15:56:00 RRSAgent has joined #webappsec
15:56:00 logging to http://www.w3.org/2014/01/29-webappsec-irc
15:56:01 RRSAgent, make logs world
15:56:01 Zakim has joined #webappsec
15:56:03 Zakim, this will be WASWG
15:56:03 ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 4 minutes
15:56:04 Meeting: Web Application Security Working Group Teleconference
15:56:05 Date: 29 January 2014
15:56:21 Chairs: bhill2, ekr
15:56:45 SEC_WASWG()11:00AM has now started
15:56:52 +??P6
15:57:15 Zanon, i am ??P6
15:57:27 +terri
15:57:33 freddyb has joined #webappsec
15:57:41 zakim, ??p6 is gmaone
15:57:41 +gmaone; got it
15:58:13 +??P10
15:58:15 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0175.html
15:58:19 hillbrad has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0175.html
15:58:52 +Wendy
15:59:09 wseltzer, thanks, goddamn virtual kb autocomplete :(
15:59:11 Zakim: I am ??p10
15:59:23 The bot wants commas, doesn't it?
15:59:34 Zakim, ??p10 is freddyb
15:59:34 +freddyb; got it
15:59:43 + +1.650.214.aaaa
16:00:08 bots should listen to people, not the other way around :-)
16:00:28 aaaa is mkwst
16:00:36 zakim, aaaa is mkwst
16:00:36 +mkwst; got it
16:00:37 +BHill
16:00:44 Ah, right. I need to talk to Zakim. :)
16:00:57 should and will are such different things ;)
16:01:52 I propose the use of Universal Greeting Time ;) http://www.total-knowledge.com/~ilya/mips/ugt.html
16:02:09 neilm has joined #webappsec
16:02:20 :)
16:03:56 +[IPcaller]
16:04:19 Zakim, IPcaller is neilm
16:04:19 +neilm; got it
16:05:23 Scribe: Wendy Seltzer
16:05:29 ScribeNick: wseltzer
16:05:31 +ekr
16:05:42 ekr has joined #webappsec
16:05:52 zakim, who is here?
16:05:53 On the phone I see gmaone, terri, freddyb, Wendy, mkwst, BHill, neilm, ekr
16:05:53 On IRC I see ekr, neilm, freddyb, Zakim, RRSAgent, hillbrad, gmaone, terri, glenn, tobie_, timeless, mkwst, wseltzer, trackbot
16:06:40 Topic: Minutes Approval
16:06:42 http://www.w3.org/2014/01/14-webappsec-minutes.html
16:06:50 hillbrad: Any objections?
16:06:59 ... Approved.
16:06:59 Topic: Agenda Bashing
16:07:08 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0175.html
16:07:15 hillbrad: Any additions to the agenda?
16:07:22 @@: Next steps for moving to last call
16:07:40 wseltzer: that was me
16:07:42 hillbrad: That fits into the CfC results, along with formal objection
16:07:47 s/@@/mkwst/
16:07:55 Topic: Tracker actions
16:08:02 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
16:08:32 hillbrad: Adam has a number of actions, but isn't on the call
16:08:57 mkwst: I'll take a look at some of the actions
16:09:25 hillbrad: I owe Jonas a note to say we won't do that
16:09:33 ccarson has joined #webappsec
16:09:58 ... action-161 will prepare new WD with reduced feature set
16:10:13 + +1.425.234.aabb
16:10:18 Topic: Integrity and Latency Tradeoffs
16:10:20 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0088.html
16:10:23 zakim, aabb is ccarson
16:10:23 +ccarson; got it
16:10:59 hillbrad: initial proposals for subresource integrity envisioned a single hash function
16:11:10 ... there was interest in streaming-friendly integrity to reduce latency
16:11:19 ... agl proposed unbalanced Merkle trees
16:11:44 ... looks as though list consensus: cool idea but hold off for future version
16:12:11 ... Anyone think we need stream-friendly integrity in v1?
16:12:30 mkwst: Think it's useful, but pushing off to a later version makes sense
16:12:49 ... make sure we're not making bad security choices with integrity overall
16:13:10 @@: Agree, it sounds neat, but we don't have a good way to serialize trees
16:13:22 ^-- that was me
16:13:24 s/@@/freddyb/
16:13:34 ekr: parallel or serial?
