IRC log of webappsec on 2013-09-10

Timestamps are in UTC.

20:57:15 [RRSAgent]
RRSAgent has joined #webappsec
20:57:15 [RRSAgent]
logging to http://www.w3.org/2013/09/10-webappsec-irc
20:57:22 [bhill2]
zakim, this will be 92794
20:57:23 [Zakim]
ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 3 minutes
20:57:44 [bhill2]
Meeting: WebAppSecWG Teleconference, 9-Sep-2013
20:57:49 [bhill2]
Chair: bhill2
20:57:55 [bhill2]
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0020.html
20:58:08 [bhill2]
regrets: ekr
20:58:33 [gmaone]
gmaone has joined #webappsec
20:59:18 [Zakim]
SEC_WASWG()5:00PM has now started
20:59:19 [Zakim]
+ +1.303.229.aaaa
21:00:35 [bhill2]
zakim, aaaa is bhill2
21:00:35 [Zakim]
+bhill2; got it
21:00:40 [Zakim]
+ +1.415.832.aabb
21:00:42 [Zakim]
- +1.415.832.aabb
21:00:42 [Zakim]
+ +1.415.832.aabb
21:00:58 [bhill2]
zakim, aabb is peleus
21:00:58 [Zakim]
+peleus; got it
21:01:15 [Zakim]
+??P2
21:01:18 [Zakim]
+ +1.866.294.aacc
21:01:22 [Danesh]
Danesh has joined #webappsec
21:01:33 [gmaone]
zakim, ??P2 is gmaone
21:01:33 [Zakim]
+gmaone; got it
21:01:37 [klee]
klee has joined #webappsec
21:02:01 [Zakim]
+[Google]
21:02:12 [dveditz]
dveditz has joined #webappsec
21:02:26 [puhley]
puhley has joined #webappsec
21:03:00 [Zakim]
+[IPcaller]
21:03:10 [dveditz]
zakim, dveditz is ipcaller
21:03:10 [Zakim]
sorry, dveditz, I do not recognize a party named 'dveditz'
21:03:19 [bhill2]
zakim, Google has danesh
21:03:19 [Zakim]
+danesh; got it
21:03:26 [dveditz]
zakim, IPcaller is dveditz
21:03:26 [Zakim]
+dveditz; got it
21:03:54 [neilm]
neilm has joined #webappsec
21:04:12 [neilm]
sorry, i'll be a little late
21:04:24 [klee]
hi, i'm the 866 number
21:04:58 [dveditz]
zakim, who is here?
21:04:58 [Zakim]
On the phone I see bhill2, peleus, gmaone, +1.866.294.aacc, [Google], dveditz
21:05:00 [Zakim]
[Google] has danesh
21:05:00 [Zakim]
On IRC I see neilm, puhley, dveditz, klee, Danesh, gmaone, RRSAgent, Zakim, bhill2, bhill, odinho, tlr, wseltzer, timeless, mkwst_, trackbot
21:05:08 [dveditz]
zakim, aacc is klee
21:05:08 [Zakim]
+klee; got it
21:05:59 [Zakim]
+[Mozilla]
21:06:21 [tanvi]
tanvi has joined #webappsec
21:06:27 [tanvi]
Zakim, who is here?
21:06:27 [Zakim]
On the phone I see bhill2, peleus, gmaone, klee, [Google], dveditz, [Mozilla]
21:06:29 [Zakim]
[Google] has danesh
21:06:29 [Zakim]
On IRC I see tanvi, neilm, puhley, dveditz, klee, Danesh, gmaone, RRSAgent, Zakim, bhill2, bhill, odinho, tlr, wseltzer, timeless, mkwst_, trackbot
21:06:42 [dveditz]
zakim, Mozilla has tanvi
21:06:42 [Zakim]
+tanvi; got it
21:06:42 [tanvi]
Zakim, [Mozilla] is tanvi_grobinson
21:06:43 [Zakim]
+tanvi_grobinson; got it
21:07:03 [grobinson]
grobinson has joined #webappsec
21:07:31 [bhill2]
scribenick: dveditz
21:07:47 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0020.html
21:08:00 [bhill2]
Topic: Minutes Approval
21:08:01 [bhill2]
http://www.w3.org/2013/08/27-webappsec-minutes.html
21:08:12 [dveditz]
bhill2: approval of the minutes? any objections?
