23:40:19 <RRSAgent> RRSAgent has joined #webappsec
23:40:19 <RRSAgent> logging to http://www.w3.org/2015/10/29-webappsec-irc
23:40:21 <trackbot> RRSAgent, make logs world
23:40:21 <Zakim> Zakim has joined #webappsec
23:40:23 <trackbot> Zakim, this will be WASWG
23:40:23 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
23:40:24 <trackbot> Meeting: Web Application Security Working Group Teleconference
23:40:24 <trackbot> Date: 29 October 2015
23:40:27 <wseltzer> rrsagent, this meeing spans midnight
23:40:27 <RRSAgent> I'm logging. I don't understand 'this meeing spans midnight', wseltzer.  Try /msg RRSAgent help
23:40:36 <wseltzer> rrsagent, this meeting spans midnight
23:46:44 <wonsuk> wonsuk has joined #webappsec
23:53:51 <jungkees> jungkees has joined #webappsec
00:06:24 <rbarnes> rbarnes has joined #webappsec
00:08:46 <francois> francois has joined #webappsec
01:05:14 <wonsuk> wonsuk has joined #webappsec
01:09:31 <rbarnes> rbarnes has joined #webappsec
01:18:55 <bhill2> bhill2 has joined #webappsec
01:21:07 <yoav> yoav has joined #webappsec
01:30:22 <mnot> mnot has joined #webappsec
01:33:11 <bhill2> bhill2 has joined #webappsec
01:35:02 <kiyoung> kiyoung has joined #webappsec
01:35:11 <barryleiba> barryleiba has joined #webappsec
01:35:13 <Yoshi> Yoshi has joined #webappsec
01:35:56 <rbarnes> rbarnes has joined #webappsec
01:36:44 <yoav> yoav has joined #webappsec
01:39:04 <bhill2> present+ bhill2
01:39:08 <francois> present+ francois
01:39:09 <barryleiba> present+ BarryLeiba
01:39:13 <dveditz> present+ dveditz
01:39:32 <wseltzer> present+ wseltzer
01:39:40 <Melinda> Melinda has joined #webappsec
01:39:42 <Mek> present+ mek
01:40:35 <Melinda> present+ Melinda
01:42:08 <bhill2> scribe: bhill2
01:42:32 <bhill2> deian: SOP/CSP/CORS are discretionary access control
01:43:01 <wseltzer> [Deian will share slides after]
01:44:01 <bhill2> ... mashup use cases and data sharing cases are difficult with DAC
01:44:50 <bhill2> ... libraries are over-permissioned, credentials are over-delegated and there are mashup scenarios we can't easily build between mutually distrusting services
01:47:31 <wonsuk> wonsuk has joined #webappsec
01:48:27 <hwlee> hwlee has joined #webappsec
01:50:14 <jgraham> jgraham has joined #webappsec
01:53:44 <JeffH> JeffH has joined #webappsec
01:56:52 <annevk> annevk has joined #webappsec
01:57:19 <annevk> (window.location.origin should be document.origin)
02:00:55 <bhill2> what stops a context from stringifying the data and postMessaging a string with no label
02:01:04 <bhill2> s/what/dveditz: what/
02:01:20 <bhill2> deian: there should be no definition for stringifying a labeled object
02:01:27 <bhill2> dveditz: would have to be opaque?
02:01:45 <bhill2> deian: there is a definition for how to structurally clone, which is to clone the label and then the opaque object
02:02:27 <bhill2> ... have to use a getter to open the opaque object, which taints your context when used
02:02:45 <bhill2> ... and who you can communicate with is then restricted
02:07:45 <bhill2> bhill2: what about navigating other contexts you have a handle to?
02:08:00 <bhill2> deian: you can't do that because of information flow policies
02:08:07 <bhill2> annevk: do you taint all the children?
02:09:53 <bhill2> deian: no.. mods to html5
02:10:01 <bhill2> bhill2: what about workers?
02:10:13 <bhill2> deian: only talk to workers through postMessage, so tainted
02:10:17 <bhill2> annevk: do you block push?
