16:38:51 <RRSAgent> RRSAgent has joined #webappsec
16:38:51 <RRSAgent> logging to http://www.w3.org/2016/02/24-webappsec-irc
16:38:53 <trackbot> RRSAgent, make logs world
16:38:55 <trackbot> Zakim, this will be WASWG
16:38:55 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
16:38:56 <trackbot> Meeting: Web Application Security Working Group Teleconference
16:38:56 <trackbot> Date: 24 February 2016
16:50:53 <francois_> francois_ has joined #webappsec
16:51:22 <gmaone> gmaone has joined #webappsec
16:53:42 <tanvi> tanvi has joined #webappsec
16:53:49 <tanvi> i will be 10 minutes late today
16:54:11 <wseltzer> regrets+ wseltzer
16:59:39 <teddink> teddink has joined #webappsec
17:00:32 <dveditz> dveditz has changed the topic to: https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0104.html
17:01:40 <dveditz> present+ dveditz
17:02:08 <francois_> present+ francois
17:02:26 <teddink> present+ Ted
17:02:38 <KingstonTime> present+ KingstonTime
17:02:46 <francois_> present+ francois_
17:02:47 <dveditz> regrets+ bhill2
17:03:01 <terri> I have overlapping meetings and will be irc-only for at least the beginning of this one
17:03:01 <mkwst> present+ mkwst
17:03:03 <gmaone> present+ gmaone
17:04:22 <estark> estark has joined #webappsec
17:04:52 <dveditz> Zakim, who is here?
17:04:52 <Zakim> Present: bhill2, francois, MikeSmith, wseltzer, ckerschb, dveditz, gmaone, timeless, teddink, kmckinley, terri, tanvi, KingstonTime, francois_, mkwst
17:04:55 <Zakim> On IRC I see estark, teddink, tanvi, gmaone, francois_, RRSAgent, KingstonTime, bhill2, yoav, bblfish, wseltzer, terri, Mek_, tobie, dveditz, kmckinley, slightlyoff, mkwst,
17:04:55 <Zakim> ... jochen__, mounir, schuki, ejcx_, trackbot, Zakim, timeless, Josh_Soref, xiaoqian
17:05:02 <estark> present+ estark
17:05:14 <teddink> present+ teddink
17:05:38 <dveditz> TOPIC: Agenda Bashing
17:05:59 <JeffH> JeffH has joined #webappsec
17:06:04 <wseltzer> present- wseltzer
17:06:10 <dveditz> scribenick:francois
17:06:16 <dveditz> scribenick: francois
17:06:29 <francois_> I don't know the magic zakim commands though, so you'll have to do that bit :)
17:06:38 <dveditz> scribenick: francois_
17:06:47 <JeffH> +
17:06:57 <dveditz> present: JeffH
17:07:01 <JeffH> heh
17:07:02 <dveditz> present+ JeffH
17:07:43 <francois_> TOPIC: agenda bashing
17:08:10 <francois_> dveditz: a few topics haven't made it to the schedule yet because i wasn't sure they were ready to be dicussed here
17:09:15 <francois_> dveditz: for example, the security ui thread and the meta tag to lock away code (which nobody on this group seems to have interest in), also the long discussion on the topic of client certs (doesn't feel like it belongs to our group)
17:10:10 <francois_> TOPIC: Minutes approval
17:10:20 <francois_> https://www.w3.org/2011/webappsec/draft-minutes/2016-02-10-webappsec-minutes.html
17:10:23 <dveditz> TOPIC: Minutes Approval
17:10:23 <dveditz> https://www.w3.org/2011/webappsec/draft-minutes/2016-02-10-webappsec-minutes.html
17:10:49 <teddink> No objeciton
17:11:05 <francois_> dveditz: minutes are approved unanymously
17:11:11 <dveditz> TOPIC: WASWG Face-to-face in May!
17:11:47 <francois_> dveditz: poll results: first half of May won
17:12:01 <francois_> dveditz: proposal is May 16-17 at Mozilla Mountain View
17:12:06 <dveditz> Tentatively May 16-17 at Mozilla in Mountain View, California
17:12:06 <dveditz> Who does that work for, who does it not?
