IRC log of webappsec on 2014-02-26
Timestamps are in UTC.
- 16:03:13 [RRSAgent]
- RRSAgent has joined #webappsec
- 16:03:13 [RRSAgent]
- logging to http://www.w3.org/2014/02/26-webappsec-irc
- 16:03:20 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0128.html
- 16:03:33 [bhill2]
- Meeting: WebAppSec WG Teleconference 26-Feb-2014
- 16:03:37 [bhill2]
- Chairs: bhill2, ekr
- 16:03:40 [bhill2]
- Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0128.html
- 16:03:53 [bhill2]
- zakim, who is here?
- 16:03:53 [Zakim]
- sorry, bhill2, I don't know what conference this is
- 16:03:54 [Zakim]
- On IRC I see RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
- 16:03:58 [bhill2]
- zakim, this is 92794
- 16:03:58 [Zakim]
- ok, bhill2; that matches SEC_WASWG()11:00AM
- 16:04:00 [Zakim]
- +??P22
- 16:04:03 [bhill2]
- zakim, who is here?
- 16:04:03 [Zakim]
- On the phone I see +49.162.102.aaaa, terri, BHill, +1.315.849.aabb, [Mozilla], [GVoice], ??P22
- 16:04:06 [Zakim]
- On IRC I see RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
- 16:04:11 [mkwst]
- zakim, who is talking?
- 16:04:18 [gmaone]
- Zakim, ??P22 is gmaone
- 16:04:18 [Zakim]
- +gmaone; got it
- 16:04:22 [ekr]
- ekr has joined #webappsec
- 16:04:23 [Zakim]
- mkwst, listening for 10 seconds I heard sound from the following: BHill (39%)
- 16:04:40 [bhill2]
- zakim, [Mozilla] has grobinson
- 16:04:40 [Zakim]
- +grobinson; got it
- 16:04:49 [Zakim]
- +glenn
- 16:05:06 [wuwei_]
- wuwei_ has joined #webappsec
- 16:05:15 [mkwst]
- zakim, aaaa is mkwst.
- 16:05:16 [Zakim]
- +mkwst; got it
- 16:05:52 [PeteF]
- +1.315.849.aabb is Pete Freitag... just listening in
- 16:06:15 [bhill2]
- zakim, who is here?
- 16:06:15 [Zakim]
- On the phone I see mkwst, terri, BHill, +1.315.849.aabb, [Mozilla], [GVoice], gmaone, glenn
- 16:06:17 [Zakim]
- [Mozilla] has grobinson
- 16:06:17 [Zakim]
- On IRC I see wuwei_, ekr, RRSAgent, Zakim, bhill2, terri, gmaone, PeteF, glenn, anssik, timeless, mkwst, tobie__, wseltzer, trackbot
- 16:06:22 [grobinson]
- grobinson has joined #webappsec
- 16:06:49 [ekr]
- [Mozilla] has ekr
- 16:06:56 [bhill2]
- zakim, [mozilla] has ekr
- 16:06:56 [Zakim]
- +ekr; got it
- 16:06:58 [gmaone]
- zakim, +1.315.849.aabb is PeteF
- 16:06:58 [Zakim]
- +PeteF; got it
- 16:07:51 [bhill2]
- Scribe: Mike West
- 16:07:58 [bhill2]
- Scribenick: mkwst
- 16:08:09 [bhill2]
- TOPIC: Minutes approval
- 16:08:15 [bhill2]
- http://www.w3.org/2014/02/12-webappsec-minutes.html
- 16:08:17 [Zakim]
- + +1.831.246.aacc
- 16:08:22 [mkwst]
- bhill: Objections to last time's minutes?
- 16:08:32 [mkwst]
- bhill: Approved!
- 16:08:40 [bhill2]
- zakim, aacc is dveditz
- 16:08:40 [Zakim]
- +dveditz; got it
- 16:08:48 [bhill2]
- TOPIC: Agenda Bashing
- 16:09:18 [mkwst]
- bhill: How do we get subint to FPWD?