02:10:49 <bhill2> @@: how does this work with message ports?  no concept of origins
02:11:05 <bhill2> deian: only allow sending messages when you know the origin at the other end
02:11:11 <bhill2> @@: but you can't know until too late
02:12:02 <bhill2> annevk: mostly have message ports for shared workers, apple just removed them, msft has no plans to support, and mostly never used - maybe they can go away
02:12:15 <bhill2> @@: used to queue tasks quickly or structured clone things
02:12:34 <bhill2> deian: maybe can look and decide when receiving message, not sure where to specify that
02:13:28 <wseltzer> s/@@:/Mek:/
02:13:37 <bhill2> thx wseltzer
02:14:29 <bhill2> deian: prototype was done in terms of CSP hooks
02:14:53 <bhill2> annevk: for navigation you need to hook directly into navigation to avoid traversing history
02:15:17 <bhill2> deian: maybe navigation source directive into CSP would make it a natural place to work
02:15:29 <bhill2> annevk: once you are confined you no longer have an active server connection
02:15:39 <bhill2> deian: yes, but it gets revoked once your confidentiality label changes
02:15:46 <bhill2> annevk: once you're confined, then things drop
02:16:05 <bhill2> dveditz: what happens to service worker?  do you skip or drop if it's not an appropriate service worker?
02:16:48 <bhill2> annevk: might have to disable notifications, too, to avoid waking up service worker
02:18:21 <bhill2> deian: also, server-supplied labels for XHR
02:20:56 <bhill2> annevk: look at fetch since we've stopped adding features to XHR
02:21:59 <bhill2> deian: wanted to do this, but fetch made it awkward to look at response type to deal with labeled JSON
02:24:00 <bhill2> annevk: you can't extract an origin from a cowl:// URL, it is null / unique because that's not on the whitelist of schemes that have hierarchical authority
02:24:06 <bhill2> dveditz: we could add that....
02:24:31 <bhill2> some discussion w/dveditz and annevk about suborigins, not yet defined
02:24:59 <bhill2> dveditz: some way of making a suborigin look like a url would be useful
02:26:20 <bhill2> annevk: you could just compare literals
02:26:35 <bhill2> dveditz: if literals, don't make it look like an origin, maybe even reject anything with a colon
02:27:40 <bhill2> annevk: CORS just uses string literal
02:27:58 <bhill2> deian: was a reason to extract origin, to send servers you're communicating with your context information
02:28:05 <bhill2> ... so for cross-origin requests, that is useful
02:28:29 <bhill2> dveditz: so this creates a leakage if you've blocked referrer
02:29:22 <bhill2> dveditz: like idea of signaling, because tells server more about how to answer a request
02:29:37 <bhill2> ... but it also leaks information you may not want to leak across origins, need to think about it and get wide review
02:30:22 <bhill2> annevk: use of commas in header may be a problem
02:30:54 <bhill2> dveditz: doesn't need to be json, could just be WSP delimited
02:31:11 <bhill2> ... what do brackets do for you?  difference between AND and OR?
02:31:19 <bhill2> deian: yes, conjunction vs. disjunction
02:34:34 <bhill2> deian: header and js api has some mismatch- js api lets you specify in any format, but representation is always canonical ndis format
02:38:28 <bhill2> ... firefox patch in the works
02:38:41 <bhill2> ... also a subset we could do with a polyfill + CSP + 3rd party server
02:41:10 <mkwst> bhill2: It seems to me that suborigins overlaps.
02:41:19 <mkwst> ... Where does this fit in relation to that spec?
02:41:38 <mkwst> ... Suborigins are not about confinement, they want a public label for postmessage, normal cross-origin communication.
02:41:48 <mkwst> ... They need to be able to live as a top-level application.
02:42:05 <mkwst> ... Splitting out applications that happen to be deployed on the same domain without a synthetic domain.
02:42:13 <mkwst> deian: Disjunction does that.
02:42:35 <mkwst> ... No labeled cookies, etc.
02:42:55 <mkwst> bhill2: Seems like an explicit goal of suborigins that you could have localstorage and cookies and etc. Looks like a regular origin label.
02:43:04 <mkwst> ... Could have origin-labeled access to standard platform features.
