IRC log of webappsec on 2014-02-12

Timestamps are in UTC.

15:59:22 [RRSAgent]

RRSAgent has joined #webappsec

15:59:22 [RRSAgent]

logging to http://www.w3.org/2014/02/12-webappsec-irc

15:59:24 [trackbot]

RRSAgent, make logs world

15:59:24 [Zakim]

Zakim has joined #webappsec

15:59:26 [trackbot]

Zakim, this will be WASWG

15:59:26 [Zakim]

ok, trackbot, I see SEC_WASWG()11:00AM already started

15:59:27 [trackbot]

Meeting: Web Application Security Working Group Teleconference

15:59:27 [trackbot]

Date: 12 February 2014

16:00:10 [Zakim]

+Wendy

16:00:47 [hillbrad]

hillbrad has joined #webappsec

16:00:58 [mkwst]

huzzah.

16:01:00 [Zakim]

+BHill

16:01:13 [mkwst]

yeah, i can scribe. i think it's my turn anyway.

16:01:18 [hillbrad]

hillbrad has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0029.html

16:01:37 [richt]

richt has joined #webappsec

16:01:50 [terri]

terri has joined #webappsec

16:02:24 [Zakim]

+[IPcaller]

16:02:33 [gmaone]

Is anybody trying to call Zakim's VOIP and failing like me?

16:02:36 [gopal]

gopal has joined #webappsec

16:02:49 [richt]

Present+ Rich_Tibbett

16:02:52 [richt]

zakim, IPcaller is me

16:02:52 [Zakim]

+richt; got it

16:03:07 [Zakim]

+dveditz

16:03:08 [Zakim]

+terri

16:03:09 [hillbrad]

Meeting: WebAppSec WG Teleconference 12-Feb-2014

16:03:12 [hillbrad]

Chairs; bhill2, ekr

16:03:17 [hillbrad]

Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0029.html

16:03:45 [wseltzer]

zakim, mute Wendy

16:03:45 [Zakim]

Wendy should now be muted

16:03:57 [wseltzer]

zakim, I am Wendy

16:03:57 [Zakim]

ok, wseltzer, I now associate you with Wendy

16:04:27 [Zakim]

+ +1.781.369.aaaa

16:04:54 [wseltzer]

zakim, aaaa is gopal

16:04:54 [Zakim]

+gopal; got it

16:05:04 [mkwst]

wseltzer: the bot wasn't up when i dialed in; can i somehow ensure that i'm associated with whatever number i'm dialed in on?

16:05:12 [wseltzer]

zakim, who is on the call?

16:05:12 [Zakim]

On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal

16:05:18 [mkwst]

ah, sweet. :)

16:06:11 [Zakim]

+[Mozilla]

16:06:17 [ekr]

ekr has joined #webappsec

16:06:24 [wseltzer]

zakim, Mozilla has ekr

16:06:24 [Zakim]

+ekr; got it

16:06:39 [terri]

sorry, apparently I had the call muted. fixed

16:06:46 [ekr]

scribenick, ekr

16:06:55 [ekr]

scribenick: ekr

16:07:28 [hillbrad]

zakim, who is here?

16:07:28 [Zakim]

On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal, [Mozilla]

16:07:30 [Zakim]

[Mozilla] has ekr

16:07:30 [Zakim]

On IRC I see ekr, gopal, terri, richt, hillbrad, Zakim, RRSAgent, dom, gmaone, mkwst, timeless, tobie_, wseltzer, trackbot

16:07:46 [ekr]

Topic: Minutes approval: http://www.w3.org/2014/01/14-webappsec-minutes.html

16:08:05 [glenn]

glenn has joined #webappsec

16:08:21 [ekr]

No objections, minutes approved

16:09:20 [ekr]

bhill2: going to start a CfC for the FPWD of subresource integrity.

16:09:35 [ekr]

zakim, who is talking?

16:09:45 [Zakim]

ekr, listening for 10 seconds I heard sound from the following: BHill (62%), [Mozilla] (15%)

16:10:03 [ekr]

mkwst: I will have a bunch of feedback on subresource integrity

16:10:16 [ekr]

bhill2: New CSP 1.1. WD published yesterday morning

16:11:23 [ekr]

Topic: CSP Formal Objection

16:11:24 [ekr]

http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0165.html

16:11:41 [ekr]

bhill2: as chair, I think we have rough consensus. don't need need to reopen the issue.

16:12:11 [ekr]

??? : as I understand it there are two objections

16:12:23 [mkwst]

ekr: s/???/dveditz/

16:12:44 [ekr]

bhill2: 1. Language -- we left it to implementors. 2. Objection to removal of language, but from Bjoern who is nit a wg member.

