14:45:36 RRSAgent has joined #webappsec
14:45:36 logging to http://www.w3.org/2014/08/27-webappsec-irc
14:45:38 RRSAgent, make logs world
14:45:38 Zakim has joined #webappsec
14:45:40 Zakim, this will be WASWG
14:45:40 ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 15 minutes
14:45:41 Meeting: Web Application Security Working Group Teleconference
14:45:41 Date: 27 August 2014
14:51:02 bhill2 has joined #webappsec
14:56:23 dveditz has joined #webappsec
14:59:20 Meeting: WebAppSec Teleconference 27-August-2014
14:59:29 Chairs: Brad Hill, Dan Veditz
14:59:38 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0142.html
15:00:28 SEC_WASWG()11:00AM has now started
15:00:35 +glenn
15:00:55 + +1.503.712.aaaa
15:00:57 gmaone has joined #webappsec
15:01:05 Zakim, aaaa is me
15:01:05 freddyb has joined #webappsec
15:01:05 +terri; got it
15:01:06 +BHill
15:01:33 +??P6
15:01:40 Zakim: ??P6 is freddyb
15:01:52 +??P13
15:01:58 Zakim, ??P6 is freddyb
15:01:58 +freddyb; got it
15:02:14 one of these days...
15:02:27 +Wendy
15:02:35 zakim, ??P13 is me
15:02:35 +gmaone; got it
15:03:42 + +1.831.246.aabb
15:03:49 Zakim, aabb is dveditz
15:03:49 +dveditz; got it
15:04:54 is anyone talking? very silent, no background hiss
15:04:58 +[Microsoft]
15:05:06 ah, noise. guess it's working :-)
15:05:27 :)
15:05:42 DavidWalp has joined #webappsec
15:05:53 zakim, who is here?
15:05:53 On the phone I see glenn, terri, BHill, freddyb, gmaone, Wendy, dveditz, [Microsoft]
15:05:55 On IRC I see DavidWalp, freddyb, gmaone, dveditz, bhill2, Zakim, RRSAgent, wuwei, libpcap, anssik, glenn_, timeless, mkwst___, tobie, terri, wseltzer, trackbot
15:06:26 zakim, Microsoft has DavidWalp
15:06:26 +DavidWalp; got it
15:09:12 + +1.973.634.aacc
15:09:30 + +1.415.596.aadd
15:10:16 scribenick: dveditz
15:10:25 zakim, aacc is puhley
15:10:26 +puhley; got it
15:10:34 TOPIC: minutes approval
15:10:35 http://www.w3.org/2011/webappsec/draft-minutes/2014-08-13-webappsec-minutes.html
15:10:43 scribe: Dan Veditz
15:10:49 puhley has joined #webappsec
15:11:16 zakim, aadd is puhley
15:11:16 +puhley; got it
15:11:23 zakim, aacc is Evan
15:11:23 sorry, wseltzer, I do not recognize a party named 'aacc'
15:11:36 present+ Evan
15:11:44 bhill2: any objections to the minutes from last time (link posted in channel)
15:11:44 RESOLVED: prior minutes approved
15:11:52 Agenda Bashing
15:11:53 q+
15:12:00 TOPIC: Agenda Bashing
15:12:50 wseltzer: two notes -- WASWG charter set to expire at the end of September, and we also have a workshop coming up on WebCrypto which might have impact on this group
15:13:11 http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/#schedule
15:13:21 ... we thought we would extend the charter for 3 months to see if there is before officially rechartering
15:13:33 bhill2: will that be problematic?
