18:18:22 <RRSAgent> RRSAgent has joined #webappsec
18:18:22 <RRSAgent> logging to http://www.w3.org/2015/06/15-webappsec-irc
18:18:24 <trackbot> RRSAgent, make logs world
18:18:24 <Zakim> Zakim has joined #webappsec
18:18:26 <trackbot> Zakim, this will be WASWG
18:18:26 <Zakim> ok, trackbot; I see SEC_WASWG()3:00PM scheduled to start in 42 minutes
18:18:27 <trackbot> Meeting: Web Application Security Working Group Teleconference
18:18:27 <trackbot> Date: 15 June 2015
18:51:10 <Zakim> SEC_WASWG()3:00PM has now started
18:51:17 <Zakim> +??P0
18:54:37 <gmaone> gmaone has joined #webappsec
18:55:05 <bhill2> bhill2 has joined #webappsec
18:56:59 <bhill2> zakim, this will be 92794
18:56:59 <Zakim> ok, bhill2; I see SEC_WASWG()3:00PM scheduled to start in 4 minutes
18:57:33 <bhill2> bhill2 has changed the topic to: https://lists.w3.org/Archives/Public/public-webappsec/2015Jun/0033.html
19:00:21 <jww> jww has joined #webappsec
19:00:27 <bhill2> zakim, who is here?
19:00:27 <Zakim> I notice SEC_WASWG()3:00PM has restarted
19:00:29 <Zakim> On the phone I see ??P0, +1.503.712.aabb, BHill
19:00:29 <Zakim> On IRC I see jww, bhill2, gmaone, Zakim, RRSAgent, JonathanKingston, franziskus, dveditz, renoirb, schuki, manu, tobie, timeless, Josh_Soref, mkwst, terri, trackbot, wseltzer
19:00:35 <Zakim> +mkwst
19:00:39 <francois> francois has joined #webappsec
19:00:41 <Zakim> +??P2
19:00:41 <terri> Zakim, aabb is me
19:00:42 <Zakim> +terri; got it
19:00:49 <renoirb> renoirb has left #webappsec
19:00:54 <Zakim> + +1.434.941.aacc
19:00:58 <gmaone> Zakim, ??P2 is me
19:00:58 <Zakim> +gmaone; got it
19:01:11 <Zakim> + +1.415.736.aadd
19:01:14 <rbarnes> rbarnes has joined #webappsec
19:01:17 <Zakim> +Wendy
19:01:22 <rbarnes> zakim, who is on the phone?
19:01:23 <Zakim> On the phone I see ??P0, terri, BHill, mkwst, gmaone, +1.434.941.aacc, +1.415.736.aadd, Wendy
19:01:26 <Zakim> +[Mozilla]
19:01:27 <bhill2> Meeting: WebAppSec WG Teleconference, 15-Jun-2015
19:01:29 <jww> Zakim, aadd is me
19:01:29 <Zakim> +jww; got it
19:01:31 <rbarnes> zakim, i am aacc
19:01:31 <bhill2> Chairs: bhill2, dveditz
19:01:32 <Zakim> +rbarnes; got it
19:01:36 <bhill2> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Jun/0033.html
19:01:57 <jww> For the record, Emily Stark is also in the room with me here.
19:02:05 <Zakim> +[Mozilla.a]
19:02:15 <mkwst> Zakim, jww has estark.
19:02:15 <Zakim> +estark; got it
19:02:48 <bhill2> zakim, who is on the phone?
19:02:48 <Zakim> On the phone I see ??P0, terri, BHill, mkwst, gmaone, rbarnes, jww, Wendy, [Mozilla], [Mozilla.a]
19:02:50 <Zakim> jww has estark
19:02:51 <Zakim> +[IPcaller]
19:03:17 <estark> estark has joined #webappsec
19:03:29 <wseltzer> zakim, mute wendy
19:03:29 <Zakim> Wendy should now be muted
19:03:32 <wseltzer> zakim, I am wendy
19:03:32 <Zakim> ok, wseltzer, I now associate you with Wendy
19:03:34 <dveditz> Zakim: IPcaller is me
19:03:49 <wseltzer> ack me
19:03:54 <JonathanKingston> I'm on the phone via Skype
19:03:55 <francois> Mozilla.a is me
19:04:02 <dveditz> Zakim, [IPcaller] has me
19:04:02 <Zakim> +dveditz; got it
19:04:09 <Zakim> + +1.650.253.aaee
19:04:32 <wseltzer> [next call we'll be on webex]
19:04:33 <mkwst> JonathanKingston: Did you call in early?
