16:02:24 RRSAgent has joined #webappsec
16:02:24 logging to http://www.w3.org/2017/09/20-webappsec-irc
16:02:26 Zakim has joined #webappsec
16:05:44 present+
16:05:55 present+ wseltzer, weiler, mkwst
16:05:57 present+ ArturJanc
16:06:11 Zakim, who is here
16:06:11 dveditz, you need to end that query with '?'
16:06:14 Zakim, who is here?
16:06:14 Present: dveditz, wseltzer, weiler, mkwst, ArturJanc
16:06:15 On IRC I see RRSAgent, ArturJanc, Mark, weiler, yoav, Agent_Smith_BR, jyasskin, lfaraone, terri, sangwhan, mkwst, Josh_Soref, ojan, Mek, slightlyoff, tobie, battre, timeless,
16:06:15 ... Domenic, gszathmari, dveditz, jww, jkt, Jb_, MattN, trackbot, mounir, adrianba, hadleybeeman, jochen___, jcj_moz, dbaron, wseltzer
16:07:21 chair: dveditz
16:07:29 topic: Agenda Bashing
16:07:32 present+ JonBarber
16:08:16 https://www.w3.org/2017/08/16-webappsec-minutes.html
16:08:51 dveditz: minutes approved
16:09:03 ... TPAC is coming; register before Oct. 7 for early-bird rates
16:09:23 ArturJanc: I will most likely be there
16:09:28 mkwst: I'll be there too
16:10:10 dveditz: Mozilla will send me, Tanvi, and Christoph
16:10:27 q+
16:11:10 https://www.w3.org/2002/09/wbs/101147/cors-obs-2017-09/results
16:12:29 wseltzer: Currently AC review of Obsoleting Fetch
16:13:28 dveditz: there was also a request on the chairs' list to publish a snapshot of Fetch
16:13:38 ... my sense is that this group would support doing that
16:14:03 mkwst: I'm surprised; let's find a venue in which to discuss response
16:14:28 jeffh has joined #webappsec
16:17:05 dveditz: even a supporter prefers the term "Superseded"
16:17:46 wseltzer: I'll ping some AC reps too
16:17:55 dveditz: and I'll encourage Mozilla
16:18:15 dveditz: what specs should we push at TPAC?
16:18:29 mkwst: @@ and Upgrade Insecure Requests
16:18:42 ... we have test suites
16:18:59 s/@@/Mixed Content/
16:19:02 ... and a couple of others
16:19:17 ... Some specs with lesser implementation status
16:19:30 ... Credential Management, webauthn dependence
16:19:39 ... Clear Site Data is shipping in Chrome
16:19:46 ... Embedded Enforcement too
16:19:53 ... so we could move those toward CR
16:20:06 ... For me, the elephant is CSP3
16:20:36 ... plodding along; a colleague will be giving more attention to it
16:20:54 ... probably not ready for CR by TPAC, but we should be thinking about it
16:21:22 ... Some new things, including some from Artur, that I hope we can discuss F2F
16:21:40 ArturJanc: A couple things
16:21:48 ... Origin Policy and Isolation proposal
16:21:57 ... also Suborigins and Origin Attributes
16:22:13 s/proposal/proposal Tanvi and Emily have been talking about/
16:22:38 dveditz: Some of those things are in WICG.
16:23:08 mkwst: I think WebAppSec has the right group of people, it's a reasonable target destination for many of these specs when they're ready
16:23:16 ... I'd like them to be on WebAppSec's radar
16:23:23 q+
16:24:06 dveditz: want to work nicely with WICG
16:24:15 mkwst: I don't think they'll mind if we talk about their work
16:24:55 ... for the things I'm working on, I'd love to talk about them here
16:26:04 wseltzer: I believe these are in general scope of WebAppSec charter;
16:26:25 ... doesn't hurt to communicate with WICG
16:26:32 dveditz: anything else on TPAC?