02:43:23 <mkwst> deian: We could probably have some sort of labeled storage?
02:43:36 <mkwst> bhill2: Maybe suborigins are just the privilege part of this.
02:43:59 <mkwst> ... Privileges you expect. Reaching into other document contexts being considered cross-origin, etc. Doesn't imply navigation.
02:44:09 <mkwst> ... Would like to separate these concerns.
02:44:32 <mkwst> deian: Labels would do confinement, suborigins could do privileges.
02:45:53 <mkwst> bhill2: Header is the only way to enter suborigins, doesn't change state dynamically.
02:46:09 <mkwst> ... Forces isolation for the page from other things on the "same" origin.
02:47:37 <bhill2> annevk: what about permissions?
02:47:57 <bhill2> mkwst: "parent" origin permissions might cascade into suborigins, or it might be distinct - JoelW needs to decide this
02:48:21 <bhill2> ... might need to ask users more often and store it internally - can't put any more info into URL bar, probably not putting suborigin there
02:48:49 <bhill2> ... user would be confused why "google.com" keeps asking for permissions because the suborigin abstraction is not exposed
02:50:30 <mkwst> bhill2: Do I have to ask for permission every time for new disjunction states?
02:50:35 <mkwst> deian: Yes.
02:50:43 <mkwst> annevk: Since you're sandboxed, maybe the permissions are gone?
02:51:01 <mkwst> bhill2: You couldn't keep that up to date unless you were continually receiving messages from someone.
02:52:01 <mkwst> deian: But you couldn't receive messages unless you accepted the label.
02:52:15 <mkwst> annevk: Sensor API? Maybe you couldn't leak information that way.
02:52:19 <mkwst> deian: Open question!
02:52:29 <JeffH> http://www.chromium.org/developers/design-documents/per-page-suborigins
02:54:29 <mkwst> deian: If I have an iframe, I read something from somewhere else, I get tainted.  But I still might have a handle to objects in the iframe.
02:54:36 <mkwst> ... Need to wipe out those references somehow.
02:54:39 <mkwst> ... Easy to do in Firefox.
02:54:48 <mkwst> ... Harder in Chrome.
02:55:07 <mkwst> ... Can we lock this to secure contexts?
02:55:13 <mkwst> dveditz: Yes. That's the whole point of that spec.
02:55:25 <mkwst> ... Browsers are generally moving towards locking things to secure contexts.
02:55:39 <mkwst> ... Only makes sense to talk about tainting if you know who you are to begin with.
02:55:45 <mkwst> ... So should require secure contexts.
02:55:53 <mkwst> deian: Future directions:
02:56:05 <mkwst> ... (More important to get v1 hammered out)
02:56:16 <mkwst> ... (Should talk to Joel to see what the overlap with suborigins might be)
02:57:11 <mkwst> bhill2: Yes. Would be nice if these were built on the same primitives.
03:10:24 <bblfish> bblfish has joined #webappsec
03:17:17 <rbarnes> rbarnes has joined #webappsec
03:29:45 <jyasskin> jyasskin has joined #webappsec
03:43:51 <Zakim> Zakim has left #webappsec
03:58:57 <rbarnes> rbarnes has joined #webappsec
04:01:32 <barryleiba> barryleiba has joined #webappsec
04:05:55 <mnot> mnot has joined #webappsec
04:09:46 <Melinda> Melinda has joined #webappsec
04:10:04 <rbarnes> rbarnes has joined #webappsec
04:11:50 <bblfish> bblfish has joined #webappsec
04:15:46 <Zakim> Zakim has joined #webappsec
04:23:57 <rbarnes> rbarnes has joined #webappsec
04:28:40 <npdoty> npdoty has joined #webappsec
04:31:43 <rbarnes> rbarnes has joined #webappsec
04:34:50 <deian> deian has joined #webappsec
04:36:05 <bhill2> TOPIC: Agenda bashing
04:38:44 <bhill2> TOPIC: containers
04:38:49 <bhill2> https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
04:39:19 <bhill2> rbarnes: additional labels applied to contexts, local storage, etc. to prevent sharing state between e.g. two logins to Twitter with different accounts
04:39:25 <bhill2> dveditz: are these created by user or site?
