes
14:40:37 Meeting: Web Application Security Working Group Teleconference
14:40:38 Date: 16 July 2014
14:41:07 glenn has joined #webappsec
14:51:18 bhill2 has joined #webappsec
14:53:11 bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0070.html
14:53:26 gmaone has joined #webappsec
14:58:04 freddyb has joined #webappsec
14:58:37 dveditz has joined #webappsec
14:59:47 tanvi has joined #webappsec
14:59:58 wuwei has joined #webappsec
15:00:09 davidwalp has joined #webappsec
15:00:19 neilm has joined #webappsec
15:00:41 SEC_WASWG()11:00AM has now started
15:00:41 thanks, wendy
15:00:48 + +1.310.597.aaaa
15:01:02 + +1.425.391.aabb
15:01:12 + +1.949.273.aacc
15:01:14 +BHill
15:01:36 zakim, aaaa is tanvi
15:01:36 +tanvi; got it
15:01:40 +??P8
15:01:44 +??P10
15:01:54 Meeting: WebAppSec WG Teleconference, 16-Jul-2014
15:01:57 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0070.html
15:01:59 zakim, aacc is neilm
15:01:59 +neilm; got it
15:02:02 Chairs: bhill2, dveditz
15:02:12 -??P10
15:02:33 zakim, ??P8 is me
15:02:33 +gmaone; got it
15:02:50 + +1.503.712.aadd
15:02:51 + +1.720.897.aaee
15:02:58 Zakim, 503 is me
15:02:58 sorry, terri, I do not recognize a party named '503'
15:03:04 zakim, aaee is me
15:03:04 +glenn; got it
15:03:12 Zakim, aadd is me
15:03:12 +terri; got it
15:03:21 Scribe: Brad Hill
15:03:28 Scribenick: bhill2
15:03:28 + +49.162.102.aaff
15:03:38 zakim, who is here?
15:03:38 On the phone I see tanvi, +1.425.391.aabb, neilm, BHill, gmaone, terri, glenn, +49.162.102.aaff
15:03:41 On IRC I see neilm, davidwalp, wuwei, tanvi, dveditz, freddyb, gmaone, bhill2, glenn, Zakim, RRSAgent, terri, anssik_, timeless___, mkwst___, tobie, wseltzer_PETS, trackbot
15:03:42 Zakim, aaff is me
15:03:43 +mkwst___; got it
15:04:04 +??P10
15:04:08 Zakim, I am P10
15:04:09 sorry, freddyb, I do not see a party named 'P10'
15:04:13 Zakim, I am ??P10
15:04:13 +freddyb; got it
15:04:38 + +1.415.596.aagg
15:05:32 zakim, who is here?
15:05:32 On the phone I see tanvi, +1.425.391.aabb, neilm, BHill, gmaone, terri, glenn, mkwst___, freddyb, +1.415.596.aagg
15:05:34 On IRC I see neilm, davidwalp, wuwei, tanvi, dveditz, freddyb, gmaone, bhill2, glenn, Zakim, RRSAgent, terri, anssik_, timeless___, mkwst___, tobie, wseltzer_PETS, trackbot
15:05:57 zakim, aabb is davidwalp
15:05:57 +davidwalp; got it
15:06:28 + +1.831.246.aahh
15:06:37 echo echo echo...
15:06:44 Zakim, i am aahh
15:06:44 +dveditz; got it
15:06:44 I hear it too, bhill2.
15:06:48 zakim, who is making noise?
15:07:05 zakim, who is making noise?
15:07:15 Zakim is picky.
15:07:15 bhill2, listening for 10 seconds I heard sound from the following: BHill (15%), freddyb (14%)
15:07:27 sorry
15:08:11 scribenick: neilm
15:08:16 puhley has joined #webappsec
15:08:19 Scribe: Neil Matatall
15:08:26 Scribenick: neilm
15:08:54 agenda http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0070.html
15:09:04 zakim, list attendees
15:09:04 As of this point the attendees have been +1.310.597.aaaa, +1.425.391.aabb, +1.949.273.aacc, BHill, tanvi, neilm, gmaone, +1.503.712.aadd, +1.720.897.aaee, glenn, terri,
15:09:08 ... +49.162.102.aaff, mkwst___, freddyb, +1.415.596.aagg, davidwalp, +1.831.246.aahh, dveditz
15:09:41 dveditz: no objections to minutes
15:10:32 zakim, aagg is puhley
15:10:32 +puhley; got it
15:11:13 TOPIC: Mixed Content Spec feedback (Microsoft)
15:13:14 dveditz: Microsoft has concerns around video content/XHR mixed content
15:13:25 davidwalp (?): we can begrudgingly move on
15:13:59 (correction: partners willing to move on)
15:14:28 dveditz: infinite scroll sites use this a lot
15:14:33 TOPIC: blob origins in MIX and CSP
15:15:10 dveditz: specification for blob has recently changed to include origin. rather than assume it's same origin, we will know where it comes from
15:16:36 mkwst___: csp: maybe push to next version with better integration with fetch
15:17:18 ... [mix] tied to fetch, content in blobs would have already gone through a check. insecure data couldn't be used to construct the blob
15:19:11 dveditz thinks we could use the blob: origin instead of requiring blob: be an explicit src list
15:19:55 -gmaone
15:19:57 bhill2 is concerned that blob: is not the same as 'self', it's really unsafe eval since it might be constructed
15:20:13 +??P8
15:20:28 zakim, mute P8
15:20:29 sorry, bhill2, I do not know which phone connection belongs to P8
15:20:30 Zakim, who is making noise?
