W3C

- DRAFT -

Web Application Security Working Group Teleconference

16 Dec 2015

Agenda

See also: IRC log

Attendees

Present
wseltzer, francois, bhill2, estark, terri, gmaone, Michael_Irwin, Ted_Dinklocker, dveditz, mkwst
Regrets
Chair
bhill2, dveditz
Scribe
bhill2

Contents

<scribe> Meeting: WebAppSec Teleconference 16-Dec-2015

<scribe> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0035.html

<mkwst> In another meeting, will be dialing in fairly soon.

<teddink_> Good morning

<scribe> scribenick: bhill2

Agenda bashing

no new agenda topics

Minutes approval

http://www.w3.org/2011/webappsec/draft-minutes/2015-11-16-webappsec-minutes.html

<dveditz> http://www.w3.org/2011/webappsec/draft-minutes/2015-11-16-webappsec-minutes.html

dveditz: any objection to unanimous consent to approve?

no objections

dveditz: minutes approved

News

dveditz: CSP Cookie Controls and CSP Embedded Enforcement specs started calls for exclusions this week

bhill2: FIDO Alliance has made it's member submission of their 2.0 APIs

wseltzer: and we will shortly be sending a proposed charter for review for web authentication related to this

dveditz: different from credential WG?

wseltzer: entirely separate

<wseltzer> https://w3c.github.io/websec/web-authentication-charter

dveditz: seems like overlapping concerns

bhill2: I don't think it does overlap much, but a good reason for people here who know and care about security to take a look at the charter

wseltzer: also want to thank the group for lots of good work over the year

Teleconference 2016 meta

Continue with a spec rotation schedule or go to an "as-needed"

schedule like WebApps/WebPlatform?

mkwst: seems nice to have a forcing function to ensure that specs are acutally moving, there are a few that have not moved in a long time
... valuable to revisit on a periodic basis
... not clear we need to structure our calls around that, things may pop up that are more important
... but at some point it is helpful to have a forcing function to ensure we still want to be doing something

terri: agree, also easier to justify to my management all the specs we are working on, appreciate even null update

bhill2: those were some of my motivations for the approach, I will nominate the specs that have gone the longest time for the early part of next year and fill out the calendar from there

dveditz: seems like unanimous agreement and that as we work on more specs that approach has helped

UI Security

<dveditz> https://w3c.github.io/webappsec-uisecurity/

bhill2: will send a CfC after making some typo corrections, would hope that Googlers can encourage the folks working on Intersection Observer to give feedback

mkwst: working to ensure that there is a single point of contact at Google for brad and dan on this topic

CSP Level 3

mkwst: would be nice if folks would look at it
... very few behavioral changes
... lots of clarifications re: integration of spec with other specifications like fetch and html to make it clear how it integrates with browser internals
... what hooks are necessary and where those hooks are called
... need to upstream some hooks to WHATWG and W3C, but most are present in the CSP3 spec already as a sort of todo list
... need to know how that will work for HTML at the W3C

wseltzer: maybe we can arrange a chat with Web Platform WG chairs

<dveditz> https://w3c.github.io/webappsec-csp/

mkwst: other set of changes is to make CSP more modular

<wseltzer> ACTION: wseltzer to schedule conversation with Web Platform WG chairs and WebAppSec re CSP3 [recorded in http://www.w3.org/2015/12/16-webappsec-minutes.html#action01]

<trackbot> Created ACTION-215 - Schedule conversation with web platform wg chairs and webappsec re csp3 [on Wendy Seltzer - due 2015-12-23].

mkwst: CSP2 took an incredibly long time to move, would like CSP3 to move faster

<wseltzer> trackbot, action-215 due 2016-01-15

<trackbot> Set action-215 Schedule conversation with web platform wg chairs and webappsec re csp3 due date to 2016-01-15.

mkwst: at TPAC, discussed breaking out features so things can move quickly, independently of the core
... mostly directives and algorithms associated with directives
... and CSP algorithm will call it at the right time
... hopeful it will also work for new kinds of directives we are coming up with

teddink_: hello from Microsoft Edge team, taking over for Kevin Hill
... also looking forward to some quality time with CSP3 spec and getting up to speed

mkwst: also working with Ilya Grigorik and web performance WG to define a more generic reporting mechanism
... not specified inside CSP for broader set of things like xss auditor, error reporting, perf, etc.
... this is important to Google because we are DDoSing google front end servers with CSP violation reports
... want to be able to coalesce requests at a minimum and hope it will be a one stop shop for this kind of reporting

bhill2: Web Telemetry WG?

