15:35:01 <RRSAgent> RRSAgent has joined #webappsec
15:35:01 <RRSAgent> logging to http://www.w3.org/2016/03/23-webappsec-irc
15:35:03 <trackbot> RRSAgent, make logs world
15:35:03 <Zakim> Zakim has joined #webappsec
15:35:05 <trackbot> Zakim, this will be WASWG
15:35:05 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
15:35:06 <trackbot> Meeting: Web Application Security Working Group Teleconference
15:35:06 <trackbot> Date: 23 March 2016
15:37:45 <bhill2> bhill2 has joined #webappsec
15:38:09 <bhill2> bhill2 has joined #webappsec
15:47:08 <yoav> yoav has joined #webappsec
15:48:02 <ejcx_> ejcx_ has joined #webappsec
15:48:42 <francois> francois has joined #webappsec
15:51:16 <neilm> neilm has joined #webappsec
15:53:24 <bhill2> bhill2 has changed the topic to: https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0073.html
15:53:27 <freddyb> freddyb has joined #webappsec
15:54:12 <bhill2> bhill2 has joined #webappsec
15:58:27 <bhill2> scribenick: bhill2
15:59:00 <mkwst> present+ mkwst
15:59:16 <bhill2> present+ bhill2
15:59:55 <bhill2> Meeting: WebAppSec Teleconference, 23-Mar-2016
16:00:01 <bhill2> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0073.html
16:00:06 <bhill2> Chairs: bhill2, dveditz
16:00:19 <freddyb> present+ freddyb
16:00:36 <gmaone> gmaone has joined #webappsec
16:01:32 <teddink> teddink has joined #webappsec
16:01:58 <mikeoneill> mikeoneill has joined #webappsec
16:02:21 <bhill2> zakim, who is here?
16:02:21 <Zakim> Present: mkwst, bhill2, freddyb
16:02:22 <francois> present+ francois
16:02:23 <Zakim> On IRC I see mikeoneill, teddink, gmaone, bhill2, freddyb, neilm, francois, ejcx_, yoav, Zakim, RRSAgent, Mek, terri, timeless, jochen__, schuki, mounir, MikeSmith, mkwst,
16:02:23 <Zakim> ... slightlyoff, dveditz, tobie, Josh_Soref, wseltzer, trackbot
16:02:33 <gmaone> present+ gmaone
16:02:41 <teddink> present+ teddink
16:02:52 <mikeoneill> Hi Im Mike O'Neill in webex
16:03:13 <mikeoneill> via webex I meant
16:03:27 <wseltzer> regrets+ wseltzer
16:03:52 <bhill2> wseltzer: can we chat about some document statuses later?
16:04:01 <dveditz> present+ dveditz
16:04:23 <bhill2> transition request for CORS to edited REC is stale as of Sep 9 (!) and SRI to Proposed REC from Jan 22...
16:05:31 <wseltzer> bhill2, yes, and about fetch dependencies.
16:05:56 <bhill2> yes, great
16:06:14 <bhill2> Agenda is here: https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0073.html
16:06:18 <terri> present+ terri
16:06:29 <bhill2> zakim, who is here?
16:06:29 <Zakim> Present: mkwst, bhill2, freddyb, francois, gmaone, teddink, dveditz, terri
16:06:32 <Zakim> On IRC I see mikeoneill, teddink, gmaone, bhill2, freddyb, neilm, francois, ejcx_, yoav, Zakim, RRSAgent, Mek, terri, timeless, jochen__, schuki, mounir, MikeSmith, mkwst,
16:06:32 <Zakim> ... slightlyoff, dveditz, tobie, Josh_Soref, wseltzer, trackbot
16:06:58 <bhill2> scribenick: bhill2
16:07:12 <bhill2> TOPIC: Agenda Bashing
16:07:58 <bhill2> TOPIC: Minutes Approval
16:08:03 <bhill2> https://www.w3.org/2011/webappsec/draft-minutes/2016-02-24-webappsec-minutes.html
16:08:16 <bhill2> Any objections to unanimous consent to approve prior minutes?
16:08:22 <bhill2> No objections, approved unanimously.
16:08:27 <bhill2> TOPIC: May F2F
16:08:31 <devd> devd has joined #webappsec
16:09:13 <bhill2> Thanks to Moz for volunteering space at Mountain View on May 16-17.
