IRC log of webappsec on 2015-10-29

Timestamps are in UTC.

23:40:19 [RRSAgent]
RRSAgent has joined #webappsec
23:40:19 [RRSAgent]
logging to http://www.w3.org/2015/10/29-webappsec-irc
23:40:21 [trackbot]
RRSAgent, make logs world
23:40:21 [Zakim]
Zakim has joined #webappsec
23:40:23 [trackbot]
Zakim, this will be WASWG
23:40:23 [Zakim]
I do not see a conference matching that name scheduled within the next hour, trackbot
23:40:24 [trackbot]
Meeting: Web Application Security Working Group Teleconference
23:40:24 [trackbot]
Date: 29 October 2015
23:40:27 [wseltzer]
rrsagent, this meeing spans midnight
23:40:27 [RRSAgent]
I'm logging. I don't understand 'this meeing spans midnight', wseltzer. Try /msg RRSAgent help
23:40:36 [wseltzer]
rrsagent, this meeting spans midnight
23:46:44 [wonsuk]
wonsuk has joined #webappsec
23:53:51 [jungkees]
jungkees has joined #webappsec
00:06:24 [rbarnes]
rbarnes has joined #webappsec
00:08:46 [francois]
francois has joined #webappsec
01:05:14 [wonsuk]
wonsuk has joined #webappsec
01:09:31 [rbarnes]
rbarnes has joined #webappsec
01:18:55 [bhill2]
bhill2 has joined #webappsec
01:21:07 [yoav]
yoav has joined #webappsec
01:30:22 [mnot]
mnot has joined #webappsec
01:33:11 [bhill2]
bhill2 has joined #webappsec
01:35:02 [kiyoung]
kiyoung has joined #webappsec
01:35:11 [barryleiba]
barryleiba has joined #webappsec
01:35:13 [Yoshi]
Yoshi has joined #webappsec
01:35:56 [rbarnes]
rbarnes has joined #webappsec
01:36:44 [yoav]
yoav has joined #webappsec
01:39:04 [bhill2]
present+ bhill2
01:39:08 [francois]
present+ francois
01:39:09 [barryleiba]
present+ BarryLeiba
01:39:13 [dveditz]
present+ dveditz
01:39:32 [wseltzer]
present+ wseltzer
01:39:40 [Melinda]
Melinda has joined #webappsec
01:39:42 [Mek]
present+ mek
01:40:35 [Melinda]
present+ Melinda
01:42:08 [bhill2]
scribe: bhill2
01:42:32 [bhill2]
deian: SOP/CSP/CORS are discretionary access control
01:43:01 [wseltzer]
[Deian will share slides after]
01:44:01 [bhill2]
... mashup use cases and data sharing cases are difficult with DAC
01:44:50 [bhill2]
... libraries are over-permissioned, credentials are over-delegated and there are mashup scenarios we can't easily build between mutually distrusting services
01:47:31 [wonsuk]
wonsuk has joined #webappsec
01:48:27 [hwlee]
hwlee has joined #webappsec
01:50:14 [jgraham]
jgraham has joined #webappsec
01:53:44 [JeffH]
JeffH has joined #webappsec
01:56:52 [annevk]
annevk has joined #webappsec
01:57:19 [annevk]
(window.location.origin should be document.origin)
02:00:55 [bhill2]
dveditz: what stops a context from stringifying the data and postMessaging a string with no label
02:01:20 [bhill2]
deian: there should be no definition for stringifying a labeled object
02:01:27 [bhill2]
dveditz: would have to be opaque?
02:01:45 [bhill2]
deian: there is a definition for how to structurally clone, which is to clone the label and then the opaque object
02:02:27 [bhill2]
... have to use a getter to open the opaque object, which taints your context when used
02:02:45 [bhill2]
... and who you can communicate with is then restricted
02:07:45 [bhill2]
bhill2: what about navigating other contexts you have a handle to?
02:08:00 [bhill2]
deian: you can't do that because of information flow policies
02:08:07 [bhill2]
annevk: do you taint all the children?
02:09:53 [bhill2]
deian: no.. mods to html5
02:10:01 [bhill2]
bhill2: what about workers?
