IRC log of webappsec on 2016-07-13

Timestamps are in UTC.

14:50:48 [RRSAgent]
RRSAgent has joined #webappsec
14:50:48 [RRSAgent]
logging to http://www.w3.org/2016/07/13-webappsec-irc
14:50:49 [jochen___]
then we should be good to move forward
14:51:11 [jochen___]
thank you :)
14:51:21 [jochen___]
then I'll repeat what I just said..
14:51:21 [wseltzer]
you might send email, for broader visibility
14:51:40 [jochen___]
oh, I just saw this specific question on the agenda that Brad sent around
14:51:47 [jochen___]
I don't think it's particularly urgent
14:51:58 [jochen___]
anyway, about Referrer policy moving forward
14:52:05 [jochen___]
I'd like to add some text about CSS and referrers
14:52:16 [jochen___]
now that we have the referrer policy header, I think we're in a good place where we can spec this
14:52:22 [jochen___]
once that's done, we can move forward
14:52:56 [jochen___]
EOM :)
14:53:25 [wseltzer]
rrsagent, make logs public
14:53:29 [wseltzer]
rrsagent, draft minutes
14:53:29 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/07/13-webappsec-minutes.html wseltzer
15:37:48 [Zakim]
Zakim has joined #webappsec
15:38:10 [botie]
botie has joined #webappsec
15:38:46 [wseltzer]
botie, inform bhill2 jochen left some notes on irc earlier, http://www.w3.org/2016/07/13-webappsec-minutes.html
15:38:46 [botie]
will do
15:46:35 [bhill2]
bhill2 has joined #webappsec
15:46:35 [botie]
bhill2, at 2016-07-13 15:38 UTC, wseltzer said: jochen left some notes on irc earlier, http://www.w3.org/2016/07/13-webappsec-minutes.html
15:51:58 [estark]
estark has joined #webappsec
15:53:09 [dydz]
dydz has joined #webappsec
15:55:25 [yoav]
yoav has joined #webappsec
15:57:30 [bhill2_]
bhill2_ has joined #webappsec
15:59:03 [bhill2_]
bhill2_ has changed the topic to: https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0014.html
16:00:47 [bhill2_]
Meeting: WebAppSec Teleconference, 13-Jul-2016
16:00:50 [bhill2_]
Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0014.html
16:01:00 [bhill2_]
Chairs: bhill2, dveditz
16:01:14 [bhill2_]
RRSAgent, draft minutes
16:01:14 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/07/13-webappsec-minutes.html bhill2_
16:01:28 [bhill2_]
present+ bhill2, mkwst
16:01:37 [estark]
present+ estark
16:01:49 [bhill2_]
present+ daniel bates
16:02:08 [terri]
present+ terri
16:02:29 [dveditz]
present+ dveditz
16:02:42 [wseltzer]
regrets+ wseltzer
16:02:51 [bhill2_]
can do
16:02:54 [teddink_]
teddink_ has joined #webappsec
16:03:16 [moneill2]
moneill2 has joined #webappsec
16:03:16 [pranjal]
pranjal has joined #webappsec
16:04:15 [teddink_]
present+ teddink
16:04:30 [bhill2_]
TOPIC: agenda bashing
16:04:49 [mkwst]
bhill2_: Sent out a call for agenda items, put together some topic from the last month and a half.
16:04:55 [mkwst]
... Anything I missed?
16:05:06 [mkwst]
Everyone: <crickets>
16:05:07 [bhill2_]
TOPIC: minutes approval
16:05:20 [bhill2_]
https://www.w3.org/2011/webappsec/draft-minutes/2016-05-17-webappsec-minutes.html
16:05:20 [bhill2_]
https://www.w3.org/2011/webappsec/draft-minutes/2016-05-16-webappsec-minutes.html
16:05:31 [mkwst]
bhill2_: Objections to approving these minutes?
16:05:31 [bhill2_]
bhill2: any objections to unanimous approval?
16:05:35 [mkwst]
Everyone: <crickets>
16:05:39 [mkwst]
bhill2_: Approved.
