10:09:22 <RRSAgent> RRSAgent has joined #webappsec
10:09:22 <RRSAgent> logging to http://www.w3.org/2015/10/19-webappsec-irc
10:09:24 <trackbot> RRSAgent, make logs world
10:09:24 <Zakim> Zakim has joined #webappsec
10:09:26 <trackbot> Zakim, this will be WASWG
10:09:26 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
10:09:27 <trackbot> Meeting: Web Application Security Working Group Teleconference
10:09:27 <trackbot> Date: 19 October 2015
10:10:00 <wseltzer_transit> zakim, remind me in 12 hours
10:10:01 <Zakim> ok, wseltzer_transit
10:54:47 <jmajnert> jmajnert has joined #webappsec
12:16:11 <bblfish> bblfish has joined #webappsec
13:02:46 <wseltzer_transit> rrsagent, please stay
14:48:16 <wonsuk> wonsuk has joined #webappsec
18:05:17 <franziskus> franziskus has joined #webappsec
18:27:12 <francois> francois has joined #webappsec
18:51:37 <gmaone> gmaone has joined #webappsec
19:02:48 <mkwst> Kid has wonderful timing, sorry, need to run upstairs to get someone back into bed. :/
19:02:50 <estark> estark has joined #webappsec
19:02:57 <ckerschb> ckerschb has joined #webappsec
19:04:09 <dveditz> present+ dveditz
19:04:14 <dveditz> Zakim, who is here?
19:04:14 <Zakim> Present: dveditz
19:04:16 <Zakim> On IRC I see ckerschb, estark, gmaone, francois, bblfish, jmajnert, Zakim, RRSAgent, timeless, Josh_Soref, mkwst, tobie, slightlyoff, schuki, dveditz, terri, mounir, trackbot,
19:04:16 <Zakim> ... wseltzer_transit
19:04:25 <estark> present+ estark
19:04:37 <gmaone> present+ gmaone
19:05:01 <francois> present+ francois
19:05:07 <ckerschb> present+ ckerschb
19:05:46 <terri> present+ terri
19:05:55 <dveditz> can anyone here me on the phone?
19:06:03 <dveditz> s/here/hear/
19:06:53 <dveditz> misspoke, but thanks for confirming it's not just an empty void out there
19:07:32 <dveditz> Zakim, who is here?
19:07:32 <Zakim> Present: dveditz, estark, gmaone, francois, ckerschb, terri
19:07:34 <Zakim> On IRC I see ckerschb, estark, gmaone, francois, bblfish, jmajnert, Zakim, RRSAgent, timeless, Josh_Soref, mkwst, tobie, slightlyoff, schuki, dveditz, terri, mounir, trackbot,
19:07:34 <Zakim> ... wseltzer_transit
19:07:55 <tanvi> tanvi has joined #webappsec
19:08:29 <dveditz> TOPIC: Minutes Approval
19:08:38 <dveditz> http://www.w3.org/2011/webappsec/draft-minutes/2015-10-05-webappsec-minutes.html
19:08:42 <tanvi> zakim, who is here?
19:08:42 <Zakim> Present: dveditz, estark, gmaone, francois, ckerschb, terri
19:08:44 <Zakim> On IRC I see tanvi, ckerschb, estark, gmaone, francois, bblfish, jmajnert, Zakim, RRSAgent, timeless, Josh_Soref, mkwst, tobie, slightlyoff, schuki, dveditz, terri, mounir,
19:08:44 <Zakim> ... trackbot, wseltzer_transit
19:09:02 <dveditz> minutes approved
19:09:13 <dveditz> TOPIC: News
19:09:27 <tanvi> present+ tanvi
19:09:39 <tanvi> Zakim, present+ tanvi
19:09:39 <francois> TPAC is next week, the webappsec group is meeting thursday/friday and the plenary is wednesday
19:09:41 <dveditz>  https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0057.html
19:10:05 <mkwst> present+ mkwst
19:10:10 <francois> only 4-5 people have signed up on the official agenda in gdocs
19:10:27 <rbarnes> rbarnes has joined #webappsec
19:10:32 <francois> please fill in your name if you're planning on coming so that we know how to expect and how much space we have for observers
19:10:40 <rbarnes> link to this spreadsheet?