16:13:50 @@: currently one hash per resource
16:14:06 ^-- that was mkwst
16:14:14 ekr: If we supported multiple hash algorithms, it would be simple to add
16:14:19 s/@@/mkwst/
16:15:10 mkwst: figure out how to specify multiple integrity checks; should have a syntax for that in v1
16:15:34 (sorry, I need to step out for 5-10 minutes)
16:15:37 one more topic: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0154.html
16:15:54 hillbrad: should talk about use cases
16:16:20 ... stream-friendly opens up some use cases; others don't require streaming, such as content-addressable storage
16:16:36 ... Concern raised about attacks on content-addressable storage, latency
16:17:11 ... use-case includes local storage for users on low bandwidth connections
16:17:43 mkwst: Don't think that's a crazy use case; but content-addressable storage has properties interesting to attackers
16:17:52 ... cache poisoning, timing attacks
16:18:37 ... e.g. create a resource with the same hash as jQuery, then replace it in all webpages
16:19:10 if you can get 2nd preimage, all of the software update mechanisms in the world break
16:19:15 so your browser gets pwned before jquery
16:19:42 freddyb: also assure it aligns with CSP
16:20:15 ... and other origin-based security
16:20:36 mkwst: assure that things introduced into content-addressable storage are public
16:20:59 ... access via URL
16:21:42 freddyb: scripts, distinguish between access-control: allow * and include wherever
16:22:10 mkwst: consider how origin-based controls work where origins aren't delivering the resource
16:22:39 ... we could be draconian, say if you care about origin, verify before looking at the cache
16:22:55 If the concern is protecting against hash collisions, why not allow webapp to whitelist which hash algorithms are accepted?
16:23:13 ccarson: I don't think this is a main concern, actually.
16:23:29 Topic: Length extension
16:23:30 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0170.html
16:23:53 freddyb: might be resolved on list from agl
16:24:26 hillbrad: since we're not using HMAC, no impact
16:24:44 or rather, a concatenated MAC (HMAC is safe, too)
16:24:48 mkwst: it would be interesting if length could be added to hash
16:25:27 ekr: not sure 2d preimage is substantially harder if length is added
16:25:56 ... if we need to, should respond with new set of hash algorithms with different properties
16:26:41 ... not sure there's a use for generic inputs of functions
16:27:12 mkwst: conversations about ways headers are used; how do we handle mis-matches regarding integrity
16:27:49 ... holding off posting before we get done with CSP
16:28:06 hillbrad: also document in spec what properties of hash fns we're relying on; what happens if they fail
16:29:44 terri: describe a plan for how it might work if hash fn is compromised
16:30:16 Topic: Beacon and CSP
16:30:17 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0135.html
16:30:18 hillbrad: section describing how properties relate to security can help to preempt future discussion
16:30:40 hillbrad: Beacon is a new spec allowing for triggering of async post
16:30:51 ... what CSP directives should apply?
16:30:59 + +1.831.246.aacc
16:31:10 ... 2 camps: ConnectSource and Form-Action
16:31:42 zakim, aacc is dveditz
16:31:42 +dveditz; got it
16:31:44 @@: @@ don't care so long as it's covered by something
16:31:58 s/@@/mkwsr
16:32:02 s/@@/mkwst/
16:33:23 mkwst: it can trigger CORS preflight and push arbitrary data to a POST endpoint
16:33:37 ... so incline to put it into same camp as XHR. ie ConnectSource
16:33:46 s/ConnectSource/connect-src/g
16:34:21 ... if form changes, perhaps make sense to merge form-action with connect-src
16:35:20 @@: main reason for including connect-src is because we include data back into document
16:35:49 ... connect-src could also be used to block data exfiltration
16:36:03 hillbrad: interesting argument to include beacon as form-action
16:36:14 ... only sending data away, not changing document
16:36:35 s/@@/dveditz/
16:36:54 mkwst: question what you're able to do to external endpoint. Sending to a server that would do interesting things based on your authenticated input
16:37:16 dveditz: it would be great if we could address CSRF
16:37:34 ... but likely take a more unified effort than adding things piecemeal to CSP
16:37:47 mkwst: maybe in CSP 1.2
16:38:12 mkwst: do we want form-action in 1.1? does it solve a problem we care about?
16:38:23 ... is it same as connect-src?
16:38:31 ... I think y, y, no
16:38:58 dveditz: I think we care about it, should be distinct from connect-src, but not necessarily in 1.1
16:39:04 ... don't want to delay 1.1
16:39:46 hillbrad: document the difference. form-action is data gets sent away; connect-src includes reference to data in document
16:39:59 mkwst: beacon stuff should be included in beacon, not CSP
16:40:05 ACTION: bhill2 to propose to list text on form-action vs. connect-src re: sending data vs. receiving it
16:40:05 Created ACTION-162 - Propose to list text on form-action vs. connect-src re: sending data vs. receiving it [on Brad Hill - due 2014-02-05].
16:40:58 @@: Beacon gives a mechanism for async before-unload
16:41:07 Topic: CSP and Fetch
16:41:15 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0161.html
16:41:31 hillbrad: back-and-forth on whether to integrate CSP in fetch mechanism
16:42:13 mkwst: concern that fetch isn't part of W3C
16:42:27 ... makes sense to move some of this processing into fetch spec
16:42:45 ... but unclear on the politics
16:43:08 hillbrad: I tend to say work should be done where the people willing to do the work are
16:43:20 ... don't lose momentum to fragmentation
16:43:39 ... keep an eye on it for context and momentum
16:43:53 mkwst: for 1.1, don't think it makes a difference
16:44:08 ... for 1.2, think about organization and structure of spec
16:44:24 ... to push pieces that make sense to fetch
16:44:59 ... Believe we'd define what CSP means, push the policy out as an argument to fetch
16:45:14 ... happening in service worker
16:45:33 ... we should have more conversations with service worker folks
16:45:57 Topic: CfC on new CSP 1.1 WD
16:45:58 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0148.html
16:46:11 hillbrad: Mike issued a call for consensus
16:46:24 ... about a week ago. More positive responses than any previous call
16:46:28 ... and no objections.