02:10:13 [bhill2]
deian: only talk to workers through postMessage, so tainted
02:10:17 [bhill2]
annevk: do you block push?
02:10:49 [bhill2]
@@: how does this work with message ports? no concept of origins
02:11:05 [bhill2]
deian: only allow sending messages when you know the origin at the other end
02:11:11 [bhill2]
@@: but you can't know until too late
02:12:02 [bhill2]
annevk: mostly have message ports for shared workers, apple just removed them, msft has no plans to support, and mostly never used - maybe they can go away
02:12:15 [bhill2]
@@: used to queue tasks quickly or structured clone things
02:12:34 [bhill2]
deian: maybe can look and decide when receiving message, not sure where to specify that
02:13:28 [wseltzer]
s/@@:/Mek:/
02:13:37 [bhill2]
thx wseltzer
02:14:29 [bhill2]
deian: prototype was done in terms of CSP hooks
02:14:53 [bhill2]
annevk: for navigation you need to hook directly into navigation to avoid traversing history
02:15:17 [bhill2]
deian: maybe navigation source directive into CSP would make it a natural place to work
02:15:29 [bhill2]
annevk: once you are confined you no longer have an active server connection
02:15:39 [bhill2]
deian: yes, but it gets revoked once your confidentiality label changes
02:15:46 [bhill2]
annevk: once you're confined, then things drop
02:16:05 [bhill2]
dveditz: what happens to service worker? do you skip or drop if it's not an appropriate service worker?
02:16:48 [bhill2]
annevk: might have to disable notifications, too, to avoid waking up service worker
02:18:21 [bhill2]
deian: also, server-supplied labels for XHR
02:20:56 [bhill2]
annevk: look at fetch since we've stopped adding features to XHR
02:21:59 [bhill2]
deian: wanted to do this, but fetch made it awkward to look at response type to deal with labeled JSON
02:24:00 [bhill2]
annevk: you can't extract an origin from a cowl:// URL, it is null / unique because that's not on the whitelist of schemes that have hierarchical authority
02:24:06 [bhill2]
dveditz: we could add that....
02:24:31 [bhill2]
some discussion w/dveditz and annevk about suborigins, not yet defined
02:24:59 [bhill2]
dveditz: some way of making a suborigin look like a url would be useful
02:26:20 [bhill2]
annevk: you could just compare literals
02:26:35 [bhill2]
dveditz: if literals, don't make it look like an origin, maybe even reject anything with a colon
02:27:40 [bhill2]
annevk: CORS just uses string literal
02:27:58 [bhill2]
deian: was a reason to extract origin, to send servers you're communicating with your context information
02:28:05 [bhill2]
... so for cross-origin requests, that is useful
02:28:29 [bhill2]
dveditz: so this creates a leakage if you've blocked referrer
02:29:22 [bhill2]
dveditz: like idea of signaling, because tells server more about how to answer a request
02:29:37 [bhill2]
... but it also leaks information you may not want to leak across origins, need to think about it and get wide review
02:30:22 [bhill2]
annevk: use of commas in header may be a problem
02:30:54 [bhill2]
dveditz: doesn't need to be json, could just be WSP delimited
02:31:11 [bhill2]
... what do brackets do for you? difference between AND and OR?
02:31:19 [bhill2]
deian: yes, conjunction vs. disjunction
02:34:34 [bhill2]
deian: header and js api has some mismatch- js api lets you specify in any format, but representation is always canonical ndis format
02:38:28 [bhill2]
... firefox patch in the works
02:38:41 [bhill2]
... also a subset we could do with a polyfill + CSP + 3rd party server
02:41:10 [mkwst]
bhill2: It seems to me that suborigins overlaps.
02:41:19 [mkwst]
... Where does this fit in relation to that spec?
02:41:38 [mkwst]
... Suborigins are not about confinement, they want a public label for postmessage, normal cross-origin communication.
02:41:48 [mkwst]
... They need to be able to live as a top-level application.
02:42:05 [mkwst]
... Splitting out applications that happen to be deployed on the same domain without a synthetic domain.
02:42:13 [mkwst]
deian: Disjunction does that.
02:42:35 [mkwst]
... No labeled cookies, etc.
02:42:55 [mkwst]
bhill2: Seems like an explicit goal of suborigins that you could have localstorage and cookies and etc. Looks like a regular origin label.