- 16:09:40 [mkwst]
- dveditz: Is redirection part of the leakage discussion?
- 16:09:44 [mkwst]
- mkwst: yes.
- 16:09:54 [bhill2]
- TOPIC: Open Actions Review
- 16:10:00 [bhill2]
- https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
- 16:11:07 [mkwst]
- bhill: Blobs, dveditz?
- 16:11:23 [mkwst]
- mkwst: Current language is that blobs need to be whitelisted explicitly as 'blob:'.
- 16:11:30 [mkwst]
- dveditz: Should be ok.
- 16:11:38 [Zakim]
- +??P18
- 16:11:45 [mkwst]
- dveditz: One thing.
- 16:12:13 [mkwst]
- dveditz: 'data:' should not match '*'.
- 16:12:32 [mkwst]
- dveditz: 'blob:' too. They should be treated as 'unsafe-inline'.
- 16:12:53 [freddyb_]
- freddyb_ has joined #webappsec
- 16:13:13 [mkwst]
- mkwst: Propose some text?
- 16:13:21 [mkwst]
- dveditz: Sure, where?
- 16:13:33 [mkwst]
- mkwst: In the matching algorithm section. Could add a note anywhere, though.
- 16:13:42 [mkwst]
- dveditz: Intent is to include blob and data.
- 16:14:17 [mkwst]
- mkwst: will find some language for you.
- 16:14:44 [bhill2]
- TOPIC: Call for consensus on UI Security LCWD
- 16:14:45 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0092.html
- 16:15:07 [mkwst]
- bhill: CfC for UI Security to LCWD last week.
- 16:15:14 [mkwst]
- bhill: Moved frame-options out into mainline CSP 1.1
- 16:15:31 [mkwst]
- bhill: Push previous spec with that bit removed.
- 16:15:37 [mkwst]
- bhill: No objections to CfC.
- 16:16:10 [mkwst]
- bhill: Motion to move UI Security to LCWD?
- 16:16:32 [mkwst]
- ekr: So moved.
- 16:16:38 [gmaone]
- second
- 16:16:46 [mkwst]
- gmaone: seconded.
- 16:17:06 [mkwst]
- bhill: Objection to unanimous consent?
- 16:17:17 [mkwst]
- bhill: None heard. LCWD!
- 16:17:32 [bhill2]
- RESOLVED: UI Security to be advanced to Last Call Working Draft
- 16:17:51 [bhill2]
- TOPIC: Paths, Redirects and information leakage in CSP
- 16:17:52 [bhill2]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0127.html
- 16:18:38 [mkwst]
- bhill: Proposals from Mike, Michal, etc.
- 16:18:44 [mkwst]
- bhill: summarize?
- 16:19:09 [mkwst]
- dveditz: Summary is that we're screwed. Need to either lose functionality, or live with a bad feature.
- 16:21:18 [glenn]
- zakim, who's noisy?
- 16:21:28 [bhill2]
- option 1: (Egor's proposal) only enforce policy on initial fetch, not on subsequent redirects
- 16:21:30 [Zakim]
- glenn, listening for 11 seconds I heard sound from the following: mkwst (41%)
- 16:22:13 [mkwst]
- mkwst: Summary.
- 16:23:04 [mkwst]
- mkwst: Two options: 1. Allow redirects for source expressions with paths. This would avoid the biggest problem (reading paths cross-origin via brute force).
- 16:23:14 [bhill2]
- option 1 engenders some concern due to widespread presence of open redirectors on many domains
- 16:24:06 [mkwst]
- mkwst: 2. drop reporting, drop the DOM event, pretend that a resource failed to load just as if a network error occurred.