16:46:38 ... Unless we have any objections here.
16:46:50 ... Unanimous approval to push the WD
16:47:09 ... I'll work with W3C to publish (tues/thurs)
16:47:24 ... Next steps for Last Call WD
16:47:42 mkwst: I sent a couple emails to the list asking what else we need to do
16:47:54 ... response makes me believe there's nothing left
16:48:09 ... I think the spec is relatively stable and agreed upon.
16:48:17 i'm closing https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357, removing Cox' objection
16:48:17 ... the one formal objection aside
16:48:38 [Here's the W3C process: http://www.w3.org/2005/10/Process-20051014/tr.html#last-call]
16:48:38 we are satisfied with the resolution; thanks mike
16:48:43 glenn: thanks.
16:49:01 hillbrad: I'd like to be sure we've closed the open issues, even if that's a matter of moving them to 1.2
16:49:14 ... we need to formally respond to all comments in LC period
16:49:32 ACTION: bhill2 give language on how frame-ancestors interacts with XFO
16:49:33 Created ACTION-163 - Give language on how frame-ancestors interacts with xfo [on Brad Hill - due 2014-02-05].
16:49:36 ... so it's best resolve the discussions in the group first
16:50:03 hillbrad: Ask everyone here to review doc as though it were Last Call doc
16:50:13 ... and prepare to move forward within a monht
16:50:17 s/monht/month/
16:50:32 mkwst: working to set up a call with Adam on his actions
16:50:38 ... most can be moved to 1.2
16:50:53 ... want to look at error-handling on blocked resources
16:51:04 ... also 149, talking about blob data
16:51:57 ... rest seem push-able to 1.2
16:52:38 hillbrad: that matches reasonably with approach to working with Fetch
16:52:57 mkwst: assume we'll be able to close or push these items relatively quickly
16:53:07 terri_ has joined #webappsec
16:53:20 Topic: Formal Objection re: user extensions and CSP
16:53:21 http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html
16:53:40 hillbrad: I see in irc that glenn has closed the bug and removed the formal objection
16:53:54 ... sounds as though everyone could live with removing the language
16:54:03 ... leaving it to browsers to handle extensions
16:54:47 mkwst: some argument from Anne and others that we shouldn't have language that's vendor-specific
16:55:06 ... if others aren't happy, we can have more discussion
16:55:16 hillbrad: Can everybody live with that?
16:55:18 ... Great
16:55:22 thanks
16:55:34 ... Can everyone live with making that change to CSP 1.0, currently in CR?
16:55:50 ... because working on test-suite for script-src, haven't been able to write tests
16:56:27 +1
16:56:40 ... you can make small edits for things at-risk, or that don't pass conformance
16:57:06 mkwst: perfectly happy removing it
16:57:12 hillbrad: I'll make those edits
16:57:27 hillbrad: AOB?
16:57:37 [adjourned]
16:57:46 -ekr
16:57:48 rrsagent, make minutes
16:57:48 I have made the request to generate http://www.w3.org/2014/01/29-webappsec-minutes.html hillbrad
16:57:49 -ccarson
16:57:52 sorry for the keyboard :(
16:57:57 zakim, list attendees
16:57:57 As of this point the attendees have been terri, gmaone, Wendy, freddyb, +1.650.214.aaaa, mkwst, BHill, neilm, ekr, +1.425.234.aabb, ccarson, +1.831.246.aacc, dveditz
16:58:00 -neilm
16:58:00 -mkwst
16:58:02 -Wendy
16:58:02 trackbot, end teleconf
16:58:02 Zakim, list attendees
16:58:03 -gmaone
16:58:03 As of this point the attendees have been terri, gmaone, Wendy, freddyb, +1.650.214.aaaa, mkwst, BHill, neilm, ekr, +1.425.234.aabb, ccarson, +1.831.246.aacc, dveditz
16:58:05 -terri
16:58:05 rrsagent, make minutes
16:58:05 I have made the request to generate http://www.w3.org/2014/01/29-webappsec-minutes.html hillbrad
16:58:05 -freddyb
16:58:06 -dveditz
16:58:10 RRSAgent, please draft minutes
16:58:10 I have made the request to generate http://www.w3.org/2014/01/29-webappsec-minutes.html trackbot
16:58:11 RRSAgent, bye
16:58:11 I see 2 open action items saved in http://www.w3.org/2014/01/29-webappsec-actions.rdf :
16:58:11 ACTION: bhill2 to propose to list text on form-action vs. connect-src re: sending data vs. receiving it [1]
16:58:11 recorded in http://www.w3.org/2014/01/29-webappsec-irc#T16-40-05
16:58:11 ACTION: bhill2 give language on how frame-ancestors interacts with XFO [2]
16:58:11 recorded in http://www.w3.org/2014/01/29-webappsec-irc#T16-49-32
16:58:14 rrsagent, set logs public-visible
16:58:16 freddyb has left #webappsec