IRC log of webappsec on 2013-02-26

Timestamps are in UTC.

19:56:42 [RRSAgent]
RRSAgent has joined #webappsec
19:56:42 [RRSAgent]
logging to http://www.w3.org/2013/02/26-webappsec-irc
19:56:52 [bhill2]
rrsagent, draft minutes
19:56:52 [RRSAgent]
I have made the request to generate http://www.w3.org/2013/02/26-webappsec-minutes.html bhill2
19:57:38 [bhill2]
rrsagent, set logs public-visible
21:42:35 [jeffh]
test
21:46:21 [jimio]
jimio has joined #webappsec
21:48:10 [bhill2]
hi, jeff
21:52:04 [jeffh]
hey
21:53:54 [gmaone]
gmaone has joined #webappsec
21:56:18 [bhill]
bhill has left #webappsec
21:57:24 [Zakim]
Zakim has joined #webappsec
21:57:41 [bhill2]
zakim, this will be 92794
21:57:42 [Zakim]
ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 3 minutes
21:57:42 [Zakim]
SEC_WASWG()5:00PM has now started
21:57:49 [Zakim]
+[GVoice]
21:57:58 [Zakim]
-[GVoice]
21:57:59 [Zakim]
SEC_WASWG()5:00PM has ended
21:57:59 [Zakim]
Attendees were [GVoice]
21:58:21 [Zakim]
SEC_WASWG()5:00PM has now started
21:58:23 [bhill2]
zakim, this is 92794
21:58:23 [Zakim]
bhill2, this was already SEC_WASWG()5:00PM
21:58:24 [Zakim]
ok, bhill2; that matches SEC_WASWG()5:00PM
21:58:28 [Zakim]
+??P0
21:58:33 [Zakim]
+bhill
21:58:50 [bhill2]
Meeting: WebAppSec WG Teleconference, Tuesday, 26-Feb-2013
21:58:54 [bhill2]
Chairs: ekr, bhill2
21:58:54 [Zakim]
+ +1.866.317.aaaa
21:58:59 [gmaone]
zakim, ??p0 is gmaone
21:58:59 [Zakim]
+gmaone; got it
21:59:15 [jeffh]
zakim, aaaa is JeffH (i think)
21:59:15 [Zakim]
I don't understand 'aaaa is JeffH (i think)', jeffh
21:59:16 [bhill2]
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0066.html
21:59:20 [jeffh]
lol
21:59:34 [jeffh]
zakim, aaaa is JeffH
21:59:34 [Zakim]
+JeffH; got it
21:59:39 [jeffh]
i hope so, zakim
21:59:59 [neil]
neil has joined #webappsec
22:00:18 [Zakim]
+[GVoice]
22:00:40 [jimio]
zakim, GVoice is jimio
22:00:40 [Zakim]
+jimio; got it
22:00:58 [Zakim]
+ +1.415.426.aabb
22:01:09 [dveditz]
dveditz has joined #webappsec
22:01:20 [Zakim]
+ +1.650.678.aacc
22:01:32 [jimio]
(mostly listening in while on mute today, neil & nick from twitter here too)
22:01:34 [neil]
zakim, aabb is neil
22:01:34 [Zakim]
+neil; got it
22:01:53 [Zakim]
+ +1.650.488.aadd
22:02:02 [mkwst_]
zakim, aadd is mkwst
22:02:02 [Zakim]
+mkwst; got it
22:02:09 [bhill2]
zakim, who is here?
22:02:09 [Zakim]
On the phone I see gmaone, bhill, JeffH, jimio, neil, +1.650.678.aacc, mkwst
22:02:12 [Zakim]
On IRC I see dveditz, neil, Zakim, gmaone, jimio, RRSAgent, bhill2, jeffh, timeless, mkwst_, wseltzer, erlend, trackbot
22:02:12 [Zakim]
+[IPcaller]
22:02:24 [Zakim]
+[Mozilla]
22:02:28 [dveditz]
Zakim, IPCaller is dveditz
22:02:28 [Zakim]
+dveditz; got it
22:02:40 [ekr]
ekr has joined #webappsec
22:02:44 [ekr]
zakim, who is herE?