04:39:31 <bhill2> rbarnes: user in current implementation
04:40:04 <bhill2> ... when you load something in a container, everything is in that container
04:40:30 <bhill2> ... effectively lightweight profiles
04:40:34 <masato> masato has joined #webappsec
04:40:59 <bhill2> ... in chrome each profile gets its own history, bookmarks, etc.
04:41:11 <bhill2> ... containers only are for page created state, share user-created state
04:41:29 <bhill2> mkwst: interested in extracting some of the features out and giving them to sites, not just to users
04:42:04 <bhill2> ... some projects in google are using chrome apps to get these properties
04:42:26 <bhill2> dveditz: firefox apps used to have that property and now they share cookies, etc.
04:42:46 <bhill2> annevk: because you don't want to have to login to Facebook 100 times
04:42:49 <bhill2> mkwst: but you do
04:43:45 <bhill2> mkwst: a site might not want to share by default that a facebook user is at the bank without that user's choice
04:44:07 <bhill2> ... boils down to double-keying for all storage in a secure origins context
04:44:33 <bhill2> ... tor browser has proven this is doable; breaks some things - if you opt-in, we can probably guarantee that it doesn't break things for those who opt-in
04:46:05 <bhill2> ... loaded in separate process, subframes in separate process, separate cookie jar and all things I load use that new cookie jar, and identity is distinct in different embedding contexts even if same-origin
04:46:20 <bhill2> .... only works in top-level contexts as a straw-man
04:46:50 <bhill2> dveditz: would this be site-wide?
04:47:16 <bhill2> mkwst: yes like hsts, with maybe a mandatory includessubdomain-like effect and locked to the topmost registerable domain
04:49:14 <bhill2> ... like first-party only cookies.  If you're embedded your embeddor has no power over you, no ambient authority associated with the origin in another origin's context
04:49:35 <bhill2> dvetditz: e.g. a womans' shelter might use this so embedded trackers can't know the user's been there
04:49:58 <bhill2> mkwst: private mode is different about not leaving traces locally....
04:50:44 <bhill2> rbarnes: this includes aspects of private browsing mode in terms of trackers, sharing, etc.
04:51:11 <bhill2> francois: primarily about preventing CSRF.
04:51:16 <rbarnes> rbarnes has joined #webappsec
04:51:33 <bhill2> mkwst: primarily, but also if you know it is isolated it can be in a separate process, renderer can be hardened.
04:55:18 <bhill2> ... might be a different way of solving some of the problems that EPR is trying to tackle
04:55:20 <wonsuk> wonsuk has joined #webappsec
04:55:52 <bhill2> ... example use case is to build as a web application, delivered through a browser, very sensitive things that are by-design not meant to be connected with the open web
04:56:05 <bhill2> ... say, to manage virtual machines
04:57:08 <bhill2> deian: what if the browser tells the user about this...
04:57:14 <bhill2> dveditz: then we would be triple keyed
04:57:27 <bhill2> mkwst: in my use cases I care about there is no need to tell the user
04:58:07 <bhill2> ... mozilla implementation requires user to know and decide what is sensitive
04:58:22 <bhill2> ... different properties if a site can opt in
04:59:24 <rbarnes> q+
04:59:50 <bhill2> wseltzer: how does a user do something with isolated bank?
05:00:12 <bhill2> mkwst: if isolated bank gives you a means of logging in outside the isolated context, you can do what you want normally
05:00:20 <bhill2> ... it might choose not to interact with you in those contexts
05:00:21 <mnot> mnot has joined #webappsec
05:00:42 <bhill2> dveditz: firefox apps had this, chrome has this, tor browser is adding htis
05:00:47 <bhill2> s/htis/this/
05:01:22 <bhill2> wseltzer: yes, but I think it is interesting and useful for the user to be able to interact with a site that declares itself this way
05:01:58 <bhill2> mkwst: interesting paper by Charlie Reis, et al. about multiple browsers
05:02:06 <bhill2> ... epr is one implementation of an idea in there, this is another
05:02:08 <bhill2> q+
05:02:27 <bhill2> dveditz: I like what david is trying to do with EPR but manifest seems icky
05:02:34 <wseltzer> http://www.collinjackson.com/research/papers/appisolation.pdf
05:02:42 <bhill2> mkwst: I suspect he will still want EPR
05:02:48 <bhill2> ack rbarnes
05:03:11 <bhill2> rbarnes: if we have a way for sites to opt out of containers, change or refresh container, overlaps nicely with clear site data ideas
05:03:21 <bhill2> ... if all site data is containerized and you can throw it away...
