20:49:47 <RRSAgent> RRSAgent has joined #webappsec
20:49:47 <RRSAgent> logging to http://www.w3.org/2013/06/04-webappsec-irc
20:50:12 <bhill2> rrsagent, set logs public visible
20:50:43 <bhill2> Meeting: WebAppSec WG Teleconference, 04-June-2013
20:50:47 <bhill2> Chair: bhill2, ekr
20:50:55 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0022.html
20:56:28 <bhill> bhill has left #webappsec
20:59:56 <ccarson> ccarson has joined #webappsec
21:00:05 <bhill2> zakim, this is 92794
21:00:05 <Zakim> ok, bhill2; that matches SEC_WASWG()5:00PM
21:00:36 <Zakim> +ccarson
21:00:45 <Zakim> +??P2
21:00:49 <Zakim> +ekr
21:00:55 <Zakim> +bhill2
21:00:59 <gmaone> zakim, ??P2 is gioma1
21:00:59 <Zakim> +gioma1; got it
21:01:19 <dveditz> dveditz has joined #webappsec
21:01:20 <ekr> ekr has joined #webappsec
21:01:23 <Zakim> +Wendy
21:01:48 <Zakim> +[IPcaller]
21:01:58 <dveditz> Zakim, IPcaller is dveditz
21:01:58 <Zakim> +dveditz; got it
21:02:41 <Zakim> -gioma1
21:02:51 <Zakim> +gopal
21:02:52 <abarth> abarth has joined #webappsec
21:02:54 <Zakim> +??P2
21:03:07 <gmaone> zakim, ??P2 is gioma1
21:03:07 <Zakim> +gioma1; got it
21:03:35 <bhill2> zakim, who is here?
21:03:35 <Zakim> On the phone I see abarth, ccarson, ekr, bhill2, Wendy, dveditz, gopal, gioma1
21:03:37 <Zakim> On IRC I see abarth, ekr, dveditz, ccarson, RRSAgent, Zakim, bhill2, gmaone, timeless, mkwst_, odinho, trackbot, wseltzer
21:03:54 <gmaone> zakim, ??p2 is gmaone
21:03:54 <Zakim> I already had ??P2 as gioma1, gmaone
21:04:01 <Zakim> -gioma1
21:04:15 <Zakim> +??P2
21:04:21 <gmaone> zakim, ??P2 is gmaone
21:04:21 <Zakim> +gmaone; got it
21:04:57 <bhill2> Minutes from last month's call: http://www.w3.org/2013/05/07-webappsec-minutes.html
21:05:14 <bhill2> RESOLVED: minutes approved
21:05:50 <bhill2> scribenick: dvetitz
21:06:00 <bhill2> scribe: Dan Veditz
21:06:04 <dveditz> scribenick: dveditz
21:06:08 <puhley> puhley has joined #webappsec
21:06:31 <dveditz> minutes from last time (5/7/2013) is approved
21:06:32 <Zakim> + +1.415.832.aaaa
21:07:00 <bhill2> zakim, aaaa is puhley
21:07:00 <Zakim> +puhley; got it
21:07:11 <dveditz> bhill2: last minute agenda wrangling, abarth would like to discuss script nonce maturity
21:07:43 <dveditz> ...: if we have any more time we can add discussing the UI safety issues Peleus brought up on the list
21:07:47 <bhill2> Topic: tracker
21:07:48 <bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:07:59 <dveditz> ... topic tracker opened
21:08:15 <dveditz> ... abarth had an issue to check with accessibility team
21:08:32 <dveditz> abarth: not done
21:09:04 <dveditz> abarth: thought I had done content-types for reports, I'll do that right now
21:09:07 <ekr> bhill: do you want me to run the tracker?
21:09:36 <Zakim> +[Mozilla]
21:09:49 <dveditz> bhill2: assume dveditz has not done his since he just got editor access  [dveditz; yup]
21:10:02 <tanvi> tanvi has joined #webappsec
21:10:18 <tanvi> Zakim, who is here
21:10:18 <Zakim> tanvi, you need to end that query with '?'
21:10:24 <tanvi> Zakim, who is here?
21:10:24 <Zakim> On the phone I see abarth, ccarson, ekr, bhill2, Wendy, dveditz, gopal, gmaone, puhley, [Mozilla]
21:10:26 <Zakim> On IRC I see tanvi, puhley, abarth, ekr, dveditz, ccarson, RRSAgent, Zakim, bhill2, gmaone, timeless, mkwst_, odinho, trackbot, wseltzer
21:10:28 <dveditz> bhill2: action 130, referrer control policy -- is that in the spec?