16:05:53 [bhill2_]
TOPIC: transition of some specs to WG NOTE
16:06:10 [mkwst]
bhill2_: We put things on the board at the end of day 1 of the F2F.
16:06:23 [francois]
francois has joined #webappsec
16:06:31 [mkwst]
... Came up with a list of things we might want to transition to NOTE.
16:06:40 [mkwst]
... CfC expires next Friday.
16:06:56 [mkwst]
... This basically means that we're not taking them towards REC. Just archived for historical purposes.
16:07:32 [mkwst]
... FPWD retains some IPR if we resurrect them (and we can, this isn't irrevocable).
16:07:39 [mkwst]
... Cookie Controls was the first one.
16:07:50 [mkwst]
... Mike suggested that Feature Policy might be a better home.
16:07:55 [bhill2_]
The Feature Policy proposal (
16:07:55 [bhill2_]
https://wicg.github.io/feature-policy/) could be a better home for the
16:07:55 [bhill2_]
intended functionality as part of a broader and more coherent approach,
16:07:57 [bhill2_]
rather than putting this into CSP.
16:08:05 [moneill2]
q
16:08:27 [bhill2_]
bhill2: would clear site data be also under feature policy?
16:08:46 [bhill2_]
mkwst: I see it as distinct because it operates on the storage for an origin and not just a page / resource
16:08:56 [bhill2_]
... enough interest that it's worth continuing in that
16:09:02 [mkwst]
estark: Is feature policy done by WebAppSec?
16:09:11 [mkwst]
bhill2_: Currently in incubator group. WICG.
16:09:23 [tanvi]
tanvi has joined #webappsec
16:09:26 [estark]
^ tanvi? wasn't me
16:09:34 [tanvi]
present+ tanvi
16:09:36 [tanvi]
yeah, that was me
16:10:10 [bhill2_]
mkwst: don't have a target group at the moment, Chrome puts ideas into incubation before looking for a group
16:10:10 [francois]
present+ francois
16:10:21 [bhill2_]
... when we are far enough along and have enough experience we think about where to move it
16:10:37 [bhill2_]
... my impression is that web perf is interested but also some overlap here, no strong opinion
16:10:51 [wseltzer]
s/estark:/tanvi:/
16:10:53 [bhill2_]
... folks here and in web perf should be taking a look at it and there are a number of places it might live
16:11:34 [bhill2_]
moneill2: about cookie controls; one of the points of CSP was it allowed use of set-cookie headers in embedded resources
16:11:50 [bhill2_]
... feature policy only gives control over javascript accessing document.cookie
16:12:13 [bhill2_]
mkwst: the only thing that would affect embedded resources is the embedded enforcement mechanism that we are investigating for CSP
16:12:30 [bhill2_]
... which says you will only embed a frame if it accepts certain policy
16:12:51 [bhill2_]
moneill: but the CSP cookie controls allowed managing cookie headers for images, etc.
16:13:20 [bhill2_]
mkwst: it didn't and we didn't get far enough in specifying it; would suggest you look at Feature Policy, and we should consider how to handle that
16:13:50 [bhill2_]
... document will suggest a policy that denies a certain thing for a set of origins, please file bugs against that as we might be able to support these features there
16:14:40 [bhill2_]
moneill2: meta tag in CSP was ruled out for feature policy, would be good to have that back as it is quite useful for content served by e.g. agencies
16:14:54 [bhill2_]
... easier to have a library that can insert a meta tag than control headers
16:15:08 [bhill2_]
mkwst: good convo to have on the incubator group / github repo for feature policy
16:15:35 [bhill2_]
bhill2: any other concerns with stopping this work here?
16:15:52 [bhill2_]
Entry Point Regulation
16:15:52 [bhill2_]
https://www.w3.org/TR/epr/
16:16:15 [mkwst]
dveditz: Mozilla supports pushing this to NOTE.
16:16:25 [mkwst]
bhill2_: Will ask drx to follow up on the list.
16:17:07 [mkwst]
... At F2F folks seemed to feel that the SameSite cookie work at the IETF took care of much of the same threats that EPR wanted to address.
