17:00:09 <RRSAgent> RRSAgent has joined #webappsec
17:00:09 <RRSAgent> logging to http://www.w3.org/2016/02/10-webappsec-irc
17:00:10 <bhill2> Meeting: WebAppSec Teleconference 10-Feb-2016
17:00:11 <trackbot> RRSAgent, make logs world
17:00:13 <trackbot> Zakim, this will be WASWG
17:00:13 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
17:00:14 <trackbot> Meeting: Web Application Security Working Group Teleconference
17:00:14 <trackbot> Date: 10 February 2016
17:00:20 <bhill2> Chairs: dveditz, bhill2
17:00:22 <wseltzer> zakim, who is here?
17:00:22 <Zakim> Present: mkwst, gmaone, bhill2, wseltzer, dveditz, francois, teddink, terri, jochen, MikeSmith
17:00:25 <Zakim> On IRC I see RRSAgent, ckerschb_, gmaone, bhill2, francois, yoav, bblfish_, MikeSmith, slightlyoff, mkwst, jochen__, dveditz, schuki, ejcx_, tobie, wseltzer, Mek, trackbot, Zakim,
17:00:25 <Zakim> ... timeless, Josh_Soref, mounir, terri_offline, xiaoqian
17:00:28 <bhill2> scribe: Brad Hill
17:00:30 <wseltzer> present=bhill2, francois, MikeSmith, wseltzer
17:00:31 <dveditz> I'm not here yet
17:00:33 <bhill2> scribenick: bhill2
17:00:38 <wseltzer> zakim, who is here?
17:00:38 <Zakim> Present: bhill2, francois, MikeSmith, wseltzer
17:00:39 <Zakim> On IRC I see RRSAgent, ckerschb_, gmaone, bhill2, francois, yoav, bblfish_, MikeSmith, slightlyoff, mkwst, jochen__, dveditz, schuki, ejcx_, tobie, wseltzer, Mek, trackbot, Zakim,
17:00:39 <Zakim> ... timeless, Josh_Soref, mounir, terri_offline, xiaoqian
17:00:53 <wseltzer> zakim, code?
17:00:53 <Zakim> no conference has been identified yet, wseltzer
17:01:16 <teddink> teddink has joined #webappsec
17:01:18 <ckerschb_> present+ ckerschb
17:01:20 <wseltzer> zakim, this is webex +1-617-324-0000,,,641834499# webappsec
17:01:20 <Zakim> got it, wseltzer
17:01:26 <wseltzer> zakim, code?
17:01:26 <Zakim> I have been told this is webex +1-617-324-0000,,,641834499# webappsec
17:01:35 <dveditz> present+ dveditz
17:02:00 <gmaone> present+ gmaone
17:02:28 <Kate> Kate has joined #webappsec
17:03:33 <timeless> present+ timeless
17:04:43 <wseltzer> zakim, who is here?
17:04:43 <Zakim> Present: bhill2, francois, MikeSmith, wseltzer, ckerschb, dveditz, gmaone, timeless
17:04:45 <Zakim> On IRC I see Kate, teddink, RRSAgent, ckerschb_, gmaone, bhill2, francois, yoav, bblfish_, MikeSmith, slightlyoff, mkwst, jochen__, dveditz, schuki, ejcx_, tobie, wseltzer, Mek,
17:04:45 <Zakim> ... trackbot, Zakim, timeless, Josh_Soref, mounir, terri_offline, xiaoqian
17:05:28 <teddink> Ted Dinklocker here - I am on the clal, but not sure if my microphone will work well.