21:10:34 <tanvi> Zakim, [Mozilla] is tanvi
21:10:34 <Zakim> +tanvi; got it
21:10:52 <dveditz> bhill2: don't see it, going to assume all the open actions are going to remain open
21:11:03 <bhill2> https://www.w3.org/2011/webappsec/track/issues/raised
21:11:05 <dveditz> bhill2: raised issues
21:11:20 <dveditz> ... 7 at this point
21:12:08 <dveditz> ... issue 44, can table that for now until we discuss how script-hash interacts with script nonce
21:12:29 <dveditz> ... wait on issue 47, dveditz's addition of spec language for meta header
21:12:38 <ekr> willdo
21:12:45 <dveditz> ... ekr can you close issue 48 since we have spec text to address it?
21:13:05 <dveditz> ... issue 49, add http response code to report. anyone want to take that?
21:13:12 <bhill2> https://www.w3.org/2011/webappsec/track/issues/49
21:13:32 <dveditz> ... neil had asked if it would be possible to add this
21:13:49 <dveditz> abarth: you can give that to me
21:13:59 <bhill2> ACTION abarth to add HTTP response code to reports in CSP 1.1
21:13:59 <trackbot> Created ACTION-139 - Add HTTP response code to reports in CSP 1.1 [on Adam Barth - due 2013-06-11].
21:14:10 <ekr> dan: you can make actions the way bhill just did
21:14:12 <dveditz> ... also a bug filed into the tracker about specifying best practices, you can give that to me as well
21:14:23 <bhill2> https://www.w3.org/Bugs/Public/show_bug.cgi?id=22256
21:14:41 <bhill2> ACTION abarth to add text addressing https://www.w3.org/Bugs/Public/show_bug.cgi?id=22256
21:14:41 <trackbot> Created ACTION-140 - Add text addressing https://www.w3.org/Bugs/Public/show_bug.cgi?id=22256 [on Adam Barth - due 2013-06-11].
21:15:41 <dveditz> bhill2: issue 51  	How to handle externally defined <element> with <link rel=import> -- is it worth defining an "import-src"?
21:16:05 <dveditz> ... or treat custom elements as a constellation where yiou have to specify script-src, style-src, etc
21:16:34 <dveditz> abarth: i think we should use script-src, if we use something new people who are trying to control scripts could be bypassed by this new thing
21:16:55 <dveditz> abarth: I'd like to make it possible for the spec that defines this thing to specify which policy it falls under
21:17:22 <dveditz> ... I want to get away from use defining everything under the sun but allow other specifications to reference how they are covered by CSP
21:17:33 <dveditz> bhill2: last two rae issues for me and I have not looked into those
21:18:14 <bhill2> Topic: Script API to CSP
21:18:19 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0000.html         http://infrequently.org/2013/05/use-case-zero/
21:18:25 <bhill2> http://yehudakatz.com/2013/05/24/an-extensible-approach-to-browser-security-policy/
21:18:45 <dveditz> ... next item is looking at the security policy script interface based on the responses on the mailing list, discussion involving alex russel and edward vela
21:19:18 <dveditz> abarth: I think there are 2 parts of this -- some object that corresponds to the parsed representation of the policy string, and .... ?
21:20:05 <dveditz> ... the original api we had was a way to query an effective policy, the second one, but didn't provide a string representation of the parsed policy
21:20:16 <dveditz> ... I think if we separate those we can address alex's issues
21:20:26 <dveditz> bhill2: anyone else have any comments?
21:21:11 <dveditz> ... I think we still have an open question of how to give an advanced user fined-grained control and I'd like to continue to explore that beyond CSP 1.1
21:21:39 <dveditz> abarth: I think we can talk when I make my proposal, how to incrementally grow the capabilities
21:21:51 <dveditz> bhill2: next topic, security model for SVG components
21:22:27 <dveditz> ... haven't had the time to really grok what this is about -- seems like it would take a deep understanding of the issues to address
21:22:48 <dveditz> ... we don't seem to have the right people involved on the call, does anyone here feel they could summarize?
21:23:38 <dveditz> abarth: issue is that some oc the SVG mechanisms are mediated by CSS and some aren't. what should the policy be for these loads?
21:24:14 <dveditz> ... some of them want it to be simple like image loads, and some thought it should use CORS because of possible information leaks
21:25:53 <dveditz> ekr: it was hard to tell if there was any real risk here
21:26:28 <dveditz> abarth: even if you make things public with CORS it's better than not using CORS because it divorces cookies from the request and makes it less likely a server will leak personal/private data
21:27:04 <dveditz> ekr: I promised to loop bz in because he's not on the call.... do we have a clear statement of position we can give him?