- 16:24:19 [bhill2]
- option 1 also doesn't really solve the problem, it just rate-limits or makes the attacker use tactics like using a frame-per path tested
- 16:25:11 [mkwst]
- dveditz: Reporting isn't the problem. Can tell from the page whether or not the resource loaded.
- 16:27:24 [mkwst]
- mkwst: 'script-src example.com/js'. would allow example.com/js/redirect -> evil.com
- 16:27:33 [bhill2]
- option 3: fallback to checking only at domain granularity on redirects
- 16:27:35 [mkwst]
- dveditz: why wouldn't we fall back to domain level granularity?
- 16:28:30 [mkwst]
- mkwst: Complexity. Seems reasonable to have distinct behavior for paths/no-paths.
- 16:31:18 [mkwst]
- bhill: <individual> Option #1 probably isn't so bad.
- 16:31:26 [mkwst]
- bhill: Part of the trust decision for an origin.
- 16:31:38 [mkwst]
- bhill: less likely that there's redirects past a whitelisted path
- 16:31:41 [bhill2]
- I think that option 1 is the best... <hat = individual>
- 16:31:43 [mkwst]
- bhill: not that complicated.
- 16:31:59 [bhill2]
- simple to implement, explain, trust decision is obvious (including implication of possibility of redirects)
- 16:32:03 [mkwst]
- dveditz: Require paths to be a full match for a path segment?
- 16:32:24 [bhill2]
- and trust / risk of including a redirector can be reduced by specifying a path instead of a full host
- 16:34:12 [mkwst]
- dveditz: Suggested that we not report redirects, report more information about the URL in the document.
- 16:34:23 [mkwst]
- dveditz: Want to drop that suggestion.
- 16:35:48 [mkwst]
- dveditz: Shouldn't report URL for same-origin redirects.
- 16:36:50 [mkwst]
- dveditz: No. I'm saying don't change the stripping aspect of the spec.
- 16:38:09 [mkwst]
- dveditz: One more question: has the reporting turned out to be useful for real-world use cases?
- 16:38:23 [mkwst]
- dveditz: Twitter?
- 16:38:57 [glenn]
- q+
- 16:39:23 [mkwst]
- bhill: Folks I've talked to find reporting useful.
- 16:39:48 [mkwst]
- bhill: Report-only is useful. Anomaly detection, etc.
- 16:40:03 [mkwst]
- bhill: Thought-leader with regard to reporting in the security space.
- 16:40:24 [bhill2]
- TOPIC: Extension note text in CSP
- 16:40:27 [mkwst]
- dveditz: Reporting isn't always awesome.
- 16:40:42 [mkwst]
- ekr: Might not be a Mozilla consensus.
- 16:41:03 [bhill2]
- ack glenn
- 16:41:08 [mkwst]
- glenn: Worked with a spec that's making reporting optional, except when report-only is used. Might be reasonable to look at.
- 16:41:34 [mkwst]
- glenn: Not yet public.
- 16:41:49 [mkwst]
- bhill: Reporting does have users. Would make folks unhappy to lose it.
- 16:42:00 [bhill2]
- looks like approaching something like:
- 16:42:14 [mkwst]
- bhill: Extension note discussion.
- 16:42:26 [mkwst]
- glenn: New information, reopening for discussion?
- 16:42:48 [mkwst]
- bhill: Groundswell of interest. Folks expressing concern at the resolution of the objection.
- 16:42:59 [bhill2]
- "User agents may allow users to modify or bypass CSP enforcement, through user preferences and/or third-party additions to the user-agent" so that we're not tied to specifically bookmarklets and extensions.
- 16:43:16 [gopal]
- gopal has joined #webappsec
- 16:43:22 [bhill2]
- or rather "User agents may allow users to modify or bypass CSP enforcement, through user preferences and/or third-party additions to the user-agent."
- 16:43:38 [mkwst]
- glenn: Trying to be accommodating of new suggestions. Last suggestion seems close to something we could accept.