22:02:44 [Zakim]
On the phone I see gmaone, bhill, JeffH, jimio, neil, +1.650.678.aacc, mkwst, dveditz, [Mozilla]
22:02:47 [Zakim]
On IRC I see ekr, dveditz, neil, Zakim, gmaone, jimio, RRSAgent, bhill2, jeffh, timeless, mkwst_, wseltzer, erlend, trackbot
22:02:51 [ekr]
zakim, aacc is ekr
22:02:51 [Zakim]
+ekr; got it
22:03:08 [tanvi]
tanvi has joined #webappsec
22:03:12 [tanvi]
Zakim, who is here?
22:03:13 [Zakim]
On the phone I see gmaone, bhill, JeffH, jimio, neil, ekr, mkwst, dveditz, [Mozilla]
22:03:14 [imelven2]
imelven2 has joined #webappsec
22:03:15 [Zakim]
On IRC I see tanvi, ekr, dveditz, neil, Zakim, gmaone, jimio, RRSAgent, bhill2, jeffh, timeless, mkwst_, wseltzer, erlend, trackbot
22:03:27 [tanvi]
Zakim, tanvi is tanvi_and_imelven
22:03:27 [Zakim]
sorry, tanvi, I do not recognize a party named 'tanvi'
22:03:48 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0066.html
22:04:21 [Zakim]
+[Microsoft]
22:04:25 [bhill2]
scribe: Jeff Hodges
22:04:27 [jimio]
sorry, I'm on mute
22:04:29 [bhill2]
scribenick: jeffh
22:04:32 [jimio]
need to leave early (this is jim)
22:04:37 [jeffh]
alrightie
22:04:57 [jeffh]
joining us: Dave Ross, Microsoft
22:06:12 [bhill2]
http://www.surveymonkey.com/s/NXSTXNN
22:06:48 [jeffh]
Brad solicits input on how WG is working, via the survey at the above link
22:07:16 [jeffh]
webappsec concall in 2 weeks conflicts with ietf HTTP auth WG session at IETF-86 Orlando
22:07:32 [jeffh]
hence cancelling webappsec meeting in 2 weeks
22:07:54 [jeffh]
Charter update is underway
22:08:06 [jeffh]
hopefully done before F2F in April
22:08:15 [bhill2]
https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:08:18 [jeffh]
now look at open actions in tracker
22:09:16 [jeffh]
ABarth not present
22:09:21 [jeffh]
next victim: Brad
22:09:52 [Zakim]
+ +1.415.596.aaee
22:09:54 [jeffh]
will attempt to chip away at his open action items
22:10:36 [Zakim]
+ +1.650.648.aaff
22:10:38 [jeffh]
Dan Veditz: have sent msg on #82
22:10:52 [jeffh]
s/#82/#92/
22:10:58 [jeffh]
issue #32
22:11:04 [jeffh]
they can be closed
22:11:10 [abarth]
abarth has joined #webappsec
22:11:16 [jeffh]
#97 and #109 still in todo queue
22:11:29 [bhill2]
https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:11:37 [jeffh]
abarth has arrived
22:12:02 [n_]
n_ has joined #webappsec
22:12:13 [puhley]
puhley has joined #webappsec
22:12:43 [jeffh]
MWest next: #94 believes is done; #102 working on it, lang wrt events, still looking for an example(s) -- events being specified in some 2ndary spec -- tug his sleeve if anyone has any ideas
22:13:01 [jeffh]
bhill: ui safety spec may have an example
22:13:12 [jeffh]
mwest: attrs are easy, but there's other issues
22:13:58 [jeffh]
mwest: #106, has text coming soon; #116 open; #117 ?; #119 done?
22:14:24 [jeffh]
above is correct?