21:08:23 [dveditz]
bhill2: consider the minutes approved
21:08:31 [dveditz]
bhill2: additional business to add?
21:08:49 [dveditz]
bhill2: none, ok.... open issues review
21:08:50 [bhill2]
Topic: Actions Review
21:08:51 [bhill2]
https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:09:07 [dveditz]
bhill2: UI security is still backburnered
21:09:52 [Zakim]
+ +1.714.488.aadd
21:10:16 [neilm]
Zakin, aadd is neilm
21:10:21 [dveditz]
bhill2: dveditz is the only other one with an item
21:10:26 [bhill2]
Topic: blob, etc. urls
21:10:27 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0010.html
21:10:32 [dveditz]
dveditz: nothing new to report, investigating implementation
21:10:47 [neilm]
Zakin, aadd is neilm
21:10:52 [neilm]
Zakim, aadd is neilm
21:10:52 [Zakim]
+neilm; got it
21:10:57 [dveditz]
bhill2: currently have inconsistent behavior with data: and blob: between Firefox and chrome
21:11:11 [dveditz]
bhill: chrome always treats as equiv and same as "self" and *
21:11:24 [dveditz]
bhill: firefox excludes from * and treats a little differently
21:11:54 [dveditz]
bhill: proposal to list was to exclude all schemes for inline content from matching *
21:12:29 [dveditz]
bhill: dan proposed broadening, * should only match self's scheme (or allow https "upgrade" for http: self)
21:12:59 [bhill2]
http://*
21:13:01 [bhill2]
https://*
21:13:32 [dveditz]
bhill: reason to exclude inline content because they aren't being retrieved, they are repackages
21:16:29 [bhill2]
If you want all schemes - e.g. img-src may not be considered security sensitive, no way to specify that
21:16:39 [bhill2]
dveditz: yes, unless we introduce a *://* token... ugly
21:17:03 [dveditz]
dveditz: but * meaning all schemes means safe policies must use the verbose http://* https://*
21:18:07 [dveditz]
bhill: treating inline schemes as 'self' opens up xss-like (or eval-like) problems
21:18:41 [tanvi]
bhill2 - proposal - for everything but script-src, we consider data/blob to be equivalent to self. for script-src we consider it equivalent to eval. because you can take string content anywhere in the dom and create a blob uri for it and inject a script element into the dom and set the source to be that blob uri.
21:19:56 [tanvi]
dveditz - that is complex. it may be more safe but it seems like we should treat data/blob consistently one way or another.
21:20:38 [tanvi]
dveditz - if you allow blob everywhere except in script-src and object-src (probably), then people have to ask a question every time they use as to whether they need to add it to csp
21:21:04 [tanvi]
dveditz - maybe more consistent to just say inline data chunks need to be explicitly allowed if you want to use them
21:21:57 [tanvi]
dveditz - Neal, does twitter use data/blob and have any thoughts? Neal - only use data urls for images. don't think use any blobs.
21:22:52 [tanvi]
Neal - if it's a blob, whether or not it should execute, should be dependent on the uri used. if throw in script-src, won't work unless you whitelist it specifically
21:23:12 [dveditz]
bhill: one of the core rules is no code from strings. this is a clear and obvious bypass
21:23:27 [dveditz]
dveditz: I agree
21:27:05 [bhill2]
action dveditz to document proposal of simply excluding blob:, data:, etc from matching * everywhere, no explicit tie to unsafe-eval
21:27:05 [trackbot]
Created ACTION-149 - Document proposal of simply excluding blob:, data:, etc from matching * everywhere, no explicit tie to unsafe-eval [on Daniel Veditz - due 2013-09-17].
