19:58:57 RRSAgent has joined #webappsec
19:58:57 logging to http://www.w3.org/2014/12/15-webappsec-irc
19:58:59 RRSAgent, make logs world
19:58:59 Zakim has joined #webappsec
19:59:01 Zakim, this will be WASWG
19:59:01 ok, trackbot, I see SEC_WASWG()3:00PM already started
19:59:02 Meeting: Web Application Security Working Group Teleconference
19:59:02 Date: 15 December 2014
19:59:20 zakim, who is here?
19:59:20 On the phone I see mkwst, +1.206.753.aaaa, +1.418.907.aabb
19:59:21 jww has joined #webappsec
19:59:22 On IRC I see RRSAgent, francois, bhill2__, bfrantz, terri, tobie, timeless, Josh_Soref, mkwst, edulix, schuki, renoirb, freddyb, wseltzer, trackbot
19:59:27 zakim aaaa is bhill2
19:59:44 zakim, who is making noise?
19:59:55 bhill2__, listening for 10 seconds I heard sound from the following: mkwst (32%)
19:59:55 zakim aabb is francois
19:59:57 +Wendy
20:00:03 gmaone has joined #webappsec
20:00:14 + +1.415.736.aacc
20:00:27 + +1.503.712.aadd
20:00:34 Zakim, aadd is me
20:00:34 +terri; got it
20:00:36 Zakim aacc is jww
20:00:43 +??P6
20:00:52 Zakim, ??P6 is me
20:00:53 +gmaone; got it
20:01:15 zakim, who is here?
20:01:15 On the phone I see mkwst, +1.206.753.aaaa, +1.418.907.aabb, Wendy, +1.415.736.aacc, terri, gmaone
20:01:18 On IRC I see gmaone, jww, Zakim, RRSAgent, francois, bhill2__, bfrantz, terri, tobie, timeless, Josh_Soref, mkwst, edulix, schuki, renoirb, freddyb, wseltzer, trackbot
20:01:22 zakim, aaaa is bhill2
20:01:22 +bhill2; got it
20:01:33 zakim, aacc is jww
20:01:33 +jww; got it
20:01:39 zakim, aabb is francois
20:01:39 +francois; got it
20:01:57 zakim insists on correct punctuation
20:02:17 +[Mozilla]
20:02:49 ckerschb has joined #webappsec
20:02:55 zakim, Mozilla has dveditz and ckerschb
20:02:55 +dveditz, ckerschb; got it
20:03:22 zakim, who is here/
20:03:22 I don't understand 'who is here/', bhill2__
20:03:27 zakim, who is here?
20:03:27 On the phone I see mkwst, bhill2, francois, Wendy, jww, terri, gmaone, [Mozilla]
20:03:30 [Mozilla] has dveditz, ckerschb
20:03:30 On IRC I see ckerschb, gmaone, jww, Zakim, RRSAgent, francois, bhill2__, bfrantz, terri, tobie, timeless, Josh_Soref, mkwst, edulix, schuki, renoirb, freddyb, wseltzer, trackbot
20:03:56 scribe volunteer?
20:04:05 +[Microsoft]
20:04:38 Meeting: WebAppSec Teleconference 15-Dec-2014
20:04:43 Chairs, Bhill2, Dveditz
20:04:49 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0059.html
20:04:57 Scribenick: bhill2_
20:05:30 DWalp has joined #webappsec
20:05:46 TOPIC: Minutes Approval
20:05:50 dveditz has joined #webappsec
20:05:53 http://www.w3.org/2014/11/17-webappsec-minutes.html
20:06:01 Zakim, who is here?
20:06:01 On the phone I see mkwst, bhill2, francois, Wendy, jww, terri, gmaone, [Mozilla], [Microsoft]
20:06:03 [Mozilla] has dveditz, ckerschb
20:06:03 On IRC I see dveditz, DWalp, ckerschb, gmaone, jww, Zakim, RRSAgent, francois, bhill2__, bfrantz, terri, tobie, timeless, Josh_Soref, mkwst, edulix, schuki, renoirb, freddyb,
20:06:03 ... wseltzer, trackbot
20:06:18 No objection to unanimous approval of prior minutes.
20:06:30 TOPIC: Mixed Content ends Last Call
20:06:37 http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0056.html
20:08:18 +1
20:08:32 q+
20:08:44 + +1.310.597.aaee
20:08:54 - +1.310.597.aaee
20:09:08 whoever just joined from aaee can you please mute?