22:14:28 [mkwst_]
yup
22:14:30 [jeffh]
thx
22:14:40 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0052.html
22:14:52 [bhill2]
Topic: Script-Hash Proposal
22:15:17 [jeffh]
"Proposal for script-hash directive in CSP 1.1"
22:15:38 [jeffh]
Nicholas Green
22:15:50 [jeffh]
n_ ?
22:16:17 [dveditz]
question: is script-hash a replacement for script-nonce, or a separate concept/directive?
22:16:47 [jeffh]
abarth: is there particular reason chose utf-8
22:16:48 [jeffh]
?
22:17:03 [jeffh]
what about ?
22:17:25 [jeffh]
nick: got input on that, devs said don't do it, they prefer utf-8
22:17:34 [jeffh]
abarth: what is the alt you mentioned?
22:17:46 [dveditz]
UCS-2
22:17:49 [jeffh]
thx
22:19:09 [jeffh]
bhill: there's an issue in that utf-8 apparently isn't all that friendly for some existing content out there in asian encodings
22:19:29 [jeffh]
bhill: this is for inline script
22:19:48 [jeffh]
dveditz: inline script will be in encoding the doc is in
22:20:07 [jeffh]
bhill: but doc can change encoding mid-stream -- worry about bugs and perf overhead
22:20:40 [jeffh]
bhill: so, if you want ur content to be stable enough to be hashed for sec purposes, need to declare doc encoding at top of doc
22:20:52 [jeffh]
ekr: what about hash alg?
22:21:20 [jeffh]
ekr: <can't parse>
22:21:46 [jeffh]
ekr: collisions seem like an irrelevant (?) threat model here
22:22:03 [jeffh]
ekr: prob with sha-1 is it isn't as strong as other choices
22:22:37 [jeffh]
ekr: sha-256 (sha-180?) is stronger than sha-1
22:23:17 [jeffh]
bhill: we should ref the algs in xml-sec or web-crypto, and we don't have to define 'em -- we just do parsing and such
22:23:44 [jeffh]
ekr: am fine with that, but there's still the question wrt agility -- can u use two different(?) ones concurrently?
22:23:56 [ekr]
what I was suggesting here is that you should be able to have two hash algorithms at once. that allows transitions.
22:24:33 [jeffh]
bhill: we should require alg agility, allow same content to be specified with mult hashes, but which hashes we support should be defined by ref to another spec most likely web-crypto
22:25:47 [jeffh]
bhill: is suggesting that can attach mult hashes via diff algs to one content doc, and so if UA understands at least one of them, can verify it
22:26:09 [jeffh]
dveditz: what is UA behavior if encounters a hash it doesn't understand?
22:26:35 [jeffh]
nick: hunch is script-hash would take precedence over unsafe-inline
22:27:03 [jeffh]
nick: would have bkwards compat this way
22:27:12 [jeffh]
bhill: need text for that
22:28:28 [jeffh]
mwest: does each script loaded on page need to match all csp directives that might possibly apply
22:29:12 [jeffh]
tanvi: instead of having unsafe-inline, can have nonce-inline/hash-inline, and so server side could have some way to figure out UA capabilities and adapt what it sends
22:30:26 [jeffh]
nick/tanvi: the goal is to get the best protection on new browsers and least likelihood of breaking old browsers; so if have unsafe-inline, ignore it if there's script-hash present
22:31:19 [jeffh]
mwest: if both script-hash and script-src are present they have to match?
22:32:00 [jeffh]
nick: might make more sense to say if script-hash is present, ignore unsafe-inline (?)
22:32:20 [jeffh]
abarth: there's a lot of overlap in use case in script-nonce and script-hash -- should we do one or not other?
22:33:29 [jeffh]
tanvi: was thinking about a case where might want both of them. if page had inline script, may want script-hash, and if you're also sucking script over the net, use script-nonce for that; but most ads now are in iframes and so aren't using script@src, so maybe not a big deal
22:33:46 [jeffh]
ekr: script-mac ? like using a fixed key ?
