W3C

- DRAFT -

WebAppSec

20 Sep 2017

See also: IRC log

Attendees

Present
ArturJanc, dveditz, jeffh, mkwst, weiler, wseltzer
Regrets
Chair
dveditz
Scribe
wseltzer

Agenda Bashing

<dveditz> https://www.w3.org/2017/08/16-webappsec-minutes.html

dveditz: minutes approved
... TPAC is coming; register before Oct. 7 for early-bird rates

ArturJanc: I will most likely be there

mkwst: I'll be there too

dveditz: Mozilla will send me, Tanvi, and Christoph

https://www.w3.org/2002/09/wbs/101147/cors-obs-2017-09/results

wseltzer: Currently AC review of Obsoleting Fetch

dveditz: there was also a request on the chairs' list to publish a snapshot of Fetch
... my sense is that this group would support doing that

mkwst: I'm surprised; let's find a venue in which to discuss response

dveditz: even a supporter prefers the term "Superseded"

wseltzer: I'll ping some AC reps too

dveditz: and I'll encourage Mozilla
... what specs should we push at TPAC?

mkwst: Mixed Content and Upgrade Insecure Requests
... we have test suites
... and a couple of others
... Some specs with lesser implementation status
... Credential Management, webauthn dependence
... Clear Site Data is shipping in Chrome
... Embedded Enforcement too
... so we could move those toward CR
... For me, the elephant is CSP3
... plodding along; a colleague will be giving more attention to it
... probably not ready for CR by TPAC, but we should be thinking about it
... Some new things, including some from Artur, that I hope we can discuss F2F

ArturJanc: A couple things
... Origin Policy and Isolation proposal Tanvi and Emily have been talking about
... also Suborigins and Origin Attributes

dveditz: Some of those things are in WICG.

mkwst: I think WebAppSec has the right group of people, it's a reasonable target destination for many of these specs when they're ready
... I'd like them to be on WebAppSec's radar

dveditz: want to work nicely with WICG

mkwst: I don't think they'll mind if we talk about their work
... for the things I'm working on, I'd love to talk about them here

wseltzer: I believe these are in the general scope of the WebAppSec charter;
... doesn't hurt to communicate with WICG

dveditz: anything else on TPAC?
... First day (Monday) will focus on specs that are nearly done, moving those forward
... and second day, continue that if necessary, then move on to potential new work, WICG

Secure Contexts

dveditz: one thing challenging Moz
... if opener is insecure page, then it's not secure context
... that doesn't appear to be the way Chrome works,
... and it's not what we'd want

mkwst: sounds like a bug; I messed up the implementation
... unfortunate, because some people have started to rely on it
... especially around notifications
... folks have been popping up push notifications from insecure page
... that's unfriendly

dveditz: it's asymmetric

mkwst: suggestion of rolling back this requirement would make developers happy

dveditz: maybe instead there's a way to break the opener relationship

mkwst: service workers @@
... Please file a bug
... and we can discuss there

dveditz: If Boris hasn't already filed an issue, I'll check and file one
... AOB?

ArturJanc: A possible topic
... features that possibly subvert CSP
... Safe Types proposal
... can we discuss interactions between browsers and JS frameworks and what they're providing to developers

scribe: Is there interest?

<mkwst> Trusted Types: https://github.com/mikewest/trusted-types

mkwst: research on gadgets is intriguing
... Trusted Types might eventually lead to better patterns
... so it would be useful to talk about those things

dveditz: Artur, what name should we give that topic?

ArturJanc: Script Gadgets will be understandable to security folks

dveditz: risks raised by script gadgets?

ArturJanc: sounds good

mkwst: Let's also reach out again to Apple
... they had raised a few topics a few months ago
... something like single-origin app, and domain binding
... If they were interested in presenting in more detail, would be good

[no one from Apple on the call today]

dveditz: some fits with Origin Attributes discussion

mkwst: there's currently a call for adoption in DNSOP WG at IETF
... re let Localhost be bound to loopback addresses only
... relevant to secure contexts
... namely, question whether localhost can be secure context
... please think about whether you support, and say so on-list

<mkwst> https://www.ietf.org/mail-archive/web/dnsop/current/msg20963.html

mkwst: call closes today, so add if you support

jeffh: you support it?

<mkwst> https://datatracker.ietf.org/doc/draft-west-let-localhost-be-localhost/

mkwst: I wrote it, so yes

dveditz: I personally support it
... not sure of the concerns of our networking folks

mkwst: would be good to hear more

dveditz: see you next month and at TPAC

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/09/20 16:43:41 $