IRC log of webappsec on 2014-01-14
Timestamps are in UTC.
- 21:56:06 [RRSAgent]
- RRSAgent has joined #webappsec
- 21:56:06 [RRSAgent]
- logging to http://www.w3.org/2014/01/14-webappsec-irc
- 21:56:14 [Zakim]
- Zakim has joined #webappsec
- 21:56:29 [bhill2]
- Meeting: WebAppSec Teleconference 14 Jan 2014
- 21:56:32 [bhill2]
- Chair: bhill2
- 21:56:36 [bhill2]
- Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html
- 21:56:43 [bhill2]
- zakim, this will be 92794
- 21:56:43 [Zakim]
- ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 4 minutes
- 21:58:10 [Zakim]
- SEC_WASWG()5:00PM has now started
- 21:58:17 [Zakim]
- +[IPcaller]
- 21:58:36 [Zakim]
- +BHill
- 21:58:58 [neilm]
- Zakim [IPcaller] is neilm
- 21:59:04 [neilm]
- Zakim, [IPcaller] is neilm
- 21:59:04 [Zakim]
- +neilm; got it
- 21:59:17 [freddyb]
- freddyb has joined #webappsec
- 22:00:07 [Zakim]
- +??P2
- 22:00:12 [Zakim]
- -??P2
- 22:00:28 [Zakim]
- +??P2
- 22:00:31 [dveditz]
- dveditz has joined #webappsec
- 22:01:12 [freddyb]
- I am this "??P2", Zakim reports...and have yet to find out how this all works :)
- 22:01:15 [terri]
- terri has joined #webappsec
- 22:01:27 [Zakim]
- +[IPcaller]
- 22:01:30 [Zakim]
- +??P5
- 22:01:31 [Zakim]
- +gopal
- 22:01:38 [Zakim]
- + +1.503.712.aaaa
- 22:01:38 [dveditz]
- Zakim, dveditz is IPcaller
- 22:01:40 [Zakim]
- sorry, dveditz, I do not recognize a party named 'dveditz'
- 22:01:47 [dveditz]
- Zakim, IPCaller is dveditz
- 22:01:47 [Zakim]
- +dveditz; got it
- 22:01:47 [gmaone]
- Zakim, ??P5 is gmaone
- 22:01:48 [Zakim]
- +gmaone; got it
- 22:01:52 [freddyb]
- Zakim: I am ??P2
- 22:01:53 [Zakim]
- +mkwst
- 22:02:06 [gmaone]
- Zakim, ??P2 is freddyb
- 22:02:06 [Zakim]
- +freddyb; got it
- 22:02:09 [Zakim]
- +Wendy
- 22:02:10 [freddyb]
- gmaone: thanks :)
- 22:02:21 [mkwst]
- mkwst has joined #webappsec
- 22:02:27 [terri]
- Zakim, I am aaaa
- 22:02:27 [Zakim]
- +terri; got it
- 22:02:33 [bhill2]
- Scribe: Neil Matatall
- 22:02:37 [bhill2]
- Scribenick: neilm
- 22:02:53 [bhill2]
- Regrets: ekr
- 22:03:02 [klee]
- klee has joined #webappsec
- 22:04:03 [terri]
- can't tell if the call dropped or what.
- 22:04:04 [freddyb]
- it's completely quiet for me
- 22:04:15 [dveditz]
- yes
- 22:04:31 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html
- 22:04:34 [bhill2]
- today's agenda
- 22:04:39 [bhill2]
- zakim, who is here?
