19:00:42 RRSAgent has joined #webappsec
19:00:42 logging to http://www.w3.org/2015/06/29-webappsec-irc
19:01:14 tanvi has joined #webappsec
19:01:26 zakim, who is here?
19:01:26 sorry, tanvi, I don't know what conference this is
19:01:28 On IRC I see tanvi, RRSAgent, Zakim, gmaone, JonathanKingston, francois, renoirb, dveditz, trackbot, tobie, timeless, terri, manu, mounir, mkwst, piochu, Josh_Soref, wseltzer
19:01:45 Uh oh. No chair === confused Zakim.
19:02:24 we're supposed to be using something else now?
19:02:26 trackbot, prepare teleconf
19:02:27 webex?
19:02:28 RRSAgent, make logs world
19:02:30 Zakim, this will be WASWG
19:02:30 ok, trackbot, I see SEC_WASWG()3:00PM already started
19:02:31 Meeting: Web Application Security Working Group Teleconference
19:02:31 Date: 29 June 2015
19:02:31 RRSAgent, make logs world
19:02:32 deian has joined #webappsec
19:03:07 + +1.831.246.aadd
19:03:14 Zakim, aadd is me
19:03:14 +dveditz; got it
19:03:14 Zakim, who is here?
19:03:16 On the phone I see +1.503.712.aaaa, [IPcaller], +1.310.597.aabb, ??P3, +1.778.785.aacc, dveditz
19:03:16 On IRC I see deian, tanvi, RRSAgent, Zakim, gmaone, JonathanKingston, francois, renoirb, dveditz, trackbot, tobie, timeless, terri, manu, mounir, mkwst, piochu, Josh_Soref,
19:03:16 ... wseltzer
19:03:23 I'm on via Skype, sorry I couldn't sort a better line for today.
19:03:24 renoirb has left #webappsec
19:03:25 +??P6
19:03:32 Zakim, aaaa is me
19:03:32 +terri; got it
19:03:41 Zakim, ??P6 is me
19:03:41 +gmaone; got it
19:03:50 I'm one of those, but no idea which one. :)
19:04:14 - +1.778.785.aacc
19:04:25 + +1.646.355.aaee
19:04:33 zakim, aabb is tanvi
19:04:33 +tanvi; got it
19:04:42 + +1.778.785.aaff
19:04:43 zakim, aaee is deian
19:04:44 +deian; got it
19:04:54 zakim, aaff is me
19:04:54 +francois; got it
19:05:18 dveditz: Anything to add to the agenda?
19:05:38 scribenick: mkwst
19:05:51 http://www.w3.org/2011/webappsec/draft-minutes/2015-06-15-webappsec-minutes.html
19:06:24 TOPIC: Berlin F2F Update + Agenda Bashing
19:06:27 +Wendy
19:06:44 dveditz: July 13-14 at Mozilla.
19:07:00 ... Will send out a link to where exactly we'll be heading. It's on a Wiki somewhere.
19:07:14 https://www.mozilla.org/en-US/contact/spaces/berlin/
19:07:25 ... Defined set of topics for that?
19:07:38 ... upgrade-insecure-requests, SRI, other specs related to HTTPS.
19:07:38 +1 to HTTPS switch
19:07:54 ... Switching to HTTPS.
19:08:09 ... Anything to add to that? Will overlap with the TAG on the 14th.
19:08:17 ... Some folks are concerned about breaking sites by migrating, etc.
19:08:40 mkwst: Good conversation for the list over the next two weeks.
19:08:48 q+
19:09:14 wseltzer: Any logistical things to do? Sign in in advance? Check in?
19:09:26 dveditz: I've never been there. francois probably hasn't either.
19:09:31 https://wiki.mozilla.org/Berlin_Office
19:09:36 ... Regular Mozilla badges don't work there. We're all on our own.
19:10:02 francois: I'll look into it. Think we just need to sign in and go.
19:10:13 dveditz: There's a sticky name badge. It's exciting.
19:10:19 ... Other than that, probably nothing.