16:09:14 <bhill2> http://doodle.com/poll/38uhygx3wtg3ax3f
16:09:33 <KingstonTime> KingstonTime has joined #webappsec
16:09:37 <tanvi> tanvi has joined #webappsec
16:10:02 <bhill2> Agenda bashing for F2F
16:10:03 <bhill2> https://docs.google.com/document/d/1KQ_TWHBc1QBn4Xf2yJ7AYDQumuJioaGDfxbzwIJjxOI/edit
16:13:28 <bhill2> mkwst: implementer interest is most important topic, and threat model discussion flows nicely into that
16:13:40 <bhill2> ... what do various vendors actually care about and where should we be investing our effort
16:14:09 <bhill2> dveditz: agreed on that, a few things not mentioned
16:14:30 <bhill2> ... like CSP2.  Let's go through all specs and what next steps are, where are we in the process for each one.
16:14:59 <mkwst> bhill: Removing barriers is on the list. But doing inventory seems like it makes sense.
16:15:10 <mkwst> ... Very close on CSP2.
16:15:22 <mkwst> ... One or two features (`form-action`) that don't have two implementations.
16:15:29 <mkwst> ... Remove those features? Make them optional?
16:15:34 <mkwst> ... Want to get to REC.
16:15:53 <bhill2> TOPIC: Finalizing Mixed Content to Proposed Recommendation
16:16:08 <bhill2> https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0067.html
16:16:43 <ckerschb_> ckerschb_ has joined #webappsec
16:16:57 <bhill2> Mike said on the list that if the context isn't secure, the content isn't mixed.
16:17:14 <bhill2> tanvi: thought there was discussion that directive and UIR should work on insecure pages, too
16:17:28 <bhill2> mkwst: UIR works on insecure pages and still tries to upgrade insecure requests
16:17:32 <tanvi> present+ tanvi
16:17:53 <bhill2> ... but block all mixed exits early if not in a secure context because content isn't actually mixed
16:18:02 <bhill2> tanvi: sounds fine, actually how our implementation works
16:18:29 <bhill2> dveditz: if you are an insecure page and framed a secure page then you would have strict blocking for the secure frame, yes?
16:18:32 <bhill2> mkwst: that is correct
16:18:41 <bhill2> dveditz: should make sure we have a test case for that
16:18:48 <bhill2> mkwst: I don't feel strongly about that behavior
16:19:06 <ckerschb_> present+ ckerschb
16:19:06 <bhill2> ... fine to change to indicate that the directive only works in a secure context
16:19:26 <bhill2> dveditz: I care that FF, Chrome and other browsers are consistent in cases like that
16:20:01 <bhill2> mkwst: fairly certain that behavior is well-defined.  flag set on document that propagates down into iframes
16:20:17 <bhill2> ... will test this
16:20:47 <bhill2> TOPIC: sri source expressions
16:20:58 <mkwst> bhill: Will hold off on officially doing anything until tested. Sounds like it'll be quick.
16:22:15 <bhill2> neilm: idea is to add another directive to CSP to indicate that resources must have integrity tags
16:22:51 <bhill2> seems to be pretty good consensus on this...
16:23:18 <bhill2> neilm: there is some contention on whether we want a directive to require on all resources, e.g. * as an equivalent to default-src: none
16:24:07 <bhill2> dev: I prefer a new keyword expression for each individual -src directive rather than a new CSP directive
16:24:17 <bhill2> ... for forwards/backwards compatibility reasons
16:24:42 <bhill2> francois: I'm fine with either a global keyword or something in each -src directive
16:25:03 <bhill2> ... I think that '*' is likely to cause problems in the future when browsers implement at a different pace
16:25:19 <bhill2> neilm: would become a big problem if things were wildly all over the place
16:25:45 <bhill2> ... don't know it will be that disjoint.  some of that already with things like nonces that some browsers don't understand
16:26:14 <bhill2> francois: I fear that lots of devs will use * because it is shorter, and it only applies to styles, scripts, site will break in the future as new tags are supported
16:27:14 <bhill2> dveditz: or require an integrity attribute on everything with a href and break even if we don't check it
16:27:25 <bhill2> dev: so many tags...
16:27:42 <bhill2> francios: still an issue if we invent a new type of subresource
16:27:48 <bhill2> neilm: and pretty long
16:28:18 <freddyb> I suggest we don't support * but allow shorthands for sets of subresources by spec version, i.e. v1 = scripts & styles
16:29:07 <bhill2> bhill2: I would lean towards not giving developers a footgun, we had to scramble at Facebook to fix when data: and blob: were no longer implicitly part of *
16:30:11 <bhill2> dev: I vote for not including a *
16:30:33 <bhill2> francois: bring up the github discussion to the list
16:30:36 <bhill2> neilm: will do it
16:30:42 <bhill2> TOPIC: permissions delegation
16:31:41 <bhill2> https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0036.html
16:31:50 <bhill2> https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0034.html
16:31:56 <bhill2> https://noncombatant.github.io/permission-delegation-api/
16:32:02 <bhill2> https://docs.google.com/document/d/1iaocsSuVrU11FFzZwy7EnJNOwxhAHMroWSOEERw5hO0/edit
16:32:22 <bhill2> tanvi: I've commented on the proposal, but don't think that Raymes is here
16:32:30 <bhill2> mkwst: neither Raymes or Chris is on the call...
