15:22:47 <RRSAgent> RRSAgent has joined #webappsec
15:22:47 <RRSAgent> logging to http://www.w3.org/2017/04/19-webappsec-irc
15:23:25 <wseltzer> wseltzer has changed the topic to: Meeting 19 April https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0028.html
15:23:28 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0028.html
15:44:47 <timbl> timbl has joined #webappsec
15:54:01 <JohnWilander> JohnWilander has joined #webappsec
15:54:15 <JohnWilander> present+
15:58:31 <gmaone> gmaone has joined #webappsec
15:59:45 <bhill2> bhill2 has joined #webappsec
15:59:57 <bhill2> rrsagent, begin logging
15:59:57 <RRSAgent> I'm logging. I don't understand 'begin logging', bhill2.  Try /msg RRSAgent help
16:00:26 <ArturJanc> ArturJanc has joined #webappsec
16:00:58 <battre> present+
16:01:04 <jochen___> present+
16:01:20 <gmaone> present+
16:02:18 <dveditz> present+
16:02:18 <ArturJanc> present+
16:02:47 <deian> deian has joined #webappsec
16:02:51 <zkoch> zkoch has joined #webappsec
16:02:56 <plh_> plh_ has joined #webappsec
16:02:59 <plh_> present+
16:03:05 <mkwst> present+
16:03:54 <terri> present+
16:04:04 <deian> present+
16:04:20 <bhill2> present+ bhill2
16:04:32 <bhill2> zakim, who is here?
16:04:32 <Zakim> Present: JohnWilander, battre, jochen___, gmaone, dveditz, ArturJanc, plh_, mkwst, terri, deian, bhill2
16:04:34 <estark> estark has joined #webappsec
16:04:35 <Zakim> On IRC I see plh, zkoch, deian, ArturJanc, bhill2, gmaone, JohnWilander, timbl, RRSAgent, Zakim, terri, francois, battre, Agent_Sm1th_BR, gszathmari, lukasz, wseltzer, tobie,
16:04:35 <Zakim> ... sangwhan, jyasskin, mounir, Jb, MattN, jcj_moz, schuki, timeless, adrianba, crakrjak, jochen___, Mek, ojan, slightlyoff, jww, Domenic, hadleybeeman, mkwst, Josh_Soref, jkt,
16:04:35 <Zakim> ... dbaron, dveditz, trackbot
16:04:47 <bhill2> Meeting: WebAppSec Teleconference, 19-April-2017
16:05:14 <bhill2> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0028.html
16:05:18 <bhill2> bhill2 has changed the topic to: https://lists.w3.org/Archives/Public/public-webappsec/2017Apr/0028.html
16:05:37 <wseltzer> present+
16:05:41 <mark> mark has joined #webappsec
16:05:41 <wseltzer> zakim, who is here?
16:05:41 <Zakim> Present: JohnWilander, battre, jochen___, gmaone, dveditz, ArturJanc, plh_, mkwst, terri, deian, bhill2, wseltzer
16:05:44 <Zakim> On IRC I see mark, estark, plh, zkoch, deian, ArturJanc, bhill2, gmaone, JohnWilander, timbl, RRSAgent, Zakim, terri, francois, battre, Agent_Sm1th_BR, gszathmari, lukasz,
16:05:44 <Zakim> ... wseltzer, tobie, sangwhan, jyasskin, mounir, Jb, MattN, jcj_moz, schuki, timeless, adrianba, crakrjak, jochen___, Mek, ojan, slightlyoff, jww, Domenic, hadleybeeman, mkwst,
16:05:44 <Zakim> ... Josh_Soref, jkt, dbaron, dveditz, trackbot
16:05:46 <estark> present+
16:06:50 <bhill2> TOPIC: agenda bashing
16:06:54 <bhill2> no new suggestions
16:07:30 <bhill2> dveditz notes that there is discussion on list of serializing of suborigins, but right people probably not on the call today, better left to list and github issue discussion for now
16:07:57 <jochen___> we still don't have two implementations of everything
16:08:06 <wseltzer> q+
16:08:20 <estark> Chrome doesn't have 3 of the policy values implemented
16:08:23 <jochen___> yes!