19:10:32 ... Could be tight. Execs are visiting too.
19:10:38 ... Might get bumped to a smaller room.
19:10:44 q-
19:10:48 TOPIC: CSP Pinning
19:11:08 scribenick: dveditz
19:11:19 mkwst: there hasn't been a lot of change since the last discussion
19:11:29 mkwst: hasn't been something I've been actively working on lately
19:11:47 https://w3c.github.io/webappsec/specs/csp-pinning/
19:11:53 mkwst: CSP pinning is a mechanism by which a site can declare a policy that should be applied to every page
19:12:11 mkwst: we discussed two possible ways -- a default policy that individual pages could tighten, but not remove
19:12:39 ... the other option would be to set a policy that applies only if there are no policies from the page itself, such as for error pages
19:12:58 ... the spec currently goes with the former -- policy is always applied -- but there are good arguments on both sides
19:13:28 ... what makes sense to me is to have the default be a policy that applies if no page policy, with an option to make a blanket policy
19:13:39 ... the other open question is the delivery mechanism
19:14:20 ... the spec has one mechanism, there are two other ways... 1) would be a manifest, which fits with the concept of a web "application"
19:14:55 ... but the manifest has a different scope than CSP (which would be origin-wide) and manifests can also be scoped to @@ which doesn't fit with an origin-wide setting
19:15:21 ... a manifest can also sometimes define policy for other domains (if installed from that domain)
19:15:57 ... 2) someone also suggested a file on disk (e.g. under /.well-known) similar to a manifest, but separate to avoid the above concerns
19:16:39 ... biggest question is whether we can allow this to apply to more than just one domain -- such as HSTS's includeSubdomains feature
19:16:59 ... but HSTS has a self-verification mechanism (if the site isn't tls it fails miserably)
19:17:19 q+
19:18:07 wseltzer: I'm interested in thinking about the "include subdomains" bit... are there places it could go wrong? clearly there are
19:18:30 ... yet it seems useful for sites using subdomains as an isolation mechanism
19:18:48 mkwst: the question is to what extent we can treat subdomains as the same entity
19:19:00 q+
19:19:05 ... in the sense of having administrator control
19:19:18 ... we're forced to, to some extent, due to cookies, but that's a bad reason
19:19:42 wseltzer: this is related to the work by @@? talking about the public suffix list
19:20:05 ... at the highest level "is this a domain delegated by a registry or by a private entity?"
19:20:26 s/@@?/dbound at IETF/
19:20:36 ... if a university sets subdomains for all of its students, how much control should the university have over them?
19:20:52 mkwst: I'd like to stay away from the PSL discussions as far as possible
19:21:08 ... it's a complicated problem. there are areas it works well and areas it does not
19:21:57 ... to take your last example, the university has complete control over those machines (most likely) and if they don't they certainly have control over the dns
19:22:18 Resold domains match this case, like .co.com domains are not normal domains for example
19:22:27 wseltzer: it would be interesting to describe some of these things in DNS -- same level of granularity -- but previous efforts along those lines have been unsuccessful
19:22:49 https://tools.ietf.org/wg/dbound/
19:22:51 mkwst: that's about it, but I haven't worked on it lately and it's not the top of my priority list
19:23:22 ... have taken feedback to heart and have focused on finishing other specs first
19:23:48 ... if we need to update things for heartbeat requirements I can push an update
19:23:58 wseltzer: every 3 months is recommended
19:24:00 http://www.w3.org/2014/Process-20140801/#three-month-rule
19:24:29 mkwst: ok, then I'll publish a new WD based on what's there right now, but otherwise I think other work in our queue is more important
19:24:34 scribenick:mkwst
19:24:37 scribenick: mkwst
19:24:46 deian: Delayed with the COWL spec.
19:24:48 q-
19:24:51 Confinement with Web Origin Labels (COWL)
19:24:55 ... Getting close to something like a working draft.
19:24:57 TOPIC: Confinement with Web Origin Labels (COWL)
19:25:03 ... Not sure if folks have looked at it yet.