22:33:54 [ekr]
jeffh: yeah.
22:34:00 [ekr]
So script-mac with a fixed-key is script-hash
22:34:08 [ekr]
script-mac with a null algorithm is script-nonce
22:34:11 [jeffh]
nick: CDNs are a use case --
22:34:28 [jeffh]
dveditz: you're trying to protect against 3d party changes?
22:34:38 [jeffh]
nick: no, just want to restrict inline script and style
22:35:16 [jeffh]
nick: we serve some of our static assets off of cdn, and don't want to re-calc nonce for each request
22:35:55 [jeffh]
nick: when told mobile team they need to make their script loaded not inline, they said no cuz of roundtrip
22:36:13 [jeffh]
mwest: page and static assets via cdn?
22:36:17 [jeffh]
nick: often both
22:36:33 [dveditz]
I don’t see the gain of a hash for inline script
22:37:04 [dveditz]
(over script-nonce)
22:37:13 [jeffh]
mwest: like idea of combining these some way, might be a way to combine them; bundle this up in some way with script-src ?
22:37:29 [ekr]
I had assumed that script-hash was mostly for external scripts
22:37:43 [dveditz]
I see the use of hashing for content integrity of 3rd party resources, but that seems it could be an “HTML” feature rather than a CSP feature
22:37:50 [jeffh]
abarth: use case of main page mostly on cdn is interesting, will think about
22:37:58 [ekr]
Note that for third-party resources, collisions are a clear problem
22:38:31 [dveditz]
how so?
22:39:06 [dveditz]
you mean a 3rd party will swap content with malicious stuff with the same hash?
22:39:11 [ekr]
dveditz: yes
22:39:41 [jeffh]
bhill: another item is perhaps using the url-safe base64 encoding
22:40:17 [jeffh]
abarth: another issue: if u apply the hash to external resources, u can use this to do "identity queries" on resources you otherwise aren't allowed to read
22:41:12 [jeffh]
bhill: let's note this down as an issue
22:41:45 [ekr]
issue: same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it
22:41:45 [trackbot]
Created ISSUE-44 - Same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it; please complete additional details at <http://www.w3.org/2011/webappsec/track/issues/44/edit>.
22:41:47 [jeffh]
?: perhaps requiring CORS will mitigate this
22:42:11 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0065.html
22:42:16 [jeffh]
bhill: Dave Ross comments on UI Security draft
22:42:25 [bhill2]
Topic: David Ross comments on UI Security draft, re: X-Frame-Options
22:44:06 [jeffh]
DaveR: first was wrt framebusting JS -- issue there is ....
22:44:21 [Zakim]
+ +1.781.369.aagg
22:44:27 [jeffh]
bhill: if you have FB code, and then stuff it in a URL the xss filters will clobber FB stuff for u
22:44:58 [jeffh]
bhill: some of the interesting issues is whether we consider x-frame-options to be obsoleted by ui safety spec;
22:45:27 [jeffh]
bhill: had been assuming one might deploy both for a while, then deprecate x-frame-options;
22:45:50 [jeffh]
daver: if x-frame-options is there and ui-safety isn't, then use the former;
22:46:14 [gopal]
gopal has joined #webappsec
22:46:15 [bhill2]
action bhill2 to remove obsolete language for XFO in UI Security draft
22:46:15 [trackbot]
Created ACTION-122 - Remove obsolete language for XFO in UI Security draft [on Brad Hill - due 2013-03-05].
