12:59:06 RRSAgent has joined #svg
12:59:06 logging to http://www.w3.org/2014/06/05-svg-irc
12:59:08 RRSAgent, make logs public
12:59:08 Zakim has joined #svg
12:59:10 Zakim, this will be GA_SVGWG
12:59:10 ok, trackbot, I see GA_SVGWG()9:00AM already started
12:59:11 Meeting: SVG Working Group Teleconference
12:59:11 Date: 05 June 2014
12:59:36 +BHill
12:59:39 Zakim, who is on the call?
12:59:39 On the phone I see [IPcaller], BHill
12:59:53 +Rich_Schwerdtfeger
13:00:04 +[IPcaller.a]
13:00:10 zakim, [ipcaller] is me
13:00:10 +cabanier; got it
13:00:15 Zakim, [IP is me
13:00:15 +ed; got it
13:00:34 +terri
13:00:50 Agenda: http://lists.w3.org/Archives/Public/www-svg/2014Jun/0005.html
13:01:18 +??P20
13:01:39 Zakim, ??P20 is mkwst__.
13:01:39 +mkwst__; got it
13:01:43 +[IPcaller]
13:01:45 Zakim, [ is me
13:01:45 +heycam; got it
13:02:05 +??P24
13:02:09 +??P21
13:02:14 +krit
13:02:20 zakim, ??P24 is me
13:02:20 +stakagi; got it
13:02:33 zakim, ??P21 is me
13:02:33 +nikos_; got it
13:03:04 Zakim, pick a scribe
13:03:04 Not knowing who is chairing or who scribed recently, I propose mkwst__
13:03:53 +Doug_Schepers
13:03:58 Zakim, pick a scribe
13:03:58 Not knowing who is chairing or who scribed recently, I propose Rich_Schwerdtfeger
13:04:13 scribe: Rich
13:04:36 scribenick: richardschwerdtfeger
13:04:37 Topic: How SVG and CSP can play nicely together.
13:04:54 +Tav
13:05:29 mkwst: SVG poses an interesting set of questions
13:05:53 mkwst: generally speaking security policy is divided into a number of directives
13:06:53 mkwst: these directives control resource types where SVG falls into the cracks
13:07:02 mkwst: may be loaded as an image
13:07:17 mkwst: an SVG document can load other images
13:07:40 mkwst: if example.com loads an SVG image what should we do with the resources loaded with that image
13:08:05 ed: Do you want an answer now to your questions?
13:08:13 s/ed/krit/
13:08:20 mkwst: it would be awesome but I don’t expect them.
13:08:37 mkwst: Does the group have questions about common security policy?
13:08:58 mkwst: since you are having a meeting I thought I would crash it to start the discussion
13:09:20 krit: in the case of loading an image we don’t load any resources in SVG.
13:09:29 krit: an SVG image has its own content
13:10:01 q+
13:10:04 mkwst: so one additional publication. SVG has the ability to control inline style and script
13:10:07 s/ its own content/ its own context/
13:10:51 mkwst: if pushes .. down into an SVG document what are the implications?
13:10:58 mkwst: then there are IFrames
13:11:09 krit: IFrames are a different discussion
13:11:34 mkwst: Authors need to limit the SVG document
13:11:47 q+
13:11:53 mkwst: are there features that are not covered by the current set of directives.
13:12:12 shepazu: so there are a couple of things. Are you aware of the element
13:12:26 shepazu: use allows you to clone an element in line
13:13:02 shepazu: say you have a circle and a rectangle. define that once. Then you can use that element throughout the document in that it clones the element.
13:13:33 shepazu: SVG allows you to use an external resource
13:13:51 shepazu: people have called this a security issue
13:14:08 shepazu: The element being used could include script
13:14:31 shepazu: say I have a person icon in document 2
13:14:40 shepazu: the person icon could have script
13:15:02 shepazu: in any case the use element would allow you to use static images.
13:15:49 krit: For the use element within a document, there is no policy yet,
13:16:11 krit: We don’t define restrictions as of yet.