17:12:25 <francois_> https://www.mozilla.org/en-US/contact/spaces/mountain-view/
17:13:28 <estark> I think I can make it
17:13:28 <JeffH> i think i can make it
17:13:35 <KingstonTime> I'm not sure as I don't know what my status will be and what Mozilla is doing etc :D
17:13:50 <francois_> dveditz: We will need a hand count at some point so that we can order lunch for people.
17:14:04 <teddink> I am working with folks at Microsoft to decide who should attend, I would expect at least 1 attendee.
17:14:05 <JeffH> just verified that week is clear on my calendar
17:14:30 <tanvi> i will be there
17:14:45 <francois_> dveditz: this is the same week as Google IO, but IO is at the end of the week
17:15:03 <dveditz> TOPIC: RFC 7762 -- an IANA registry of CSP directives
17:15:35 <terri> I will make a travel request, not sure if I will be able to get a flight or not yet
17:15:52 <francois_> dveditz: mkwst work with mark nottingham to set up this registry at the IETF. it currently has CSP 2 directives. doesn't have strict mixed content blocking or referrer policy directive, or upgrade insecure request
17:16:27 <francois_> dveditz: this will enable CSP3 to be more of a framework and let other specs easily declare extra directives
17:16:45 <dveditz> TOPIC: Toward a minimum-viable Credential Management API
17:17:20 <francois_> dveditz: mkwst took a stab at the credential management API to come up with a more limited spec that we're more likely to agree on and implement
17:18:04 <francois_> dveditz: we'll need to coordinate with the web auth group to find out whether or not they can build on this
17:18:24 <francois_> dveditz: the mozilla folks working on web auth aren't in this group
17:19:03 <dveditz> mailing list message: https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0046.html
17:19:04 <francois_> mkwst: the current api does three things: let websites integrate with the password manager
17:19:32 <francois_> mkwst: 2- hook into account creation / registration
17:19:46 <francois_> mkwst: 3- framework for other groups to build stuff on top of
17:20:23 <francois_> mkwst: of those things, chrome has implemented the first 2. based on their data, the first use case makes a lot of sense. it makes the password manager work better
17:20:50 <francois_> mkwst: the sign up case (#2) was much harder
17:21:20 <francois_> mkwst: in chrome we have not found a good way to make that work well
17:22:03 <francois_> mkwst: e.g. if you logged using a password you don't save, the browser might prompt you to use facebook login next time
17:22:54 <francois_> mkwst: the plan for chrome is to ship #1 in Chrome 50 or 51
17:23:18 <francois_> mkwst: feedback is welcome on this plan
17:24:25 <francois_> mkwst: we'll keep the ability for websites to tell the browser that a user logged in using facebook connect, but we're taking out the part where we synthesize credentials on the user's behalf
17:25:00 <francois_> dveditz: is an updated spec coming to the proper channels?
17:25:24 <francois_> mkwst: i'm waiting on some bikeshed work to happen and make that automatic
17:25:48 <francois_> dveditz: there is a concern that our specs look stale from the w3c point of view, despite the github ones looking fine
17:26:13 <francois_> mkwst: there is a large gap between github and w3c at the moment, my hope is that it will change soon
17:27:17 <francois_> tanvi: mozilla hasn't currently prioritized that spec yet
17:27:39 <dveditz> TOPIC: Making it easier to deploy CSP ('unsafe-dynamic')
17:27:43 <JeffH> mike's plan for cred mgmt sounds fine by me
17:28:03 <dveditz> https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0048.html
17:28:17 <francois_> dveditz: mkwst's proposal comes from Google's experience trying to implement CSP
17:28:55 <francois_> mkwst: it seems like a valuable thing that would enable the google infra team to put CSP on more Google properties.
17:29:16 <francois_> mkwst: dev was raising some issues asking whether or not the polyfill would be enough
17:29:39 <francois_> mkwst: that requires nonces though and on some Google properties they would be using hashes because the pages are totally static
17:30:07 <francois_> mkwst: it looks pretty sane from my point of view (and google's). i have an action item to draft a spec change for this
17:30:29 <francois_> dveditz: it's a weaker form of csp, but it's still better than not using CSP at all
17:31:16 <francois_> mkwst: the current practice of whitelisting origins is, for google, not as strong as we though it was. there are a lot of endpoints on ajax.google.com for example that enable JS injections (e.g. through old angular JS)
17:31:57 <francois_> mkwst: the infra sec team is of the opinion that every large origin will run into this problem
17:32:30 <francois_> mkwst: unless you whitelist individual files, you're going to have a bad day. and whitelisting individual files has proven too brittle to be deployed in practice
17:33:09 <francois_> (see the thread on the list for the details of the proposal)
17:34:41 <francois_> mkwst: we audit the scripts we know we're including on the webpages. we're ok with those scripts doign whatever they need to do (including loading more scripts that they need)
17:35:33 <francois_> dveditz: are nonces allowed on script-src that's an actual script-src rather than inline scripts?