19:04:35 <mounir> mounir has joined #webappsec
19:04:37 <Zakim> +[Microsoft]
19:04:50 <bhill2> zakim P0 is jonathanKingston
19:04:52 <dwalp> dwalp has joined #webappsec
19:04:54 <JonathanKingston> mkwest: yup
19:04:56 <mkwst> Zakim, ??P0 is JonathanKingston
19:04:56 <Zakim> +JonathanKingston; got it
19:05:07 <francois> Zakim, [Mozilla.a] is francois
19:05:07 <Zakim> +francois; got it
19:05:22 <bhill2> scribenick: mkwst
19:05:28 <mkwst> bhill: Welcome!
19:05:42 <mkwst> ... Welcome JonathanKingston, joining the group as an invited expert.
19:06:18 <JonathanKingston> Hello all, sorry
19:06:20 <mkwst> JonathanKingston: [hard to hear]
19:06:27 <mkwst> bhill: Try something other than Skype?
19:06:31 <mkwst> bhill2: mounir?
19:06:34 <mkwst> mounir: Hi.
19:06:36 <bhill2> TOPIC: Agenda bashing
19:06:46 <mkwst> bhill: Anything to add to the agenda today?
19:06:57 <mkwst> bhill: No additions.
19:06:58 <bhill2> TOPIC: Minutes approval
19:07:04 <bhill2> http://www.w3.org/2011/webappsec/draft-minutes/2015-05-18-webappsec-minutes.html
19:07:13 <mkwst> bhill2: Objections?
19:07:16 <bhill2> TOPIC: News
19:07:17 <mkwst> ... No objections.
19:07:27 <mkwst> ... Berlin F2F.
19:07:56 <mkwst> ... STREWS workshop. European research. Security arch. of the web. TAG wanted to discuss similar issues.
19:08:12 <mkwst> ... Rigo has had difficulty securing a venue.
19:08:33 <mkwst> ... Plan at the moment (won't shift by more than a day) is to have webappsec meet on 13th and 14th of July.
19:08:42 <mkwst> ... Monday/Tuesday @ Mozilla Berlin office.
19:08:50 <mkwst> ... TAG meeting on 15th and 16th.
19:08:58 <mkwst> ... Inviting TAG on the 14th.
19:09:07 <mkwst> ... Will dive in on HTTPS-related specs.
19:09:25 <mkwst> ... Discuss the broader picture (all HTTPS) with the TAG on Tuesday.
19:09:36 <mkwst> ... Possibly a STREWS meeting on the weekend prior.
19:09:52 <mkwst> ... Talk to TAG folks if you'd like to join their meeting (limited space).
19:10:11 <mkwst> dveditz: Need to book travel. Hard to be too flexible.
19:10:14 <wseltzer> q+
19:10:31 <wseltzer> [let's say 13-14, and not wait on STRES]
19:10:35 <wseltzer> q-
19:10:38 <mkwst> bhill2: Month out, can't count on STREWS.
19:10:42 <wseltzer> s/STRES/STREWS/
19:10:46 <francois> we have monday to wednesday booked at the mozilla office, just in case
19:10:46 <mkwst> ... Plan on Monday and Tuesday.
19:10:51 <dveditz> francois: hi! I thought you were PTO today
19:11:02 <dveditz> guess that was NZ monday (yesterday)
19:11:13 <francois> dveditz: yes, timezones ;)
19:11:16 <mkwst> bhill2: Permissions API.
19:11:16 <bhill2> TOPIC: The Permissions API
19:12:15 <mkwst> bhill: Editor will introduce the spec. Field questions, point out questions. Discuss moving towards next step.