- 22:04:39 [Zakim]
- On the phone I see neilm, BHill, freddyb, dveditz, gmaone, gopal, terri, mkwst, Wendy
- 22:04:41 [Zakim]
- On IRC I see klee, mkwst, terri, dveditz, freddyb, Zakim, RRSAgent, bhill2, neilm, gmaone, timeless, wseltzer, trackbot
- 22:04:45 [Zakim]
- -terri
- 22:05:10 [bhill2]
- TOPIC: minutes approval
- 22:05:22 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0003.html
- 22:05:39 [bhill2]
http://www.w3.org/2013/12/17-webappsec-minutes.html <- real minutes link
- 22:05:51 [bhill2]
- TOPIC: Agenda bashing
- 22:06:33 [Zakim]
- +terri
- 22:10:56 [bhill2]
- TOPIC: New conference call time
- 22:11:45 [bhill2]
- http://doodle.com/qrrdy4qe2a5kdi3b
- 22:12:05 [neilm]
- bhill2: not going to close voting today, perhaps 8 or 9 PST
- 22:12:20 [freddyb]
- I considered this a representative week, fwiw
- 22:12:51 [neilm]
- ... Monday 8:30 PST and Friday ??? likely candidates
- 22:13:36 [neilm]
- ... who is security lover? Speak up :)
- 22:13:54 [klee]
- 8:30 pm or am?
- 22:14:11 [neilm]
- klee: AM PST
- 22:14:21 [klee]
- I'd be down with that
- 22:15:30 [bhill2]
- TOPIC: Open Actions
- 22:15:31 [bhill2]
- https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
- 22:16:20 [Zakim]
- + +1.415.832.aabb
- 22:17:03 [puhley]
- puhley has joined #webappsec
- 22:20:32 [bhill2]
- TOPIC: CSP 1.1 updates
- 22:20:38 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0001.html
- 22:21:22 [neilm]
- mkwst: 1. removed most of script interface, needs to be reworked
- 22:21:43 [neilm]
- ... suggested push out to 1.2 (policy violation event still exists)
- 22:22:34 [neilm]
- ... 2. meta element changes converting todos
- 22:23:12 [neilm]
- ... 3: Workers no longer inherit policy automatically, rather when generated from origins w/ unique urls.
- 22:23:57 [neilm]
- ... 4: new child-src directive, default context source list, used for frame/worker/popup-src directives
- 22:24:25 [neilm]
- ... and child-src inherits from default-src
- 22:26:13 [neilm]
- ... nothing governs window.open
- 22:29:27 [freddyb]
- in general, if you're not talking: please mute. the feedback is indeed annoying
- 22:29:35 [Zakim]
- -gopal
- 22:29:37 [Zakim]
- -Wendy
- 22:29:49 [terri]
- I'm having trouble hearing much of anything because of it.
- 22:29:51 [grobinson|laptop]
- grobinson|laptop has joined #webappsec
- 22:29:55 [Zakim]
- +Wendy
- 22:30:02 [bhill2]
- zakim, who is making noise?
- 22:30:15 [Zakim]
- bhill2, listening for 10 seconds I heard sound from the following: BHill (14%), dveditz (73%), mkwst (31%)
- 22:31:36 [freddyb]
- on a sidenote, when it comes to directives: was it discussed in this WG whether it makes sense to put html imports into script-src?
- 22:31:55 [bhill2]
- freddy: yes, that was the conclusion we came to
- 22:31:57 [Zakim]
- +[Mozilla]
- 22:32:08 [neilm]
- dveditz: potential issues around workers [noise]
- 22:32:48 [freddyb]
- bhill2: thanks. I'll read up first then
- 22:32:49 [neilm]
- ... no need for child-src && worker-src, or just have separate frame/worker-src
- 22:33:52 [neilm]
- [noise]
- 22:33:58 [grobinson|laptop]
- dveditz: is there a cell phone nearby? sometimes they create interference that sounds like that
- 22:34:29 [neilm]
- ???: complexity is a leading blocker for adoption
- 22:34:30 [dveditz]
- who is speaking? apf?
- 22:34:52 [bhill2]
- was that terri oda speaking?
- 22:35:05 [terri]
- yes, I'm the former academic on the call
- 22:37:53 [Zakim]
- -mkwst
- 22:38:15 [mkwst]
- bah. dialing back in.
