19:56:42 RRSAgent has joined #webappsec
19:56:42 logging to http://www.w3.org/2013/02/26-webappsec-irc
19:56:52 rrsagent, draft minutes
19:56:52 I have made the request to generate http://www.w3.org/2013/02/26-webappsec-minutes.html bhill2
19:57:38 rrsagent, set logs public-visible
21:42:35 test
21:46:21 jimio has joined #webappsec
21:48:10 hi, jeff
21:52:04 hey
21:53:54 gmaone has joined #webappsec
21:56:18 bhill has left #webappsec
21:57:24 Zakim has joined #webappsec
21:57:41 zakim, this will be 92794
21:57:42 ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 3 minutes
21:57:42 SEC_WASWG()5:00PM has now started
21:57:49 +[GVoice]
21:57:58 -[GVoice]
21:57:59 SEC_WASWG()5:00PM has ended
21:57:59 Attendees were [GVoice]
21:58:21 SEC_WASWG()5:00PM has now started
21:58:23 zakim, this is 92794
21:58:23 bhill2, this was already SEC_WASWG()5:00PM
21:58:24 ok, bhill2; that matches SEC_WASWG()5:00PM
21:58:28 +??P0
21:58:33 +bhill
21:58:50 Meeting: WebAppSec WG Teleconference, Tuesday, 26-Feb-2013
21:58:54 Chairs: ekr, bhill2
21:58:54 + +1.866.317.aaaa
21:58:59 zakim, ??p0 is gmaone
21:58:59 +gmaone; got it
21:59:15 zakim, aaaa is JeffH (i think)
21:59:15 I don't understand 'aaaa is JeffH (i think)', jeffh
21:59:16 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0066.html
21:59:20 lol
21:59:34 zakim, aaaa is JeffH
21:59:34 +JeffH; got it
21:59:39 i hope so, zakim
21:59:59 neil has joined #webappsec
22:00:18 +[GVoice]
22:00:40 zakim, GVoice is jimio
22:00:40 +jimio; got it
22:00:58 + +1.415.426.aabb
22:01:09 dveditz has joined #webappsec
22:01:20 + +1.650.678.aacc
22:01:32 (mostly listening in while on mute today, neil & nick from twitter here too)
22:01:34 zakim, aabb is neil
22:01:34 +neil; got it
22:01:53 + +1.650.488.aadd
22:02:02 zakim, aadd is mkwst
22:02:02 +mkwst; got it
22:02:09 zakim, who is here?
22:02:09 On the phone I see gmaone, bhill, JeffH, jimio, neil, +1.650.678.aacc, mkwst
22:02:12 On IRC I see dveditz, neil, Zakim, gmaone, jimio, RRSAgent, bhill2, jeffh, timeless, mkwst_, wseltzer, erlend, trackbot
22:02:12 +[IPcaller]
22:02:24 +[Mozilla]
22:02:28 Zakim, IPCaller is dveditz
22:02:28 +dveditz; got it
22:02:40 ekr has joined #webappsec
22:02:44 zakim, who is herE?
22:02:44 On the phone I see gmaone, bhill, JeffH, jimio, neil, +1.650.678.aacc, mkwst, dveditz, [Mozilla]
22:02:47 On IRC I see ekr, dveditz, neil, Zakim, gmaone, jimio, RRSAgent, bhill2, jeffh, timeless, mkwst_, wseltzer, erlend, trackbot
22:02:51 zakim, aacc is ekr
22:02:51 +ekr; got it
22:03:08 tanvi has joined #webappsec
22:03:12 Zakim, who is here?
