16:48:30 RRSAgent has joined #webappsec
16:48:30 logging to http://www.w3.org/2017/02/21-webappsec-irc
16:48:33 Zakim has joined #webappsec
16:48:35 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0024.html
16:48:45 wseltzer has changed the topic to: Meeting 21 Feb, Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0024.html
16:50:11 bhill2 has joined #webappsec
16:50:24 bhill2 has joined #webappsec
16:57:12 gmaone has joined #webappsec
16:58:07 present+ mkwst
16:58:14 Meeting: WebAppSec Teleconference 21-FEB-2017
16:58:16 present+ bhill2
16:58:23 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0024.html
16:58:29 Chairs: bhill2, dveditz
16:58:47 present+
17:01:42 present+
17:01:51 present+
17:03:21 deian has joined #webappsec
17:05:42 zakim, who is here?
17:05:42 Present: mkwst, bhill2, wseltzer, dveditz, gmaone
17:05:44 On IRC I see deian, gmaone, bhill2, Zakim, RRSAgent, timbl, yoav, jyasskin, ojan, jochen___, jww, slightlyoff, wseltzer, trackbot, freddyb, Agent_Smith_BR, gszathmari, adrianba,
17:05:44 ... jkt, Domenic, hadleybeeman, sangwhan, dbaron, dveditz, Josh_Soref, mkwst, timeless, MattN, crakrjak, tobie, Mek, schuki, terri, jcj_moz, Jb, mounir
17:06:04 TOPIC: agenda bashing
17:06:14 zakim is +646-821-1675
17:06:26 present+ deian
17:06:40 no additions
17:06:44 TOPIC: minutes approval
17:07:13 prior meeting minutes approved by unanimous consent: https://www.w3.org/2011/webappsec/draft-minutes/2017-01-25-webappsec-minutes.html
17:07:21 TOPIC: Recharter
17:07:56 wseltzer: draft charter has gone out to Advisory Committee, anyone who can, contact your AC rep and urge support
17:08:22 https://lists.w3.org/Archives/Public/public-new-work/2017Feb/0014.html
17:09:11 [[This Working Group will use the W3C Software and Document license for all deliverables.]]
17:09:17 https://www.w3.org/2011/webappsec/charter-2017.html
17:09:44 wseltzer: we have also updated to use a more permissive creative commons attribution license
17:09:52 mkwst: can we publish all of our new work under that license?
17:10:22 wseltzer: if anyone objects to re-licensing then we may need to discuss, otherwise charter says we will use the new license for all deliverables
17:10:40 mkwst: I would like to interpret it that way
17:11:00 dveditz: how about reach out to editors and see if anyone objects
17:11:44 wseltzer: goal is to make it easy to take excerpts for documentation, code, etc. permits forking but only w3c official version has the patent commitments
17:12:27 (actually I meant send an announcement to the mailing list that this is what we're doing, barring strenuous objections. And reach out to other editors to have them do the same)
17:12:32 TOPIC: Specs from CR -> PR -> REC
17:12:45 email reply on this from mkwst: https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0025.html
17:13:26 q+
17:13:58 mkwst: will look into HTML deps, but Fetch is more the outstanding question, whether we can make that work in the w3c context
17:14:38 ... bz has some clarity and definition comments for Mixed Content. Don't think he wants any normative changes, but restructuring may change words that have normative meaning
17:14:44 dveditz: don't see any open issues on the spec
17:15:07 ack wseltzer
17:15:24 wseltzer: working with PLH to address Fetch dependency concerns
17:16:08 bhill2: we have also made promises to keep an eye on things and move ahead in the past
17:16:18 wseltzer: we are working to satisfy director that we're doing that
17:16:29 ... also re: giving Fetch a forward reference from CORS
17:16:57 mkwst: link shows bz's questions about clarity of optionally blockable
17:17:02 ... plan to do that before moving forward
17:17:13 ... don't think that any tests will change
17:17:28 ... we should be able to make any changes in a non-normative way
17:17:44 ... looked at Mixed Content tests in WPT, vast majority look good and is fairly thorough
17:17:48 ... a couple have bitrotted
17:18:01 ... blink is now importing WPT w/ bi-directional sync
17:18:17 ... which is awesome, but also shows that many tests we wrote don't work the way we want
17:18:24 ... generally speaking, fairly good agreement between browsers
17:18:50 ... UIR is in a very similar situation. test suite in WPT not as robust
17:18:57 ... plan to upstream some of the blink tests
17:19:09 ... if FF folks also have tests to upstream, would be excellent to cooperate
17:20:14 ... three fairly robust implementations
17:20:40 ... Secure Contexts - not much normative by itself, defines hooks for other specs
17:21:18 ... only normative thing is window secure context attr
17:21:40 dveditz: we have a few issues at Mozilla. Literal localhost secure or not? As long as it resolves. We should just assume that it does.