05:03:37 <bhill2> dveditz: label containers?
05:04:21 <bhill2> rbarnes: hsts like semantics with max-age would create auto-expiring state
05:05:29 <rbarnes> q+
05:05:38 <rbarnes> ack bhill
05:06:18 <bhill2> mkwst: would not want subresources to opt you in, maybe only from the root of the registerable domain
05:07:02 <bhill2> bhill2: can you tie this to a manifested web app
05:07:11 <bhill2> mkwst: easier to do at domain level because cookies are broken
05:07:20 <bhill2> annevk: you need a cache for this to persist the state
05:07:26 <bhill2> ack rbarnes
05:08:05 <bhill2> rbarnes: having a label might let different origins 'hold hands' in their own universe
05:08:25 <bhill2> bhill2: you can use a public key like android apps
05:09:12 <bhill2> mkwst: would like to think about it with regard to syntax
05:10:25 <bhill2> deian: I'd help write it up
05:11:37 <xiaoqian> xiaoqian has joined #webappsec
05:11:54 <bhill2> wseltzer: can a user opt a site into this for themselves?
05:12:09 <bhill2> rbarnes: yes, it's already doing that, or could inject a header, or configure an origin by name...
05:12:13 <bhill2> ... tor browser already doing this
05:14:06 <bhill2> TOPIC: timing attacks
05:14:08 <Kepeng> Kepeng has joined #webappsec
05:14:24 <bhill2> deian: aware of researchers that can do these kinds of leaks exfiltrating data with SVG by blurring an iframe
05:14:45 <bhill2> ... would be good to have guidance for spec authors on side channels and info leaks
05:16:46 <bhill2> ... even implementations-wise, e.g. a cache is likely to result in attacks if it is shared cross-origin
05:18:25 <bhill2> TOPIC: COWL non-origin labels
05:20:44 <bhill2> deian: maybe namespaces?
05:21:02 <bhill2> ... only thing that can mint privileges is the browser
05:21:08 <bhill2> ... mint a.com and give it to a.com page
05:21:25 <bhill2> ... but if we had something labeled geolocation: and we knew that only the browser could do that
05:21:37 <bhill2> ... only kinds are unique or delegated privileges
05:22:39 <bhill2> dveditz: could have a colon if it had, e.g. a character illegal in scheme names to disambiguate it from scheme names, or a fixed name like cowl:, but would have to register it
05:23:18 <bhill2> annevk: need to be serialized to go over the network
05:23:48 <bhill2> ... on network you could have a disambiguator when serialized, but object model would have different flags for origin vs. name
05:25:21 <rbarnes> annevk: filed Fetch issue: https://github.com/whatwg/fetch/issues/150
05:25:37 <bhill2> origin label; suborigin label - can't be minted by page; application label - can be created by any JS; "permission" label (result of an API call, unforgable); fresh
05:26:15 <bhill2> annevk: could we start out a lot simpler if we only had a separate instance of a service worker that we can give some labeled object it can compute on and return the result to its caller
05:26:25 <bhill2> ... don't have to think about the interaction with as many things as browsing contexts
05:26:58 <bhill2> ... for service workers we're also considering cross-origin cases, haven't explored that for normal workers
05:28:16 <bhill2> annevk: thinking: a.com gives some data to b.com's service worker, b.com can't communicate back to b.com once it opens the labeled object
05:28:23 <bhill2> ... could make the draft much simpler
05:28:35 <bhill2> deian: but today you have UI
05:29:35 <bhill2> bhill2: UI seems like most interesting case to me, provide experience to user of composite information but not leak that back to remote servers
05:38:39 <bhill2> deian: what to do when label provided by server doesn't match what it is allowed to provide?