16:17:22 [mkwst]
terri: Sad to see it move to NOTE, but accurate, as no one is working on it.
16:17:23 [bhill2_]
terri: sad to see it moved to note but accurately reflects where the effort is
16:18:00 [bhill2_]
CSP Pinning
16:18:11 [bhill2_]
https://www.w3.org/TR/csp-pinning/
16:18:25 [mkwst]
bhill2_: We probably need something like this, but this probably isn't the right mechanism.
16:18:33 [mkwst]
... Costs to sending a default policy with all requests.
16:18:42 [mkwst]
... Platform needs a more general mechanism.
16:18:48 [mkwst]
... .well-known, manifest, etc.
16:19:00 [mkwst]
mkwst: I agree.
16:19:38 [bhill2_]
TOPIC: Referrer Policy to PR: What is needed?
16:19:51 [bhill2_]
https://github.com/w3c/webappsec-referrer-policy/issues
16:20:07 [mkwst]
bhill2_: Missing states we discussed at F2F have been added.
16:20:10 [mkwst]
... What's left?
16:20:23 [mkwst]
estark: Three items left:
16:20:36 [mkwst]
... 1. Updating web platform tests: header and new policy states.
16:20:53 [mkwst]
... 2. Finish the HTML integration for the `referrerpolicy` attribute and new policy states.
16:21:18 [bhill2_]
Jochen left this note in IRC earlier: https://www.w3.org/2016/07/13-webappsec-minutes.html re: CSS
16:21:20 [mkwst]
... 3. Jochen wanted to do something for stylesheets. Process headers delivered with stylesheets for resources loaded via the sheet.
16:21:58 [mkwst]
francois: I'm planning on doing some of the items Emily just mentioned.
16:22:05 [mkwst]
... New policy states to WPT and to HTML.
16:22:08 [mkwst]
... Fetch also.
16:22:11 [dveditz]
q?
16:22:16 [dveditz]
q+
16:22:16 [mkwst]
... That's all I think is needed.
16:22:25 [bhill2_]
ack dveditz
16:22:37 [mkwst]
dveditz: Two of the issues are in the 11 open issues for the spec.
16:23:12 [mkwst]
dveditz: Perhaps we could invent a label for those issues in the repo so that we know what we need to get done.
16:23:35 [francois]
https://github.com/w3c/webappsec-referrer-policy/issues/50 is the issue for finishing the work around the new states
16:24:09 [mkwst]
dveditz: Just want to distinguish between editorial changes and big normative issues.
16:24:37 [mkwst]
bhill2_: Meta-goal is to get specifications ready to go before TPAC, then I can poke at various folks about Fetch and HTML integrations.
16:24:54 [mkwst]
... That seems like a good forcing function to get resolution on these questions.
16:25:09 [bhill2_]
TOPIC: Mixed Content to PR
16:25:21 [bhill2_]
Should we allow localhost?
16:25:21 [bhill2_]
https://github.com/w3c/webappsec-mixed-content/issues/4
16:27:01 [bhill2_]
mkwst: 2 things: 1: align with secure contexts spec definitions; this has implications that 127.0.0.1 should not be considered mixed content
16:27:22 [tanvi]
tanvi has joined #webappsec
16:27:24 [bhill2_]
... because by going over loopback vs. network has same / similar security properties to something transiting the internet on a secure channel
16:27:37 [bhill2_]
... 2: other issue is the name 'localhost' vs loopback address
16:28:04 [bhill2_]
... there are some cases where localhost or *.localhost will hit the network for resolution, so would suggest we can't give it the same a priori secure designation
16:28:09 [tanvi]
tanvi has joined #webappsec
16:28:14 [bhill2_]
... as the loopback IP addresses
16:28:38 [bhill2_]
... suggestions on the list were to align the document and update such that the name localhost doesn't have the same definition as loopback addresses
16:28:53 [bhill2_]
tanvi: should we do the second one first? or will we be decreasing security before increasing it?
16:29:18 [bhill2_]
mkwst: we are doing both at the same time in Chrome in Q3/Q4; I've landed for 127.0.0.1, have to check on localhost
16:29:45 [bhill2_]
ccowan: is this going to land with localhost CORS requirements as discussed at F2F?