19:25:04 http://cowl.ws/spec.html
19:25:28 ... Pushing it out now for discussion.
19:25:35 ... To summarize:
19:25:42 ... Want to extend the web model with labels.
19:25:58 ... Confidentiality labels and integrity labels.
19:26:05 did the call get cut off?
19:26:07 ... Should associate a label whenever you share data (postMessage, etc).
19:26:22 -tanvi
19:26:25 ... Complements the existing model: share data, determine with whom it can be further shared.
19:26:49 ... Labels and privileges are main concepts.
19:26:52 +tanvi
19:26:56 ... Once I read data, I'm tainted.
19:27:02 ... based on labels.
19:27:22 ... Privileges give you ownership over your own origin, declassify/endorse data for this origin.
19:27:39 ... Because conjunction/disjunction, can delegate privilege.
19:28:04 ... In the current draft, have described the concepts and interfaces.
19:28:13 ... Introduced a new primitive, labeled objects.
19:28:26 ... Can send object over, policy is imposed at that point.
19:28:34 ... Anything that's structurally clonable.
19:28:45 ... Also a header mechanism.
19:29:00 ... Extending XHR/Fetch to return labeled objects.
19:29:39 ... Labels are enforced at context boundary. IFrames are a natural choice.
19:29:40 Mike could you mute your mic please?
19:29:52 ... Spec also introduces lightweight workers.
19:29:59 (JonathanKingston: Sorry!)
19:30:06 ... Can delegate privilege to the workers.
19:30:17 ... Should that concept be part of the spec? Moved to v2?
19:30:38 q+
19:30:40 ... All specified now? Rip out bits for draft?
19:30:50 q+, smaller is better.
19:30:58 q+ to say smaller is better.
19:31:19 wseltzer: To advance a spec, you need two independent implementations of all the key features.
19:31:30 ... If things will lag behind, then subsets make sense as a v1.
19:31:43 ... Could be faster than labeling things as "at risk" and taking them out.
19:31:50 ... Easier to wrap hands around a smaller spec.
19:32:06 q-
19:32:11 q-
19:32:20 mkwst: Ditto.
19:32:35 deian: Enforcement. Specified in terms of CSP?
19:32:42 ... New directive into CSP.
19:33:11 mkwst: What do you mean by "enforcement"?
19:33:24 deian: We perform the checks ourselves.
19:33:33 ... current context has a label, which could map to a CSP.
19:33:49 ... Say you have "example.com". You can talk to "example.com", but no one else.
19:34:45 ... Still need label checks in the spec, but when contexts talk to other contexts or to servers, that maps well to CSP.
19:35:56 mkwst: CSP only allows tightening.
19:36:15 deian: Would have to keep track of policy set by COWL vs header. But would want the union.
19:36:45 q+
19:36:58 mkwst: CSP is already pretty far out of date
19:37:04 ... with respect to Fetch
19:37:10 ... so CSP3 will be rewriting a lot
19:37:18 deian: Ok. Will look at fetch too.
19:37:28 ... Will chat with mkwst later.
19:38:28 JonathanKingston: If I load Stripe on a website, how do I restrict Stripe to sending data to stripe.com, without restricting the parent page?
19:38:52 ... Site shouldn't own the data the user typed in.
19:39:07 deian: Would help to have lightweight workers. Or an IFrame.
19:39:27 ... Set the label of the frame to "stripe.com", it can only talk to stripe.com without restricting the parent.
19:39:45 JonathanKingston: I'd prefer the embedding site not to see what's put into the Stripe IFrame.
19:40:28 deian: Labeled objects: unless you inspect the data, it won't taint your context.
19:40:45 ... Stripe could give you an object, you could hold onto it. It won't affect your ability to communicate until you look at the data.
19:41:10 JonathanKingston: Ok.
19:41:16 deian: will add that as a use case into the spec.
19:41:24 q+
19:41:28 ack J
19:41:36 ack dv
19:41:43 dveditz: Have you given thought to how sites could misuse this for evil?
19:41:50 deian: Yes.