17:05:37 <wseltzer> present+ teddink
17:05:38 <bhill2> (minutes are fixed now, Dan)
17:05:47 <bhill2> (forgot to run my script after last week's call)
17:06:26 <bhill2> TOPIC: Agenda Bashing
17:07:16 <wseltzer> q+
17:07:16 <MikeSmith> q+ to comment
17:07:19 <wseltzer> q-
17:07:33 <bhill2> bhill2: still planning to do the interest matrix discussed on last week's call
17:07:41 <bhill2> ack MikeSmith
17:07:41 <Zakim> MikeSmith, you wanted to comment
17:08:26 <bhill2> MikeSmith: I work for w3c along with Wendy
17:08:43 <bhill2> ... 1st: heads up on recent addition of CSP support to the syntax checker
17:09:01 <kmckinley> present+ kmckinley
17:09:20 <bhill2> ... 2nd: relatively recently we deployed TLS support to w3c with HSTS and some CSP stuff and wanted to propose that on a future call we get Jose from the systems team to give some feedback
17:09:34 <bhill2> ... as a site administrator on deployment of some of that stuff, esp in respect to information sources used
17:10:06 <bhill2> ... Last agenda proposal: interested in hoping some CSP related specs move along, e.g. SRI and referrer policy
17:10:19 <bhill2> ... anything I can do to help those move along faster
17:10:37 <dveditz> TOPIC: Minutes Approval
17:10:50 <terri> present+ terri
17:10:53 <bhill2> https://www.w3.org/2016/01/27-webappsec-minutes.html
17:11:11 <bhill2> also now at the usual spot: https://www.w3.org/2011/webappsec/Minutes.html
17:11:20 <dveditz> TOPIC: WASWG Face-to-face in May?
17:12:14 <wseltzer> q+
17:12:58 <bhill2> bhill2: 1st half of May, Bay Area South is winning with 9 votes, including likely visitor from Apple/Safari
17:13:02 <bhill2> ack wseltzer
17:13:14 <dveditz> bhill2: poll shows early May winning (9) followed by early April and late May (8)
17:13:29 <bhill2> wseltzer: procedural matters are that we need to get notice 8 weeks before it is scheduled to take place
17:13:32 <dveditz> ... silicon valley the runaway winner
17:14:09 <bhill2> wseltzer: anyone willing to host?
17:14:17 <bhill2> dveditz: Mozilla can perhaps host in Mountain View
17:14:32 <bhill2> tanvi: we can probably get enough space in Mozilla Mtn View
17:15:09 <wseltzer> present+ tanvi
17:15:26 <bhill2> bhill2: I will reach out to Apple and PayPal and see if they might want to host south
17:15:55 <bhill2> bhill2: and thank you to Mozilla for volunteering and kind and fun hosting in the past of this group
17:18:08 <bhill2> bhill2: Mike West's responses indicate that 1H May in Bay Area works for him
17:18:09 <dveditz> TOPIC: Referrer policy affect on Origin: header
17:18:55 <bhill2> dveditz: should referrer policy impact Origin header? recently started doing so in Chrome, in particular if referrer policy is none
17:19:15 <bhill2> zakim, who is here?
17:19:15 <Zakim> Present: bhill2, francois, MikeSmith, wseltzer, ckerschb, dveditz, gmaone, timeless, teddink, kmckinley, terri, tanvi
17:19:17 <Zakim> On IRC I see kmckinley, teddink, RRSAgent, ckerschb_, gmaone, bhill2, francois, yoav, bblfish_, MikeSmith, slightlyoff, mkwst, jochen__, dveditz, schuki, ejcx_, tobie, wseltzer,
17:19:17 <Zakim> ... Mek, trackbot, Zakim, timeless, Josh_Soref, mounir, terri, xiaoqian
17:19:39 <bhill2> dveditz: if doing CORS, have to send Origin header
17:19:59 <bhill2> ... other spec suggests sending it all the time, but then some servers think this is a CORS request
17:21:26 <bhill2> bhill2: we found this at Facebook, specifically with same-origin requests where null Origin header was being sent
17:21:36 <wseltzer> tanvi: what happens if the user decides to suppress the referrer?
17:21:43 <bhill2> tanvi: also need to decide what to do with Origin header if user sets a preference to not send referrers
17:21:54 <bhill2> dveditz: moz has that in buried prefs somewhere but no standard
17:22:08 <bhill2> ... would treat it as if page set no-referrer, should probably resolve it the same
17:23:12 <bhill2> ... leaving aside Mozilla's hidden preference switch, extensions, etc.