05:38:45 <bhill2> ... taking approach of not warning user about this
05:38:59 <bhill2> dveditz: should fail closed to the extent we can
05:39:58 <bhill2> ... what if we just drop it, call it a network error
05:40:04 <bhill2> ... new stuff nobody is using, we can check and be strict
05:41:09 <bhill2> mkwst: if we're going to be parsing, maybe extract this out to someplace where parsing happens
05:41:20 <bhill2> annevk: order matters, COWL before cookies
05:41:35 <bhill2> mkwst: have at least two blocks parsing CSP
05:41:48 <bhill2> annevk: that's because of service workers, but COWL is only right from the network
05:42:31 <bhill2> annevk: can a service worker add these labels....does it do the right thing
05:42:53 <bhill2> deian: service worker would have to abide by confinement
05:43:01 <bhill2> mkwst: would that mean you can find where redirects go?
05:43:21 <bhill2> ... if not-example.com returns labeled responses, I can read that cross-origin?
05:43:32 <bhill2> annevk: labeled data has to be CORS accessible
05:43:43 <bhill2> ... there is a problem with confining service workers because they are shared
05:44:12 <bhill2> ... to instances of b.com sharing a service worker, then a.com communicates with one in a way that introduces confinement, the other tabs stop working
05:44:28 <bhill2> ... if you want fetching to work offline, going to involve service workers, and foreign fetch is coming
05:44:57 <bhill2> ... so you'd have to have multiple instances of service workers
05:45:18 <bhill2> deian: may be able to think of service worker as extending the authority of the server and may not need to confine it
05:45:28 <bhill2> annevk: sw also has access to storage and other stuff
05:49:04 <bhill2> annevk thinks that chrome doesn't have wrappers, so existing references to a node in a different document that depended on being same origin won't be broken by setting the sandboxing flag
05:49:24 <bhill2> mkwst: true today, but not forever, eventually we will implement something like membranes...
05:49:24 <virginie> virginie has joined #webappsec
05:50:02 <bhill2> annevk: maybe we should standardize membranes then...
06:00:45 <wseltzer> Topic: AOB
06:01:57 <wseltzer> Melinda: We presented some work on DNS API previously; we've continued work and have Firefox and Chrome extensions
06:02:38 <wseltzer> ... work going into TLS after 1.3
06:03:07 <wseltzer> [discussion of uses of DNSSEC, additional information, isolation modes, supplementing CA info]
06:03:39 <wseltzer> bhill2: DNSSEC as a transport for policy
06:03:56 <wseltzer> rbarnes: also cache priming
06:04:11 <wseltzer> Melinda: Paul Wouters work
06:04:24 <wseltzer> ... establishing authority
06:04:51 <wseltzer> ... OpenSSL 1.2 implementation
06:06:48 <bhill2> rrsagent, make minutes
06:06:48 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/29-webappsec-minutes.html bhill2
06:06:54 <bhill2> rrsagent, set logs public-visible
06:07:10 <bhill2> meeting adjourned, transitioning to non-minuted unofficial security BoF in this room following the break
06:07:42 <bhill2> bhill2 has joined #webappsec
06:20:24 <npdoty> npdoty has joined #webappsec
06:37:29 <rbarnes> rbarnes has joined #webappsec
07:01:33 <barryleiba> barryleiba has joined #webappsec
07:02:38 <wonsuk> wonsuk has joined #webappsec
07:15:07 <barryleiba> barryleiba has left #webappsec
07:15:33 <Zakim> Zakim has left #webappsec
07:17:18 <Melinda> Melinda has joined #webappsec
07:25:20 <bblfish> bblfish has joined #webappsec
08:00:45 <rbarnes> rbarnes has joined #webappsec
08:19:44 <bblfish> bblfish has joined #webappsec
08:23:33 <bblfish> bblfish has joined #webappsec
08:23:37 <mnot> mnot has joined #webappsec
08:24:51 <deian> deian has joined #webappsec