19:12:28 <mkwst> mounir: Idea of the API is to have one place where developers can check permissions before using APIS.
19:12:47 <mkwst> mounir: Many APIs don't provide permission entry point right now.
19:12:51 <mkwst> mounir: bad UX.
19:13:04 <mkwst> mounir: Go to google.com on the mobile, always asks for location.
19:13:15 <mkwst> mounir: want to add value, don't know whether they have access without prompt.
19:13:25 <mkwst> mounir: if they can't, they might change UI to ask in a reasonable way.
19:14:25 <mkwst> mounir: A few issues in Chrome. How granular should permission descriptions be?
19:15:27 <mkwst> mounir: "requestAndCheck" in the API?
19:15:46 <mkwst> mounir: Add a "request and revoke call"?
19:15:55 <mkwst> mounir: Today, it's simple for developers to mimic a request method.
19:16:52 <mkwst> mounir: would be better for browser UI to request permissions through a request method.
19:16:57 <mkwst> mounir: could combine permissions that way.
19:17:11 <mkwst> mounir: app can say "I'd like to use X and Y" in one step
19:17:18 <mkwst> mounir: had experiments in Chrome to do that.
19:17:37 <mkwst> mounir: if permissions requested before pageload, we'd show them in one permision request
19:17:45 <mkwst> mounir: felt@ is working on that kind of UI exploration.
19:17:54 <mkwst> bhill2: I have questions... anyone want to go first?
19:18:21 <mkwst> ... In the initial enumeration of permissions, getUserMedia isn't there.
19:18:55 <mkwst> mounir: getUserMedia should be in that list. Only not added because gUM was talking about a permission status method in their own API. Didn't want to force them to move to our way.
19:19:18 <mkwst> mounir: API at that point was really new. We could probably go back to them now to see what they'd like the API to look like.
19:19:39 <mkwst> mounir: on GitHub there's a document describing the APIs that aren't in the API right now. Talks about getUserMedia
19:19:46 <mounir> https://github.com/w3c/permissions/blob/gh-pages/extensibility.md
19:20:00 <mkwst> bhill2: localStorage quota as an argument, not as per
19:20:12 <mkwst> bhill2: Worth creating a registry for the names rather than an enum?
19:20:18 <rbarnes> +1 to a registry
19:20:20 <mkwst> ... Could update without revising the specification directly.
19:20:53 <mkwst> mounir: Simple to use the API, have a catch that says "This permission isn't supported".
19:21:08 <mkwst> ... A registry adds a little bit of fingerprinting for no good use case.
19:21:20 <mkwst> ... compared to "try to use it, if it fails do something else."
19:21:34 <mkwst> bhill2: API discussion point: multiple permissions at once, good for UX.
19:21:51 <mkwst> ... But bundles permissions together. What about selectively declining permissions?
19:21:59 <mkwst> ... Sounds all-or-nothing, which is bad for users.
19:22:28 <mkwst> ... If we extend in that direction, the shape of the Promise resolution shouldn't prohibit users from granting permissions selectively.
19:22:41 <mkwst> mounir: Permission-wall in front of websites?
19:22:54 <mkwst> bhill2: Asked for 10 permissions, have to accept/deny all of them?
19:23:11 <mkwst> mounir: User-agent issue. That [no granularity] would be a terrible implementation.
19:23:27 <mkwst> ... In Chrome today, you can answer each request individually.
19:23:32 <mkwst> ... Even Android is moving out of that system.
19:23:57 <mkwst> dveditz: If a page wants to insist on permissions, they can. There's nothing the API can do to prevent that.
19:24:15 <mkwst> ... Big wall with a single answer, then sites will expect they get everything.
19:24:37 <mkwst> ... As long a sites know that they have to check everything they requested, then that will keep reasonable sites from making unreasonable assumptions.
19:24:52 <JonathanKingston> bhill2: There seems to be an open related issue for this -  https://github.com/w3c/permissions/issues/8
19:24:53 <mkwst> mounir: Vision is pass in an array of requests, get back an array of grants/denials.
19:25:03 <terri> q+
19:25:17 <bhill2> ack terri
19:25:26 <mkwst> terri: Related question: is there any intention to include permission management in this?