16:08:27 <jochen___> and estark :)
16:08:35 <jochen___> Firefox needs to implement the CSS bits
16:08:58 <bhill2> TOPIC: next steps for referrer policy
16:09:10 <bhill2> estark: still need to implement new policy values and firefox needs to do css things
16:09:22 <wseltzer> q-
16:09:31 <bhill2> TOPIC: rechartering
16:09:46 <bhill2> approved, https://lists.w3.org/Archives/Public/public-webappsec/2017Mar/0042.html
16:09:55 <bhill2> please ask your AC rep to re-join
16:10:04 <bhill2> TOPIC: UISecurity to NOTE status
16:10:23 <bhill2> dveditz: no objections on list or call so time to complete this
16:10:33 <bhill2> TOPIC: COWL spec update
16:11:03 <bhill2> deian: on implementation side, hired someone to work on the implementation full time, would like to bring him to work on the spec too, if possible
16:11:24 <bhill2> ... Abdul, a masters student started hacking on the chrome implementation a few weeks ago, want to talk to chrome team about exposing behind a flag
16:11:44 <bhill2> ... still refactoring after talking to Eduardo about his isolation proposal, a bigger overhaul than I thought it would be
16:11:57 <bhill2> ... in original spec, top level pages could drop privileges even if they couldn't be tainted
16:12:31 <bhill2> ... now that's no longer possible so you can only do interesting things in iframes, in long run this may be better as covert channels are less in out of process iframes
16:12:45 <bhill2> ... if someone can help me bikeshed it in the next few weeks that would be nice
16:13:25 <bhill2> bhill2: to clarify on bikeshedding?  actual discussion bikeshedding?
16:13:46 <wseltzer> q+
16:13:47 <bhill2> deian: yes, as in we are talking with Eduardo, so we are looking for design review on use cases, etc.
16:14:27 <bhill2> deian: would be nice to have a uniform way to interpose on postMessage the way we have with Fetch, since this is needed for suborigins as well
16:14:41 <jochen___> currently trying to refactor how suborigins hooks into postMessage: https://github.com/w3c/webappsec-suborigins/pull/67
16:14:47 <jochen___> comments welocme
16:15:16 <bhill2> ... would also be nice to extend the secure contexts notion to be able to disable certain features / APIs  in a confined iframe similar to as with http
16:15:19 <ArturJanc> for disabling certain APIs in COWL world maybe you can lean on the Feature Policy
16:16:09 <bhill2> deian: one thing we'd like to do is not allow websockets, for example, since overhauling to work with information flow seems like too much for now
16:16:18 <bhill2> ... I should look at feature policy
16:16:32 <wseltzer> q-
16:17:10 <bhill2> bhill2: working on Chrome you say, still working on Firefox?
16:17:22 <bhill2> deian: yes, a little slower, there is a team on CMU working on it
16:18:15 <jochen___> \o/
16:18:18 <bhill2> bhill2: might be interesting to find a way to have a more extended discussion with COWL, Suborigins, Feature Policy teams about common mechanisms for these different approaches
16:19:07 <bhill2> bhill2: let's propose that kind of meeting on the list to try to illuminate the core platform features that these things have in common
16:19:25 <bhill2> TOPIC: Upgrade Insecure Requests spec update
16:19:48 <bhill2> mkwst: this will be relatively short, not much of an update
16:19:55 <bhill2> ... on chrome, we are upstreaming tests to WPT
16:20:20 <bhill2> ... we've also found one issue that Emily is working on, we are not doing CSP reporting correctly, should be reporting before but are reporting after
16:20:34 <bhill2> ... patch in place that should land relatively soon, similar with redirects
16:20:45 <bhill2> ... I think we have interoperable implementations
16:21:21 <bhill2> ... we should verify that, but from a spec POV we are good and should move to PR once we have tests to back up that
16:21:36 <bhill2> devditz: does spec expect reporting to be synchronous?
