19:18:34 RRSAgent has joined #webappsec
19:18:34 logging to http://www.w3.org/2015/02/09-webappsec-irc
19:18:36 RRSAgent, make logs world
19:18:36 Zakim has joined #webappsec
19:18:38 Zakim, this will be WASWG
19:18:38 ok, trackbot; I see SEC_WASWG()3:00PM scheduled to start in 42 minutes
19:18:39 Meeting: Web Application Security Working Group Teleconference
19:18:39 Date: 09 February 2015
19:19:00 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0129.html
19:19:10 wseltzer has changed the topic to: Agenda 9 February: https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0129.html
19:25:34 dveditz has joined #webappsec
19:53:02 tanvi has joined #webappsec
19:58:01 SEC_WASWG()3:00PM has now started
19:58:02 gmaone has joined #webappsec
19:58:08 +[Microsoft]
19:58:55 dwalp has joined #webappsec
19:59:04 Crispin has joined #webappsec
19:59:05 bhill2 has joined #webappsec
19:59:14 +??P0
19:59:21 francois has joined #webappsec
19:59:33 + +1.206.348.aaaa
19:59:51 zakim, aaaa is bhill
19:59:51 +bhill; got it
19:59:57 + +1.418.907.aabb
20:00:16 + +1.646.821.aacc
20:00:20 Zakim, ??P0 is me
20:00:20 +gmaone; got it
20:00:31 + +49.162.102.aadd
20:00:46 zakim, who is here?
20:00:46 On the phone I see [Microsoft], gmaone, bhill, +1.418.907.aabb, +1.646.821.aacc, +49.162.102.aadd
20:00:48 On IRC I see francois, bhill2, Crispin, dwalp, gmaone, tanvi, dveditz, Zakim, RRSAgent, terri, renoirb, tobie, edulix, timeless, mkwst_afk, Josh_Soref, schuki, deian, wseltzer,
20:00:48 ... trackbot
20:00:48 zakim, aaab is francois
20:00:51 sorry, francois, I do not recognize a party named 'aaab'
20:00:56 Zakim, aacc is deian
20:00:56 +deian; got it
20:00:58 zakim, aabb is francois
20:00:58 +francois; got it
20:01:02 zakim, aadd is mkwst
20:01:02 +mkwst; got it
20:01:13 + +1.503.712.aaee
20:01:49 Zakim, aaee is me
20:01:49 +terri; got it
20:01:50 jww has joined #webappsec
20:01:58 + +1.415.736.aaff
20:02:10 +[Mozilla]
20:02:21 zakim: jww is aaff
20:02:23 Zakim, Mozilla has dveditz
20:02:23 +dveditz; got it
20:02:36 zakim, aaff is jww
20:02:36 +jww; got it
20:02:47 darn, I always forget the syntax.
20:03:17 ckersch and tanvi send regrets
20:03:25 bhill2: thanks :-)
20:04:14 scribenick: dveditz
20:04:17 jww, bhill2: http://www.w3.org/2015/07/zakim.html <-- the countdown
20:04:43 TOPIC: Minutes Approval
20:04:49 http://www.w3.org/2015/01/12-webappsec-minutes.html
20:05:06 bhill2: any objections to the minutes from last month?
20:05:17 TOPIC: Agenda Bashing
20:05:17 ... hearing none, minutes are approved by unanimous consent
20:05:38 can we add a quick topic to "go around the table" and check whether or not anybody wants to keep NI URIs in the SRI spec?
20:05:41 dwalp: can we swap CSP and MIX?
20:05:52 bhill2: any objections?..... ok, we can do that
20:05:57 TOPIC: Rechartering & Mozilla's formal objection
20:06:22 ah, sorry, missed it
20:06:37 bhill2: the ni:// topic is already on the agenda
20:07:01 bhill2: we've been working on rechartering for a while. at the 11th hour we got an objection from Mozilla
20:07:14 ... others have chimed in to support those concerns
20:07:22 https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0066.html
20:07:25 ... I have posted a diff
20:07:26 <- Moz's objections
20:07:33 https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html
20:07:33 puhley has joined #webappsec
20:08:23 https://github.com/w3c/webappsec/commit/433dcc996c092309b88c4e1ecad425ea80a49aed
20:09:01 + +1.415.596.aagg
20:09:25 ... we have room to figure out what those specs are going to look like
20:09:28 zakim, aagg is puhley
20:09:28 +puhley; got it
20:10:56 ... [reads the diff of clarification around COWL spec]
20:11:52 ... objection from mozilla was that they couldn't support it without further clarity.