17:23:32 <bhill2> ... if a page said no referrer, that page is also the one trying to get a service from a page that wants an Origin
17:23:44 <bhill2> ... should be up to the page author to resolve it with referrer policy
17:24:15 <bhill2> ... otherwise no meaning to ability to set no-referrer
17:24:45 <bhill2> bhill2: origin-when-cross-origin is sort of ok here
17:25:09 <bhill2> ... probably should put together a table describing the states
17:25:41 <bhill2> ... maybe add none-when-cross-origin
17:25:53 <bhill2> dveditz: there are 10 or so possible states, only 4 expressed by policy
17:26:03 <bhill2> tanvi: would like to extend, maybe should discuss on a github issue
17:26:36 <bhill2> dveditz: then maybe flexible enough to suppress Origin as well
17:26:56 <bhill2> bhill2: and should call out that CORS-mode requests still send origin
17:27:23 <bhill2> dveditz: also maybe indicate suppression vs. null (distinguish from redirect)
17:28:04 <bhill2> dveditz: is there a spec for the Origin header
17:28:38 <wseltzer> https://tools.ietf.org/html/rfc6454
17:28:59 <adamm> adamm has joined #webappsec
17:29:36 <yoav> yoav has joined #webappsec
17:29:59 <bhill2> bhill2: but this RFC is not in sync with what CORS does
17:30:26 <wseltzer> q+
17:30:39 <wseltzer> q-
17:30:53 <dveditz> TOPIC: "require integrity" directive
17:30:55 <bhill2> (and this mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=446344)
17:31:24 <bhill2> dveditz; a recurring topic is a way to indicate that SRI is required
17:31:31 <bhill2> ... doesn't look like we have the editors on this call today
17:31:48 <bhill2> ... I would like to reject a global flag that says "require this for everything"
17:32:04 <bhill2> ... pages that say this would then break if we extend the applicability of the attribute to e.g. images
17:32:26 <bhill2> ... could add keywords to directives, e.g. 'require-integrity' to script-src
17:32:33 <bhill2> ... worry that sites may not want to do that
17:32:40 <bhill2> ... may be sites they don't want to require integrity for
17:33:03 <bhill2> ... e.g. not for same-origin
17:33:22 <francois> so maybe something like "script-src sri+https://cdn.example.com"?
17:33:25 <bhill2> ... starts to get complex, difficult to fit into CSP syntax
17:34:51 <bhill2> bhill2: we already can express this by using hash syntax, but gets unweildy
17:35:01 <bhill2> ... maybe proposals to support signing keys make this simpler to express
17:35:27 <bhill2> ... so, like francois' suggestion but <key>+https://cdn.example.com/
17:37:07 <bhill2> bhill2: Adding, e.g. a key in the header provides stronger injection defense
17:37:17 <bhill2> ... whereas an adversary that can inject also knows the hash value
17:37:38 <francois> q+
17:37:43 <bhill2> dveditz: thinks people who wanted it wanted to not forget to add it themselves
17:37:58 <bhill2> ... no signing mechanism yet, though people are experimenting with it
17:38:02 <bhill2> ack francois
17:38:30 <bhill2> francois: in my mind, signatures are separate from require integrity proposals
17:38:47 <bhill2> ... proposed by GitHub, want to make sure they don't accidentally add things outside of policy
17:38:54 <bhill2> ... or forget to add SRI hash
17:39:08 <bhill2> (francois - you are breaking up)
17:39:14 <bhill2> (garbled)
17:40:09 <bhill2> ... sounds a lot like CSP, restrict accidentally introduced things
17:40:17 <bhill2> ... more unknowns around signatures
17:40:47 <bhill2> ... require integrity may be easier to get done and can be integrated into CSP in a good way, also get reporting with it
17:41:26 <bhill2> bhill2: I think this is a great place to experiment and prototype ahead of spec text
17:41:53 <dveditz> TOPIC: HSTS priming vs preloading
17:42:17 <bhill2> dveditz: one of the more active threads on the list
17:43:22 <bhill2> ... unless anyone has something to say, should move on
17:43:30 <dveditz> TOPIC: "Safe Node" vs "a better toStaticHTML"
17:44:11 <bhill2> dveditz: proposal from David Ross, "Safe Node", Mario Heidrich gave a talk at Enigma Conf on a similar idea
17:45:06 <bhill2> ... toStaticHTML is in IE, was at one point w/ a WHATWG spec
17:45:33 <bhill2> ... is our WG the appropriate place for it, or should we leave it to the platform group?