02:43:04 [mkwst]
... Could have origin-labeled access to standard platform features.
02:43:23 [mkwst]
deian: We could probably have some sort of labeled storage?
02:43:36 [mkwst]
bhill2: Maybe suborigins are just the privilege part of this.
02:43:59 [mkwst]
... Privileges you expect. Reaching into other document contexts being considered cross-origin, etc. Doesn't imply navigation.
02:44:09 [mkwst]
... Would like to separate these concerns.
02:44:32 [mkwst]
deian: Labels would do confinement, suborigins could do privileges.
02:45:53 [mkwst]
bhill2: Header is the only way to enter suborigins, doesn't change state dynamically.
02:46:09 [mkwst]
... Forces isolation for the page from other things on the "same" origin.
02:47:37 [bhill2]
annevk: what about permissions?
02:47:57 [bhill2]
mkwst: "parent" origin permissions might cascade into suborigins, or it might be distinct - JoelW needs to decide this
02:48:21 [bhill2]
... might need to ask users more often and store it internally - can't put any more info into URL bar, probably not putting suborigin there
02:48:49 [bhill2]
... user would be confused why "google.com" keeps asking for permissions because the suborigin abstraction is not exposed
02:50:30 [mkwst]
bhill2: Do I have to ask for permission every time for new disjunction states?
02:50:35 [mkwst]
deian: Yes.
02:50:43 [mkwst]
annevk: Since you're sandboxed, maybe the permissions are gone?
02:51:01 [mkwst]
bhill2: You couldn't keep that up to date unless you were continually receiving messages from someone.
02:52:01 [mkwst]
deian: But you couldn't receive messages unless you accepted the label.
02:52:15 [mkwst]
annevk: Sensor API? Maybe you couldn't leak information that way.
02:52:19 [mkwst]
deian: Open question!
02:52:29 [JeffH]
http://www.chromium.org/developers/design-documents/per-page-suborigins
02:54:29 [mkwst]
deian: If I have an iframe, I read something from somewhere else, I get tainted. But I still might have a handle to objects in the iframe.
02:54:36 [mkwst]
... Need to wipe out those references somehow.
02:54:39 [mkwst]
... Easy to do in Firefox.
02:54:48 [mkwst]
... Harder in Chrome.
02:55:07 [mkwst]
... Can we lock this to secure contexts?
02:55:13 [mkwst]
dveditz: Yes. That's the whole point of that spec.
02:55:25 [mkwst]
... Browsers are generally moving towards locking things to secure contexts.
02:55:39 [mkwst]
... Only makes sense to talk about tainting if you know who you are to begin with.
02:55:45 [mkwst]
... So should require secure contexts.
02:55:53 [mkwst]
deian: Future directions:
02:56:05 [mkwst]
... (More important to get v1 hammered out)
02:56:16 [mkwst]
... (Should talk to Joel to see what the overlap with suborigins might be)
02:57:11 [mkwst]
bhill2: Yes. Would be nice if these were built on the same primitives.
03:10:24 [bblfish]
bblfish has joined #webappsec
03:17:17 [rbarnes]
rbarnes has joined #webappsec
03:29:45 [jyasskin]
jyasskin has joined #webappsec
03:43:51 [Zakim]
Zakim has left #webappsec
03:58:57 [rbarnes]
rbarnes has joined #webappsec
04:01:32 [barryleiba]
barryleiba has joined #webappsec
04:05:55 [mnot]
mnot has joined #webappsec
04:09:46 [Melinda]
Melinda has joined #webappsec
04:10:04 [rbarnes]
rbarnes has joined #webappsec
04:11:50 [bblfish]
bblfish has joined #webappsec
04:15:46 [Zakim]
Zakim has joined #webappsec
04:23:57 [rbarnes]
rbarnes has joined #webappsec
04:28:40 [npdoty]
npdoty has joined #webappsec
04:31:43 [rbarnes]
rbarnes has joined #webappsec
04:34:50 [deian]
deian has joined #webappsec
04:36:05 [bhill2]
TOPIC: Agenda bashing
04:38:44 [bhill2]
TOPIC: containers
04:38:49 [bhill2]
https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
04:39:19 [bhill2]
rbarnes: additional labels applied to contexts, local storage, etc. to prevent sharing state between e.g. two logins to Twitter with different accounts
04:39:25 [bhill2]
dveditz: are these created by user or site?