16:12:57 [ekr]

… can 't have two people have a tug of war preventing it from going forward

16:13:01 [wseltzer]

s/nit/not/

16:13:15 [ekr]

dveditz: objections are opposite, right?

16:14:05 [ekr]

bhill2: concerned here with issue glenn raised and that bjoern has responded to re: user-supplied modifications to page via extensions, bookmarks, etc.

16:14:39 [hillbrad]

hillbrad has joined #webappsec

16:14:40 [glenn]

in this case, it is better to not say anything in spec

16:14:58 [ekr]

dveditz: we have seen objections that are useful to users that may unwisely make changes to every page. might be reasonable to require an extension to explicitly override CSP.

16:15:09 [ekr]

… don't know how we would do that technically

16:15:14 [ekr]

… seems like a UA decision

16:15:36 [ekr]

mkwst: agreed. putting limitations on extensions/add-ons might be reasonable but it's not a spec issue

16:17:04 [ekr]

bhill2: a spec must have two interoperating implementations of each feature

16:17:28 [ekr]

… a normative requirement to turn reporting off would need to have implementations in both specs

16:18:06 [ekr]

… nothing stopping browsers from doing that, but it need not be in the spec

16:18:38 [glenn]

zakim, what is the code?

16:18:38 [Zakim]

the conference code is 92794 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), glenn

16:18:53 [ekr]

dveditz: what if firefox or torbrowser decides to have opt-in reporting, is it still conformant.

16:19:19 [Zakim]

+glenn

16:19:25 [ekr]

bhill2: yes

16:20:16 [ekr]

bhill2: has not seen a coherent threat model for why reporting makes things worse

16:22:12 [wseltzer]

->

16:22:26 [wseltzer]

http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html

16:23:49 [hillbrad]

noted for minutes: no objections to consensus on current language in the tip of the editor's draft, that is, no normative recommendations to user agent implelmenters regarding interaction of CSP and extensions or user-script

16:23:58 [hillbrad]

consensus previously established still stands

16:24:22 [wseltzer]

RESOLVED: previously-established consensus stands

16:24:47 [hillbrad]

mkwst: child-src and popups are 1.2 features

16:24:53 [ekr]

I am back

16:25:05 [hillbrad]

… referrer expressiveness is in current editor's draft

16:25:18 [ekr]

mkwst: processing of meta elements still needs discussion

16:25:23 [hillbrad]

… meta element needs discussing, are use cases current spec would disallow and questions about reasonableness

16:25:27 [hillbrad]

… beacon is not 1.1

16:25:34 [ekr]

hillbrad: I can take over

16:25:45 [ekr]

mkwst: two things I think are interesting, meta element and redirect

16:26:18 [ekr]

wseltzer(?): meta element… was that based on a request.

16:26:29 [ekr]

mkwst: some cases where you can't control HTTP headers

16:26:31 [fjh]

fjh has joined #webappsec

16:26:34 [fjh]

ec

16:27:03 [ekr]

wseltzer: maybe we should consider other options. probably wouldn't be too hard for github or such to allow people to provide meta

16:27:14 [wseltzer]

s/wseltzer:/terri:/

16:27:21 [ekr]

s/provide meta/to provide the content that would be in meta/

16:27:30 [ekr]

mkwst: I don't see a threat here.

16:27:50 [ekr]

… I don't understand what the problem is

16:28:04 [Zakim]

+[IPcaller]

16:28:05 [fjh]

zakim, IPcaller is me

16:28:05 [Zakim]

+fjh; got it

16:28:19 [ekr]

dveditz: what are you not concerned about? header? script element after the page is loaded

16:28:22 [fjh]

s/^ec$//

16:28:30 [fjh]

zakim, who is here?

16:28:30 [Zakim]

On the phone I see mkwst, Wendy (muted), BHill, richt, dveditz, terri, gopal, [Mozilla], glenn, fjh

16:28:32 [Zakim]

[Mozilla] has ekr

16:28:32 [Zakim]

On IRC I see fjh, hillbrad, glenn, ekr, gopal, terri, richt, Zakim, RRSAgent, dom, gmaone, mkwst, timeless, tobie_, wseltzer, trackbot

16:28:55 [ekr]

mkwst: given that we restrict reporting, etc. by policy, so how is this different than if I could inject a non-CSP meta tag

16:29:11 [ekr]

terri: I'm not convinced. let me see if we can figure out how to attack this here.

16:29:44 [ekr]

dveditz: can't I also use this to block other things on the page

16:29:59 [ekr]

mkwst: wouldn't this already be worse with non-CSP mechanisms if you could already inject meta

16:30:20 [ekr]

dveditz: having scripts mess with meta tags is not good. an API would be better

16:30:41 [ekr]

… implementation concerns here as well

16:31:23 [ekr]

mkwst: let's take this to the list

16:32:10 [ekr]

bhill2: last major 1.1. Mike, you mentioned referer?

