W3C

- DRAFT -

WebAppSec Teleconference 14 Jan 2014

14 Jan 2014

Agenda

See also: IRC log

Attendees

Present
BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
Regrets
ekr
Chair
bhill2
Scribe
Neil Matatall

Contents

Zakim [IPcaller] is neilm

<freddyb> I am this "??P2", Zakim reports...and have yet to find out how this all works :)

<freddyb> Zakim: I am ??P2

<freddyb> gmaone: thanks :)

<bhill2> Scribe: Neil Matatall

<bhill2> Scribenick: neilm

<terri> can't tell if the call dropped or what.

<freddyb> it's completely quiet for me

<dveditz> yes

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html

<bhill2> today's agenda

minutes approval

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0003.html

<bhill2> http://www.w3.org/2013/12/17-webappsec-minutes.html < - real minutes link

Agenda bashing

New conference call time

<bhill2> http://doodle.com/qrrdy4qe2a5kdi3b

bhill2: not going to close voting today, perhaps 8 or 9 PST

<freddyb> I considered this a representative week, fwiw

bhill2: Monday 8:30 PST and Friday ??? likely candidates
... who is security lover? Speak up :)

<klee> 8:30 pm or am?

klee: AM PST

<klee> I'd be down with that

Open Actions

<bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner

CSP 1.1 updates

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0001.html

mkwst: 1. removed most of script interface, needs to be reworked
... suggested push out to 1.2 (policy violation event still exists)
... 2. meta element changes converting todos
... 3: Workers no longer inherit policy automatically, rather when generated from origins w/ unique urls.
... 4: new child-src directive, default context source list, used for frame/worker/popup-src directives
... and child-src inherits from default-src
... nothing governs window.open

<freddyb> in general, if you're not talking: please mute. the feedback is indeed annoying

<terri> I'm having trouble hearing much of anything because of it.

<freddyb> on a sidenote, when it comes to directives: was it discussed in this WG whether it makes sense to put html imports into script-src?

<bhill2> freddy: yes, that was the conclusion we came to

dveditz: potential issues around workers [noise]

<freddyb> bhill2: thanks. I'll read up first then

dveditz: no need for child-src && worker-src, or just have separate frame/worker-src

[noise]

???: complexity is a leading blocker for adoption

<dveditz> who is speaking? apf?

<bhill2> was that terri oda speaking?

<terri> yes, I'm the former academic on the call

<mkwst> bah. dialing back in.

bhill2: Ian's ideas around CSSOM appear to have no objections and decent support
... frame-ancestors in 1.1 (not frame-options)

github ftw

Back compat in CSP

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0002.html

bhill2: requiring eval for cssom might break things

mkwst: if we feel it's an issue, we need to base decisions on data
... adding eval to style-src

bhill2: does this impact chrome extensions and the like?

mkwst: no

Sub-Resource Integrity Strawman and Use-Cases

<bhill2> http://w3c.github.io/webappsec/specs/subresourceintegrity/

<dveditz> FIrefox OS privileged apps have a default CSP of "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"

<dveditz> but we could easily add "unsafe-eval' to the style-src if we make this change

<freddyb> certified apps (internal things like dialer, sms, ..) don't have 'unsafe-inline' for styles yet

<freddyb> privileged do

1) pros: ensure unauth'd code alerts, cons: might slow things down, might break things

terri: intro needs to be clarified to distinguish from what CSP does

2) "cdn integrity" pros: no brainer, cons:

3) "integrity for downloads" cons: result of navigation before direct download might cause issues in a new context

bhill2: is this meaningful? copy/pasting urls is a workaround as well

4) "Ensure UI elements aren't manipulated before being displayed"

interaction with about:// could be controlled

mkwst: chrome new tab page is another example

freddyb: some of these pages are privileged as well

mkwst: 1, 2, 4, 5 can probably be consolidated

<bhill2> next call will probably be Friday, Jan 31

Summary of Action Items

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014/01/14 23:06:09 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 0.99)

Found Scribe: Neil Matatall
Found ScribeNick: neilm
Default Present: BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc
Present: BHill neilm gopal +1.503.712.aaaa dveditz gmaone mkwst freddyb Wendy terri +1.415.832.aabb [Mozilla] +49.162.102.aacc
Regrets: ekr
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html
Got date from IRC log name: 14 Jan 2014
Guessing minutes URL: http://www.w3.org/2014/01/14-webappsec-minutes.html
People with action items:
[End of scribe.perl diagnostic output]