19:10:54 <dveditz>  https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0057.html
19:11:01 <francois> rbarnes: it's in the list mail that dveditz linked to
19:11:05 <tanvi> https://docs.google.com/document/d/1h05daW54OA3-lqV2IbPA0otrQbkB9Ua8UXTj9Tm63Dg/edit#heading=h.kwsyc5wl8bzd
19:11:10 <tanvi> rbarnes: ^^
19:11:16 <rbarnes> thanks
19:11:18 <dveditz> TOPIC: CSP Pinning
19:12:20 <francois> status of the feature: mike hasn't touched it since the last time
19:12:36 <francois> if someone wants to pick it up, feel free, it's not currently a priority for mike
19:13:33 <francois> pinning v. manifest: it's not clear which is the better model yet
19:15:40 <jochen> jochen has joined #webappsec
19:15:47 <francois> mike will published a new "heartbeat" working draft for the spec
19:16:16 <dveditz> TOPIC: Entry Point Regulation
19:17:01 <francois> mike thinks it's probably worth doing, despite the controversy
19:17:22 <francois> david has an extension-based EPR prototype and was in the process of building it as a service worker
19:17:35 <francois> it could be done better inside the browser
19:17:50 <francois> since we could make more intelligent decisions
19:18:48 <francois> we need to decide as a group whether or not this is something that we want to put together
19:19:12 <francois> i.e. do we want to build things that restrict navigation
19:19:20 <francois> because it does break some forms of linking
19:19:51 <francois> it makes sense for applications to restrict their entry points but there's no way to prevent non-applications from abusing the feature
19:20:01 <rbarnes> that seems pretty bad
19:20:07 <rbarnes> (the evil nyt example)
19:20:16 <dveditz> zakim, who is here?
19:20:16 <Zakim> Present: dveditz, estark, gmaone, francois, ckerschb, terri, tanvi, mkwst
19:20:18 <Zakim> On IRC I see jochen, rbarnes, tanvi, ckerschb, estark, gmaone, francois, bblfish, jmajnert, Zakim, RRSAgent, timeless, Josh_Soref, mkwst, tobie, slightlyoff, schuki, dveditz,
19:20:18 <Zakim> ... terri, mounir, trackbot, wseltzer_transit
19:20:22 <dveditz> present+ devd
19:20:33 <dveditz> zakim, who is here?
19:20:34 <Zakim> Present: dveditz, estark, gmaone, francois, ckerschb, terri, tanvi, mkwst, devd
19:20:35 <Zakim> On IRC I see jochen, rbarnes, tanvi, ckerschb, estark, gmaone, francois, bblfish, jmajnert, Zakim, RRSAgent, timeless, Josh_Soref, mkwst, tobie, slightlyoff, schuki, dveditz,
19:20:35 <Zakim> ... terri, mounir, trackbot, wseltzer_transit
19:20:38 <rbarnes> zakim, who is speaking?
19:20:38 <Zakim> I am sorry, rbarnes; I don't have the necessary resources to track talkers right now
19:20:46 <dveditz> rbarnes: devdattae
19:20:50 <dveditz> rbarnes: devdatta
19:20:56 <rbarnes> dveditz: ack, thx
19:21:20 <terri> Thanks, I'd forgotten what the controversy was
19:21:44 <terri> we're sort of interested in it for certain types of apps and I wanted to know what I might be stepping in if I started working on it.
19:22:10 <francois> chrome is not going to get to EPR in Q4 but might start in Q1
19:23:02 <francois> sites are already restricting their entry points using referrer checking
19:23:32 <dveditz> scribenick: francois
19:23:37 <dveditz> scribe: francois
19:26:33 <dveditz> TOPIC: Referrer Policy
19:26:53 <mkwst> jochen: Three open issues.