17:21:50 ccowan: +1 to that
17:22:18 mkwst: section 5.2 says UAs may treat localhost as potentially trustworthy if they follow the local resolution rules
17:22:59 https://github.com/w3c/webappsec-secure-contexts/issues/43
17:23:01 dveditz: other one is about window.opener, has led some sites to break unless you refresh or kill the opener
17:23:02 https://github.com/w3c/webappsec-secure-contexts/issues/42
17:23:35 dveditz: think we need to resolve that issue before
17:23:42 ... we advance
17:25:31 shall we do UIR to Proposed Recommendation? 3 impls, no outstanding issues, Fetch integration is high-level
17:25:37 mkwst: will look at test suite upstreaming
17:25:42 bhill2: I will ping Apple re: same
17:25:53 TOPIC: Move UI Security Directives for CSP to NOTE status
17:26:19 https://www.w3.org/TR/upgrade-insecure-requests/
17:26:35 bhill2: The ED is from May 2016, pretty stale.
17:27:05 bhill2: Side conversations at TPAC; still interest in the concept, but will likely make progress as part of a v2 of Intersection Observer rather than this particular form.
17:27:16 bhill2: In the interest of clearing the slate, I think we should take it to NOTE.
17:27:33 ... Then monitor progress of intersection observer.
17:27:54 ... If the IPR commitments we've made in this group would be helpful to that effort, we can do a joint deliverable, etc.
17:28:04 dveditz: No luck getting our platform guys interested in this.
17:28:13 ... As much as it seems useful from NoScript's implementation.
17:28:24 https://w3c.github.io/webappsec-uisecurity/index.html
17:29:13 gmaone: If we build a mechanism through CSP or something else, we can assume that the page wants to be protected. So the overhead of a ClearClick-style solution is tough to justify.
17:29:23 ... Intersection Observer might be a better approach.
17:29:41 ... Looking closely at these anyway as a possible helper for a cross-platform solution for NoScript.
17:30:05 bhill2: If you look at the latest draft, it's rewritten to be in the style of Intersection Observers.
17:30:29 ... Now that Intersection Observers are final, I think enhancing that is a better route.
17:30:38 ... If no one's dying to implement this, then let's take it to NOTE.
17:30:40 sounds like consensus on call is to issue a broader CfC to take to note
17:31:03 TOPIC: Status for COWL
17:31:22 deian: I've been slow on this. There has been some implementation work.
17:31:33 ... Refactoring Firefox to deal with [...] iframes.
17:31:55 ... After talking to Joel, it seems like the right way to go is to deal with a confined iframe mechanism instead of dealing with WebSockets, etc.
17:32:03 ... Refactoring to eliminate access to these APIs.
17:32:16 ... I think I can get that done this week to reflect the changes in the implementation.
17:32:37 ... If it's possible to give it a little more time, I'd appreciate that.
17:32:56 bhill2: Not in any hurry, just a good time to take stock of where we are, have honest discussions about what's moving and what isn't.
17:33:06 ... If there's progress on adoption, we don't have to close the door on it today.
17:33:20 ... Joel's no longer at Google. ( :( )
17:33:40 ... Might want to talk to evn@, he's also looking at iframe-based isolation.
17:34:47 mkwst: Yeah, conversations are good to have. It's not at the top of our priority list, but it's worth talking about.
17:34:47 http://sirdarckcat.blogspot.com/2017/01/fighting-xss-with-isolated-scripts.html
17:35:14 TOPIC: Call structure for 2017. Back to spec-based calls?
17:36:22 bhill2: wseltzer, are there things you can tell us about other groups' structure, process?
17:36:38 ... What can we learn from how other folks structure their discussions? What can we learn from incubation model?
17:36:56 wseltzer: WICG is a thing, folks have been using it as a catch-all for new things.
17:37:06 ... I can ask the chairs what they're doing to monitor work for incubation.