17:35:39 <francois_> mkwst: yes
17:36:15 <francois_> dveditz: interesting proposal adressing real-life pain that a large implementer is facing
17:36:25 <dveditz> TOPIC: Github issues and updates:
17:37:01 <francois_> dveditz: reminder that a lot is happening on our github repos
17:37:21 <francois_> dveditz: there was a good "issue" thread on cowl, one about null on the referrer policy
17:38:19 <francois_> dveditz: there was a good discussion clarifying things about suborigins. it was probably the most active topic / spec since the last meeting
17:39:18 <francois_> dveditz: interesting CSP discussion. apparently in Firefox, script hashes only apply to script tags, not onclick handlers
17:40:01 <francois_> dveditz: it could be dangerous to allow these because attackers could copy these handlers and make them fire in other places on the page
17:40:22 <francois_> dveditz: the alternative is to programmatically add the event handler from within the script
17:41:27 <francois_> dveditz: if the mailing list seems quiet, that's because half of the conversation is happening on github
17:42:44 <teddink> Thanks!
17:42:53 <KingstonTime> Thanks all!
17:43:02 <JeffH> thx!
17:43:35 <dveditz> zakim, list attendees
17:43:35 <Zakim> As of this point the attendees have been JeffH
17:43:42 <dveditz> rrsagent, make minutes
17:43:42 <RRSAgent> I have made the request to generate http://www.w3.org/2016/02/24-webappsec-minutes.html dveditz
17:43:49 <gmaone> gmaone has joined #webappsec
17:44:12 <dveditz> hm, well _that_ didn't work right.
17:44:57 <dveditz> rrsagent, set logs world
17:45:10 <dveditz> wseltzer: wondering why Zakim thinks only jeffH was here
17:45:40 <dveditz> zakim, who is here?
17:45:40 <Zakim> Present: JeffH
17:45:42 <Zakim> On IRC I see gmaone, estark, teddink, tanvi, francois_, RRSAgent, KingstonTime, bhill2, yoav, bblfish, wseltzer, terri, Mek_, tobie, dveditz, kmckinley, slightlyoff, mkwst,
17:45:42 <Zakim> ... jochen__, mounir, schuki, ejcx_, trackbot, Zakim, timeless, Josh_Soref, xiaoqian
17:46:07 <dveditz> earlier there was a much larger "present" list
17:46:25 <wseltzer> present+ dveditz, francois, KingstonTime, mkwst, gmaone, estark, teddink, JeffH
17:46:40 <wseltzer> rrsagent, make minutes
17:46:40 <RRSAgent> I have made the request to generate http://www.w3.org/2016/02/24-webappsec-minutes.html wseltzer
17:47:02 <dveditz> oh! at one point I mistyped "present: " instead of "present+ "
17:47:09 <dveditz> does that cancel everything prior?
17:47:38 <dveditz> kind of makes sense to read that as declarative, but seems like a footgun if so
17:48:01 <dveditz> anyway, seems like the logs were made so that'll cover it
17:50:00 <wseltzer> dveditz: yes, present: clears the prior list
17:50:17 <dveditz> oops. sorry
17:50:32 <dveditz> mystery solved, though
17:50:41 <dveditz> thanks
17:56:12 <gmaone_> gmaone_ has joined #webappsec
17:58:32 <bhill2> bhill2 has joined #webappsec
18:25:03 <ejcx_> hello all. re: the face to face. Is anyone allowed to attend, or only specific people?
18:28:50 <ejcx_> I'm a long time reader and a never participant. I work at CloudFlare in the bay area
18:33:43 <wseltzer> ejcx_, thanks. If you want to attend, please send a note to the chairs and me (dveditz, bhill, and wseltzer@w3.org)
18:56:28 <bhill2> bhill2 has joined #webappsec
19:02:29 <bhill2> bhill2 has joined #webappsec