19:27:12 <mkwst> jochen: 1. Adding spec text about `referrerpolicy` attribute on `<a>`, etc.
19:27:21 <mkwst> ... Agreement about how to implement, but needs to get into the spec.
19:27:34 <mkwst> ... 2. `Ping-From` needs to be associated with a referrer policy.
19:27:41 <mkwst> ... Need to update this in HTML.
19:27:51 <mkwst> ... 3. Need to add spec text about CSS stylesheets.
19:28:00 <mkwst> ... How do they get a referrer?
19:28:09 <mkwst> ... CSS doesn't currently spec this. Doesn't interact with Fetch.
19:28:17 <mkwst> ... Talked with Tab. Asked for input.
19:28:33 <mkwst> ... Differences between Chrome and Firefox. Neither really consistent.
19:28:47 <mkwst> ... Chrome takes the referrer policy from when the stylesheet was created rather than when the resource is loaded.
19:29:07 <mkwst> ... Firefox takes the referrer from the stylesheet and the policy from when the resource is loaded.
19:29:45 <mkwst> ... Right now you can set the policy from CSP, which is strange from CSP's point of view, because it's non-restrictive in the `unsafe-url` case.
19:29:55 <tanvi> what about francois proposal on more policies?  is that for v2?
19:30:01 <mkwst> ... mkwst proposed splitting it out into a separate header.
19:30:15 <mkwst> ... Do we need new kinds of policies? Change default behavior? Etc. Ongoing discussion.
19:30:56 <dveditz> scribenick: mkwst
19:31:00 <mkwst> jochen: My goal at the moment is to make the spec reflect reality, not radically change.
19:31:06 <dveditz> scribe: mkwst
19:31:16 <mkwst> ... Can be a goal, but at this point for stylesheets we don't even have a spec that explains anything.
19:31:23 <mkwst> ... Let's explain before we attempt broader change.
19:31:46 <mkwst> dveditz: Is there a test suite?
19:31:51 <mkwst> ... Or just ad-hoc?
19:32:02 <mkwst> jochen: Bunch of layout tests in Blink.
19:32:13 <mkwst> ... Ran them on Firefox to discover differences.
19:32:41 <mkwst> ... The layout tests I've looked at are only touching on some of the specs, only looking at one level of indirection.
19:32:50 <mkwst> dveditz: Tests check for the referrer?
19:33:09 <mkwst> jochen: Stylesheet loads an image, image is different color based on referrer.
19:33:17 <mkwst> ... Also inspect network traffic.
19:33:36 <mkwst> ... Modify URL with history API. Should get updated URL in theory.
19:33:51 <mkwst> ... Both Firefox and Chrome use the document's URL at the time the stylesheet was created.
19:34:11 <mkwst> ... Chrome uses the policy from that time as well, Firefox uses the current policy at the time of the request.
19:34:33 <mkwst> ... Anne argues that both should come at the point in time where the resource is loaded.
19:34:48 <mkwst> ... I think I agree, checking with Tab to make sure that this behavior is consistent in CSS, doesn't break anything.
19:35:11 <mkwst> dveditz: We don't yet support meta CSP, can you change the policy?
19:35:19 <mkwst> dev: You support the <meta name> method.
19:35:29 <mkwst> dveditz: Kind of a mess that there are two ways to do that.
19:35:42 <mkwst> jochen: If I could go back in time, I wouldn't have done the <meta> thing.
19:35:50 <mkwst> ... Interacts strangely with the preload scanner.
19:36:11 <mkwst> ... But <meta> is supported cross-browser, is actually used.
19:36:20 <mkwst> dev: Same problem with content encoding, right?
19:36:37 <mkwst> ... Some folks can't modify the header. Service Workers tried really hard to avoid headers.