<mkwst> webperf

+1 universal telemetry/reporting system would be awesome

dveditz: folks at Mozilla are unhappy about deprecating frame-src, want separate control from workers

mkwst: I want to do the same thing
... know brad had qualms about that, would be good to revisit

well, not happy, b/c it would've created a lot of work :(

hta: has been approved and is just waiting for publication process to complete

(hta is Harald Alvestrand)

Signatures

dveditz: Sean Palmer has proposed a mechanism to support detached signatures for SRI
... proposed mechanism was in a separate attribute, not sure how he thought they would be combined
... signatures and an integrity check seem fairly distinct

bhill2: there is also a third proposal that was floated by Dev about using keys where we currently specify hashes in CSP to shorten policy declarations
... another distinct use case from trusting a remote signing key but yet another approach to trusting content with keys

mkwst: suggest poking SRI editors in new year is a good way, volunteer them for the next call ;)

francois: the Martin Thompson proposal is being implemented at Mozilla for internal purposes (not exposed to web content yet)
... but will get some implementation experience and be able to talk about it later if it's appropriate

dveditz: should we resume in the new year on the 6th or the 13th?

thanks wseltzer

mkwst; suggest 4 weeks is better, not much will happen

more comfy chair time

WebRTC/MediaCapture permissions

https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0030.html

https://docs.google.com/document/d/13c4hTlm2XgVYpxfGL1a8fcvI1CAUdIgd662DfElk_ow/edit

hta: some background, when we were doing WebRTC and especially data capture
... a number of places where we say " and then you grant permission "
... very ad-hoc
... questioned why not use the permissions manager module?
... WebRTC and MediaCapture groups favorably received the idea

dveditz: we want the Permissions spec to be extensible and voluntary, in general happy you've come to us

mkwst: things being done with WebRTC seems very much in the same vein as what else is happening in this document
... would be a good idea to talk directly with the editors of that document. Mounir and Marcos

dveditz: technically we own the spec but are sort of midwife for WebAPI group but didn't fit their charter

mkwst: convince implementers it makes sense and you are good to go

wseltzer: if anyone is willing to take on some description and evangelism of the work happening here
... particularly developer focused and success stories that we can share to get these technologies into broader circulation, that would be fantastic
... also TAGs documentation of "what's next after Keygen" is also looking for a home

bhill2: I've looked at that, joined the last TAG call and owe some PRs there
... think API work that comes out of that doc maybe ends up in proposed Web AuthN WG

terri: I'm working on getting approval to do developer docs
... will have a better idea in january

yay!

wseltzer: more groups are requiring security and privacy considerations explicitly in charters now

dveditz: adjourned, see you all on Jan 13

<dveditz> Thanks for the questionnaire link, mkwst, I hadn't noticed that came out

<mkwst> dveditz: Nick put together a blog post as well with some links to the PING work.

<mkwst> I can't find that at the moment, but perhaps wseltzer has a link?

<wseltzer> https://www.w3.org/blog/2015/12/tools-to-ensure-security-and-privacy-of-the-open-web-platform/

<wseltzer> thanks mkwst

<wseltzer> trackbot, end teleconf

Summary of Action Items

[NEW] ACTION: wseltzer to schedule conversation with Web Platform WG chairs and WebAppSec re CSP3 [recorded in http://www.w3.org/2015/12/16-webappsec-minutes.html#action01]
 

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2015/12/16 20:33:57 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.144  of Date: 2015/11/17 08:39:34  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/francios/francois/
Found ScribeNick: bhill2
Inferring Scribes: bhill2
Default Present: wseltzer, francois, bhill2, estark, terri, gmaone, Michael_Irwin, Ted_Dinklocker, dveditz, mkwst
Present: wseltzer francois bhill2 estark terri gmaone Michael_Irwin Ted_Dinklocker dveditz mkwst
Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0035.html
Found Date: 16 Dec 2015
Guessing minutes URL: http://www.w3.org/2015/12/16-webappsec-minutes.html
People with action items: wseltzer
[End of scribe.perl diagnostic output]