15:56:44 RRSAgent has joined #webappsec 15:56:44 logging to http://www.w3.org/2016/04/20-webappsec-irc 15:57:53 freddyb has joined #webappsec 15:58:10 present+ bhill2 15:58:20 bhill2 has changed the topic to: https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0027.html 15:59:13 present +teddink 15:59:19 jeff has joined #webappsec 16:00:10 present+ freddyb 16:00:17 present+ mkwst 16:00:39 present+ gmaone 16:01:08 present+ jeff 16:01:39 present+ dveditz 16:01:45 francois has joined #webappsec 16:02:17 present+ John Wilander 16:02:29 estark has joined #webappsec 16:02:30 present+ francois 16:02:57 present+ estark 16:03:32 present+ wseltzer 16:04:16 dydz has joined #webappsec 16:04:38 Meeting; WebAppSec Teleconference, 20-Apr-2016 16:04:44 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0027.html 16:05:09 TOPIC: Agenda Bashing 16:05:10 none 16:05:10 bhill2: first topic is agenda bashing. anything to add? 16:05:17 ... nothing to add 16:05:19 TOPIC: Minutes Approval 16:05:23 https://www.w3.org/2016/03/23-webappsec-minutes.html 16:05:31 ... next topic is minutes approval 16:05:41 TOPIC: May F2F is coming... 16:05:48 ... any objection to unanimous approval? ...... none, approved 16:06:01 ... May f2f is coming 16:06:10 Doodle Sign up: http://doodle.com/poll/38uhygx3wtg3ax3f 16:06:26 dveditz: Please sign up via the Doodle so we can plan for lunch. 16:06:34 ... Rooms for ~20 people. 16 signed up. 16:06:44 ... If more sign up, we can get a bigger room. 16:06:49 have we already talked about the fact that it's the same week as Google I/O? (so people should book hotel rooms, etc. ASAP) 16:06:54 ... If not, we might be crowded. 16:07:21 bhill2: TAG members might be interested. Will inform them that they should sign up as soon as possible, 16:07:51 dveditz: Sure. We'd love to have them. We just need to know in advance so we can have room for them. 16:08:09 bhill2: Don't wait to book a hotel. Google I/O is the same week (Thanks Emily!). 16:08:25 TOPIC: References to Fetch, etc. 16:08:30 bhill2: next topic, references to Fetch 16:08:45 ... we have a number of specs close to done or even just waiting 16:08:50 q+ 16:09:10 ... with a persistent issue about how to do references to documents that are not w3 docs. particularly WHATWG documents 16:09:28 ... fetch is the main one, but also parts of HTML and others 16:10:07 ... Mike, Wendy and myself met with @@ about how to construct stable references 16:10:09 weiler has joined #webappsec 16:10:23 ... made progress with DOM and HTML, but Fetch is a stickier issue 16:10:32 s/@@/Web Platform WG/ 16:10:51 ... also had some small corrections to CORS that said to reference the WHATWG Fetch spec, and that was rejected 16:11:35 wseltzer: I've been having some conversations with the director since then. Thank you for the document you wrote that helped pinpoint the technical questions the director has raised 16:11:54 https://www.w3.org/2013/09/normative-references 16:12:12 ... a thread of discussion is "is CORS/Fetch serving the web platform" and the other main one is what is the appropriate normative reference policy 16:12:39 ... One of the elements in the stability of the reference 16:12:49 s/in the/is the/ 16:13:42 ... another question is "is there another stable reference for the pointer, will the 'living specification' change and make the reference invalid?" 16:14:55 ... the directory also pointed out that in some cases there are references /from/ fetch to our own specs 16:15:30 ... If we can address the 'persistence and stability of the reference' problem then we're on a reasonable track to get these things moving again 16:15:44 ... thanks to your effort to get things moving, Brad. 16:16:04 https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit?usp=sharing 16:16:09 bhill2: I feel like this persistence issue has been something we've been locking horns over for 3 or 4 years now 16:16:52 ... I linked to document that could help separate the concerns about CORS itself from the persistence issue 16:17:32 wseltzer: would it be a workable model to snapshot the Fetch spec as a normative reference. Not in the way HTML has done but in the more lightweight way the Encoding one was done 16:17:55 bhill2: even that is a non-trivial amount of work, many hours of editorial/formating work. 16:18:12 q+ 16:18:21 ... anyone want to take that on and create a w3 snapshot? 16:18:55 wseltzer: the action I volunteer to take is to examine each of the references closely to see if we have sufficient stability of the features, even if the overall document is changing 16:19:18 ... to see if that is enough to help us move forward with the director 16:19:28 action: wseltzer to examine Fetch refs for stability 16:19:28 Created ACTION-216 - Examine fetch refs for stability [on Wendy Seltzer - due 2016-04-27]. 