12:04:03 RRSAgent has joined #isolation
12:04:03 logging to http://www.w3.org/2016/09/21-isolation-irc
12:04:10 mkwest: would like to talk about a few isolation proposals that have come up lately
12:04:11 Zakim has joined #isolation
12:04:16 RobTrace has joined #isolation
12:04:17 … have some goals on the Chrome team for this kind of thing
12:04:18 annevk has joined #isolation
12:04:24 … Moz does too, not sure those are the same goals
12:04:32 … what are we talking about here?
12:04:48 … many devs are building important, security-critical apps that they would like to be on the web
12:04:57 … muchos advantages of being on the web
12:05:05 … some applications, the web is v scary
12:05:19 … one app, at Google, Chrome app… as opposed to a web site
12:05:25 … bc afraid of being on the web
12:05:34 … other entities can talk to you, not good
12:05:50 … bug in the browser can allow evil.com to read state from your origin
12:06:07 … [something] allows deployment on Google's servers
12:06:20 … deploy as a Chrome app as opposed to web app, gave isolation properties
12:06:35 … forced process isolation, impossible to accomplish direct communication
12:06:50 … navigation from the web to this app is impossible, CSRF is no longer a threat
12:07:08 … impossible to get a window handle to this app
12:07:20 … can open, but can't post-message, send-message, look through frames
12:07:33 … app opens a window, don't get a window opener back to the app
12:07:47 … this seems like a failure of the web
12:07:54 … shouldn't force building of a native app
12:07:56 bz has joined #isolation
12:08:08 … @estark on Chrome team have been kicking around
12:08:18 … some ways to apply isolation to the web
12:08:25 … in ways that are compat with web, and of the web
12:08:31 … document here
12:08:32 https://mikewest.github.io/isolation/explainer.html#isolation
12:08:42 … idea is to spell out a threat model
12:08:48 wseltzer has joined #isolation
12:08:52 … kinds of isolation that are relevant that we'd like to provide
12:08:54 rrsagent, pointer?
12:08:54 See http://www.w3.org/2016/09/21-isolation-irc#T12-08-54
12:08:59 … not complete, but a good start to the convo
12:09:17 rrsagent, make logs public
12:09:25 … doc walks through threat model, policy options to allow web sites to implement isolation
12:09:36 … and spells out the attacks this can protect against
12:09:39 … a few ways this can go further
12:09:47 … valuable to have a communication barrier
12:09:58 … i.e., cutting off handle to windows
12:10:07 … also navigation into those windows blocked
12:10:15 … proposal last year Entry Point Regulation
12:10:21 http://www.collinjackson.com/research/papers/appisolation.pdf
12:10:21 … based on:
12:10:25 … ^^^
12:10:39 … spells out a similar idea in terms of threat model and iso techniques
12:10:54 … inspired site isolation effort in Chrome
12:11:04 … allow sites to force separate processes
12:11:11 … massive arch effort in Chrome
12:11:17 … will be live in Chrome 55
12:11:33 … want to get to a place where every site is in a different process
12:11:51 … need to figure out how sites can signal to a browser that they are important and should be a separate process
12:12:02 … i.e., don't expose me to universal CSRF
12:12:21 annevk: Moz mostly interested in running a document in its own process
12:12:35 … there is a sig. number of 32-bit computers out there
12:12:50 … allocating large buffers can run into address exhaustion problem
12:13:05 … ran into it with Unity (?) who wants to get more games on the web
12:13:14 … they don't want double-keying
12:13:24 … but separate processes
12:13:36 … add some flag, [?]
12:13:45 mkwest: talk about containers project
12:13:57 annevk: containers is browser-in-a-browser idea
12:14:02 … paper just linked to
12:14:18 Tomoyuki has joined #isolation
12:14:20 … open a new container tag, won't be logged into FB anymore, for example
12:14:35 … everything has a container key (an extra key) added
12:14:42 … separate connection pool, etc.
12:14:46 mkwest: user-facing feature
12:15:06 igarashi has joined #isolation
12:15:12 … part of inspiration here was to take the user-facing feature and make it a dev feature
12:15:19 … something here would be pretty valuable
12:15:28 https://mikewest.github.io/origin-policy/
12:15:30 dbaron has joined #isolation
12:15:33 … may tie this to another proposal origin policy
12:15:33 jungkees has joined #isolation
12:15:42 ???: DPUB...
12:15:58 … we don't want one book/document to influence another book/doc
12:16:05 … don't want sharing of local storage
12:16:18 mkwest: that's an interesting use-case
12:16:24 … probably better served by sub-origin
12:16:39 s/???/Leonardo/
12:16:40 … multiple books on a single origin… book1.books.com book2.books.com
12:16:40 https://w3c.github.io/webappsec-suborigins/
12:16:42 rrsagent, make minutes
12:16:42 I have made the request to generate http://www.w3.org/2016/09/21-isolation-minutes.html Tomoyuki
12:17:03 Leonardo: don't understand the diff between iso and sub-origins
12:17:11 mkwest: iso proposes to isolate an origin entirely
12:17:15 … we have SOP
12:17:32 … evil.com can't get example.com's storage, but can open, post messages, etc.
12:18:07 dbaron: to summarize: this is about making the restrictions of SOP stronger
12:18:17 … suborigins is about [?]
12:19:01 mkwest: my goal is that we want to make sure folks don't have to build Chrome apps
12:19:16 … what do folks want to do?
12:19:32 mikeo'neil: what about the origin policy?