19:25:33 <mkwst> ... Seems like that's going to be necessary.
19:25:39 <mkwst> mounir: What do you mean?
19:25:54 <mkwst> terri: Any way to build things that allow users to change their permissions later on if they change their minds?
19:26:03 <mkwst> ... Right now that's locked into the browser.
19:26:23 <mkwst> ... Apps with no browser (just a webview), no mechanism by which permissions could be dropped.
19:26:46 <mkwst> dveditz: This API is content-facing. User managing the API wouldn't do so through the API, but some other mechainsm.
19:27:05 <mkwst> terri: Would need to be a matching API. Is that out of scope? We're going to need that for work I'm doing.
19:27:32 <mkwst> mkwst: Would dropping via the API be enough?
19:27:41 <mkwst> terri: Would need to regain as well as dropping.
19:27:59 <mkwst> mounir: Dropping is something we can add. Good citizens could revoke the permission themselves.
19:28:31 <mkwst> ... One big problem is that users will say "No", but will come back to the website .. Happening with Hangouts. Some users will deny usage of the microphone.
19:28:49 <mkwst> ... But they'll come back, and have no way of reverting their decision.
19:29:01 <mkwst> ... API to make that easier sounds scary/annoying.
19:29:23 <mkwst> terri: Yes. That would be obnoxious. Might be better as a parallel API that isn't public-facing.
19:29:32 <mkwst> mounir: Discussed at TPAC with Microsoft.
19:29:38 <mkwst> ... Browser could be smart in that situation.
19:30:04 <mkwst> ... If I go to that website often, maybe the UA should ask again. "6 months ago you said no, would you like to revisit that decision?"
19:30:10 <mkwst> ... Shouldn't be triggered by the content.
19:30:31 <mkwst> jww: Issues are UA design decisions. Space for exploration, but seems like a feature to leave those decisions open.
19:30:55 <mkwst> dveditz: as terri was saying, she expects browsers to do the right thing, but other non-browser things don't always give users control.
19:31:08 <mkwst> ... Perhaps "SHOULD allow users to manage these permissions"?
19:31:41 <mkwst> terri: I'm at Intel, working on crosswalk, IoT teams.
19:31:49 <mkwst> ... Browser isn't always an option.
19:32:05 <mkwst> dveditz: On devices like that, we have an API, but the device may choose the permission for the user.
19:32:30 <mkwst> terri: Sometimes. IoT is pretty broad. Sometimes there's an interface. Sometimes the manufacture will make the decision.
19:32:42 <mkwst> ... Would be nice to be able to build apps against an API.
19:32:47 <gmaone> q+
19:32:49 <mkwst> ... Will need to do something in this space.
19:33:22 <bhill2> ack gmaone
19:33:42 <mkwst> gmaone: Would it be a good idea to give user a chance to define permission as temporary?
19:34:08 <mkwst> mounir: I think the UA can decide. The API doesn't make any assumption about the permission being persistent.
19:34:18 <mkwst> ... expected that the website checks the permission before using it.
19:34:25 <Zakim> + +49.162.212.aaff
19:34:27 <mkwst> ... should be possible to make the permission temporary.
19:34:33 <mkwst> Zakim, aaff is jochen
19:34:33 <Zakim> +jochen; got it
19:34:46 <mkwst> bhill: Are these changes v2 or v1?
19:34:56 <mkwst> mounir: planning to add these features to v1.
19:35:08 <mkwst> ... keeping as WD, adding new permissions.
19:35:20 <mkwst> bhill2: Great, keep it open. Looking forward to future work.
19:35:22 <bhill2> TOPIC: Referrer Policy
19:35:28 <bhill2> scribenick: bhill2
19:35:47 <Zakim> - +1.650.253.aaee
19:36:42 <bhill2> jochen: summarizes the purpose of the Referrer Policy spec
19:37:10 <bhill2> ... open questions: how to interact with fetch, e.g. as a service worker for an individual request, change hostname
19:37:25 <bhill2> ... another issue is to differentiate between subresource loads and navigation in general
19:38:09 <bhill2> devditz: not all those issues are in webappsec github
19:38:17 <bhill2> jochen: discussion on fetch integration is happening with fetch spec
19:39:03 <dveditz> s/devditz/dveditz/
19:39:12 <mkwst> bhill2: Any questions? I have a few.