16:19:56 bhill2: it's not doing anyone any help to pretend the Fetch spec doesnt' exist 16:20:01 jww has joined #webappsec 16:20:44 mkwst: I went through the CSP spec last week and went through and filed bugs against the W3 HTML spec where it's incompatible with what CSP and the web are actually doing. 16:21:09 ... some changes will be straightforward, and some are based on frameworks and concepts the w3 version just doesn't have. 16:21:38 q+ 16:21:42 ... the WG claimed they had imported things up to @@ but when I checked that was not entirely true, some things were missing or incomplete 16:21:47 present+ terri 16:22:08 wseltzer: thanks very much mike for going through and doing that. heard from Philippe that was happening and useful 16:22:39 ... we're trying to be responsive to that.. please do keep pushing on us to get that right 16:22:51 ... we'll be keeping a closer eye on it 16:23:37 ... in this group I would simply note that it's going to be difficult to review the patches the HTML group adds to make sure they're the same as the equivalent in the WHATWG version. 16:24:06 ... there are some conceptual differences between the two and making the same hooks to each might have different effects 16:24:35 ... Some of the concepts are new, some are simply described in a new way. "Realms" for instance, has come from ES6 16:24:58 ... In certain places the specs were more different than I expected them to be 16:26:03 mkwst: I don't want to be the one doing that review, I'm suggesting that the W3 have someone do that 16:26:19 TOPIC: CSP Level 2 - Welcome Safari Technical Preview! 16:26:34 Hello from Cupertino, CA 16:27:00 scribe note: speaker was mkwst starting with "in this group I would simply note..." 16:27:02 welcome, Safari! 16:27:41 Welcome! 16:27:44 yay! 16:27:46 http://w3c.github.io/webappsec/implementation_reports/CSP2_implementation_report.html 16:27:54 dydz: [Apple has joined the working group] 16:28:29 bhill2: the link I just posted is a CSP implementation report for the latest browsers 16:28:58 ... includes the most recent Firefox would has made recent improvements, and Safari 16:29:20 ... we're missing some tests for font-src, report-only, and the script/event handling 16:29:43 ... would like help improving the tests to get to 100% coverage of the spec 16:30:03 mkwst: took a look at two of them, and one needs to be rebased but otherwise they look good 16:30:17 TOPIC: default-src definition in CSP2 16:30:20 bhill2: skipping ahead, to "last things for CSP2" 16:30:25 https://github.com/w3c/webappsec/issues/514#issuecomment-211587068 16:30:42 ... from an issue submitted by April King, pointing out in how we define the default-src directive 16:32:04 ... april is of the opinion that our implementations are correct and match CSP3, and that it's the CSP2 spec that was incorrect or unclear. 16:32:46 mkwst: I do think it's worth correcting in CSP2. It's just a correction, a large typo if you will. 16:33:22 ... I don't think there is any actual normative impact if we change this. This is the second time this question has come up so it'd be worth correcting 16:33:51 ... we're so far into this that having to wait a little longer to get the spec approved wouldn't hurt 16:34:00 TOPIC: 'unsafe-dynamic' 16:34:04 https://github.com/w3c/webappsec-csp/issues/70#event-631031432 16:34:17 bhill2: I'll write some tests. if we have 3 conforming implementations then it should be easy to show this is a non-normative change 16:34:44 mkwst: unsafe-dynamic is something I've proposed that some google properties are playing around with 16:35:25 ... if you include a script and that script loads more scripts you have to whitelist all of them. fragile, hard to work with, too much coordination with downstream libraries 16:36:05 ... the extensive whitelisting can actually introduce security holes because it tends to be too lose to accommodate 16:36:34 ... Chrome 5? is going to release with an implementation and we'll see how this works 16:36:41 ... haven't heard much from others 16:37:04 bhill2: taking off my chair hat, from a Facebook perspective I'm interested in this feature and think it will help. 16:38:34 ... do you have any thoughts about redirects, such as google switching to country-specific ones? 16:38:53 mkwst: with nonces we already allow that. are you asking outside the context of nonces? 16:39:33 bhill2: if this new behavior only applies to nonces then my concern may have already been taken care of 16:40:11 mkwst: I also have the idea to combine CSP and SRI. currently we only allow hashes to work for inline scripts 16:41:57 mkwst: will file a bug and we can alk about it there 16:42:14 Microsoft is also interested, just a matter of prioritization of work. 16:42:30 bhill2: any other implementors? 