20:12:20 deian: I made a comment on the change... looking for link
20:12:55 https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0114.html
20:12:56 ... dev brought up the thought we could say @@ labels rather than origin labels but I don't know if he still thinks that
20:12:57 https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0114.html
20:13:23 bhill2: here's a note from anne, not sure if it's an official mozilla response
20:14:40 bhill2: next objection was about EPR spec, breaking the ability of the web to link.
20:15:25 ... [reads clarification diff for charter]
20:15:37 ... one response on the list saying that may not be strong enough
20:16:00 + +1.310.597.aahh
20:17:10 dveditz: Sounds good to me, personally. EPR isn't terrible, real security benefits.
20:17:20 dveditz: similar to x-frame-options, who gets to control framing, etc.
20:17:36 dveditz: hope we can make a spec that satisfies folks in Mozilla.
20:17:45 dveditz: working on behalf of user to protect user.
20:18:03 thx mkwst
20:18:05 bhill2: Can you round-trip that back to Mozilla?
20:19:16 bhill2: next objection... unclear what the high-level wording about powerful features meant. removed from the summary but added the Powerful Features spec as an explicit deliverable
20:20:42 ... the updated charter description says "The recommendation will include non-normative advice on when a feature might designate itself as requiring a secure context and provide a normative algorithm for determining if a given context is sufficiently secure"
20:21:00 ... Mike, does that wording work?
20:21:56 mkwst: I believe there's a W3 group making a recommendation this week, it's important that someone has oversight on this area if not the WebAppSec WG
20:22:24 +1 I agree with mkwst
20:23:13 bhill2: I tend to agree with you, Mike, that rather than taking this out or moving it to the TAG, calling it non-normative may allow us to make a strong recommendation that can be used by other WGs without dictating to them
20:23:31 mkwst: my concern is groups who don't consider security until it's too late. I hope we can stop that from happening
20:24:26 bhill2: if you can live with this language, Mike, and if Mozilla can live with it then I hope we can move forward with something the TAG can reference
20:24:40 mkwst: [didn't catch]
20:25:03 bhill2: so noted. we are presenting the technical recommendation, we are just not making it mandatory
20:25:06 zakim, aahh is tanvi
20:25:06 +tanvi; got it
20:25:07 mkwst: notes that the recent TAG finding on securing the web explicitly delegated the technical bits to this group
20:25:55 bhill2: the last section was about asynchronous decision making, explicitly referencing the WebApps charter
20:26:08 bhill2: perhaps we can skip to MS's concerns around MIX? I think Dave(?) has ~5m left before his next call.
20:26:26 ... that group doesn't have regular meetings so what we've been doing works well for us in ways that wouldn't for them
20:26:39 ... [reads updated wording in charter]
20:28:48 ... are there any further comments on the charter update or on the formal objection?
20:29:21 ... I'd like to ask you, Dan, to take this back to the Mozilla folks and round trip this ASAP. the sooner we can have this resolved the sooner we can get on to the rest of the stuff we have to do
20:29:25 dveditz: I will do that
20:29:44 TOPIC: Strict mixed content checking (was Re: MIX: Exiting
20:29:52 https://lists.w3.org/Archives/Public/public-webappsec/2015Jan/0148.html
20:31:35 bhill2: we have agreement from Tanvi from the Mozilla side to the late breaking changes, we were waiting for input from Microsoft
20:31:44 dwalp: no objections from MS
20:31:51 tanvi: none from Mozilla
20:32:07 mkwst: the only concern I'm aware of is from TBL, posted to the list a few weeks back
20:32:33 bhill2: I asked him explicitly about that and have not received a response. Think we should call for consensus and take it to CR
20:32:34 ACTION bhill2 to issue CfC to take Mixed Content to CR
20:32:34 Created ACTION-212 - Issue cfc to take mixed content to cr [on Brad Hill - due 2015-02-16].