04:39:31 [bhill2]
rbarnes: user in current implementation
04:40:04 [bhill2]
... when you load something in a container, everything is in that container
04:40:30 [bhill2]
... effectively lightweight profiles
04:40:34 [masato]
masato has joined #webappsec
04:40:59 [bhill2]
... in chrome each profile gets its own history, bookmarks, etc.
04:41:11 [bhill2]
... containers only are for page created state, share user-created state
04:41:29 [bhill2]
mkwst: interested in extracting some of the features out and giving them to sites, not just to users
04:42:04 [bhill2]
... some projects in google are using chrome apps to get these properties
04:42:26 [bhill2]
dveditz: firefox apps used to have that property and now they share cookies, etc.
04:42:46 [bhill2]
annevk: because you don't want to have to login to Facebook 100 times
04:42:49 [bhill2]
mkwst: but you do
04:43:45 [bhill2]
mkwst: a site might not want to share by default that a facebook user is at the bank without that user's choice
04:44:07 [bhill2]
... boils down to double-keying for all storage in a secure origins context
04:44:33 [bhill2]
... tor browser has proven this is doable; breaks some things - if you opt-in, we can probably guarantee that it doesn't break things for those who opt-in
04:46:05 [bhill2]
... loaded in separate process, subframes in separate process, separate cookie jar and all things I load use that new cookie jar, and identity is distinct in different embedding contexts even if same-origin
04:46:20 [bhill2]
... only works in top-level contexts as a straw-man
04:46:50 [bhill2]
dveditz: would this be site-wide?
04:47:16 [bhill2]
mkwst: yes, like HSTS, with maybe a mandatory includeSubDomains-like effect and locked to the topmost registerable domain
04:49:14 [bhill2]
... like first-party only cookies. If you're embedded your embeddor has no power over you, no ambient authority associated with the origin in another origin's context
04:49:35 [bhill2]
dveditz: e.g. a women's shelter might use this so embedded trackers can't know the user's been there
04:49:58 [bhill2]
mkwst: private mode is different about not leaving traces locally....
04:50:44 [bhill2]
rbarnes: this includes aspects of private browsing mode in terms of trackers, sharing, etc.
04:51:11 [bhill2]
francois: primarily about preventing CSRF.
04:51:16 [rbarnes]
rbarnes has joined #webappsec
04:51:33 [bhill2]
mkwst: primarily, but also if you know it is isolated it can be in a separate process, renderer can be hardened.
04:55:18 [bhill2]
... might be a different way of solving some of the problems that EPR is trying to tackle
04:55:20 [wonsuk]
wonsuk has joined #webappsec
04:55:52 [bhill2]
... example use case is to build as a web application, delivered through a browser, very sensitive things that are by-design not meant to be connected with the open web
04:56:05 [bhill2]
... say, to manage virtual machines
04:57:08 [bhill2]
deian: what if the browser tells the user about this...
04:57:14 [bhill2]
dveditz: then we would be triple keyed
04:57:27 [bhill2]
mkwst: in my use cases I care about there is no need to tell the user
04:58:07 [bhill2]
... mozilla implementation requires user to know and decide what is sensitive
04:58:22 [bhill2]
... different properties if a site can opt in
04:59:24 [rbarnes]
q+
04:59:50 [bhill2]
wseltzer: how does a user do something with isolated bank?
05:00:12 [bhill2]
mkwst: if isolated bank gives you a means of logging in outside the isolated context, you can do what you want normally
05:00:20 [bhill2]
... it might choose not to interact with you in those contexts
05:00:21 [mnot]
mnot has joined #webappsec
05:00:42 [bhill2]
dveditz: firefox apps had this, chrome has this, tor browser is adding this
05:01:22 [bhill2]
wseltzer: yes, but I think it is interesting and useful for the user to be able to interact with a site that declares itself this way
05:01:58 [bhill2]
mkwst: interesting paper by Charlie Reis, et al. about multiple browsers
05:02:06 [bhill2]
... epr is one implementation of an idea in there, this is another
05:02:08 [bhill2]
q+
05:02:27 [bhill2]
dveditz: I like what david is trying to do with EPR but manifest seems icky
05:02:34 [wseltzer]
http://www.collinjackson.com/research/papers/appisolation.pdf
05:02:42 [bhill2]
mkwst: I suspect he will still want EPR
05:02:48 [bhill2]
ack rbarnes
05:03:11 [bhill2]
rbarnes: if we have a way for sites to opt out of containers, change or refresh container, overlaps nicely with clear site data ideas
05:03:21 [bhill2]
... if all site data is containerized and you can throw it away...