- 22:39:25 [Zakim]
- + +49.162.102.aacc
- 22:39:25 [neilm]
- bhill2: Ian's ideas around CSSOM appear to have no objections and decent support
- 22:39:59 [mkwst]
- zakim, i am aacc
- 22:39:59 [Zakim]
- +mkwst; got it
- 22:40:54 [neilm]
- bhill2: frame-ancestors in 1.1 (not frame-options)
- 22:41:32 [neilm]
- github ftw
- 22:41:39 [bhill2]
- TOPIC: Back compat in CSP
- 22:41:40 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0002.html
- 22:43:05 [neilm]
- bhill2: requiring eval for cssom might break things
- 22:43:31 [neilm]
- mkwst: if we feel it's an issue, we need to base decisions on data
- 22:44:17 [neilm]
- ... adding eval to style-src
- 22:45:36 [neilm]
- bhill2: does this impact chrome extensions and the like?
- 22:45:38 [neilm]
- mkwst: no
- 22:46:35 [bhill2]
- TOPIC: Sub-Resource Integrity Strawman and Use-Cases
- 22:46:38 [bhill2]
- http://w3c.github.io/webappsec/specs/subresourceintegrity/
- 22:47:22 [dveditz]
Firefox OS privileged apps have a default CSP of "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
- 22:47:47 [dveditz]
but we could easily add 'unsafe-eval' to the style-src if we make this change
- 22:48:07 [freddyb]
- certified apps (internal things like dialer, sms, ..) don't have 'unsafe-inline' for styles yet
- 22:48:12 [freddyb]
- privileged do
- 22:49:57 [neilm]
- 1) pros: ensure unauth'd code alerts, cons: might slow things down, might break things
- 22:50:59 [neilm]
- terri: intro needs to be clarified to distinguish from what CSP does
- 22:52:01 [Zakim]
- -gmaone
- 22:52:12 [neilm]
- 2) "cdn integrity" pros: no brainer, cons:
- 22:53:22 [Zakim]
- +??P5
- 22:53:40 [gmaone]
- Zakim, I am ??P5
- 22:53:40 [Zakim]
- +gmaone; got it
- 22:53:42 [neilm]
- 3) "integrity for downloads" cons: result of navigation before direct download might cause issues in a new context
- 22:54:22 [neilm]
- bhill2: is this meaningful? copy/pasting urls is a workaround as well
- 22:56:52 [neilm]
- 4) "Ensure UI elements aren't manipulated before being displayed"
- 22:57:30 [neilm]
- interaction with about:// could be controlled
- 22:58:08 [neilm]
- mkwst: chrome new tab page is another example
- 22:58:35 [neilm]
- freddyb: some of these pages are privileged as well
- 22:59:35 [neilm]
- mkwst: 1, 2, 4, 5 can probably be consolidated
- 23:02:02 [Zakim]
- - +1.415.832.aabb
- 23:03:00 [puhley]
- zakim, I am aabb
- 23:03:00 [Zakim]
- sorry, puhley, I do not see a party named 'aabb'
- 23:05:36 [Zakim]
- -neilm
- 23:05:38 [Zakim]
- -[Mozilla]
- 23:05:39 [Zakim]
- -Wendy
- 23:05:40 [Zakim]
- -mkwst
- 23:05:41 [Zakim]
- -freddyb
- 23:05:43 [Zakim]
- -terri
- 23:05:44 [Zakim]
- -gmaone
- 23:05:48 [Zakim]
- -dveditz
- 23:05:49 [bhill2]
- next call will probably be Friday, Jan 31
- 23:05:55 [bhill2]
- zakim, list attendees
- 23:05:55 [Zakim]
- As of this point the attendees have been BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
- 23:06:04 [bhill2]
- rrsagent, make minutes
- 23:06:04 [RRSAgent]
- I have made the request to generate http://www.w3.org/2014/01/14-webappsec-minutes.html bhill2
- 23:06:10 [bhill2]
- rrsagent, set logs public-visible
- 23:06:17 [Zakim]
- -BHill
- 23:06:18 [Zakim]
- SEC_WASWG()5:00PM has ended
- 23:06:18 [Zakim]
- Attendees were BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
- 23:33:01 [terri]
- terri has joined #webappsec
- 23:33:39 [terri_]
- terri_ has joined #webappsec