13:17:13 q+
13:17:13 mkwt: it looks like from the integration spec draft you can reference external documents. Can we shoehorn this into image.
13:17:36 s/mkwt/bhill/
13:17:41 krit: we should restrict with CSP
13:18:05 shepazu: we should be true to the same.
We might run into an exception but I don’t anticipate doing so
13:18:25 shepazu: what is the security issue with inline styles and is this applicable to any CSS or other CSS properties?
13:18:44 bhill: We would inject CSS that could infiltrate data about the web site
13:19:06 bhill: we could determine whether content was on the page and ping that to an external server
13:19:19 krit: for images we don’t allow any requests
13:19:28 s/bhill/mkwst
13:19:48 shepazu: this is about fetching external resources across domain
13:20:03 mkwst: fetches is a vehicle for exfiltration
13:20:24 mkwst: the way that a page is constructed is certainly useful to a hacker
13:20:50 krit: What is the pattern for using selectors to get …
13:21:24 mkwst: if you can inject HTML into the page you can use CSS to make it look like part of the page and direct you to another page. This would make phishing easier
13:21:57 krit: fill, stroke, are properties. So setting these on an SVG image is not a problem.
13:22:38 shepazu: we have things called presentation attributes. If I can say fill blue in CSS I can also say fill as an attribute (fill=“blue”) on the element. It roughly has the same effect.
13:23:18 shepazu: so, in that sense SVG does not need CSS to do inline styles. People would need to manipulate the DOM to provide these CSS attributes
13:23:35 shepazu: when they get to the point to change the DOM this is an issue
13:24:02 shepazu: you can use presentation attributes vs. presentation attributes. I don’t see this is an issue.
13:24:33 shepazu: I am saying that if the style element is disabled you could use presentation attributes vs. CSS properties
13:24:55 bhill: isn’t it hard to avoid injecting content?
13:25:19 bhill: the thing is you can use selective loading into the document to exfiltrate data out.
13:26:04 cam: you want to inject content into the style attribute of the element which is more like than injecting content in where you can make any changes you want
13:26:53 mkwst: you can use CSS to modify the look without content injection.
13:27:27 cam: a hacker can change the style on a given element using an external style sheet.
13:27:32 mkwst: yes
13:27:48 mkwst: you can inject a link element.
13:28:04 s/mkwst/bhill
13:28:09 krit: were you asking for the general use case of SVG or SVG as image?
13:28:21 cam: I want to know what that CSP keyword does.
13:29:00 krit: it is a complex topic. we have svg as a root document, and image, with an iframe. so we have a number of issues
13:29:14 krit: you can have an image tag in html content
13:29:25 krit: a lot of the content created with SVG uses inline style
13:30:02 krit: I don’t think that disabling style on SVG images is going to work
13:30:51 mdwst: what I would like to evaluate is the risk that SVG images create. They need to not have access to the content they are embedded in and cannot pull in resources.
13:31:00 s/mdwst/mkwst/
13:31:26 mkwst: we just need to verify that those 2 are always the case and if so I am not particularly worried
13:31:32 krit: that is the case
13:31:41 cam: we need to put this information in
13:32:15 s/in/in (into the SVG Integration spec)
13:32:29 mkwst: what are the capabilities of SVG when loaded into an iframe or an iframe of that same origin. A content security policy needs to be delivered in these cases
13:32:50 mkwst: a security policy must be in place to cover all the things SVG can do.
13:33:08 http://www.w3.org/TR/CSP/#directives
13:33:21 https://svgwg.org/specs/integration/
13:33:51 mkwst: the common security spec. mentions little about SVG as I know little about it
13:34:03 https://w3c.github.io/webappsec/specs/content-security-policy/#sec-directives <-- Editor's draft of CSP 1.1 is a more up-to-date resource.
13:34:11 krit: should there be a difference with id, object, or embed?
13:34:25 mkwst: I don’t know. What are the differences that are relevant?
13:34:26 s/id/iframe/
13:34:33 cam: we don’t know
13:34:52 cam: the difference with how the document is treated is some sizing.