19:42:15 ... Navigation source === can't navigate away if you fully taint your context.
19:42:25 ... Not too worried about misuse of the rest.
19:42:39 ... Should be using this _in addition to_ everything else, though.
19:42:49 ... Tempting to loosen CORS, for instance, but need to be careful about doing so.
19:43:19 dveditz: For navigations, maybe if user agents obey what a user says (address bar, bookmarklet, etc).
19:43:36 ... Some sites will say "paste this!", so that's not a guarantee.
19:44:00 deian: Bookmarklets are injected into the page, so maybe they should be governed by COWL...
19:44:10 ... Will further explain the guarantees this provides.
19:44:12 q-
19:44:29 deian: Question for FPWD.
19:44:35 ... How complete does it need to be?
19:45:02 wseltzer: Idea is to have a scaffolding that's enough to show people what's going to be there, and for the group to agree that it should go out as an FPWD.
19:45:16 ... When you think it's ready, send a signal, we'll start the process moving.
19:45:29 deian: Great! Might be ready by the end of the week.
19:45:43 dveditz: Ok. That seems to have covered the two topics we had for this call.
19:45:49 ... Close it up?
19:46:11 mkwst: CfC on Mixed Content to Proposed Rec. Please send comments/feedback
19:46:37 wseltzer: Looking forward to talking at the F2F about all the good work we're doing here.
19:46:48 ... Telling the broader story about the things we're doing to help secure the web.
19:46:55 dveditz: Thanks everyone.
19:47:11 ... Next call would have been during the F2F. Maybe we'll have a call? Will check with Brad.
19:47:21 ... May call in for folks. Might be an odd schedule for that.
19:47:47 ... Will send out a mail.
19:47:58 wseltzer: thanks! :)
19:48:01 wseltzer: Will be bidding farewell to Zakim. Next time, new numbers anyhow.
19:48:18 dveditz: Is there a phone number for the new thing?
19:48:30 wseltzer: Yup. You can dial it from a telephone.
19:48:55 dveditz: See you in Berlin!
19:49:03 -Wendy
19:49:05 -francois
19:49:06 -??P3
19:49:06 -dveditz
19:49:10 -gmaone
19:49:12 -tanvi
19:49:13 -[IPcaller]
19:49:58 wseltzer: does RRSAgent go away at the same time? if so how is IRC logging going to be handled?
19:50:29 rrsagent, make minutes
19:50:29 I have made the request to generate http://www.w3.org/2015/06/29-webappsec-minutes.html wseltzer
19:50:30 -deian
19:50:30 ok, thanks
19:50:36 bhill2 has joined #webappsec
19:50:45 s/wseltzer: does RRSAgent go away at the same time? if so how is IRC logging going to be handled?
19:50:57 s/wseltzer: does RRSAgent go away at the same time? if so how is IRC logging going to be handled?//
19:51:42 I don't think I had two spaces in "be handled"
19:51:56 s/wseltzer: does RRSAgent go away at the same time? if so how is IRC logging going to be handled?//
19:52:01 s/wseltzer: does RRSAgent go away at the same time? if so how is IRC logging going to be handled?//
19:52:14 :-) thanks
19:53:20 -terri
19:53:21 SEC_WASWG()3:00PM has ended
19:53:21 Attendees were +1.503.712.aaaa, [IPcaller], +1.310.597.aabb, +1.778.785.aacc, +1.831.246.aadd, dveditz, terri, gmaone, +1.646.355.aaee, tanvi, +1.778.785.aaff, deian, francois,
19:53:21 ... Wendy
19:56:51 rrsagent, make minutes
19:56:51 I have made the request to generate http://www.w3.org/2015/06/29-webappsec-minutes.html bhill2
19:56:55 rrsagent, set logs public-visible
20:02:00 bhill2 has joined #webappsec
20:04:47 bhill2 has joined #webappsec
21:05:46 bhill2 has joined #webappsec
21:42:18 deian has joined #webappsec
22:39:57 deian has left #webappsec
23:59:44 bhill2 has joined #webappsec