17:37:23 ... W3C team is trying to keep an eye on CGs for things that might be ready to move to REC track work.
17:38:04 ... This group is free to pick up anything that fits within the chartered scope.
17:38:18 ... We have freedom to pick up interesting things without rechartering.
17:39:10 bhill2: Would it make sense to, as part of structuring call agendas around specific topics, do a check-in with folks working on those interesting things through WICG. CORS-RFC1918, etc.
17:39:30 wseltzer: SGTM. We're asking those communities to give us signals when they think their work is ready for wider review.
17:39:49 ... Surface those topics coming from folks we might not be as familiar with.
17:40:17 mkwst, any thoughts on how you would like to see this group interact with things in incubation?
17:40:31 mkwst: things that are relevant to this group are being done by the same people in this group
17:40:50 ... only distinction is the technical and legal distinction is that some things are directly covered and others are not
17:40:54 q+
17:41:19 ... would find input from this group to be valuable to things I'm working on in WICG
17:41:22 ack wseltzer
17:41:34 wseltzer: procedural steps most relevant is at time of publishing a FPWD
17:42:01 ... we can note things going on elsewhere and discuss under terms of CG process and then bringing onto REC track triggers CfC.
17:42:10 mkwst: good test case is suborigins spec
17:42:31 ... we never actually published a FPWD, have a fairly complete implementation in Chrome and want to move forward as an origin trial in relatively near future
17:42:49 ... since it hasn't been published; would be in incubation if that had existed, but now it is in limbo
17:42:57 ... we should clarify since Joel has left Google
17:43:58 ... we should communicate with him what future contributions he could make and on what terms
17:45:13 TOPIC: CSP embedded enforcement
17:45:26 mkwst: would like to ship in near future, feedback would be extremely helpful
17:45:54 https://w3c.github.io/webappsec-csp/embedded/
17:46:13 https://www.w3.org/TR/csp-embedded-enforcement/
17:46:30 mkwst: this is part of this group, we have a FPWD. incubation didn't exist
17:46:51 ... so this group should take a look, if not done, it is very close
17:48:09 mike also suggests attention to: https://github.com/whatwg/fetch/pull/465
17:48:23 and https://github.com/whatwg/fetch/pull/464
17:49:23 march also starts on a Wednesday, so next regularly scheduled call is on 15-Mar
17:49:27 thanks!
17:49:34 zakim, list attendees
17:49:34 As of this point the attendees have been mkwst, bhill2, wseltzer, dveditz, gmaone, deian
17:49:46 present+ ccowan
17:49:51 zakim, list attendees
17:49:51 As of this point the attendees have been mkwst, bhill2, wseltzer, dveditz, gmaone, deian, ccowan
17:49:55 rrsagent, make minutes
17:49:55 I have made the request to generate http://www.w3.org/2017/02/21-webappsec-minutes.html bhill2
17:49:59 rrsagent, set logs world
17:57:40 rrsagent, make minutes
17:57:40 I have made the request to generate http://www.w3.org/2017/02/21-webappsec-minutes.html wseltzer
17:58:26 i/ED is from May 2016/scribenick: mkwst
17:59:05 i/things that are relevant to this group are being done by the same people in this group/scribenick: bhill2
17:59:13 rrsagent, draft minutes
17:59:13 I have made the request to generate http://www.w3.org/2017/02/21-webappsec-minutes.html wseltzer
17:59:48 i/no additions/scribenick: bhill2
17:59:50 rrsagent, draft minutes
17:59:50 I have made the request to generate http://www.w3.org/2017/02/21-webappsec-minutes.html wseltzer
18:02:26 rrsagent, you should use HTTPS
18:02:26 I'm logging. I don't understand 'you should use HTTPS', wseltzer. Try /msg RRSAgent help
18:03:53 thanks, wseltzer
18:17:42 wseltzer has changed the topic to: Next meeting 15 March
18:29:28 gmaone has joined #webappsec
19:29:39 bhill2 has joined #webappsec
19:31:46 bhill2_ has joined #webappsec
20:04:20 Zakim has left #webappsec
20:22:13 timbl has joined #webappsec
20:31:15 timbl has joined #webappsec
21:01:00 bhill2 has joined #webappsec
21:01:23 bhill2 has joined #webappsec
21:09:12 timbl has joined #webappsec
21:48:03 timbl has joined #webappsec