13:35:51 mkwst: different directives will dictate will dictated by the resource
13:36:28 cam: gradient, use elements, we say the external document is loaded as a resource document. In the future we will say that these disable script
13:37:16 cam: should individual elements reference things or the whole effort we have a policy regarding loading resources
13:37:54 shepazu and chris: we think we should apply to the whole SVG spec. not individual elements
13:38:09 s/chris/krit
13:38:56 q+
13:39:10 krit: for resource documents we had the same policy as images
13:39:22 krit: some don’t support resources at all
13:39:39 cam: the resource document can’t load scripts or have external resources at all
13:40:04 shepazu: there are 2 different ways of style. One involves CSS and the other makes use of attributes
13:40:15 Zakim, help
13:40:15 Please refer to http://www.w3.org/2001/12/zakim-irc-bot for more detailed help.
13:40:18 Some of the commands I know are:
13:40:18 xxx is yyy - establish yyy as the name of unknown party xxx
13:40:18 if yyy is 'me' or 'I', your nick is substituted
13:40:18 xxx may be yyy - establish yyy as possibly the name of unknown party xxx
13:40:19 I am xxx - establish your nick as the name of unknown party xxx
13:40:19 xxx holds yyy [, zzz ...] - establish xxx as a group name and yyy, etc. as participants within that group
13:40:19 xxx also holds yyy - add yyy to the list of participants in group xxx
13:40:19 who's here? - lists the participants on the phone
13:40:20 who's muted? - lists the participants who are muted
13:40:20 mute xxx - mutes party xxx (like pressing 61#)
13:40:20 unmute xxx - reverses the effect of "mute" and of 61#
13:40:20 is xxx here?
- reports whether a party named like xxx is present
13:40:20 list conferences - reports the active conferences
13:40:21 this is xxx - associates this channel with conference xxx
13:40:21 excuse us - disconnects from the irc channel
13:40:21 I last learned something new on $Date: 2013-03-03 19:18:47 $
13:41:01 shepazu: unlike CSS which has selectors which can change an element. I don’t see how there can be a security issue with attribute based styling as they don’t have selectors.
13:42:06 shepazu: another nuance of the use element is that if I have 2 SVGs injected into an HTML document. SVG 1 can use a resource from SVG2. If I have an icon and I inject both SVGs into the page. I can use an icon from SVG2 into SVG1
13:42:28 shepazu: I don’t have to use the same origin. Those resources might have actual different origins
13:42:37 krit: so it is like one document
13:42:42 shepazu: yes
13:43:04 mkwt: We probably need an unsafe inline directive for an SVG inline into the page
13:43:10 krit: why image?
13:43:34 mkwt: the other option is that we control it via script given that SVG can control it via script.
13:43:55 shepazu: it is markup not script
13:44:50 cam: I think if your page allows inline SVG somehow the hacker brings in script the script could control the page
13:45:19 mkwt: the hacker could inject SVG where the author was not expecting
13:45:43 terri: a lot of people have broken content filters
13:46:04 cam: people are checking for HTML and are not really looking at SVG which can use script
13:46:29 mkwt: it is easy to inject say a pornographic image
13:46:41 shepazu: how much of this is security vs. defacement
13:47:18 mkwt: this is for protection against defacement as well as script injection. The overarching control is to put hands into the site author so that they are not surprised.
13:47:31 shepazu: I need to talk to you about annotation
13:48:09 shepazu: we certainly have focused on a number of issues around SVG
13:48:52 shepazu: I wrote the SVG integration spec. but I did so without a realistic view of security.
13:49:15 krit: we more or less address issues but have not made major changes for security
13:49:33 krit: please review the spec and identify issues.
13:49:53 shepazu: don’t take the spec. as reflective of our opinions or how browsers work currently
13:50:12 shepazu: Having you guys review SVG integration would help us in setting our goals
13:50:30 mkwst: that sounds reasonable. Going forward we should start conversations on the mailing list
13:50:53 ed: On the wiki we should list all the issues that are found. it is easy to get lost in the mail
13:51:19 shepazu: should we do this on the general W3C wiki?