16:30:03 [bhill2_]
mkwst: that is a bit more work and so I'm doing the one first, the other will take a bit longer
16:30:10 [bhill2_]
ccowan: as long as they're not incompatible in a sneaky way
16:30:38 [bhill2_]
mkwst: what this allows is folks to stop installing certificates for localhost which is an unalloyed good, later stuff will compose
16:30:42 [bhill2_]
ccowan: sounds great
16:30:46 [bhill2_]
tanvi: I'm ok with this change.
16:30:52 [bhill2_]
dveditz: +1
16:31:18 [tanvi]
Zakim, who is here?
16:31:18 [Zakim]
Present: bhill2, mkwst, estark, daniel, bates, terri, dveditz, teddink, tanvi, francois
16:31:20 [Zakim]
On IRC I see tanvi, francois, pranjal, moneill2, teddink_, bhill2_, dydz, estark, botie, Zakim, RRSAgent, Jb, gszathmari, dveditz, MattN, terri, Mek_, adrianba, jyasskin,
16:31:20 [Zakim]
... slightlyoff, Josh_Soref, tobie, timeless, jochen___, jww, schuki, mounir, mkwst, wseltzer, trackbot
16:31:23 [bhill2_]
TOPIC: UIR with fallback
16:31:25 [terri]
I'm even excited about this change: it should make it easier for some of our engineers working on prototype hardware
16:31:31 [bhill2_]
https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0012.html
16:33:02 [bhill2_]
dveditz: he's proposing we do upgrade and if it fails, retry?
16:33:10 [bhill2_]
... are redirects upgraded as well?
16:33:22 [bhill2_]
... so we'd have to retry each half-loop potentially?
16:33:35 [bhill2_]
mkwst: I think we can work out these details
16:33:57 [bhill2_]
... I understand why Peter likes the idea and the value he preceives
16:34:13 [bhill2_]
s/preceives/perceives
16:34:25 [bhill2_]
... but we don't have any other mechanism in the platform that does something like this
16:34:42 [bhill2_]
... so we have to do the work to invent that mechanism
16:35:00 [bhill2_]
... this is problematic even for doing preflights for things like images as part of RFC1918 CORS
16:35:20 [bhill2_]
... to support this at all we would need to do a request and start a new one that is tied to the old one and triggers all the same effects
16:35:38 [bhill2_]
... this could be possible and there could be real value but not sure the effort would be justified
16:35:59 [bhill2_]
... I do like the idea of magically turning it on and making one class of mixed content less prevalent
16:36:13 [bhill2_]
... but don't think could implement in the near future, though that shouldn't be a gating factor on what we specify
16:36:35 [bhill2_]
tanvi: christophe doesn't think this is that difficult, but not super easy either, need justification and people asking for it
16:37:08 [bhill2_]
mkwst: peter's request is interesting on behalf of Let's Encrypt as a novel way to automate https upgrading
16:37:41 [bhill2_]
... but also agree with brad that mixed scripts decrease that value
16:37:57 [bhill2_]
tanvi: some may be broken
16:38:27 [bhill2_]
mkwst: claim made was that it couldn't be automatic, would still need to be verified live after flipping the switch
16:38:44 [bhill2_]
... opposed to allowing mixed scripts
16:38:58 [tanvi]
yeah i wouldn't allow mixed script
16:39:41 [bhill2_]
tanvi: you're right, it would help some sites and not others and require testing
16:40:12 [bhill2_]
mkwst: interesting, has potential value, but not sure state of the world would allow it to be as automated as LE would like to do it by default
16:40:37 [bhill2_]
... and with that, not sure the rearchitecting for the fallback would be worthwhile.... but that is colored by my understanding of the difficulty of implementing in Chrome
16:41:20 [bhill2_]
tanvi: our perspective at mozilla is to wait on this until we hear from websites that this would be really useful to them
16:42:10 [bhill2_]
bhill2: maybe Peter can give us some data by simulation.