15:13:49 wseltzer: no, it's pretty easy to do a charter with no change for a short extension
15:14:47 bhill2: I also noticed a community group on credentials was just formed, will be interesting to see what they do
15:15:00 TOPIC: Review of Open Actions in the Tracker
15:15:04 wseltzer: we also have a group forming on web payments that will clearly have some security implications
15:15:14 q-
15:15:47 bhill2: see I have one in the list, I will send a comment on frame-ancestors
15:16:04 https://github.com/w3c/webappsec/issues
15:16:06 ... other items related to SRI but I don't see devd on the call
15:16:11 ... moving on to issues
15:16:18 ... on github
15:18:44 +1 to waiting to add new issues until there's been group discussion
15:19:39 bhill2: we should try to keep specific issues in the w3c tracker rather than github, and reserve github for technical specification changes
15:19:51 s/technical/editorial/
15:21:59 dveditz: the only CSP2 issue on github is the CH-CSP header issue raised by mnot
15:22:10 bhill2: should we add that to the agenda today
15:22:26 ISSUE: disposition of CH-CSP client hint
15:22:26 Created ISSUE-63 - Disposition of ch-csp client hint. Please complete additional details at .
15:22:27 dveditz: I'd love to but without mkwst here I'm not sure we can have a productive conversation
15:22:49 TOPIC: [CSP] Dynamic CSP
15:22:55 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0021.html
15:22:57 bhill2: removing something after last call is less problematic than adding it
15:24:54 bhill2: Dynamic CSP would obviously be a future (not CSP2) feature, but do people think this is worth discussing or is it completely crazy
15:25:38 dveditz: I am sympathetic to the use case, maybe we can come up with something?
15:26:24 ISSUE: CSP3 How to deal with large policies needed by single-page webapps (http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0021.html)
15:26:25 Created ISSUE-64 - Csp3 how to deal with large policies needed by single-page webapps (http://lists.w3.org/archives/public/public-webappsec/2014aug/0021.html). Please complete additional details at .
15:26:29 bhill2: sounds like worth talking in CSP.next
15:26:50 TOPIC: [CSP] feedback report-uri directive and report-only header
15:27:09 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0085.html
15:27:48 bhill2: do we want to specify a limit on the number of report-uris? is there a practical limit in the browser implementations?
15:28:12 bhill2: could be a DOS amplifier, but a web application could do that anyway
15:28:28 wseltzer: there might be an issue depending on how you cut it off so it might be worth adding to the spec
15:28:34 s/wseltzer/terri/
15:29:58 dveditz: if you have multiple CSP headers, each with only 1 report-uri you could get around the limit
15:30:31 bhill2: you wouldn't want to allow injected headers or to be able to push the legit report-uris off a stack or anything like that
15:30:43 bhill2: we currently don't have limits in the spec, doesn't sound like there's a strong need for that
15:30:57 bhill2: sounds like not important enough to add at this time
15:31:12 TOPIC: [CSP] images loaded in object and embed
15:31:18 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0054.html
15:31:25 terri: agreed, we could discuss this in csp.next
15:31:51 bhill2: sounds like we have clarity on the image loading but I wanted to check with the Microsoft folks that they are happy with the resolution
15:32:00 ... and got the answers they needed
15:32:05 TOPIC: [CSP] prevent 401 attach
15:32:12 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0016.html
15:32:15 DavidWalp: yes, I am
15:35:39 bhill2: anyone interested in tackling this in csp.next?
15:36:30 ACTION: bhill2 to do more research on preventing 401 attach http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0016.html
15:36:30 Created ACTION-186 - Do more research on preventing 401 attach http://lists.w3.org/archives/public/public-webappsec/2014aug/0016.html [on Brad Hill - due 2014-09-03].
15:36:42 bhill2: paypal had problems with this, and chrome tried to fix it by suppressing the dialogs, and later jeremiahg and rsnack found a way to use that suppression to test usernames on intr-A-net sites.
15:36:48 TOPIC: [CSP] Section 5.1 Workers, is this missing a case?
15:36:52 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0109.html
15:36:56 bhill2: I'll take an action item to investigate options here.
15:39:09 dveditz: I think Mike clarified the difference in the spec but it's unclear from the thread whether Kevin [from MS] is happy with the answer
15:39:15 TOPIC: [REFERRER] Naming none and null policies
15:39:18 DavidWalp: I don't know where kevin is on this
15:39:20 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0072.html
15:39:53 bhill2: looks like it has already been changed to update the name used in the Referrer spec (from 'none' to 'no-referrer')
15:40:54 -terri
15:41:48 dveditz: maybe inconsistencies over whether it's "no referrer" or "no-referrer" in the two specs
15:44:56 ISSUE: does "no referrer" specify a state or is it a token? Is a token with a space problematic?