16:42:49 TOPIC: Block all non-SRI resources 16:42:50 dveditz: Mozilla is watching, but working on a lot of other requirements first so just watching for now 16:43:00 https://github.com/w3c/webappsec-csp/pull/64#issuecomment-211482914 16:43:10 https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0001.html 16:44:08 bhill2: suggested by dveditz that we punt on '*' for now since we only have two directives covered, and will avoid future breakage. 16:44:13 ... any responses? 16:44:36 mkwst: seems reasonable to me. gave neil some feedback on the patch, waiting for him to clean it up 16:45:07 TOPIC: Providing safer referrer policy states 16:45:13 https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0004.html 16:45:39 bhill2: proving safer referrer policy states. anyone on the call want to present it? 16:47:22 francois: current referrer policy is focused on unbreaking people moving to https, but there have been cases such as healthcare.gov where private data was leaked in referrers so it would be nice to add stricter states as well 16:47:58 ... currently in the spec if you want to truncate the referrer to origin there's no way to do that without leaking it insecurely 16:48:22 ... we proposed adding some additional states that preserves this 16:49:08 estark: are there develoeprs actually asking for these states? We've also proposed a more flexible syntax for the future maybe we should wrap up what we have and then move to 16:49:24 ... a more flexible syntax in a future version (that could also cover these new states) 16:49:41 bhill2: I also had the concern about changing current behavior making the new states the default 16:50:30 ... This is an incredibly useful feature for people who want to send referrers without having to go through unnecessary redirects 16:51:11 ... Saves Facebook a lot not having to redirect through a http: site, also our security posture improves because we don't need to support those http insecure end=points 16:51:40 estark: I'm also not enthusiastic about changing the defaults, but the meat of the proposal was the new states and doesn't require changing the default names 16:52:23 francois: that's correct, the name change is separate. would have been nice if we had started that way, but i take your point given the existing implementations 16:52:55 estark: are there developers who have asked for these states? I don't know if that should be a requirement, but I am curious. 16:53:15 dveditz: only individuals, no large sites 16:53:45 estark: do you have any thoughts, francois, about the future where we make the whole thing more flexible? 16:54:12 francois: personally I'd prefer to see the first version to include these simple additions rather than having to wait for version 2 16:55:06 estark: I need to look at what the implementation in Chrome would require. tempting to say it should be easy, but needs to be checked that it's not a major undertaking. 16:55:42 q+ 16:56:05 bhill2: seems like a 'nice to have', not all that pressing. Truncating to the origin is unlikely to leak sensitive information which mostly addresses the original reason for the https->http truncation 16:56:06 ack wseltzer 16:56:15 ... but maybe leaks sensitive subdomains? 16:56:45 wseltzer: maybe we should ask the privacy IG for a review since we're talking about control of what information is sent 16:58:23 TOPIC: Further granularity of unsafe-inline styles 16:58:30 https://github.com/w3c/webappsec-csp/issues/45 16:58:40 bhill2: two minutes left to discuss, probably don't have time to deal with it. but raising it 16:58:57 ... would be good to get more feedback from developers and implementors on that issue 16:59:36 ... should we cancel the next call, and just batch things up for the F2F? 16:59:47 sounds good 16:59:53 ... let's tentatively cancel, but will bring it up on the list 17:00:00 ... thanks everyone 17:00:18 zakim, list attendees 17:00:18 As of this point the attendees have been bhill2, freddyb, mkwst, gmaone, jeff, dveditz, John, Wilander, francois, estark, wseltzer, terri 17:00:28 rrasagent, make minutes 17:00:34 rrsagent, make minutes 17:00:34 I have made the request to generate http://www.w3.org/2016/04/20-webappsec-minutes.html bhill2 17:00:40 rrsagent, set logs world 17:01:29 weiler has left #webappsec 17:02:37 bhill2 has joined #webappsec 17:59:44 jeff_ has joined #webappsec 18:40:21 yoav has joined #webappsec 18:52:48 jeff_ has joined #webappsec 19:26:15 Zakim has left #webappsec 20:41:43 yoav has joined #webappsec