19:36:51 <mkwst> jochen: Right. Can't talk about the preload scanner in the spec, as it's an implementation detail.
19:37:10 <mkwst> ... Firefox will discard the initial response, whereas Chrome will take the response from the memory cache, etc.
19:37:36 <mkwst> dev: That's weird. If the referrer has leaked, we're already beyond the point where discarding is useful.
19:37:47 <mkwst> jochen: Yup.
19:38:01 <mkwst> dev: Spec should talk about best practice for developers.
19:38:15 <mkwst> jochen: If you rely on <meta> to protect the referrer, the preload scanner will ruin your day.
19:38:30 <mkwst> dev: Firefox reads referrer policy during scan, right?
19:38:38 <mkwst> jochen: Kinda. <reexplains above>
19:38:58 <mkwst> dveditz: Well, the spec lists different reasons why you might want to change the referrer. Privacy is the first one.
19:39:12 <mkwst> dveditz: Might be some use to throwing away the content if the referrer results in different content.
19:39:23 <mkwst> jochen: I would hope that a developer would send a header.
19:39:32 <mkwst> dveditz: Should probably add that as a recommended practice.
19:39:45 <mkwst> ... Security considerations section, which this document doesn't appear to have.
19:39:51 <mkwst> jochen: Sure.
19:40:21 <mkwst> ... Also, `referrerpolicy` attribute helps with the typical case in which <meta> is injected to change the policy for a specific navigation.
19:40:39 <mkwst> dveditz: Once Firefox closes the <head>, I'm pretty sure that you can't change the policy.
19:40:51 <mkwst> jochen: Works in Blink and Safari, it's what Google search uses.
19:40:56 <mkwst> dveditz: Should add to the spec?
19:41:08 <mkwst> jochen: Ideally, folks would use the header and `referrerpolicy` attribute, and not <meta>.
19:41:12 <ckerschb> ckerschb: confirms what deveditz says about <meta> referrer
19:41:21 <mkwst> rbarnes: Should we deprecate the <meta> tag?
19:41:29 <mkwst> jochen: It's the only thing in Safari. Kind of a hard sell.
19:41:47 <mkwst> dev: Should recommend using the header. Don't see what we achieve by deprecating.
19:43:06 <mkwst> (https://www.chromestatus.com/metrics/feature/timeline/popularity/243 shows the number of page views that reset the <meta> referrer policy dynamically after it's been set)
19:43:20 <mkwst> (~0.08% of page views)
19:43:32 <tanvi> link to francois' proposal with more finer grained referrer policies: https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0074.html
19:43:34 <mkwst> dveditz: Issues haven't been moved. Just noting in case folks are looking for them,
19:44:57 <mkwst> https://github-issue-mover.appspot.com/
19:45:18 <mkwst> ^^^ is a nice tool to move issues from one repo to the other.
19:45:19 <devd> devd has joined #webappsec
19:46:14 <dveditz> TOPIC: AOB
19:49:38 <mkwst> jochen: Reasonable to update the spec to define fallback behavior for unknown policies.
19:49:41 <mkwst> dev: Hooray.
19:51:19 <mkwst> dveditz: Will probably cancel the call after TPAC (Nov 2nd). Will bump those to the next call after that (Nov 16th).
19:51:45 <mkwst> ... Will send a mail from TPAC about the call on Nov 2nd. Let's see how it goes.
19:51:51 <ckerschb> ckerschb has left #webappsec
19:51:53 <mkwst> ... Thanks! See you next time!
20:26:49 <rbarnes> rbarnes has joined #webappsec
20:51:49 <bblfish> bblfish has joined #webappsec
22:01:03 <bblfish> bblfish has joined #webappsec
22:10:01 <Zakim> wseltzer_transit, you asked to be reminded at this time
23:16:42 <bblfish> bblfish has joined #webappsec
23:58:53 <wseltzer_transit> RRSAgent, make minutes
23:58:53 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/19-webappsec-minutes.html wseltzer_transit