20:33:44 RRSAgent has joined #webappsec
20:33:44 logging to http://www.w3.org/2013/10/22-webappsec-irc
20:33:46 RRSAgent, make logs world
20:33:46 Zakim has joined #webappsec
20:33:48 Zakim, this will be
20:33:48 I don't understand 'this will be', trackbot
20:33:49 Meeting: Web Application Security Working Group Teleconference
20:33:49 Date: 22 October 2013
20:34:13 zakim, this will be WASWG
20:34:13 ok, wseltzer; I see SEC_WASWG()5:00PM scheduled to start in 26 minutes
20:34:49 wseltzer has changed the topic to: Agenda 22 Oct: http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0092.html
20:51:15 SEC_WASWG()5:00PM has now started
20:51:17 +glenn
20:51:45 -glenn
20:51:46 SEC_WASWG()5:00PM has ended
20:51:46 Attendees were glenn
20:51:59 zakim, this will be WASWG
20:51:59 ok, glenn; I see SEC_WASWG()5:00PM scheduled to start in 9 minutes
20:55:47 bhill2 has joined #webappsec
20:56:06 ekr has joined #webappsec
20:56:13 test
20:56:32 bhill2: test received
20:56:36 I will be a few minutes
20:56:38 late
20:57:00 Meeting: WebAppSec WG Teleconference, 22-Oct-2013
20:57:05 Chairs: bhill2, ekr
20:57:13 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0092.html
20:57:27 zakim, this will be 92794
20:57:27 ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 3 minutes
20:57:49 SEC_WASWG()5:00PM has now started
20:57:50 +BHill
20:58:41 +Wendy
20:58:43 -Wendy
20:58:43 +Wendy
20:59:30 Charter diff: https://cvs.w3.org/Team/WWW/2013/07/webappsec-charter.html.diff?r1=1.14;r2=1.12;f=h
20:59:41 +abarth
21:00:05 ccarson has joined #webappsec
21:00:16 +glenn
21:00:25 +??P4
21:00:41 abarth has joined #webappsec
21:00:43 Zakim, +??P4 is mkwst
21:00:43 sorry, mkwst, I do not recognize a party named '+??P4'
21:00:51 Zakim, ??P4 is mkwst
21:00:51 +mkwst; got it
21:01:19 +CCarson
21:02:04 +??P6
21:02:14 +gopal
21:02:20 is P6 giorgio?
21:02:32 zakim, ??P6 is gmaone
21:02:32 +gmaone; got it
21:02:50 jww has joined #webappsec
21:03:00 tanvi has joined #webappsec
21:03:10 + +1.650.386.aaaa
21:03:29 Zakim, aaaa is tanvi
21:03:29 +tanvi; got it
21:04:07 Zakim, who is here
21:04:07 tanvi, you need to end that query with '?'
21:04:11 Zakim, who is here?
21:04:11 On the phone I see BHill, Wendy, abarth, glenn, mkwst, CCarson, gmaone, gopal, tanvi
21:04:13 On IRC I see tanvi, jww, abarth, ccarson, ekr, bhill2, Zakim, RRSAgent, gmaone, neilm, glenn, trackbot, mkwst, timeless, wseltzer
21:04:25 klee has joined #webappsec
21:05:42 Gopal, are you able to scribe? JeffH sent his regrets today, you are next.
21:05:59 + +1.714.795.aabb
21:06:15 scribenick: mkwst
21:06:16 puhley has joined #webappsec
21:06:20 Zakim, aabb is neilm
21:06:20 +neilm; got it
21:06:35 zakim, who is here?
21:06:35 On the phone I see BHill, Wendy, abarth, glenn, mkwst, CCarson, gmaone, gopal, tanvi, neilm
21:06:37 On IRC I see puhley, klee, tanvi, jww, abarth, ccarson, ekr, bhill2, Zakim, RRSAgent, gmaone, neilm, glenn, trackbot, mkwst, timeless, wseltzer
21:06:51 TOPIC: Minutes approval
21:06:56 last meeting's draft at: http://www.w3.org/2013/10/08-webappsec-minutes.html
21:06:59 +ekr
21:07:09 bhill: Objections to approving minutes?
21:07:14 everyone: ...
21:07:18 bhill: approved.
21:07:19 TOPIC: Agenda Bashing
21:07:24 q+
21:07:30 bhill: Any other business?
21:07:33 ack wseltzer
21:07:36 + +1.415.596.aacc
21:07:52 dveditz has joined #webappsec
21:08:14 wseltzer: Charter? Add to agenda, reps should comment.