21:27:26 <Zakim> -gopal
21:27:28 <dveditz> abarth: I'm happy to write it. I'd write it "this is my opinion" not the sense of the call thouigh
21:28:00 <dveditz> bhill2: I like that statement of CORS... should it apply to link rel=import too?
21:28:05 <dveditz> abarth: yes it should
21:28:31 <dveditz> bhill2: ... this is general advice not just how it applies to CSP, that would be a good thing to have a discussion on
21:28:54 <bhill2> Topic: broadening default-src semantics
21:28:58 <dveditz> ... moving on. broadening default-src semantics
21:29:01 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0000.html
21:29:48 <dveditz> abarth: summary-- Yehuda Katz cornered me that we shouldn't have to update the CSP spec every time the "web" spec gets updated
21:30:14 <dveditz> ... he was focusing on default-src, but really it was about writing the spec more generally
21:30:33 <dveditz> ... there might be some loads that are not specifically controllable that would fall back to default-src
21:30:44 <dveditz> bhill2: anyone object to that
21:31:16 <bhill2> ACTION abarth to update CSP 1.1 default-scr language to be more general, including coverage of areas not specified by other directives
21:31:16 <trackbot> Created ACTION-141 - Update CSP 1.1 default-scr language to be more general, including coverage of areas not specified by other directives [on Adam Barth - due 2013-06-11].
21:31:35 <bhill2> Topic: nonce-source
21:31:36 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jun/0013.html
21:31:39 <dveditz> bhill2: last topic, nonce-source
21:32:47 <dveditz> ... email says currently nonce is only defined for script-src and style-src -- should it be more general (any directive) or does it only make sense for those two directives
21:33:11 <dveditz> dveditz: I'm inclinced to limit it to script and style, which are the ones with unsafe-inline
21:33:51 <dveditz> bhill2: should we say it can't be used in default-src ?
21:34:26 <dveditz> abarth: the way it's in the spec right now it's very much like "unsafe-inline" -- you can put it in default-src currently, but it only take effect in the directives that understand it
21:34:36 <dveditz> ... nonce is currently written the sme way
21:35:10 <dveditz> bhill2: we had this discussion about data: and things as well, are those useful to think about in these terms?
21:35:39 <dveditz> abarth: the interesting one there is data: because if you whitelist data: you're sort of whitelisting script injection so there nonce might make sense
21:36:54 <dveditz> abarth: the people I talk to who want to use nonce it's overwhelmingly for inline scripts which can't be removed for various reasons like performance
21:37:07 <dveditz> ... haven't heard anyone complain about not being able to use data: uris
21:37:41 <dveditz> bhill2: ok, we'll limit it to script and style for now since that's been the focus and people can bring up broadening it later if they like
21:37:57 <dveditz> abarth: I've been talking to a number of people considering CSP who have gotten somewhat through their implementation
21:38:14 <dveditz> ... they're running up agains the inline-script problem -- where there are a couple they can't remove
21:38:27 <dveditz> ... they got really interested in nonce-src
21:38:50 <dveditz> ... how far are we from candidate recommendation, maybe for all of CSP 1.1 or something with "strong consensus"
21:39:11 <dveditz> ... how would the working group feel if chrome implemented nonce-src ahead of the standards
21:39:49 <dveditz> bhill2: my feel as the chair is that we're getting close to feature complete on 1.1, maybe a few things we've discussed that aren't in there
21:40:10 <dveditz> bhill2: referrer tag, return status code
21:41:08 <dveditz> ... to move beyond (??) we have to have a reasonable demonstration that we have compatible implementations, not a complete test suite necessarily, but can't mark 2/3 incomplete or unready
21:41:20 <dveditz> abarth: the biggest risk you didn't mention was the script interface
21:41:45 <dveditz> ... can the WG push forward with what we have and put the script interface into a later version of CSP?
21:42:06 <dveditz> bhill2: we could do that, but the biggest hurdle is interoperable implementations
21:42:45 <dveditz> ... since mozilla is the only other one with a CSP 1.0 implementation this will largely depend on when Mozilla can get CSP 1.1 features implemented
21:42:58 <dveditz> tanvi: our CSP 1.0 implementation will be in Firefox 23
21:43:08 <dveditz> bhill2: congratulations
21:43:20 <dveditz> ... do you know when you're going to have CSP 1.1 stuff implemented?