19:39:31 <bhill2> dveditz: question from implementation: ability to put referrer attribute on individual elements?
19:39:43 <bhill2> ... once something is in cache, can we use the cached copy?
19:39:52 <bhill2> ... should we load as many times as we have different attributes?
19:40:26 <bhill2> jochen: regular implementation of the cache does not take this into account
19:40:44 <bhill2> ... think we should not mandate behavior that makes performance worse
19:41:01 <bhill2> ... related to interaction with preload, which might trigger loads before a meta referrer header is processes
19:41:15 <mkwst> s/preload/preload scanner/
19:41:22 <bhill2> ... I think the preload scanner should to a best effort, if site really cares should send referrer policy by CSP
19:41:33 <bhill2> ... should not require discarding of an already loaded network response
19:41:55 <bhill2> mkwst: if a site explicitly wants different content based on referrer it should also send a "Vary: Referer" header to indicate this
19:42:23 <bhill2> bhill2: Dan, this looks like issue #2 here: https://lists.w3.org/Archives/Public/public-webappsec/2015Jun/0043.html
19:43:14 <bhill2> ... issue #1 here?  is it ok to modify the policy with script that sets attributes that seem to take precedence over a header/meta
19:43:28 <bhill2> mkwest, your audio is gone
19:43:34 <dveditz> mkwst: come back to us!
19:44:01 <bhill2> mkwst: we have stats on this in chrome, looks like 11.3% of sites use referrer policy
19:44:11 <mkwst> https://www.chromestatus.com/metrics/feature/popularity#SetReferrerPolicy
19:44:17 <bhill2> ... around 0.1% of pages change referrer policy on the fly to a different value
19:44:21 <dveditz> 11% !
19:44:29 <mkwst> https://www.chromestatus.com/metrics/feature/popularity#ResetReferrerPolicy
19:44:32 <bhill2> ... about 1% of pages that use referrer policy rely in some way on current chrome behavior
19:45:12 <bhill2> ... 0.1% of page views is above the threshold where we are comfortable deprecating so we may want to revisit the CSP interaction to be less draconian
19:45:35 <bhill2> jochen: for CSP we usually say you can go to a more strict setting, but not clear what is more strict in this context
19:46:18 <bhill2> ... some policies send less information in some ways, more in others (e.g. with downgrade in origin-when-crossorigin)
19:46:37 <bhill2> ... would rather stay with allowing it to change on the fly
19:47:05 <mkwst> bhill2: Can control injection risk via CSP.
19:47:07 <bhill2> bhill2: can also use CSP script controls to mitigate risk of injected inline scripts
19:47:24 <bhill2> jochen: can also measure how referrer policy is being changed
19:47:34 <bhill2> mkwst: our numbers don't split out CSP vs. meta tag
19:47:42 <bhill2> ... suspect most use meta tag
19:47:57 <bhill2> ... know that google, facebook, some others do
19:47:59 <bhill2> q+
19:48:29 <bhill2> ack bhill
19:48:34 <mkwst> bhill2: 2 related questions.
19:48:58 <mkwst> ... Currently link rel=noreferrer has side-effects for `window.opener` property.
19:49:13 <mkwst> ... Disowns `window.opener`. Should we preserve that behavior?
19:49:23 <mkwst> ... Should include functionality as part of the spec?
19:49:39 <mkwst> ... Of interest to Facebook, because of phishing and other types of attacks.
19:49:56 <bhill2> dveditz: someone was proposing a separate rel, maybe not in our group, maybe in webapps
19:50:05 <bhill2> ... rel=noopener, nocontext or something similar
19:50:33 <bhill2> ... don't fell comfortable changing the behavior of rel=noreferrer, because people rely on that already
19:50:50 <bhill2> jochen: also one of the signals used to decide if a new process is needed
19:52:11 <bhill2> mkwst: conflating these going forward is a recipe for confusion, rather have a separate attribute
19:52:23 <bhill2> ... whether referrer policy is the right place,  we should mention it
19:52:36 <bhill2> ... but would be good to define a new attribute and to define it somewhere other than referrer policy spec
19:53:04 <bhill2> dveditz: not supporting conflation originally, but support continuing it, but not propagating it further
19:54:27 <bhill2> bhill2: is it worth having the ABNF support multiple tokens for future extensibility?