20:09:38 bhill: any interest from others in adding a strict mode for subresources to mixed content?
20:09:42 [publishing moratorium: 19 December through 5 January 2015 ]
20:09:44 ... twitter and facebook would like this
20:09:56 mkwst: we have time given publication break to work on this, so no objections
20:10:26 dwalp: we have folks on vacation, can we respond first week of 2015
20:10:29 ack wseltzer
20:10:45 wseltzer: W3C publication break is 19-Dec to 5-Jan
20:10:56 ... and +1 to the fature
20:11:00 s/fature/feature
20:11:19 mkwst: work trying to hammer this out, many people are out of office, target mid-January for a CR seems reasonable
20:12:01 wseltzer: where are we in process transition?
20:12:48 + +1.310.597.aaff
20:12:56 tanvi has joined #webappsec
20:13:41 bhill: on lists we seemed to agree on continuing to have an informal LC process, but it isn't part of W3C formal steps anymore regardless
20:14:02 TOPIC: FPWD of Requirements for Powerful Features
20:14:09 http://www.w3.org/TR/powerful-features/
20:14:47 + +1.415.857.aagg
20:14:48 bhill2__: this is a new spec we're taking on, but pretty much all the features were formerly in MIX
20:15:16 bhill2__: new working draft triggers a new call for exclusions (see group calendar on our homepage)
20:15:29 TOPIC: Proposed new Charter
20:15:35 https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html
20:15:51 ... we've had a new charter up for review for a few weeks now
20:17:50 q+
20:18:07 bhill: feedback from lawyers at Facebook that this was not a bad thing but was outside the narrow IPR scope of this group so far
20:18:23 ack wseltzer
20:18:49 bhill: proposed a compromise to accept it, but keep it tightly scoped to JS API only
20:19:21 dveditz: ambivalent, agree it is useful but somewhat outside our group's current scope, happy to accept it with proposed changes
20:19:57 dveditz: hearing no objections...
20:20:01 dev: seems like a very long list
20:20:18 dveditz: some of those pieces were broken out of or sprung from existing specs
20:20:37 mkwst: this takes us through July 2016, it is long, but we have time and new people coming in to do this
20:21:02 ... not a bad thing to bring in new things with people to do them
20:22:15 bhill: yes, part of earlier consideration was that there are editors to own this new work
20:22:26 dveditz: some of the dates for new work are fictional
20:22:31 mkwst: have we hit any dates ever?
20:23:11 bhill: I pulled those dates out of a hat, if we don't try to hit a date, we'll never make progress
20:23:35 q+ to encourage people to ask their AC reps to review this charter when it goes for review
20:24:44 dveditz: there are some with schedule risk because they are not well defined or have sample implementations yet
20:25:17 wseltzer: next steps are taking this to W3C management which should go quickly, then polling AC reps to indicate support
20:26:14 q-
20:26:16 ... and commit resources, this will help us gauge interest
20:26:36 action: wseltzer to take charter to w3m for review
20:26:36 Created ACTION-208 - Take charter to w3m for review [on Wendy Seltzer - due 2014-12-22].
20:27:14 jww moves to adopt the draft charter
20:27:17 dev seconds
20:27:56 dveditz: with no objections, WG unanimously decides to send the charter for w3c management approval
20:28:39 TOPIC: [POWER] New vs Legacy functionality (Re: "Requirements for Powerful Features" strawman.)
20:28:49 http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0028.html
20:29:51 terri: have we talked to the Web of Things CG about this?
20:30:07 - +1.415.857.aagg
20:31:06 mkwst: we have generally punted IoT concerns out of this group
20:31:59 bhill: Geolocation group is doing this themselves, we're not driving it
20:32:12 mkwst: not actually clear that they're doing that - there is a thread, but it is unresolved
20:32:41 + +1.415.426.aahh
20:32:48 dveditz: some concerns at mozilla if it is mandating or using as examples features that have had their own intense debates about this
20:33:19 ... to the extent that those groups have made their own decisions, they don't want us to reverse them
20:33:31 mkwst: we are trying to lay out a framework for deciding what a powerful feature is
20:33:50 ... personally I feel some groups have made some poor decisions about this
20:34:14 ... I don't believe that this spec is mandating that specific features be restricted to HTTPS, but that a category be restricted
20:34:27 ... we can have healthy debate whether a feature falls into that category or not
20:35:33 bhill: there is also a split in responsibility here between WebAppSec and TAG
20:36:09 mkwst: we are defining the contours here of what is powerful, would be sad if we didn't try to outline when we think the algorithm should be applied
20:37:41 mkwst: a good place to focus discussion is on section 3: "Is feature powerful?"