15:20:39 zakim, mute ??P8
15:20:39 ??P8 should now be muted
15:20:42 freddyb, listening for 11 seconds I could not identify any sounds
15:21:17 blob is a DOM XSS sink, can be used to pull content out of DOM and turn into script, same as eval
15:21:37 TOPIC: CSP frame-ancestors and unique origins
15:22:13 zakim, ??P8 is me
15:22:13 +gmaone; got it
15:23:36 mkwst___: frame-ancestors, we want to use the location of the document and not the origin for sandboxed frames
15:23:50 I think we *don't* want it to traverse sandboxed frames
15:24:04 dveditz: sandboxed frames might need special treatment (diff from the about: case)
15:24:23 sites would want to use sandboxed frames to host user content; it shouldn't be able to re-frame other content and mount clickjacking attacks
15:24:29 we are talking about a CSP-protected document iframed in an iframe sandbox?
15:25:20 mkwst___: can't say: I want this to be framed by certain sites, or anything in a sandbox
15:26:25 dveditz: spec implies a sandboxed frame is a unique origin and can't be whitelisted (and this is how Firefox is implemented?)
15:26:54 ACTION: mkwst to make sure the spec says frame-ancestors uses the origin rather than the URL
15:26:54 Created ACTION-184 - Make sure the spec says frame-ancestors uses the origin rather than the url [on Mike West - due 2014-07-23].
15:27:45 tanvi: yes... a CSP-protected doc using frame-ancestors framed by an iframe-sandbox with a unique origin
15:28:15 ACTION: bhill2 to make sure that frame-ancestors is relative to origin, not URL, and without path components
15:28:15 Created ACTION-185 - Make sure that frame-ancestors is relative to origin, not url and without path components [on Brad Hill - due 2014-07-23].
15:28:20 TOPIC: [SRI] What should we hash redux
15:29:16 freddyb, do you have thoughts on this if you're thinking of implementing SRI on top of SW?
15:29:31 I have some audio input problems, but I just read up on the thread before the call. I agree with devd that the changes to hash seem to address our previous concerns
15:29:47 what do you think, mkwst___?
15:31:42 resolution: wait until we have an implementation without worrying about gzip to discuss further
15:32:08 +1
15:32:13 (sorry about the audio issue)
15:32:30 TOPIC: SRI and CORS
15:36:30 leave issue for later, after we have basic implementations
15:37:07 TOPIC: [MIX] Consider all CORS requests "active"
15:37:49 q+
15:38:48 mkwst___: get us closer to blocking mixed content
15:40:05 ack glenn
15:40:15 sounds good, thanks
15:40:16 mkwst___: "blockable mixed content" vs "optionally ..." (in response to glenn's request to stop using "active" vs "passive")
15:44:51 -mkwst___
15:44:53 -BHill
15:44:54 -davidwalp
15:44:54 -tanvi
15:44:56 -glenn
15:44:58 -neilm
15:44:59 -puhley
15:44:59 -freddyb
15:45:00 -gmaone
15:45:00 -terri
15:47:27 RRSAgent, set logs public
15:47:43 RRSAgent, please create the minutes
15:47:43 I have made the request to generate http://www.w3.org/2014/07/16-webappsec-minutes.html dveditz
15:48:11 bhill2: is there anything else I need to do to close the meeting?
15:48:16 -dveditz
15:48:18 SEC_WASWG()11:00AM has ended
15:48:18 Attendees were +1.310.597.aaaa, +1.425.391.aabb, +1.949.273.aacc, BHill, tanvi, neilm, gmaone, +1.503.712.aadd, +1.720.897.aaee, glenn, terri, +49.162.102.aaff, mkwst___, freddyb,
15:48:19 ... +1.415.596.aagg, davidwalp, +1.831.246.aahh, dveditz, puhley
15:55:15 rrsagent, make minutes
15:55:15 I have made the request to generate http://www.w3.org/2014/07/16-webappsec-minutes.html bhill2
15:55:21 rrsagent, set logs public-visible
16:32:17 wuwei has joined #webappsec
17:16:53 wuwei has joined #webappsec
17:55:30 Zakim has left #webappsec
18:00:57 tanvi has joined #webappsec
19:34:32 bhill2 has joined #webappsec
21:25:23 glenn has joined #webappsec
21:30:01 bhill2 has joined #webappsec
21:30:59 tanvi has left #webappsec
21:47:18 glenn_ has joined #webappsec
22:03:57 glenn has joined #webappsec
22:15:15 glenn has joined #webappsec
22:20:48 glenn_ has joined #webappsec
22:27:08 glenn has joined #webappsec
22:36:14 glenn_ has joined #webappsec
23:58:01 glenn has joined #webappsec