16:42:21 [bhill2_]
mkwst: would also be interesting to know if a SW can polyfill this for origins we know about
16:43:17 [bhill2_]
... add something to UIR that lets a ServiceWorker fill in with insecure content
16:45:12 [bhill2_]
bhill2: would still be opposed (with FB hat on) to allowing active mixed downgrades, need to know that redirecting user to https means https
16:45:52 [bhill2_]
TOPIC: Changing window.name behavior
16:45:59 [bhill2_]
https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0006.html
16:47:14 [bhill2_]
mkwst: seems reasonable to do what Artur suggests, clear on navigation as the spec says (but no browser actually does)
16:48:06 [bhill2_]
dveditz: believe that is for non-auxiliary windows, popups with names need to be targeted
16:48:16 [bhill2_]
mkwst: don't recall seeing that in the spec, but may have missed that
16:48:34 [bhill2_]
... I think it is a reasonable thing to do regardless of what the spec says. Chrome doesn't clear it at all in any case.
16:48:51 [bhill2_]
... would like to measure how often it is used and throw it away if low enough
16:49:03 [bhill2_]
... but probably doesn't solve any XSS vectors because there are other sources
16:49:20 [bhill2_]
... less inclined to break back compat because of that
16:50:21 [bhill2_]
... doesn't appear that any Google bug bounties used window.name as a vector
16:51:20 [mkwst]
bhill2_: Perhaps restricting character sets might be possible.
16:51:22 [bhill2_]
ccowan: if you restrict length, you will only break good applications, not malicious vectors
16:51:56 [bhill2_]
dveditz: not interested in changing charset or length, would break as much as flushing
16:52:06 [bhill2_]
... would be nice to flush if data shows we can do it without breakage
16:52:50 [bhill2_]
mkwst: planning on adding metrics to next version of chrome (54) will hit stable in 12-18 weeks
16:53:23 [bhill2_]
TOPIC: CORS for developers: adopt as WG note?
16:53:30 [bhill2_]
https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit#heading=h.gbk9567omrcz
16:54:36 [bhill2_]
interesting to publish as a WG note?
16:54:54 [bhill2_]
mkwst: I think so yes, would like to see more developer facing documentation from this group in general
16:55:02 [bhill2_]
... both historical explainers and how-tos
16:55:15 [bhill2_]
terri: agree, would like to do more in this area
16:56:41 [mkwst]
bhill2_: TPAC is coming.
16:56:49 [mkwst]
... In Portugal.
16:56:56 [mkwst]
... Our slot is Thursday and Friday.
16:57:00 [mkwst]
... After the AC meeting.
16:57:08 [bhill2_]
rrsagent, make minutes
16:57:08 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/07/13-webappsec-minutes.html bhill2_
16:57:12 [mkwst]
... Maybe everything with Fetch, etc will be resolved already!
16:57:18 [bhill2_]
zakim, list attendees
16:57:18 [Zakim]
As of this point the attendees have been bhill2, mkwst, estark, daniel, bates, terri, dveditz, teddink, tanvi, francois
16:57:23 [bhill2_]
rrsagent, make minutes
16:57:23 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/07/13-webappsec-minutes.html bhill2_
16:57:30 [bhill2_]
rrsagent, set logs world
16:58:55 [bhill2]
bhill2 has joined #webappsec
17:03:03 [bhill2]
bhill2 has joined #webappsec
17:03:27 [bhill2]
bhill2 has joined #webappsec
17:14:09 [tanvi]
tanvi has joined #webappsec
18:12:00 [bhill2_]
bhill2_ has joined #webappsec
19:10:28 [yoav]
yoav has joined #webappsec
19:23:34 [Zakim]
Zakim has left #webappsec
19:30:24 [bhill2]
bhill2 has joined #webappsec
19:38:48 [bhill2]
bhill2 has joined #webappsec
19:42:33 [bhill2]
bhill2 has joined #webappsec
19:47:06 [bhill2]
bhill2 has joined #webappsec
19:57:39 [tanvi]
tanvi has left #webappsec
20:42:22 [estark]
estark has joined #webappsec
21:03:55 [bhill2]
bhill2 has joined #webappsec