16:32:40 <bhill2> ... not sure how much value there is in discussion without either proposer
16:32:53 <mikeoneill> q
16:32:53 <bhill2> ... I like it, think it's good and some tweaks proposed are interesting
16:33:10 <mikeoneill> +q
16:33:58 <bhill2> mikeoneill: I quite like it, also interested in the cookie control and embedded CSP thing from December
16:34:09 <bhill2> ... seem to be addressing the same issue, would be good to discuss at the same time
16:34:48 <mkwst> bhill: Yes. Fits in with the conversation around threat models.
16:35:03 <mkwst> ... embedded widgets, ads. What control do we want to give to the embedder.
16:35:27 <mkwst> bhill: AOB?
16:35:35 <mkwst> ... Need to update CORS to point at Fetch.
16:35:43 <mkwst> ... Transition requests gone stale.
16:36:03 <mkwst> ... Need to talk with Web Platform WG to see what's going on with references to HTML.
16:36:07 <mkwst> ... WHATWG, etc.
16:36:14 <mkwst> ... mkwst is interested. Anyone else?
16:36:17 <mkwst> <crickets>
16:36:22 <mkwst> ... Will get that on the calendar.
16:36:54 <bhill2> mkwst: issued an intent to ship same site attribute for cookies
16:37:08 <bhill2> ... want to bring it to the attention of other browser vendors, please take a look
16:37:27 <bhill2> ccowan: can you give us the elevator pitch?
16:38:00 <bhill2> mkwst: if a cookie is marked as same-site, it will only be sent if the request is initiated by the same site
16:38:20 <bhill2> ... example.com requesting something from example.com will send the cookie, evil.com requesting something from example.com won't have it
16:39:48 <mkwst> bhill: How to feature-detect?
16:39:55 <mkwst> ... would love to use this if we know it'll be respected.
16:40:09 <mkwst> ... Want to know if the semantics will be forced or not.
16:40:19 <mkwst> dveditz: Looking at it as an opportunistic improvement.
16:40:25 <bhill2> bhill2: would be good to know if the semantics are enforced without having to do UA string assessment
16:40:25 <mkwst> ... What would you do in a UA that doesn't support?
16:40:44 <mkwst> ... Works on browsers that don't support, but get more protection on browsers that do.
16:40:44 <bhill2> dveditz: think of it as an opportunistic improvement
16:41:12 <mkwst> bhill: Some scenarios where you're trying to protect against CSRF'd login into some arbitrary account.
16:41:27 <mkwst> ... Might want to take other measures depending on the capability of UA.
16:41:41 <mkwst> dveditz: Would have to signal in the cookie itself
16:41:49 <mkwst> ... can't really decorate the cookie header without breaking soething.
16:41:53 <mkwst> ... could add a signaling header.
16:42:10 <mkwst> devd: Prefixes?
16:42:15 <bhill2> dev: what about prefixes as a secondary mechanism?
16:42:54 <mkwst> mkwst: That would mean we'd need to signal support for prefixes.
16:43:01 <mkwst> bhill: DOM attribute would be enough for me.
16:43:14 <mkwst> ... `document.cookies.supportsSameSite`, etc.
16:43:26 <mkwst> ... Will think on it some more.
16:44:07 <ckerschb_> ckerschb_ has left #webappsec
16:45:28 <bhill2> bhill2 has joined #webappsec
16:50:53 <wonsuk_> wonsuk_ has joined #webappsec
17:40:00 <wonsuk> wonsuk has joined #webappsec
17:46:38 <tanvi> tanvi has joined #webappsec
18:35:12 <yoav> yoav has joined #webappsec
18:38:16 <Zakim> Zakim has left #webappsec
19:19:28 <yoav> yoav has joined #webappsec
19:21:18 <bblfish> bblfish has joined #webappsec
20:22:15 <wonsuk_> wonsuk_ has joined #webappsec
20:42:45 <bhill2> bhill2 has joined #webappsec
20:44:45 <bhill2> bhill2 has joined #webappsec
20:57:01 <bhill2> bhill2 has joined #webappsec
20:59:05 <tanvi> tanvi has joined #webappsec
22:06:34 <wonsuk> wonsuk has joined #webappsec
23:16:40 <yoav> yoav has joined #webappsec
23:52:44 <bblfish> bblfish has joined #webappsec