17:47:09 <wseltzer> q+ in AOB
17:47:16 <bhill2> bhill2: happy to have the discussion on this list with the right experts but would want to see stronger prototyping and feedback cycle before I'd support an official WG draft
17:47:17 <dveditz> TOPIC: CSP Syntax checking and the W3 validator
17:47:22 <wseltzer> q- in
17:47:25 <wseltzer> q- AOB
17:47:57 <wseltzer> https://validator.w3.org/
17:47:58 <bhill2> MikeSmith: recently I deployed CSP syntax checking support in the W3C validator that checks the value of the meta http-equiv
17:48:25 <bhill2> ... content attribute if the value is content-security-policy and also checks the csp header if document is delivered with a header
17:48:33 <bhill2> ... using library called Salvation from Shape Security
17:49:16 <bhill2> ... wasn't completely up to date with current spec, gave some patches and seems to be correct now
17:49:22 <bhill2> ... e.g. support for upgrade-insecure-requests
17:49:58 <bhill2> ... was important for us at w3c as we deploy TLS with otherwise millions of instances of mixed content
17:50:05 <bhill2> ... aligns with current CSP3 spec and also related specs
17:50:41 <bhill2> ... validator sees on order of 12-15 requests / second
17:50:51 <bhill2> ... lots are requests from normal devs trying to check their content
17:51:06 <bhill2> ... has potential to get a lot of awareness raised about CSP and get a lot of people using it and fixing problems
17:51:23 <bhill2> ... mostly an FYI, one open issue
17:51:50 <MikeSmith> https://github.com/validator/validator/issues/207
17:51:51 <bhill2> ... sergei is ambitious about not only doing syntax checking but also doing real CSP checking against document content and CSP requirements
17:53:14 <bhill2> ... take a look, get in touch with me if you are interested in refining or improving it
17:54:18 <bhill2> (timeless: yes, someone has their hangouts or similar making noise)
17:54:55 <bhill2> MikeSmith: don't have information to summarize our deployment in detail
17:55:02 <dveditz> TOPIC: W3 deployed TLS, HSTS, and CSP with upgrade-insecure-requests-- Feedback
17:55:07 <bhill2> ... but one thing I have from Jose - he was confused and frustrated by state of CSP spec
17:55:20 <bhill2> ... had difficulty being able to determine which spec to work from
17:55:27 <bhill2> ... as a normal site admin trying to do a deployment
17:55:32 <bhill2> ... what should he conform to
17:55:38 <bhill2> ... CSP 1/2/3
17:55:47 <bhill2> ... I got it, but I'm not him
17:56:00 <bhill2> ... would be good if we could setup something to that Jose could join a call and give the group feedback
17:56:33 <dveditz> q+
17:57:10 <bhill2> ... always good to get a chance to get real feedback on issues folks are facing
17:57:25 <dveditz> ack dveditz
17:58:21 <bhill2> dveditz: would be good to send an email first so we can use that to guide discussion on the call
17:59:11 <wseltzer> q+
17:59:22 <wseltzer> https://www.w3.org/Webauthn/
18:00:31 <bhill2> zakim, list attendees
18:00:31 <Zakim> As of this point the attendees have been bhill2, francois, MikeSmith, wseltzer, ckerschb, dveditz, gmaone, timeless, teddink, kmckinley, terri, tanvi
18:00:33 <dveditz> thanks for coming MikeSmith
18:00:44 <bhill2> yes, thanks much MikeSmith, awesome developments
18:00:49 <bhill2> rrsagent, make minutes
18:00:49 <RRSAgent> I have made the request to generate http://www.w3.org/2016/02/10-webappsec-minutes.html bhill2
18:00:50 <dveditz> real-world implementation feedback is very helpful, keeps the specs grounded in reality
18:00:51 <MikeSmith> cheers
18:00:54 <bhill2> rrsagent, set logs world
18:06:20 <ckerschb_> ckerschb_ has left #webappsec
18:09:23 <bhill2> bhill2 has joined #webappsec
19:02:00 <bhill2> bhill2 has joined #webappsec
20:07:11 <bhill2> bhill2 has joined #webappsec
20:07:16 <bhill2> bhill2 has joined #webappsec
20:22:24 <bblfish> bblfish has joined #webappsec
23:07:27 <bhill2> bhill2 has joined #webappsec
23:07:59 <bhill2> bhill2 has joined #webappsec