16:22:21 <bhill2> mkwst:(summarized) we want CSP to be useable for detecting links that are not upgraded, while also supporting automatic upgrade
16:22:34 <bhill2> ... so reporting and enforcement are separate steps
16:23:00 <bhill2> dveditz: I'm reasonably sure that in Firefox the reporting and blocking are bound up in the same code
16:23:20 <bhill2> mkwst: in a lot of our tests we rely heavily on the DOM event so we don't have to go up to the server, but that doesn't work so well in firefox
16:23:43 <bhill2> ... it would be really good to get that event implemented so we could more easily write reusable tests for WPT
16:23:57 <bhill2> dveditz: I keep trying to make that a priority but it unfortunately isn't at the time
16:24:38 <bhill2> ... anecdotally, we got reports of someone who can't login to an old linksys router due to upgrade insecure requests, but somehow chrome works fine
16:25:35 <bhill2> TOPIC: Credential Management
16:26:12 <bhill2> mkwst: we've had robust conversations recently with the WebAuthN WG to bring FIDO work into a web-facing API
16:26:27 <dveditz> in this particular case it didn't kill the gear, Firefox lost a user
16:26:29 <bhill2> ... we're coming to the conclusion that it would be good if WebAuthN was structured as an extension of the CredMgr spec
16:26:51 <bhill2> ... we've rewritten it in a way that doesn't change it for developers but makes the extension mechanism more clear
16:27:13 <bhill2> ... and more useful for the types of extensions that would be useful for WebAuthN and other things people are thinking about
16:27:19 <bhill2> ... we've made some API changes
16:27:30 <bhill2> ... user mediation is now an enum vs. a boolean
16:27:41 <bhill2> ... previously allowed for potential of UI, but not required mediation
16:28:05 <bhill2> ... now you can do silent, potential UI but accepts silent, and a require user mediation as policy states for thaat
16:28:09 <bhill2> s/thaat/that
16:28:24 <bhill2> mkwst: we also added an async constructor for all credential types, new create method to navigator.credentials
16:28:45 <bhill2> ... need this for WebAuthN because they can only be created in an async fashion by talking to an external device
16:29:08 <bhill2> ... also gives user agents an opportunity to interject and do things like password generation while interacting with the user, which requires an async mechanism
16:29:18 <bhill2> ... navigator.credentials.create will return a promise
16:29:59 <bhill2> ... Domenic is probably on call and manages password mgr
16:30:17 <bhill2> domenic: we've had some reports of usability issues around use of Fetch
16:30:31 <bhill2> ... some website expect a JSON object, others process passwords before sending it along
16:31:00 <bhill2> ... by not exposing the credentials this is broken, and hiding the credential from the website doesn't provide that much extra security in XSS scenarios
16:31:46 <bhill2> ... e.g. by switching form fields.   After discussing with our security team, cred mgr API is a path forward to stronger credentials and it is good to make this sacrifice against XSS protection
16:32:17 <bhill2> ... in order to move the web forward faster towards better credential types by by not hindering adoption of cred mgr with this restriction
16:32:29 <JohnWilander> q+
16:32:45 <bhill2> ack JohnWIlander
16:33:24 <bhill2> JohnWilander: question about javascript access to credentials, could that be done by registering a function to apply without exposing it
16:33:40 <deian> cowl :)
16:33:46 <dveditz> :-)
16:34:25 <jochen___> the other problem was that ppl weren't able to change the server side
16:34:30 <bhill2> (can someone help the scribe with the proper spelling of the speaker's name, I was attempting to crib from irc nicks in the room and got it wrong)
16:35:40 <bhill2> mkwst: passwords are bad and we want to get rid of them, better to help users use password managers and better credentials than trying to protect use of passwords from XSS
16:36:17 <JohnWilander> q+
16:36:19 <bhill2> ... as lcamtuf noted in postcards from a post-xss world, it's totally possible to exfil data, fixing those seems for now more costly than it was worth
16:36:30 <bhill2> ack JohnWilander
16:36:47 <bhill2> JohnWilander: betting on passwords going away doesn't seem like it will happen before I retire
16:37:03 <bhill2> ... especially with two-factor, there will still be a password and then something else
16:37:06 <bhill2> mkwst: yes
16:37:38 <bhill2> ... webauthn has the notion of authenticators that are first factors in and of themselves
16:38:09 <bhill2> ... you can imagine something more capable than a security key today that could use biometrics or magic that can provide identity in addition to device and user presence
16:38:31 <bhill2> ... even if you don't buy that, I still think that the goal of increasing the usability of password managers is a win
16:38:51 <bhill2> ... they are defended against phishing in ways that are more important that defending against content injection at legitimate sites
16:38:57 <mkwst> JohnWilander: https://github.com/w3c/webappsec-credential-management/pull/76 <--
16:39:09 <bhill2> JohnWilander: can we discuss on the list this particular tradeoff?  so it is recorded
16:39:23 <bhill2> mkwst: see that pull request
16:40:38 <bhill2> mkwst: we have a model that works for the credentials we know about today, but want to think about and get feedback so extension points support things we may want in the future
16:40:44 <bhill2> ... more eyes would be super helpful
16:41:28 <wseltzer> -> https://github.com/w3c/webauthn/pull/384 PR 384, Strawman of an integration between WebAuthn and Credential Management
16:42:27 <bhill2> ... more eyes from WebAppSec on that PR would be awesome
16:43:23 <mkwst> bhill2: Edge 15 released.
16:43:26 <dveditz> TOPIC: late agenda bashing
16:43:33 <mkwst> ... CSP2. Nonces! frame-ancestors!