16:32:18 [ekr]

mkwst: my impression is that it is fine

16:32:44 [ekr]

bhiill2: can you get dan and other mozillans to express any concerns with meta asap.

16:32:55 [ekr]

… start CfC for last call on next telecon

16:33:46 [ekr]

Topic: f CORS and whitelisting, exposure of local network IP address

16:33:47 [ekr]

information in URLs,

16:33:57 [ekr]

Editors draft: https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html

16:33:57 [ekr]

Issues: http://www.w3.org/2009/dap/track/products/31

16:34:13 [wseltzer]

s/f CORS/DAP WG, re: CORS/

16:34:22 [dom]

Zakim, code?

16:34:22 [Zakim]

the conference code is 92794 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), dom

16:34:38 [Zakim]

+??P11

16:34:45 [ekr]

… services currently advertising in network via bonjour, etc.

16:34:46 [dom]

Zakim, ??P11 is me

16:34:46 [Zakim]

+dom; got it

16:35:37 [ekr]

… browser gets handle to devices in network

16:36:09 [richt]

NSD discussions on implementer lists: http://lists.w3.org/Archives/Public/public-device-apis/2013Sep/0029.html

16:36:14 [ekr]

… some reviews have already happend

16:36:29 [ekr]

… have added CORS support to API.

16:37:13 [ekr]

… also get user opt-in

16:37:52 [ekr]

… user opt-in is extremely important

16:38:27 [ekr]

… don't want to expose routers, etc.

16:38:33 [ekr]

… but we want to expose TVs, etc.

16:38:41 [ekr]

… this why CORS is relevant here.

16:38:55 [ekr]

… here to talk about some of the security concerns

16:39:13 [fjh]

q+ to mention whitelisting and URLs

16:39:18 [ekr]

… wanted to get this group's feedback

16:39:44 [ekr]

fjh: CORS opt-in is a quite reasonable response. why is it should but not must.

16:40:02 [ekr]

sorry, I assumed it was cause you were in queue. Who was that?

16:40:13 [hillbrad]

fjh: this is mike west speaking

16:40:14 [wseltzer]

zakim, who is speaking?

16:40:23 [ekr]

sorry, I am terrible at voices.

16:40:25 [Zakim]

wseltzer, listening for 11 seconds I heard sound from the following: gopal (29%), richt (18%)

16:40:44 [ekr]

richt: we have implementations outside the browser.

16:41:02 [wseltzer]

s/fjh: CORS/mkwst: CORS/

16:41:27 [ekr]

mkwst: these should be a requirement

16:41:44 [dom]

[the editors draft has " A user agent SHOULD only allow web pages to connect with Local-networked Services that have passed a preliminary CORS check indicating they support Cross-Origin Resource Sharing [CORS]"]

16:41:56 [fjh]

https://dvcs.w3.org/hg/dap/raw-file/default/discovery-api/Overview.html

16:42:14 [fjh]

https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html

16:42:23 [ekr]

richt: browser can blacklist device types

16:42:28 [ekr]

… and users could whitelist devices

16:42:52 [ekr]

mkwst: might be good to put that in this section

16:44:16 [ekr]

richt: you request a service type, you then broadcast a request and the device responds with a CORS header

16:50:48 [ekr]

[…] long colloquy about the strength of the mechanism for verifying CORS consent

16:51:00 [ekr]

to summarize, this is just a mechanism for discovery.

16:51:14 [ekr]

but any actual requests go through their own CORS checks

16:52:03 [ekr]

richt: you get a list of endpoint URLs. These will be local IP addresses.

16:52:04 [fjh]

q-

16:52:11 [fjh]

q+ to ask mike about action

16:52:21 [ekr]

… you don't want to expose local IPs to the Web.

16:52:24 [dom]

[more importantly, we want to filter what requests can be made on these end points]

16:53:44 [ekr]

ekr: webrtc already exposes the local IP address ranges

16:53:58 [ekr]

mkwst: chrome already obfuscates this

16:54:11 [ekr]

… you could have a different scheme

16:54:41 [ekr]

… the communication can contain the local IP addresses

16:55:04 [dom]

[one of the issue is that you want to follow links exposed by the local network services, e.g. link to an image or a video]

16:55:06 [ekr]

btw, you don't need a different scheme

16:55:56 [ekr]

just a different domain

16:56:11 [ekr]

richt: I am worried about whether this stuff is going to leak anyway

16:57:00 [ekr]

mkwst: this is intermediated by the user

16:57:47 [ekr]

richt: user has to consent to discover and then the user can filter the list back

16:57:54 [ekr]

… at the end the web page gets the filtered list

16:58:14 [ekr]

… main concerns are local IP and CORS

16:58:28 [ekr]

fjh: I might raise an issue about whitelisting along with cors.