13:51:51 Action: Doug start a page on the general W3C wiki on security
13:51:51 Created ACTION-3629 - Start a page on the general w3c wiki on security [on Doug Schepers - due 2014-06-12].
13:52:17 ed: most of the discussion should be on the mailing list
13:52:27 cam: it would be good to ask concrete questions
13:52:49 cam: if you have questions … does this CSP directive affect SVG?
13:53:33 mkwst: we are not on www-svg
13:53:54 shepazu: are we talking about this in the context of 1.1?
13:54:01 mkwst: 1.1
13:54:08 https://www.w3.org/wiki/SVG_Security
13:54:33 -BHill
13:54:50 Topic: Resolving the Face to Face Dates for London
13:54:53 -mkwst__
13:55:00 -terri
13:55:19 Thanks folks, looking forward to future cooperation. :)
13:55:28 cam: we talked about the dates for London. I will book that in the London office. We did resolve meeting just before graphical web.
13:55:42 Thanks, that was really interesting from a security perspective!
13:55:45 -Tav
13:55:54 http://www.w3.org/mid/538BBE1F.3040805@mcc.id.au
13:55:55 terri has left #svg
13:55:57 cam: given that graphical web is on a Wednesday.
13:56:14 -krit
13:56:16 cam: one was to make Th, Fr, Mo, Tues.
13:56:25 q+
13:56:26 +Tav
13:56:43 krit: I would prefer starting on Friday
13:56:48 +krit
13:56:57 shepazu: starting Friday and going Saturday and Sunday
13:57:02 s/krit/ed
13:57:24 cabanier: and krit: would prefer Friday either
13:57:27 cam: I am not sure everyone is going to the graphical web
13:58:38 cam: could do the action editing on Saturday
13:59:02 Zakim, who is on the call?
13:59:04 On the phone I see cabanier, Rich_Schwerdtfeger, ed, heycam, stakagi, nikos_, Doug_Schepers, Tav, krit
13:59:19 RRSAgent, make log public
13:59:43 shepazu: are you going to suggest places to stay or are we on our own?
13:59:48 cam: good question
13:59:57 cam: I can look into special rates
14:00:20 RESOLUTION: London Face to Face: Friday, Saturday, Sunday
14:00:26 glenn has joined #svg
14:01:00 q+
14:01:14 ed: Sydney face to face hosted by Google?
14:01:40 shepazu: webplatform.org is a documentation site
14:01:40 all: sounds good
14:01:59 ed: will tell Shane to go ahead with the planning
14:02:01 shepazu: we want the SVG documentation really good for this summer
14:02:26 RESOLUTION: Google hosts Syndy face to face jan/feb
14:02:49 s/Syndy/Sydney/
14:02:53 ACTION: ed to add a wikipage for Sydney F2F (early 2015) - hosted by google, co-located with csswg
14:02:53 Created ACTION-3630 - Add a wikipage for sydney f2f (early 2015) - hosted by google, co-located with csswg [on Erik Dahlström - due 2014-06-12].
14:03:15 shepazu: would anyone want to hang around for a documentation day after graphical web?
14:03:26 shepazu: this would be in London.
14:03:38 -heycam
14:03:40 shepazu: I will take some vacation time after graphical web.
14:04:14 I will update the group soon with the London F2F meeting details.
14:04:20 shepazu: I am not sure people involved with graphical web would be interested in documentation
14:04:39 ed: please update the wiki page for the London F2F
14:04:48 shepazu: will do
14:05:01 zakim, bye
14:05:01 leaving. As of this point the attendees were BHill, Rich_Schwerdtfeger, cabanier, ed, terri, mkwst__, [IPcaller], heycam, krit, stakagi, nikos_, Doug_Schepers, Tav
14:05:01 Zakim has left #svg
14:05:06 RRSAgent, make minutes
14:05:06 I have made the request to generate http://www.w3.org/2014/06/05-svg-minutes.html richardschwerdtfeger