20:32:48 ... congratulations Mike
20:32:57 TOPIC: IP matching (URI/IRI normalization) in CSP
20:33:03 ... jumping back to CSP
20:33:30 ... URI/IRI normalization threads, can we come to an agreement on how we support these sources?
20:34:07 mkwst: also wrt normalization bsmith raised whether we should support unicode in the context of the tags
20:34:11 raise ISSUE should CSP support unicode, at least within the context of meta tags
20:34:42 tanvi: wrt IP addresses have you, Mike, found out whether there are addresses used in practice?
20:34:58 mkwst: takes time to get data back, I've put in the request
20:35:23 tanvi: would be good to restrict to localhost only (for compat reasons) and not add others
20:36:07 bhill2: I think the proposal on the table is to remove IP address support from the CSP spec but not necessarily rip it out immediately from implementations
20:36:46 terri: is there a way to make it an option for later? I'm afraid we'll hit IoT situations later where devices can't use CSP because they only have addresses
20:37:16 mkwst: moving from not supporting to adding it back in later is easier than vice versa
20:37:39 terri: agreed, but I don't want the language to imply "this is a terrible idea that no one should use ever"
20:38:02 bhill2: I'm sure we'll want to allow 'self' to refer to the device even if it only has an address
20:38:19 ... is there someone else they'd want to refer to?
20:38:56 terri: there may be associated devices that talk to each other, it's not unreasonable that one device would include data/graphs from another
20:39:17 ... I don't know if any of them will ever use CSP, but we do have people working on things like that
20:39:44 ... I don't know what the reason is not to support IPv6 other than convenience
20:40:19 jww: I think it was more that we couldn't come up with a good syntax to support it yet, rather than the concept
20:40:43 bhill2: we don't want to hold up CSP2 while we try to come up with normalization rules for it
20:41:02 terri: that's fine, especially if we add a note that we're working on it for CSP 3
20:41:28 bhill2: do we want to commit now to a feature in a future spec?
20:41:48 terri: we don't have to commit, can we just say we think it's possible in the future?
20:42:20 bhill2: that's sort of committing. we're close to CR, I'd like to avoid changes to the text
20:42:38 terri: I'm fine with it not being in CSP2 explicitly as long as we know it's in our heads
20:42:40 TOPIC: 'self' in sandboxed contexts for CSP
20:42:45 https://lists.w3.org/Archives/Public/public-webappsec/2015Jan/0084.html
20:42:47 jww: I'll file an issue on it
20:43:18 bhill2: concern was that in some cases sandboxed iframes' CSPs with 'self' don't refer to anything reasonable
20:43:50 ... diff of opinion about whether 'self' refers to the "effective script origin" or whether self should disappear if the document goes into the sandbox
20:45:04 jww: sandbox already breaks stuff if the content isn't aware of it
20:46:11 mkwst: sandbox breaks things like local storage, if the content isn't aware it's being sandboxed then it won't work
20:46:46 @@: that means you can only use CSP if you specify full origins, not 'self'
20:47:12 bhill2: also depends on when the sandbox is applied wrt CSP
20:48:19 mkwst: a good counter example from my point is frame-ancestor. it needs to know what the origin is before the sandbox is applied in order to specify it
20:48:43 mkwst: I would be hard pressed to write an exception to make this case easier to understand
20:49:25 jww: is it an intended consequence of a sandbox? we agree that scripts may not run, fine, that's why you sandbox. is this like that or is it surprising?
20:50:12 mkwst: I can see both sides. I can see it would be useful to be able to grab a real resource origin in some cases. what do we do with paths, especially if they're set by pushstate?
20:50:33 ... do those match a source expression? seems problematic
20:50:47 ... I think there are more impt topics to attend to
20:51:25 jww: I think anne was on your side, too. I'm not sure we should be adding a 3rd origin type
20:52:03 TOPIC: CfC: Transition CSP2 to CR.