16:27:04 ... First day (Monday) will focus on specs that are nearly done, moving those forward
16:27:18 ... and second day, continue that if necessary, then move on to potential new work, WICG
16:27:25 Topic: Secure Contexts
16:27:32 dveditz: one thing challenging Moz
16:27:41 ... if opener is insecure page, then it's not secure context
16:27:49 ... that doesn't appear to be the way Chrome works,
16:27:55 ... and it's not what we'd want
16:28:05 mkwst: sounds like a bug; I messed up the implementation
16:28:16 ... unfortunate, because some people have started to rely on it
16:28:27 ... especially around notifications
16:28:44 ... folks have been popping up push notifications from insecure page
16:28:49 ... that's unfriendly
16:29:58 dveditz: it's asymmetric
16:30:14 mkwst: suggestion of rolling back this requirement would make developers happy
16:30:53 dveditz: maybe instead there's a way to break the opener relationship
16:31:01 mkwst: service workers @@
16:31:10 ... Please file a bug
16:31:18 ... and we can discuss there
16:31:40 dveditz: If Boris hasn't already filed an issue, I'll check and file one
16:31:54 dveditz: AOB?
16:32:26 ArturJanc: A possible topic
16:32:42 ... features that possibly subvert CSP
16:32:47 ... Safe Types proposal
16:33:08 ... can we discuss interactions between browsers and JS frameworks and what they're providing to developers
16:33:13 ?
16:33:27 ... Is there interes?
16:33:35 s/interes/interest/
16:33:50 Trusted Types: https://github.com/mikewest/trusted-types
16:34:31 Anubha has joined #webappsec
16:35:10 mkwst: research on gadgets is intriguing
16:35:21 ... Trusted Types might eventually lead to better patterns
16:35:28 ... so it would be useful to talk about those things
16:35:56 dveditz: Artur, what name should we give that topic?
16:36:09 ArturJanc: Script Gadgets will be understandable to security folks
16:36:24 dveditz: risks raised by script gadgets?
16:36:26 ArturJanc: sounds good
16:36:51 mkwst: Let's also reach out again to Apple
16:37:03 ... they had raised a few topics a few months ago
16:37:31 ... something like single-origin app, and domain binding
16:37:44 ... If they were interested in presenting in more detail, would be good
16:37:53 [no one from Apple on the call today]
16:38:14 dveditz: some fits with Origin Attributes discussion
16:38:38 mkwst: there's currently a call for adoption in DNSOP WG at IETF
16:38:52 ... re let Localhost be bound to loopback addresses only
16:38:57 ... relevant to secure contexts
16:39:12 ... namely, question whether localhost can be secure context
16:39:25 ... please think about whether you support, and say so on-list
16:39:56 https://www.ietf.org/mail-archive/web/dnsop/current/msg20963.html
16:40:00 ... call closes today, so add if you support
16:40:04 jeffh: you support it?
16:40:07 https://datatracker.ietf.org/doc/draft-west-let-localhost-be-localhost/
16:40:10 mkwst: I wrote it, so yes
16:40:11 dunno as yet
16:40:27 s/dunno as yet//
16:40:29 dveditz: I personally support it
16:40:44 ... not sure the concerns of our networking folks
16:41:05 mkwst: would be good to hear more
16:41:39 dveditz: see you next month and at TPAC
16:42:48 rrsagent, draft minutes
16:42:48 I have made the request to generate http://www.w3.org/2017/09/20-webappsec-minutes.html wseltzer
16:42:53 rrsagent, make logs public
16:42:55 rrsagent, draft minutes
16:42:55 I have made the request to generate http://www.w3.org/2017/09/20-webappsec-minutes.html wseltzer
16:43:20 present+ jeffh
16:43:25 Meeting: WebAppSec
16:43:30 present- JonBarber
16:43:36 rrsagent, draft minutes
16:43:36 I have made the request to generate http://www.w3.org/2017/09/20-webappsec-minutes.html wseltzer
16:55:29 francois has joined #webappsec
20:05:57 yoav has joined #webappsec
20:30:19 Zakim has left #webappsec
23:20:10 yoav has joined #webappsec