21:08:29 zakim, aacc is puhley
21:08:29 +puhley; got it
21:08:35 s/reps should comment/thanks to those whose reps commented/
21:08:40 TOPIC: tracker
21:08:41 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:11:05 bhill: delay ACTION-141 to mid-December. Not CSP 1.1.
21:11:14 bhill: ACTION-143
21:11:48 (sorry; missed a bit there. my network connection is poor.)
21:11:57 bhill: push ACTION-143 to next call.
21:12:07 bhill: ACTION-144. Not tackling that in 1.1.
21:12:26 bhill: ACTION-133. Consider that done.
21:12:38 bhill: Cannot normatively spec what's in xpath.
21:13:06 bhill: Structure changes dynamically. Implementers might want to include additional metadata, tagging ancestor elements.
21:13:16 bhill: Closing, comment directly on draft.
21:13:30 bhill: ACTION-146.
21:13:42 + +1.781.369.aadd
21:14:07 -gopal
21:14:10 zakim, aadd is gopal
21:14:10 +gopal; got it
21:14:16 bhill: Both of dveditz's actions are still open.
21:14:28 bhill: script interface?
21:15:03 mkwst: would like to get something into 1.1 if possible.
21:15:14 bhill: nice to have. can we get it done?
21:15:24 bhill: due date? help?
21:15:25 gopal has joined #webappsec
21:15:52 mkwst: probably. what's the 1.1 timeframe?
21:16:07 bhill: October. It would be nice not to slip.
21:16:40 mkwst: if i can't get it done this week, let's bump it.
21:16:46 bhill: updating due date.
21:16:59 bhill: referrer policy, closing.
21:17:23 bhill: new text for extension/CSP interaction.
21:17:49 mkwst: i thought dveditz was doing that. oops. will do that this week.
21:18:05 glenn: i'll work on that with mike.
21:18:11 bhill: updating due date.
21:18:30 TOPIC: UISecurity input protection algorithm
21:18:31 http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0062.html
21:18:46 bhill: posted a new draft of UISecurity spec.
21:18:54 https://dvcs.w3.org/hg/user-interface-safety/raw-file/43644c06b379/user-interface-safety.html#alt_heuristic
21:19:05 ACTION-134?
21:19:05 ACTION-134 -- Brad Hill to report dependencies on event types -- due 2013-05-25 -- PENDINGREVIEW
21:19:05 http://www.w3.org/2011/webappsec/track/actions/134
21:19:42 bhill: touch/pointer events might not be defined in all agents;
21:19:59 https://www.w3.org/2011/webappsec/track/actions/134
21:20:18 bhill: "should" requirement documented in http://www.w3.org/2011/webappsec/track/actions/134
21:20:35 bhill: does that avoid the dependencies, abarth?
21:20:41 abarth: looks fine.
21:20:46 bhill: closing.
21:21:06 bhill: compositing.
21:21:16 bhill: text to list, comments back from david.
21:21:29 bhill: new editor's draft. comments or questions?
21:22:02 bhill: new algorithm looks good. might even be faster than the previous.
21:22:29 bhill: looks like we could reuse some of the things coming up in webrtc; tab capture, etc.
21:22:58 bhill: tracking dynamic region of changes for input protection might be problematic.
21:23:23 bhill: remove ability to specify clipping rectangle around cursor?
21:23:51 bhill: if no clipping window, and specify document root, probably breaks things.
21:25:02 gmaone: is this a roadblock we can't work around?
21:25:15 bhill: leave them in for now.
21:25:24 bhill: if at risk, we can make a decision later.
21:25:46 TOPIC: frame-options location
21:25:47 http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0049.html
21:26:13 bhill: thoughts on moving frame-options out of UISecurity?
21:26:40 bhill: dveditz proposed it. ian liked it.
21:26:48 bhill: will this change the speed of adoption?
21:26:54 tanvi: why is it a bad idea?
21:27:19 bhill: collection of related functionality in UISecurity spec. about ready to go to last call there.
21:27:56 bhill: one cohesive document describing approach to securing UI.
21:28:02 tanvi: timelines will be fairly similar?
21:28:13 bhill: editorial timelines similar.
21:28:51 bhill: browser folks comment on implementations?
21:29:33 abarth: questions about how the whole thing would look in compositor model.
21:29:59 bhill: maybe talk to whitehat folks. they like security. and they have a browser.
21:30:25 tanvi: frame-options. firefox has frame-ancestors, which does more or less the same thing.
21:30:33 tanvi: kept in both prefixed and unprefixed header.
21:30:48 tanvi: folks can use it now, but we'd like to switch to the standard syntax.
21:31:07 bhill: input protection heuristic?