- 16:43:56 [mkwst]
- dveditz: Normative or non-normative.
- 16:44:15 [gmaone]
- What about "User agents should not prevent users from modifying or bypassing etc..."?
- 16:44:18 [mkwst]
- dveditz: Suggestions for UA should not be normative.
- 16:44:22 [glenn]
- q+
- 16:44:22 [mkwst]
- (or Should? :) )
- 16:44:38 [mkwst]
- grobinson: Third-party additions?
- 16:44:59 [mkwst]
- grobinson: Don't want to tacitly accept malware.
- 16:45:07 [mkwst]
- grobinson: "User-instigated third-party additions"?
- 16:45:18 [mkwst]
- bhill: Wide leeway, non-normative.
- 16:45:29 [mkwst]
- bhill: Chrome doesn't allow side-loaded extensions, for example.
- 16:45:49 [mkwst]
- bhill: Don't want to ask for special treatment in that sideloading sense.
- 16:46:36 [mkwst]
- bhill: Can the editors add that language to the spec? Seems satisfactory to everyone in the community who has expressed interest and concern.
- 16:46:41 [mkwst]
- glenn: Ok with this.
- 16:46:54 [mkwst]
- glenn: Neglected to remove a related piece of language in 3.2.5.17.
- 16:47:02 [mkwst]
- glenn: "ignore this step" bookmarklets.
- 16:47:07 [mkwst]
- glenn: Should be removed as well.
- 16:48:01 [mkwst]
- glenn: Falls into the category of "user preferences" or "third-party additions".
- 16:48:25 [mkwst]
- glenn: But tied to the earlier language. Haven't looked at the editing history, but seem closely related.
- 16:48:31 [mkwst]
- glenn: Suggesting that this one should be removed as well.
- 16:48:38 [bhill2]
- "User agents may allow users to modify or bypass CSP enforcement, through user preferences, bookmarklets, and/or third-party additions to the user-agent"
- 16:48:39 [mkwst]
- glenn: New language covers both.
- 16:49:05 [mkwst]
- mkwst: fine with that.
- 16:51:22 [mkwst]
- ekr: I don't care. SHOULD vs MAY vs SHOULD NOT. Not useful.
- 16:51:29 [mkwst]
- bhill: This text seems reasonable. Let's do it.
- 16:51:41 [mkwst]
- bhill: Reflects the consensus. May choose to do this, but not required to.
- 16:52:04 [mkwst]
- bhill: Not going to satisfy everyone, but we can live with it. Should close it and move on.
- 16:52:13 [mkwst]
- wseltzer: Won't be surprised if we see more argument next week.
- 16:52:21 [terri]
- that was me, actually
- 16:52:26 [mkwst]
- bhill: Not everyone's ever going to be happy about anything.
- 16:52:41 [terri]
- (not wseltzer, who I haven't heard today)
- 16:52:45 [mkwst]
- (Sorry, Terri! Bad with voices...)
- 16:52:57 [bhill2]
- ACTION: mkwst to remove 3.2.5.17
- 16:52:57 [mkwst]
- bhill: Should remove the 3.2.5.17 text as well.
- 16:52:57 [trackbot]
- Error finding 'mkwst'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
- 16:53:15 [mkwst]
- (bhill: I'm mwest2)
- 16:53:26 [mkwst]
- glenn: Should we update CSP 1.0 as well?
- 16:53:39 [mkwst]
- glenn: We can edit CR before PR, yes?
- 16:54:14 [mkwst]
- bhill: New topic. We have so far declared that we've got consensus on CSP 1.0, moved on. If we want to reopen that, take a poll on the list.
- 16:54:29 [mkwst]
- bhill: Discussion has been in regards to 1.1. Let's bring it up on the list.
- 16:54:55 [mkwst]
- glenn: Fine with that. Just want to point out, Cox will comment at the PR timeframe.
- 16:55:12 [mkwst]
- bhill: Lightning round!