20:38:37 TOPIC: [REFERRER][CSP] Improving the Web Platform's Referrer Policy
20:41:16 mkwst: there is still ongoing discussion, and we should put together a new draft in January / February that includes some of these ideas, like subresource vs. navigation policies
20:41:31 ... this is going to take some time, still some big topics to discuss and decisions to make
20:42:29 TOPIC: [SRI] Towards a LCWD in January...
20:43:55 http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0045.html
20:44:14 bhill: wanted noncanonical-src but ok with a shim
20:44:23 dev: yes, as version 1, but may still be good in future version
20:44:29 jww: +1, freddyb is also +1
20:44:38 also +1 from me
20:45:24 dev: javascript reporting is painful and not as useful as CSP-style implementation
20:46:02 bhill: important for an experiment like this to get data from operators and not just implementers
20:46:52 dveditz: like the idea of a unified w3c reporting uri spec
20:47:16 ... from a website's perspective, if you are listening and start getting new reports you weren't expecting, that is bad
20:50:00 bhill: nice for supporting policy evolution to associate each policy with its own endpoint
20:50:18 dev: but would be great to filter reports in JS
20:51:17 mkwst: error reporting in the DOM is shipping already
20:51:56 bhill: do we expose SRI errors in the DOM?
20:52:06 dev: shouldn't be a blocker for v1
20:52:22 dveditz: most resources support onError and onLoad events
20:52:49 mkwst: we did some work in order to avoid information disclosure for hash-guessing
20:53:52 bhill: retaining room for spec authors and UA implementers to manage information flow here is good defense against malicious resource authors
20:55:00 TOPIC: HTTP/HTTPS for SRI (stolen from a smart thread on chromium security-dev)
20:55:06 https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/hJwYZOOPaH4
20:55:20 jww: some disagreement on whether this is for 3rd-party integrity or integrity without confidentiality
20:55:37 ... and sub-camps, given one of those threat models, do you care if it's over http or not
20:56:00 ... would like to hear from application developers on this
20:57:12 bhill: set of customers who want to use this but have parent resource insecure is small, perhaps null
20:57:48 TOPIC: Clarifying how CSP sandboxing applies to Workers, ServiceWorkers
20:59:48 mkwst: seems a reasonable interpretation
21:00:02 ... hope we can have non-same-origin workers in future and language also makes sense there
21:01:27 -bhill2
21:01:28 - +1.415.426.aahh
21:01:31 -[Microsoft]
21:01:32 -Wendy
21:01:34 -jww
21:01:36 -mkwst
21:01:37 - +1.310.597.aaff
21:01:37 -[Mozilla]
21:01:38 -francois
21:01:39 -gmaone
21:01:42 -terri
21:01:44 SEC_WASWG()3:00PM has ended
21:01:44 Attendees were mkwst, +1.206.753.aaaa, +1.418.907.aabb, Wendy, +1.415.736.aacc, +1.503.712.aadd, terri, gmaone, bhill2, jww, francois, dveditz, ckerschb, [Microsoft],
21:01:44 ... +1.310.597.aaee, +1.310.597.aaff, +1.415.857.aagg, +1.415.426.aahh
21:01:57 rrsagent, make minutes
21:01:57 I have made the request to generate http://www.w3.org/2014/12/15-webappsec-minutes.html wseltzer
21:02:13 rrsagent, make logs public
21:02:34 Chair: bhill2, dveditz
21:02:44 rrsagent, make minutes
21:02:44 I have made the request to generate http://www.w3.org/2014/12/15-webappsec-minutes.html wseltzer
21:02:55 thanks wseltzer,
21:03:09 was just looking that up
21:03:10 bhill2 has joined #webappsec
21:48:37 dveditz has joined #webappsec
23:19:53 dveditz has joined #webappsec
23:51:48 dveditz has joined #webappsec
23:58:36 dveditz has joined #webappsec