21:27:29 [bhill2]
Topic: Close feature set of CSP 1.1?
21:27:30 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0019.html
21:27:31 [dveditz]
bhill: if blob must be specified everywhere then putting it in default-src is the equivalent of unsafe-eval. need to put a warning in the spec at least
21:28:20 [dveditz]
bhill: need to specify/adjust our schedule again as part of coming up for consideration by the board group
21:28:30 [dveditz]
bhill: so should we declare the feature set closed for 1.1
21:29:22 [dveditz]
bhill: I've put a proposal on the mailing list
21:30:08 [dveditz]
bhill: not a complete proposal, assuming the more settled new features are part of it
21:30:25 [dveditz]
bhill: haven't heard any calls to remove any of those other features
21:31:10 [dveditz]
bhill: group 1) resolved/settled and in the spec, group 2) mostly settled, in process, and 3) new proposals
21:33:08 [dveditz]
bhill: do people think it's an appropriate time to close the feature set
21:33:38 [neilm]
+1 (avoiding muting/unmuting)
21:33:40 [dveditz]
dveditz: yes, it's a good time to draw lines
21:34:03 [dveditz]
bhill: will move call for consensus for the features on the bubble to the list
21:36:46 [neilm]
bye!
21:36:49 [Zakim]
-peleus
21:36:50 [dveditz]
dveditz: probably don't need both the SOS and cookie scope feature
21:36:51 [Danesh]
thx!
21:36:52 [Zakim]
-neilm
21:36:53 [Zakim]
-[Google]
21:36:57 [klee]
bye
21:37:03 [Zakim]
-gmaone
21:37:04 [dveditz]
bhill: the cookie scope proposal was more CSP-like
21:37:15 [bhill2]
action bhill2 to post a CfC to the list on closing the CSP 1.1 feature set
21:37:15 [trackbot]
Created ACTION-150 - Post a cfc to the list on closing the csp 1.1 feature set [on Brad Hill - due 2013-09-17].
21:37:22 [bhill2]
rrsagent, set logs public-visible
21:37:25 [Zakim]
-tanvi_grobinson
21:37:26 [bhill2]
rrsagent make minutes
21:37:26 [Zakim]
-dveditz
21:37:35 [bhill2]
rrsagent, make minutes
21:37:35 [RRSAgent]
I have made the request to generate http://www.w3.org/2013/09/10-webappsec-minutes.html bhill2
21:37:41 [bhill2]
rrsagent, set logs public-visible
21:37:45 [Zakim]
-klee
21:37:48 [Zakim]
-bhill2
21:37:50 [Zakim]
SEC_WASWG()5:00PM has ended
21:37:50 [Zakim]
Attendees were +1.303.229.aaaa, bhill2, +1.415.832.aabb, peleus, +1.866.294.aacc, gmaone, danesh, dveditz, klee, tanvi, tanvi_grobinson, +1.714.488.aadd, neilm
21:37:50 [dveditz]
tanvi: thanks for scribing while I was talking
21:38:05 [dveditz]
bhill2: is there a retroactive way to include those bits?
21:38:16 [neilm]
neilm has joined #webappsec
21:39:37 [tanvi]
dveditz: no problem
21:41:24 [bhill2]
bhill2 has left #webappsec
21:48:30 [bhill]
bhill has left #webappsec
21:56:42 [neilm]
neilm has joined #webappsec
21:58:55 [neilm_]
neilm_ has joined #webappsec
22:08:10 [neilm_]
neilm_ has left #webappsec
22:12:34 [grobinson]
grobinson has left #webappsec
22:15:33 [bhill]
bhill has joined #webappsec
22:15:44 [bhill]
bhill has left #webappsec
22:38:35 [gmaone]
gmaone has joined #webappsec
23:00:53 [neilm]
neilm has joined #webappsec
23:42:48 [tanvi]
tanvi has left #webappsec