20:52:08 https://lists.w3.org/Archives/Public/public-webappsec/2015Jan/0266.html
20:52:09 bhill2: I was on the side of not breaking but have been won over, Dan how about you?
20:52:21 +WSeltzer
20:52:39 dveditz: I will answer on the list, unable to scribe and think here. I may be won over
20:53:06 ... is the unicode issue the only remaining issue?
20:53:17 deian: I think brian's point about nonces is too
20:53:46 https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0116.html
20:53:53 mkwst: brian had a couple of concerns. referrer directives, unicode, ..... [?] those are the 5 issues
20:54:17 bhill2: you already moved the referrer directive into the referrer spec, right?
20:54:19 mkwst: yes
20:54:37 bhill2: the xss filter directive was moved to CSP3?
20:54:45 mkwst: I wasn't against it, haven't yet
20:57:17 mkwst: dev's suggestions for nonces ....
20:57:22 dev's suggestions are at https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0076.html
20:58:01 deian: maybe we could just note the potential for problematic uses of nonces
20:59:28 bhill2: nonces were never intended to be super secure, they were intended to be more secure than not using CSP or using 'unsafe-inline'
21:00:03 ... given we have two implementations already we would require strong evidence of potential misuse to make a change at this point
21:01:14 ... if brian is the only one with a strong objection to how nonces work and there are no formal objections, and strong support for moving CSP2 ahead, I would like to make a call for consensus that nonces will work the way they work in the current implementations.
21:01:18 -jww
21:01:24 ACTION bhill2 to reply to brian smith re: CSP2 to CR
21:01:25 Created ACTION-213 - Reply to brian smith re: csp2 to cr [on Brad Hill - due 2015-02-16].
21:02:04 ... I appreciate brian's attention to the spec and smart comments, but we'll have to leave some of this for the next version of CSP
21:02:33 ... I apologize to the SRI folks we didn't get to their issues
21:02:41 ... thanks everyone, talk in 2 weeks
21:02:45 -mkwst
21:02:47 -gmaone
21:02:47 -[Microsoft]
21:02:49 -tanvi
21:02:51 -puhley
21:02:51 -deian
21:02:52 zakim, list attendees
21:02:53 -terri
21:02:53 As of this point the attendees have been [Microsoft], +1.206.348.aaaa, bhill, +1.418.907.aabb, +1.646.821.aacc, gmaone, +49.162.102.aadd, deian, francois, mkwst, +1.503.712.aaee,
21:02:53 ... terri, +1.415.736.aaff, dveditz, jww, +1.415.596.aagg, puhley, +1.310.597.aahh, tanvi, WSeltzer
21:02:54 -[Mozilla]
21:02:54 -francois
21:02:56 -WSeltzer
21:03:00 rrsagent, make minutes
21:03:00 I have made the request to generate http://www.w3.org/2015/02/09-webappsec-minutes.html bhill2
21:03:07 rrsagent, set logs world
21:03:09 have to run
21:03:18 I'll do the wrap up, thanks Dan
21:03:27 Chair: bhill2, dveditz
21:03:30 -bhill
21:03:31 SEC_WASWG()3:00PM has ended
21:03:31 Attendees were [Microsoft], +1.206.348.aaaa, bhill, +1.418.907.aabb, +1.646.821.aacc, gmaone, +49.162.102.aadd, deian, francois, mkwst, +1.503.712.aaee, terri, +1.415.736.aaff,
21:03:31 ... dveditz, jww, +1.415.596.aagg, puhley, +1.310.597.aahh, tanvi, WSeltzer
21:03:46 rrsagent, draft minutes
21:03:46 I have made the request to generate http://www.w3.org/2015/02/09-webappsec-minutes.html wseltzer
21:07:24 tanvi has left #webappsec
21:31:58 dveditz has joined #webappsec
22:53:38 mkwst has joined #webappsec
23:09:06 Zakim has left #webappsec
23:25:28 mkwst has joined #webappsec
23:42:10 Josh_Soref has joined #webappsec
23:42:24 timeless has joined #webappsec