22:46:24 [jeffh]
daver: don't think it makes sense for the doc at this time to explicitly obsolete x-frame-options; maybe in 10 yrs
22:46:58 [jeffh]
daver: doc sez "if u understand safety, you can ignore x-frame-options", but it is sorta contradicted later on in the spec
22:47:22 [jeffh]
bhill: that item is specifically for "accessibility" considerations
22:48:08 [jeffh]
bhill: that latter stmt specifically gives the accessibility tool author room to work
22:48:32 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0062.html
22:48:45 [jeffh]
daver: ok, don't have suggestion for alt text on that, so thinks its probably fine
22:48:56 [jeffh]
bhill: there's the allow-from stuff
22:49:46 [jeffh]
daver: now by using csp we can take advantage of csp infrastruc; still a tad worried about sites emitting huge bloated headers
22:50:12 [jeffh]
tanvi: mozilla was thinking the policy-uri directive is one way to address that
22:50:33 [jeffh]
bhill: still an open issue whether we want to include that policy-uri in the draft
22:50:43 [jeffh]
bhill: this may be use case for that
22:51:18 [jeffh]
daver: still a little worried that since you /can/ just cut & paste a ton of origins into that header that that's what we'll get.....
22:51:47 [jeffh]
bhill: any limits to # of tokens you'll parse in allowed-srcs ?
22:51:51 [jeffh]
?: not in FF
22:51:58 [tanvi]
?=imelven
22:52:03 [jeffh]
thx
22:52:16 [jeffh]
nominal ans: all of virt memory
22:52:32 [tanvi]
there is a max header size, not sure what that is
22:52:38 [jeffh]
yeah
22:52:42 [tanvi]
but if we use policy-uri that is not an issue
22:53:14 [jeffh]
bhill: will get edits into spec
22:53:40 [Zakim]
-neil
22:53:41 [Zakim]
-gmaone
22:53:41 [Zakim]
-[Mozilla]
22:53:42 [Zakim]
-[Microsoft]
22:53:42 [Zakim]
-ekr
22:53:44 [Zakim]
- +1.650.648.aaff
22:53:44 [Zakim]
- +1.781.369.aagg
22:53:45 [Zakim]
- +1.415.596.aaee
22:53:46 [jeffh]
bhill: meeting adjourned -- please take survey !!
22:53:47 [bhill2]
thanks for scribing, Jeff!
22:53:47 [Zakim]
-mkwst
22:53:49 [tanvi]
tanvi has left #webappsec
22:53:51 [jeffh]
welcome :)
22:53:53 [Zakim]
-dveditz
22:53:57 [bhill2]
rrsagent, make minutes
22:53:57 [RRSAgent]
I have made the request to generate http://www.w3.org/2013/02/26-webappsec-minutes.html bhill2
22:54:01 [bhill2]
rrsagent, set logs public visible
22:54:07 [bhill2]
zakim, list attendees
22:54:07 [Zakim]
As of this point the attendees have been bhill, +1.866.317.aaaa, gmaone, JeffH, jimio, +1.415.426.aabb, +1.650.678.aacc, neil, +1.650.488.aadd, mkwst, [Mozilla], dveditz, ekr,
22:54:10 [Zakim]
... [Microsoft], +1.415.596.aaee, +1.650.648.aaff, +1.781.369.aagg
22:54:12 [Zakim]
-JeffH
22:54:16 [bhill2]
rrsagent, make minutes
22:54:16 [RRSAgent]
I have made the request to generate http://www.w3.org/2013/02/26-webappsec-minutes.html bhill2
22:54:33 [bhill2]
rrsagent, set logs public visible
22:54:35 [bhill2]
bhill2 has left #webappsec
22:54:41 [Zakim]
-bhill
23:00:54 [neil_]
neil_ has joined #webappsec
23:05:01 [Zakim]
disconnecting the lone participant, jimio, in SEC_WASWG()5:00PM
23:05:02 [Zakim]
SEC_WASWG()5:00PM has ended
23:05:02 [Zakim]
Attendees were bhill, +1.866.317.aaaa, gmaone, JeffH, jimio, +1.415.426.aabb, +1.650.678.aacc, neil, +1.650.488.aadd, mkwst, [Mozilla], dveditz, ekr, [Microsoft], +1.415.596.aaee,
23:05:02 [Zakim]
... +1.650.648.aaff, +1.781.369.aagg
23:25:27 [abarth]
abarth has joined #webappsec