16:43:49 <jochen___> and unprefixed Web Auth (?) cf jakob rossi
16:44:11 <mkwst> ... Crispin Cowan left Microsoft. We should encourage MS to continue their engagement with this group.
16:44:28 <mkwst> plh: I can help with that. Happy to poke people.
16:45:44 <bhill2> fb.me/recovery
16:45:47 <mkwst> bhill2: Credential recovery mechanism launched recently.
16:45:50 <bhill2> http://fb.me/recovery
16:45:51 <puhley> puhley has joined #webappsec
16:46:12 <mkwst> ... https://fb.me/recovery
16:46:32 <mkwst> ... This seems like a more secure solution than other recovery mechanisms out on the market today.
16:46:41 <mkwst> ... Would love to work with other companies!
16:46:56 <dveditz> q+
16:47:19 <dveditz> q+ potential topics/specs for next time
16:47:25 <JohnWilander> q+
16:47:25 <bhill2> (spec is at: https://github.com/facebook/DelegatedRecoverySpecification)
16:47:44 <bhill2> mkwst: would like to resurface discussions about associated origins
16:47:45 <battre> https://developers.google.com/digital-asset-links/v1/getting-started
16:47:47 <dveditz> q+ to talk about potential topics/specs for next time
16:47:53 <bhill2> ... both apple and google have ways to do this for credential sharing
16:48:05 <bhill2> ... would be interesting to figure out if there is appetite for doing things like that more broadly
16:48:12 <bhill2> ... is there a cowpath to be paved here?
16:48:35 <bhill2> ... seems like there is some level of commonality
16:48:43 <bhill2> mike, there is also this from FIDO days: https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-appid-and-facets-ps-20141009.html
16:49:06 <battre> https://developer.apple.com/reference/security/shared_web_credentials
16:49:56 <bhill2> mkwst: also prior work in DBOUND, so =JeffH would want to discuss
16:50:07 <bhill2> ... though it seems like what apple and google have come up with is pretty different
16:50:32 <bhill2> dveditz: possible interest at Moz, we keep building and disbanding password manager groups as priorities change
16:50:35 <bhill2> qa/
16:50:36 <bhill2> q?
16:51:12 <bhill2> ack JohnWilander
16:51:20 <dveditz> q-
16:51:25 <bhill2> JohnWilander: I do think it's on me to continue the thread I started
16:51:46 <bhill2> ... should probably fork off the whole thread on shared credentials
16:52:48 <bhill2> TOPIC: agenda for next call
16:53:18 <jochen___> I'm here
16:53:19 <bhill2> dveditz: Suborigin has had active list discussions lately
16:53:39 <bhill2> mkwst: jochen has taken over for joel, seems like talking about it next month would be a good idea
16:54:12 <estark> I've been meaning to send around a rough spec for Isolate-Me (wicg.github.io/isolation/index.html), maybe if we put that on the agenda for next time it'll force me to actually send it out
16:54:39 <bhill2> bhill2: I think dev ususally has a conflict with this time, but maybe we can give him enough notice or give everyone else enough to shift this call an hour or a day if needed to get both him and jochen on the call
16:55:24 <bhill2> dveditz: clear site data?
16:56:28 <adrianba> we still have people from Microsoft who are members of this group - i'll figure out who is going to pick up the engagement from crispin
16:56:41 <dveditz> thanks, adrianba
16:57:43 <bhill2> rrsagent, make minutes
16:57:43 <RRSAgent> I have made the request to generate http://www.w3.org/2017/04/19-webappsec-minutes.html bhill2
16:57:43 <deian> thanks all
16:57:47 <bhill2> rrsagent, set logs world
17:27:50 <Agent_Smith_BR> Agent_Smith_BR has joined #webappsec
17:29:01 <mkwst> wseltzer: https://www.w3.org/2017/04/19-webappsec-minutes.html is throwing a 404. Does RRSAgent just take some time?
17:32:12 <wseltzer> rrsagent, make minutes
17:32:12 <RRSAgent> I have made the request to generate http://www.w3.org/2017/04/19-webappsec-minutes.html wseltzer
17:32:28 <wseltzer> mkwst, I'll check...
17:32:47 <wseltzer> now live
17:32:48 <mkwst> wseltzer: Working now. You're magic!
17:55:00 <timbl> timbl has joined #webappsec
19:11:46 <gmaone> gmaone has joined #webappsec
19:38:21 <Zakim> Zakim has left #webappsec
19:40:47 <francois> francois has joined #webappsec
20:11:27 <yoav> yoav has joined #webappsec