05:03:37 [bhill2]
dveditz: label containers?
05:04:21 [bhill2]
rbarnes: hsts like semantics with max-age would create auto-expiring state
05:05:29 [rbarnes]
q+
05:05:38 [rbarnes]
ack bhill
05:06:18 [bhill2]
mkwst: would not want subresources to opt you in, maybe only from the root of the registerable domain
05:07:02 [bhill2]
bhill2: can you tie this to a manifested web app
05:07:11 [bhill2]
mkwst: easier to do at domain level because cookies are broken
05:07:20 [bhill2]
annevk: you need a cache for this to persist the state
05:07:26 [bhill2]
ack rbarnes
05:08:05 [bhill2]
rbarnes: having a label might let different origins 'hold hands' in their own universe
05:08:25 [bhill2]
bhill2: you can use a public key like android apps
05:09:12 [bhill2]
mkwst: would like to think about it with regard to syntax
05:10:25 [bhill2]
deian: I'd help write it up
05:11:37 [xiaoqian]
xiaoqian has joined #webappsec
05:11:54 [bhill2]
wseltzer: can a user opt a site into this for themselves?
05:12:09 [bhill2]
rbarnes: yes, it's already doing that, or could inject a header, or configure an origin by name...
05:12:13 [bhill2]
... tor browser already doing this
05:14:06 [bhill2]
TOPIC: timing attacks
05:14:08 [Kepeng]
Kepeng has joined #webappsec
05:14:24 [bhill2]
deian: aware of researchers that can do these kinds of leaks exfiltrating data with SVG by blurring an iframe
05:14:45 [bhill2]
... would be good to have guidance for spec authors on side channels and info leaks
05:16:46 [bhill2]
... even implementations-wise, e.g. a cache is likely to result in attacks if it is shared cross-origin
05:18:25 [bhill2]
TOPIC: COWL non-origin labels
05:20:44 [bhill2]
deian: maybe namespaces?
05:21:02 [bhill2]
... only thing that can mint privileges is the browser
05:21:08 [bhill2]
... mint a.com and give it to a.com page
05:21:25 [bhill2]
... but if we had something labeled geolocation: and we knew that only the browser could do that
05:21:37 [bhill2]
... only kinds are unique or delegated privileges
05:22:39 [bhill2]
dveditz: could have a colon if it had, e.g. a character illegal in scheme names to disambiguate it from scheme names, or a fixed name like cowl:, but would have to register it
05:23:18 [bhill2]
annevk: need to be serialized to go over the network
05:23:48 [bhill2]
... on network you could have a disambiguator when serialized, but object model would have different flags for origin vs. name
05:25:21 [rbarnes]
annevk: filed Fetch issue: https://github.com/whatwg/fetch/issues/150
05:25:37 [bhill2]
origin label; suborigin label - can't be minted by page; application label - can be created by any JS; "permission" label (result of an API call, unforgeable); fresh
05:26:15 [bhill2]
annevk: could we start out a lot simpler if we only had a separate instance of a service worker that we can give some labeled object it can compute on and return the result to its caller
05:26:25 [bhill2]
... don't have to think about the interaction with as many things as browsing contexts
05:26:58 [bhill2]
... for service workers we're also considering cross-origin cases, haven't explored that for normal workers
05:28:16 [bhill2]
annevk: thinking: a.com gives some data to b.com's service worker, b.com can't communicate back to b.com once it opens the labeled object
05:28:23 [bhill2]
... could make the draft much simpler
05:28:35 [bhill2]
deian: but today you have UI
05:29:35 [bhill2]
bhill2: UI seems like most interesting case to me, provide experience to user of composite information but not leak that back to remote servers
05:38:39 [bhill2]
deian: what to do when label provided by server doesn't match what it is allowed to provide?