16:58:33 [ekr]

mkwst: what actions do you have in mind

16:58:51 [ekr]

s/mkwst:/fjh:/

16:59:14 [ekr]

mkwst: I think this is OK now that we have discussed

17:00:08 [Zakim]

-glenn

17:00:26 [ekr]

dom: what are the next steps? how can the webappsec guys help?

17:00:28 [fjh]

q-

17:00:30 [hillbrad]

sorry folks, I gotta go - wseltzer can you close the channel, prep logs, etc, please?

17:00:54 [ekr]

mkwst: I think you have been working with security team too

17:00:59 [wseltzer]

hillbrad, sure

17:00:59 [ekr]

sorry, me too...

17:01:04 [hillbrad]

thanks all

17:01:06 [ekr]

bye

17:01:08 [fjh]

much thanks!

17:01:10 [Zakim]

-[Mozilla]

17:01:41 [wseltzer]

unmute me

17:01:47 [wseltzer]

s/unmute me//

17:01:49 [fjh]

feedback on the mail list would be very welcome or additional ideas

17:01:51 [wseltzer]

zakim, unmute me

17:01:51 [Zakim]

Wendy should no longer be muted

17:02:21 [Zakim]

-gopal

17:02:53 [Zakim]

-dveditz

17:02:55 [Zakim]

-dom

17:02:57 [Zakim]

-richt

17:02:58 [Zakim]

-fjh

17:02:59 [Zakim]

-BHill

17:03:05 [Zakim]

-mkwst

17:03:10 [Zakim]

-terri

17:03:15 [wseltzer]

wseltzer: Thanks to Rich and Frederick from DAP; we'll figure out where to continue the discussion.

17:03:18 [wseltzer]

[adjourned]

17:03:23 [wseltzer]

trackbot, end teleconf

17:03:23 [trackbot]

Zakim, list attendees

17:03:23 [Zakim]

As of this point the attendees have been mkwst, Wendy, BHill, richt, dveditz, terri, +1.781.369.aaaa, gopal, ekr, glenn, fjh, dom

17:03:31 [Zakim]

-Wendy

17:03:31 [trackbot]

RRSAgent, please draft minutes

17:03:31 [RRSAgent]

I have made the request to generate http://www.w3.org/2014/02/12-webappsec-minutes.html trackbot

17:03:32 [trackbot]

RRSAgent, bye

17:03:32 [RRSAgent]

I see no action items

17:03:32 [Zakim]

SEC_WASWG()11:00AM has ended

17:03:32 [Zakim]

Attendees were mkwst, Wendy, BHill, richt, dveditz, terri, +1.781.369.aaaa, gopal, ekr, glenn, fjh, dom

17:04:12 [RRSAgent]

RRSAgent has joined #webappsec

17:04:12 [RRSAgent]

logging to http://www.w3.org/2014/02/12-webappsec-irc

17:04:17 [wseltzer]

rrsagent, make logs public

17:04:32 [wseltzer]

rrsagent, make minutes

17:04:32 [RRSAgent]

I have made the request to generate http://www.w3.org/2014/02/12-webappsec-minutes.html wseltzer

17:04:57 [dom]

dom has left #webappsec

17:04:59 [fjh]

fjh has left #webappsec

17:05:09 [wseltzer]

Chair: bhill2, ekr

17:05:11 [wseltzer]

rrsagent, make minutes

17:05:11 [RRSAgent]

I have made the request to generate http://www.w3.org/2014/02/12-webappsec-minutes.html wseltzer

17:08:38 [hillbrad]

hillbrad has joined #webappsec

17:17:33 [hillbrad]

hillbrad has joined #webappsec

17:17:42 [hillbrad]

hillbrad has left #webappsec

17:25:26 [richt_]

richt_ has joined #webappsec

19:03:07 [glenn]

glenn has joined #webappsec

19:32:25 [Zakim]

Zakim has left #webappsec

19:33:52 [richt]

richt has joined #webappsec

20:13:06 [glenn_]

glenn_ has joined #webappsec

20:32:44 [mkwst]

mkwst has joined #webappsec

20:32:54 [timeless]

timeless has joined #webappsec

20:32:57 [glenn]

glenn has joined #webappsec

20:33:22 [tobie__]

tobie__ has joined #webappsec

20:37:35 [glenn]

glenn has joined #webappsec

20:39:03 [ekr]

ekr has joined #webappsec

21:22:17 [ekr]

ekr has joined #webappsec

21:53:13 [ekr]

ekr has joined #webappsec

22:01:33 [ekr]

ekr has joined #webappsec

22:18:45 [terri]

terri has joined #webappsec

22:33:18 [ekr]

ekr has joined #webappsec

22:51:08 [ekr]

ekr has joined #webappsec