- 16:55:43 [mkwst]
- bhill: Outstanding issues with regard to <meta>, terri?
- 16:55:57 [mkwst]
- terri: If the answer is "nobody knows", that's an answer. We can discuss later.
- 16:56:22 [mkwst]
- dveditz: We had policy-uri. Folks outside Mozilla hated it because of latency, and it was in an HTTP header anyway.
- 16:56:45 [mkwst]
- terri: Brainstormed other ideas?
- 16:56:59 [mkwst]
- terri: Link to discussion?
- 16:57:10 [mkwst]
- dveditz: Before the WG.
- 16:57:19 [mkwst]
- grobinson: policy-uri being removed from Firefox. Latency.
- 16:57:35 [mkwst]
- bhill: search the list (sorry there's no pointer). There was discussion when opening 1.1.
- 16:57:48 [mkwst]
- bhill: Application use cases were described.
- 16:58:48 [mkwst]
- terri: I think I was around for that.
- 16:58:54 [mkwst]
- bhill: Next call in two weeks!
- 16:59:08 [mkwst]
- bhill: IETF meeting! Exciting! Security and privacy next week in London!
- 16:59:13 [freddyb_]
- minor note about process: is it possible to send the notes (or a link to them) to the public-webappsec list?
- 16:59:15 [mkwst]
- bhill: Participate remotely!
- 16:59:26 [Zakim]
- -glenn
- 16:59:27 [Zakim]
- -dveditz
- 16:59:32 [freddyb_]
- fwiw, I found them hard to google :-) maybe it's just me though
- 16:59:35 [Zakim]
- -[Mozilla]
- 16:59:35 [bhill2]
- zakim, list attendees
- 16:59:36 [Zakim]
- As of this point the attendees have been +49.162.102.aaaa, terri, BHill, [GVoice], gmaone, grobinson, glenn, mkwst, ekr, PeteF, +1.831.246.aacc, dveditz
- 16:59:41 [freddyb_]
- but it would make the outcome of the call more transparent too
- 16:59:42 [bhill2]
- rrsagent, make minutes
- 16:59:42 [RRSAgent]
- I have made the request to generate http://www.w3.org/2014/02/26-webappsec-minutes.html bhill2
- 16:59:46 [freddyb_]
- thanks bhill2
- 16:59:47 [Zakim]
- -gmaone
- 16:59:49 [bhill2]
- rrsagent, set logs public-visisible
- 16:59:59 [Zakim]
- -??P18
- 17:00:02 [bhill2]
- rrsagent, set logs public-visible
- 17:00:05 [Zakim]
- -[GVoice]
- 17:00:06 [Zakim]
- -mkwst
- 17:00:14 [Zakim]
- -PeteF
- 17:00:17 [Zakim]
- -BHill
- 17:00:24 [Zakim]
- -terri
- 17:00:25 [Zakim]
- SEC_WASWG()11:00AM has ended
- 17:00:25 [Zakim]
- Attendees were +49.162.102.aaaa, terri, BHill, [GVoice], gmaone, grobinson, glenn, mkwst, ekr, PeteF, +1.831.246.aacc, dveditz
- 17:40:56 [ekr]
- ekr has joined #webappsec
- 18:19:36 [terri]
- terri has joined #webappsec
- 18:22:15 [ekr]
- ekr has joined #webappsec
- 18:27:50 [gmaone]
- gmaone has joined #webappsec
- 18:32:22 [glenn]
- glenn has joined #webappsec
- 19:04:25 [ekr]
- ekr has joined #webappsec
- 19:27:36 [Zakim]
- Zakim has left #webappsec
- 19:32:48 [ekr]
- ekr has joined #webappsec
- 20:12:06 [ekr]
- ekr has joined #webappsec
- 20:33:38 [glenn]
- glenn has joined #webappsec
- 20:54:40 [glenn]
- glenn has joined #webappsec