05:38:45 [bhill2]
... taking approach of not warning user about this
05:38:59 [bhill2]
dveditz: should fail closed to the extent we can
05:39:58 [bhill2]
... what if we just drop it, call it a network error
05:40:04 [bhill2]
... new stuff nobody is using, we can check and be strict
05:41:09 [bhill2]
mkwst: if we're going to be parsing, maybe extract this out to someplace where parsing happens
05:41:20 [bhill2]
annevk: order matters, COWL before cookies
05:41:35 [bhill2]
mkwst: have at least two blocks parsing CSP
05:41:48 [bhill2]
annevk: that's because of service workers, but COWL is only right from the network
05:42:31 [bhill2]
annevk: can a service worker add these labels....does it do the right thing
05:42:53 [bhill2]
deian: service worker would have to abide by confinement
05:43:01 [bhill2]
mkwst: would that mean you can find where redirects go?
05:43:21 [bhill2]
... if not-example.com returns labeled responses, I can read that cross-origin?
05:43:32 [bhill2]
annevk: labeled data has to be CORS accessible
05:43:43 [bhill2]
... there is a problem with confining service workers because they are shared
05:44:12 [bhill2]
... to instances of b.com sharing a service worker, then a.com communicates with one in a way that introduces confinement, the other tabs stop working
05:44:28 [bhill2]
... if you want fetching to work offline, going to involve service workers, and foreign fetch is coming
05:44:57 [bhill2]
... so you'd have to have multiple instances of service workers
05:45:18 [bhill2]
deian: may be able to think of service worker as extending the authority of the server and may not need to confine it
05:45:28 [bhill2]
annevk: sw also has access to storage and other stuff
05:49:04 [bhill2]
annevk thinks that chrome doesn't have wrappers, so existing references to a node in a different document that depended on being same origin won't be broken by setting the sandboxing flag
05:49:24 [bhill2]
mkwst: true today, but not forever, eventually we will implement something like membranes...
05:49:24 [virginie]
virginie has joined #webappsec
05:50:02 [bhill2]
annevk: maybe we should standardize membranes then...
06:00:45 [wseltzer]
Topic: AOB
06:01:57 [wseltzer]
Melinda: We presented some work on DNS API previously; we've continued work and have Firefox and Chrome extensions
06:02:38 [wseltzer]
... work going into TLS after 1.3
06:03:07 [wseltzer]
[discussion of uses of DNSSEC, additional information, isolation modes, supplementing CA info]
06:03:39 [wseltzer]
bhill2: DNSSEC as a transport for policy
06:03:56 [wseltzer]
rbarnes: also cache priming
06:04:11 [wseltzer]
Melinda: Paul Wouters work
06:04:24 [wseltzer]
... establishing authority
06:04:51 [wseltzer]
... OpenSSL 1.2 implementation
06:06:48 [bhill2]
rrsagent, make minutes
06:06:48 [RRSAgent]
I have made the request to generate http://www.w3.org/2015/10/29-webappsec-minutes.html bhill2
06:06:54 [bhill2]
rrsagent, set logs public-visible
06:07:10 [bhill2]
meeting adjourned, transitioning to non-minuted unofficial security BoF in this room following the break
06:07:42 [bhill2]
bhill2 has joined #webappsec
06:20:24 [npdoty]
npdoty has joined #webappsec
06:37:29 [rbarnes]
rbarnes has joined #webappsec
07:01:33 [barryleiba]
barryleiba has joined #webappsec
07:02:38 [wonsuk]
wonsuk has joined #webappsec
07:15:07 [barryleiba]
barryleiba has left #webappsec
07:15:33 [Zakim]
Zakim has left #webappsec
07:17:18 [Melinda]
Melinda has joined #webappsec
07:25:20 [bblfish]
bblfish has joined #webappsec
08:00:45 [rbarnes]
rbarnes has joined #webappsec
08:19:44 [bblfish]
bblfish has joined #webappsec
08:23:33 [bblfish]
bblfish has joined #webappsec
08:23:37 [mnot]
mnot has joined #webappsec
08:24:51 [deian]
deian has joined #webappsec