19:54:44 <bhill2> mkwst: we have a bug for this in CSP3 already, on a page-wide
19:55:06 <bhill2> ... for referrer we want to change the syntax to allow multiple tokens to be set
19:56:14 <bhill2> jochen: meta delivery has lots of drawbacks, would rather extend other means we have like CSP than dumping more into meta referrer spec
19:56:30 <Zakim> -rbarnes
19:57:08 <bhill2> bhill2: reporting on sandbox?
19:57:15 <bhill2> mkwst: its already there
19:57:59 <bhill2> dveditz: so this works as expected for e.g. about:blank that has content written to it, has origin of script that opened it
19:58:24 <bhill2> mkwst: some differences in chrome and firefox behavior for something other than a document, e.g. a stylesheet loading an image
19:58:35 <bhill2> ... ff sends stylesheet's URL, chrome sends docuennt's
19:58:38 <bhill2> ack jochen
19:59:19 <bhill2> dveditz: maybe css or html people should figure how that should work
19:59:50 <bhill2> jochen: do you use referrer policy at time stylesheet was loaded or at time subresource referred to by stylesheet is loaded?
20:00:35 <Zakim> -[Microsoft]
20:01:04 <mkwst> https://www.w3.org/Bugs/Public/show_bug.cgi?id=24613 is the stylesheet question.
20:01:16 <bhill2> rrsagent, make minutes
20:01:16 <RRSAgent> I have made the request to generate http://www.w3.org/2015/06/15-webappsec-minutes.html bhill2
20:01:17 <Zakim> -mkwst
20:01:18 <Zakim> -francois
20:01:19 <Zakim> -jochen
20:01:19 <Zakim> -gmaone
20:01:21 <Zakim> -[Mozilla]
20:01:21 <Zakim> -[IPcaller]
20:01:22 <bhill2> rrsagent, set logs public visible
20:01:24 <Zakim> -Wendy
20:01:26 <Zakim> -terri
20:01:27 <Zakim> -jww
20:01:27 <bhill2> zakim, list attendees
20:01:28 <Zakim> As of this point the attendees have been [Mozilla], +1.503.712.aaaa, +1.503.712.aabb, BHill, mkwst, terri, +1.434.941.aacc, gmaone, +1.415.736.aadd, Wendy, rbarnes, estark,
20:01:28 <Zakim> ... dveditz, +1.650.253.aaee, [Microsoft], JonathanKingston, francois, +49.162.212.aaff, jochen
20:01:31 <franziskus> franziskus has left #webappsec
20:01:35 <bhill2> rrsagent, make miutes
20:01:35 <RRSAgent> I'm logging. I don't understand 'make miutes', bhill2.  Try /msg RRSAgent help
20:01:40 <bhill2> rrsagent, make minutes
20:01:40 <RRSAgent> I have made the request to generate http://www.w3.org/2015/06/15-webappsec-minutes.html bhill2
20:01:42 <Zakim> -JonathanKingston
20:01:44 <bhill2> rrsagent, set logs world
20:06:43 <Zakim> disconnecting the lone participant, BHill, in SEC_WASWG()3:00PM
20:06:44 <Zakim> SEC_WASWG()3:00PM has ended
20:06:44 <Zakim> Attendees were [Mozilla], +1.503.712.aaaa, +1.503.712.aabb, BHill, mkwst, terri, +1.434.941.aacc, gmaone, +1.415.736.aadd, Wendy, rbarnes, estark, dveditz, +1.650.253.aaee,
20:06:44 <Zakim> ... [Microsoft], JonathanKingston, francois, +49.162.212.aaff, jochen
22:27:28 <bhill2> bhill2 has joined #webappsec