21:31:14 tanvi: don't know if anyone's looked at that.
21:31:41 bhill: let's revisit this before last call.
21:32:05 TOPIC: script hashes, inline and src'd
21:32:06 http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0070.html
21:32:37 bhill: inline content only seems to be the way the list is going.
21:33:01 bhill: external script via separate spec; subresource integrity.
21:33:16 bhill: no objection to script hashes apply only to inline content.
21:33:23 TOPIC: referrer control strawman
21:33:24 http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0086.html
21:34:23 mkwst: more or less direct relationship to referrer control meta implemented in webkit browsers
21:34:44 three questions:
21:34:55 mkwst: ... 1: a good idea?
21:35:16 ... 2: how integration with Fetch should work or refer to / integrate with W3C spec?
21:35:23 ... 3. never mind..
21:35:53 mkwst: 3. multiple policies?
21:35:55 ... 3. multiple policies?
21:38:18 mkwst: questions around whether conflict resolution is reasonable. use-cases for single-page applications to inject policy for various views.
21:38:25 abarth: this is where a DOM API would be good, to set/unset it
21:39:37 mkwst: allowing loosening referrer policy would be different than other directives.
21:39:55 abarth: we could be in a better place in the future when better at mutating policies
21:39:56 abarth: might have some sort of mutable vs. immutable policy distinction.
21:40:28 bhill: could specify something around the api such that headers are immutable, but api-settings might be more flexible.
21:40:47 abarth: setting via api when views change.
21:41:23 mkwst: wait?
21:41:33 abarth: we might address use cases in a different way.
21:42:29 mkwst: a little concerned about having differing behaviors for vs CSP.
21:43:27 abarth: introduces complexity to referrer policy for a document. if it comes from one, mutable, from the other, immutable.
21:44:03 -ekr
21:44:13 sorry had to go
21:44:27 mkwst: will ask for feedback on the list with a more clear description of the problem.
21:44:35 bhill: other business? charter update.
21:44:40 TOPIC: Charter update, AOB
21:44:50 http://www.w3.org/2013/07/webappsec-charter.html
21:45:16 https://www.w3.org/2002/09/wbs/33280/security2013/results
21:45:27 wseltzer: proposed charter, went to advisory committee, members indicated support.
21:45:59 wseltzer: comments: perhaps the group should add something about CSP for the legacy web, and for established frameworks like jQuery.
21:46:22 wseltzer: is there anything we might want to clarify, respond to those comments about the scope?
21:46:46 bhill: script hash/nonce are the major attempt in 1.1 to deal with legacy.
21:47:08 bhill: not problematic to add that to scope explicitly.
21:47:21 bhill: legacy libraries, eval is probably the main problem.
21:47:42 bhill: is CSP the right place to tackle that? perhaps tainting would be better?
21:47:47 bhill: more fundamental change.
21:48:30 bhill: think we're getting good traction, actually.
21:48:51 ??: feature detection would be useful.
21:49:06 bhill: yes, that's certainly an interesting part of 1.1.
21:49:08 q+
21:49:17 ack wseltzer
21:49:22 bhill: objections to adding language to charter to deal with legacy?
21:49:47 wseltzer: would also be fine to respond that we're working on that, without making any changes to charter.
21:50:06 wseltzer: next step is to present to tomorrow's w3c meeting.
21:50:41 -glenn
21:50:43 -neilm
21:50:44 -CCarson
21:50:45 bhill: thanks, and good night!
21:50:45 -puhley
21:50:46 rrsagent, make logs public-visible
21:50:47 -Wendy
21:50:49 -tanvi
21:50:49 -gmaone
21:50:50 -abarth
21:50:52 rrsagent, make minutes
21:50:52 I have made the request to generate http://www.w3.org/2013/10/22-webappsec-minutes.html bhill2
21:50:52 -gopal
21:50:57 -mkwst
21:51:08 gopal has left #webappsec
21:51:09 rrsagent, set logs public-visible
21:51:30 bhill2 has left #webappsec
21:54:28 trackbot, end teleconf
21:54:28 Zakim, list attendees
21:54:28 As of this point the attendees have been BHill, Wendy, abarth, glenn, mkwst, CCarson, gopal, gmaone, +1.650.386.aaaa, tanvi, +1.714.795.aabb, neilm, ekr, +1.415.596.aacc, puhley,
21:54:31 ... +1.781.369.aadd
21:54:36 RRSAgent, please draft minutes
21:54:36 I have made the request to generate http://www.w3.org/2013/10/22-webappsec-minutes.html trackbot
21:54:37 RRSAgent, bye
21:54:37 I see no action items