15:44:56 Created ISSUE-65 - Does "no referrer" specify a state or is it a token? is a token with a space problematic?. Please complete additional details at .
15:45:16 TOPIC: CSP: 'no-external-navigation'?
15:45:20 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0053.html
15:46:16 bhill2: revisit as a potential CSP.next feature
15:46:32 ISSUE: no-external-navigation as potential CSP3 feature http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0053.html
15:46:32 Created ISSUE-66 - No-external-navigation as potential csp3 feature http://lists.w3.org/archives/public/public-webappsec/2014aug/0053.html. Please complete additional details at .
15:46:52 TOPIC: Paths and Redirects
15:46:58 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0048.html
15:48:26 dveditz: the specific suggestion from Antonio (no cross-origin report-uri) won't solve the data-leak issue
15:49:00 dveditz: the problem is the fact that resources are blocked, and that can be detected in multiple ways
15:49:33 dveditz: using report-uri was just a simple way to do it in the initial POC
15:52:29 bhill2: do we need to resolve this or can we move into last call?
15:53:09 TOPIC: Last call CSP Level 2
15:53:13 dveditz: I don't think Antonio raises anything new that wasn't considered in the current design. we can address it later if he can come up with a better description of his proposal
15:53:16 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0027.html
15:54:43 DavidWalp: I need to talk to Kevin, he's doing the CSP side. my interest is more in the referrer spec
15:56:33 features to mark as AT RISK: client hint, child-src
15:56:38 dveditz: Mozilla is unconvinced of the need for child-src if it no longer covers workers
15:57:07 dveditz: and a client hint could be useful but we're not convinced the CH-CSP/unsafe-redirect proposal has gotten enough discussion
15:57:59 bhill2: raised ABNF issue about frame-ancestors on the list
15:58:18 bhill2: apart from those issues are we ready to call for the end of Last Call
15:58:38 dveditz: I propose a motion for the end of last call
15:58:50 PROPOSED: End the last-call comment period
15:58:59 ... for CSP2
15:59:10 wseltzer: clarification... end the comment period for last call?
15:59:24 dveditz: yes, end the last call comment period for CSP2
15:59:29 uh, my mic seems to have an issue
15:59:30 I second that
16:00:08 bhill2: two mozilla folks... do we need folks from other orgs to make this official?
16:00:09 no objection
16:00:33 wseltzer: more typically people request +1/-1 responses
16:00:42 +1
16:00:50 bhill2: any objections to ending the comment period for last call on CSP2?
16:01:14 bhill2: I would say we have a "soft consensus" and we're out of time. will send mail to the list requesting feedback
16:01:19 RESOLVED: Chair will send one last email to the list re LC Comment Period
16:01:20 bhill2: by the end of the day
16:01:27 -[Microsoft]
16:01:32 -puhley.a
16:01:34 -glenn
16:01:36 -dveditz
16:01:37 -Wendy
16:01:38 zakim, list attendees
16:01:38 As of this point the attendees have been glenn, +1.503.712.aaaa, terri, BHill, freddyb, Wendy, gmaone, +1.831.246.aabb, dveditz, DavidWalp, +1.973.634.aacc, +1.415.596.aadd, puhley
16:01:38 -freddyb
16:01:47 rrsagent, make minutes
16:01:47 I have made the request to generate http://www.w3.org/2014/08/27-webappsec-minutes.html bhill2
16:01:54 rrsagent, set logs public-visible
16:02:00 -BHill
16:02:02 -puhley
16:04:36 -gmaone
16:04:37 SEC_WASWG()11:00AM has ended
16:04:37 Attendees were glenn, +1.503.712.aaaa, terri, BHill, freddyb, Wendy, gmaone, +1.831.246.aabb, dveditz, DavidWalp, +1.973.634.aacc, +1.415.596.aadd, puhley
16:09:25 libpcap has left #webappsec
17:26:15 neilm has joined #webappsec