21:43:26 <dveditz> tanvi: I don't know the timeline
21:44:16 <dveditz> bhill2: you (abarth) suggested moving nonce out from behind the flags.... if we have two implementations of that specific feature and it seems solid and not likely to change then that seems possible
21:45:00 <dveditz> ... right now you have to turn the features on using command-line flags. nonce is so useful for implementers that chrome would like to enable it without having to do that
21:45:18 <dveditz> tanvi: I don't know how long it will take for us to get to that
21:45:57 <dveditz> abarth: we're going to drop support for the prefixed header, they're not healthy for the web. We're adding new stuff to the official header, but only if you specify a runtime flag
21:46:53 <dveditz> ... I'd like to get people using CSP, and the last blocker for some of these groups is support for nonce-src. I don't want to end-run the W3C process, but I'd like to get this feature out there
21:47:18 <dveditz> bhill2: if you want to ride the bleeding edge in your product there are ways to do that that are less risky
21:47:39 <dveditz> ... joel weinberger has volunteered testcases for that feraturte that will help ensure interoperability
21:48:19 <dveditz> ... that will help answer whether this is stable and ready for use. that's better than fragmenting the spec into more subversions to get this feature rolling
21:49:00 <dveditz> ... I'll end with a plug for testing: anyone out there a github wizard and can help us move the testcases from mercurial to github?
21:49:21 <dveditz> ... there's currently a one month lag between me checking in a testcase and it showing up in public
21:49:38 <wseltzer> q+
21:49:42 <dveditz> ... have heard that github will make this process better but i'm a total github noob
21:50:00 <dveditz> ekr: what's he wanting to do, import the history from mercurial?
21:50:18 <wseltzer> q-
21:50:29 <dveditz> bhill2: there's some particular way to set up github for that kind of access
21:51:19 <dveditz> ekr: wendy can you help us find out what the requirements for that would be? I don't want to import it all and find out it has to have special directory names or files
21:51:26 <dveditz> wseltzer: I can do that
21:51:56 <dveditz> ekr: does w3c have a github account? if not I can do it under mozilla. I don't want to do it under my name in case I get hit by a bus and then no one can access it
21:52:11 <dveditz> wseltzer: yes, we do but I don't know the process yet
21:52:37 <dveditz> bhill2: I want to host a "test the web forward" here in seattle. would like someone to do that in the bay area too
21:52:45 <wseltzer> ACTION wseltzer to email bhill, ekr, and tobie re github setup
21:52:45 <trackbot> Created ACTION-142 - Email bhill, ekr, and tobie re github setup [on Wendy Seltzer - due 2013-06-11].
21:52:51 <dveditz> ... have script-src completely covered, but there's more to do
21:52:55 <Zakim> -puhley
21:53:10 <Zakim> -ekr
21:53:11 <dveditz> thanks.
21:53:11 <Zakim> -Wendy
21:53:26 <bhill2> rrsagent, make minutes
21:53:26 <RRSAgent> I have made the request to generate http://www.w3.org/2013/06/04-webappsec-minutes.html bhill2
21:53:30 <Zakim> -tanvi
21:53:32 <Zakim> -ccarson
21:53:32 <Zakim> -dveditz
21:53:36 <bhill2> rrsagent, set logs public visible
21:53:42 <bhill2> zakim, list attendees
21:53:42 <Zakim> As of this point the attendees have been abarth, ccarson, ekr, bhill2, gioma1, Wendy, dveditz, gopal, gmaone, +1.415.832.aaaa, puhley, tanvi
21:53:44 <Zakim> -gmaone
21:53:55 <bhill2> rrsagent, make minutes
21:53:55 <RRSAgent> I have made the request to generate http://www.w3.org/2013/06/04-webappsec-minutes.html bhill2
21:53:56 <Zakim> -abarth
21:54:03 <Zakim> -bhill2
21:54:04 <Zakim> SEC_WASWG()5:00PM has ended
21:54:04 <Zakim> Attendees were abarth, ccarson, ekr, bhill2, gioma1, Wendy, dveditz, gopal, gmaone, +1.415.832.aaaa, puhley, tanvi
21:56:39 <bhill2> bhill2 has left #webappsec
22:00:33 <puhley> puhley has left #webappsec
22:08:23 <tanvi> tanvi has left #webappsec
22:16:29 <neilm> neilm has joined #webappsec
23:07:49 <neilm_> neilm_ has joined #webappsec
23:17:56 <neilm> neilm has joined #webappsec