12:19:50 mkwest: idea about origin policy is to set properties for an origin instead of a resource
12:20:03 … can set a CSP for a document, but doesn't have any impact on the origin itself
12:20:16 … other headers, HSTS, have origin-wide impact delivered by a resource
12:20:26 mkwst: think of a manifest for an origin
12:20:32 … origin policy defines a manifest for an origin
12:20:44 … and a set of headers pinned to the origin
12:20:50 … lives in a WK location
12:21:12 … e.g., go to example.com… here's the document, go get this manifest file (synchronous request)
12:21:21 … think this should be good with h2 and PUSH
12:21:30 … make rq, parse manifest
12:22:27 s/suborigins is about [?]/suborigins is about dividing the origins more finely/
12:23:20 https://mikewest.github.io/origin-policy/
12:24:02 mkwst: this is origin-based, not resource-specific
12:24:45 ... should probably update the navigation proposed
12:25:11 @@: synchronous? like XHR?
12:25:17 mkwst: async, but blocks navigation
12:25:30 ... navigation does not complete until you get a response
12:26:00 s/@@/Dom/
12:26:22 ... the resource you're requesting has response headers that assert sthg about manifest
12:26:35 ... that tells browser to get manifest (from cache, from push, from server)
12:26:49 ... apply it to response before you return from navigation/fetch
12:27:00 ... I think it would be ok to apply to subresources, but room to argue
12:27:09 Dom: that's the kind of reassurance was looking for
12:27:48 @@: I have a page with a bunch of images. One gets the header, does it block the other images?
12:27:58 ... I think that will cause interop problems
12:28:10 s/@@/bz/
12:28:11 mkwst: goal, that this is something origin asserts when you nav to the homepage
12:28:37 ... compare HSTS
12:28:54 bz: failure modes if you don't apply STS might be worse
12:29:00 mkwst: open to discussion
12:29:09 ... something in the response causes policy to be applied
12:29:15 ... might be ext resource
12:29:20 aliams has joined #isolation
12:29:26 leonardo: suborigins?
12:29:32 present+ Ali_Alabbas
12:29:33 mkwst: yet to be determined
12:30:41 ... Subdomains are separate origins.
12:30:59 annevk: when are you shipping this?
12:31:09 mkwst: it's lots of work. I hope Moz can get there quickly from containers
12:31:23 ... not shipping tomorrow
12:31:43 AdrianHB: Can a server ask a browser if it supports?
12:32:01 ... e.g. very important bank wants to know or tell you to dl the app
12:32:12 mkwst: not yet. possibly header
12:32:53 mkwst: I think it's the case that there are browsers that can't do process separation; and chrome isn't going to guarantee process separation
12:34:00 mkwst: defense in depth
12:34:11 ... this doesn't substitute for CSRF protection
12:34:52 ... EPR didn't go far because people didn't like its relation to linkability on the web
12:35:11 ... hope this proposal has more support because server rather than UA-forcing
12:36:40 ... possibilities, make this a new element in foreign fetch
12:36:51 ... trying to respond to needs and keep webby properties
12:37:17 bz: how do you provide protections in such a way that they're useful if not everyone is on a freshly minted browser
12:37:43 mkwst: couch it in properties we already have, e.g. x-frame-options, but can't block headers
12:38:01 ... maybe isolation proposal just becomes a collection of small things
12:38:14 bz: assuming you don't want to mint a new protocol
12:38:35 mkwst: that's worse, would completely break compatibility
12:38:56 @@: restrictions on navigations? post different from get?
12:39:10 mkwst: they're both dangerous. servers clearly don't consider get idempotent
12:39:50 ... if we leave it up to the server, via preflights or foreign fetch
12:40:08 ... or limited declarative policy, but wouldn't treat get/post differently
12:40:18 annevk: even post needs to be implemented retry-safe
12:40:47 bz: can't the server always return an error page?
12:40:56 ... what do they want to know that they don't know now to make that decision?
12:41:12 mkwst: origin headers not sent, form posts in firefox, e.g.
12:41:29 annevk: we basically need a new origin header
12:41:41 ... because the current one is mostly used for CORS
12:42:06 mkwst: cases where origin info is missing
12:42:18 ... foreign fetch might give what they need
12:42:36 annevk: foreign fetch isn't quite settled yet
12:42:45 ... Apple has different cookie storage policy
12:43:14 mkwst: hard to know what it means for suborigins and cookies
12:43:24 ... one idea: subkey cookies
12:43:44 ... what does that do to OAUTH flows
12:44:07 ... killing auth makes it difficult for google to use
12:44:49 @@: app manifest
12:45:01 mkwst: might well be possible to merge them
12:45:21 ... a few design differences
12:45:29 bz: fail open, closed, or up to the server
12:45:38 ... foreign fetch fails open
12:45:45 ... origin header, leaves to server
12:45:52 ... which do we want here?
12:46:47 mkwst: several new features, we've said are optional on the client
12:47:07 AdrianHB: If I can ask you to spawn new processes, that's an attack vector
12:47:25 annevk: at what level do you need to know it doesn't work
12:48:17 mkwst: possible where in the process that service worker comes in
12:50:11 mkwst: you don't necessarily know at request time whether you have a process free
12:50:52 ... private repo, I'll probably move it to WICG
12:50:57 ... discuss in webappsec
12:51:07 ... issues in the github repo
12:51:12 rrsagent, make minutes
12:51:12 I have made the request to generate http://www.w3.org/2016/09/21-isolation-minutes.html wseltzer
12:51:19 ty wseltzer!