22:03:13 On the phone I see gmaone, bhill, JeffH, jimio, neil, ekr, mkwst, dveditz, [Mozilla]
22:03:14 imelven2 has joined #webappsec
22:03:15 On IRC I see tanvi, ekr, dveditz, neil, Zakim, gmaone, jimio, RRSAgent, bhill2, jeffh, timeless, mkwst_, wseltzer, erlend, trackbot
22:03:27 Zakim, tanvi is tanvi_and_imelven
22:03:27 sorry, tanvi, I do not recognize a party named 'tanvi'
22:03:48 http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0066.html
22:04:21 +[Microsoft]
22:04:25 scribe: Jeff Hodges
22:04:27 sorry, I'm on mute
22:04:29 scribenick: jeffh
22:04:32 need to leave early (this is jim)
22:04:37 alrightie
22:04:57 joining us: Dave Ross, Microsoft
22:06:12 http://www.surveymonkey.com/s/NXSTXNN
22:06:48 Brad solicits input on how WG is working, via the survey at the above link
22:07:16 webappsec concall in 2 weeks conflicts with ietf HTTP auth WG session at IETF-86 Orlando
22:07:32 hence cancelling webappsec meeting in 2 weeks
22:07:54 Charter update is underway
22:08:06 hopefully done before F2F in April
22:08:15 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:08:18 now look at open actions in tracker
22:09:16 ABarth not present
22:09:21 next victim: Brad
22:09:52 + +1.415.596.aaee
22:09:54 will attempt to chip away at his open action items
22:10:36 + +1.650.648.aaff
22:10:38 Dan Veditz: have sent msg on #82
22:10:52 s/#82/#92/
22:10:58 issue #32
22:11:04 they can be closed
22:11:10 abarth has joined #webappsec
22:11:16 #97 and #109 still in todo queue
22:11:29 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:11:37 abarth has arrived
22:12:02 n_ has joined #webappsec
22:12:13 puhley has joined #webappsec
22:12:43 MWest next: #94 believes is done; #102 working on it, lang wrt events, still looking for an example(s) -- events being specified in some 2ndary spec -- tug his sleeve if anyone has any ideas
22:13:01 bhill: ui safety spec may have an example
22:13:12 mwest: attrs are easy, but there's other issues
22:13:58 mwest: #106, has text coming soon; #116 open; #117 ?; #119 done?
22:14:24 above is correct?
22:14:28 yup
22:14:30 thx
22:14:40 http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0052.html
22:14:52 Topic: Script-Hash Proposal
22:15:17 "Proposal for script-hash directive in CSP 1.1"
22:15:38 Nicholas Green
22:15:50 n_ ?
22:16:17 question: is script-hash a replacement for script-nonce, or a separate concept/directive?
22:16:47 abarth: is there particular reason chose utf-8
22:16:48 ?
22:17:03 what about ?
22:17:25 nick: got input on that, devs said don't do it, they prefer utf-8
22:17:34 abarth: what is the alt you mentioned?
22:17:46 UCS-2
22:17:49 thx
22:19:09 bhill: there's an issue in that utf-8 apparently isn't all that friendly for some existing content out there in asian encodings
22:19:29 bhill: this is for inline script
22:19:48 dveditz: inline script will be in encoding the doc is in
22:20:07 bhill: but doc can change encoding mid-stream -- worry about bugs and perf overhead
22:20:40 bhill: so, if you want ur content to be stable enough to be hashed for sec purposes, need to declare doc encoding at top of doc
22:20:52 ekr: what about hash alg?
22:21:20 ekr:
22:21:46 ekr: collisions seem like an irrelevant (?) threat model here
22:22:03 ekr: prob with sha-1 is it isn't as strong as other choices
22:22:37 ekr: sha-256 (sha-180?) is stronger than sha-1
22:23:17 bhill: we should ref the algs in xml-sec or web-crypto, and we don't have to define 'em -- we just do parsing and such
22:23:44 ekr: am fine with that, but there's still the question wrt agility -- can u use two different(?) ones concurrently?
22:23:56 what I was suggesting here is that you should be able to have two hash algorithms at once. that allows transitions.
22:24:33 bhill: we should require alg agility, allow same content to be specified with mult hashes, but which hashes we support should be defined by ref to another spec most likely web-crypto
22:25:47 bhill: is suggesting that can attach mult hashes via diff algs to one content doc, and so if UA understands at least one of them, can verify it
22:26:09 dveditz: what is UA behavior if encounters a hash it doesn't understand?
22:26:35 nick: hunch is script-hash would take precedence over unsafe-inline
22:27:03 nick: would have bkwards compat this way
22:27:12 bhill: need text for that
22:28:28 mwest: does each script loaded on page need to match all csp directives that might possibly apply
22:29:12 tanvi: instead of having unsafe-inline, can have nonce-inline/hash-inline, and so server side could have some way to figure out UA capabilities and adapt what it sends
22:30:26 nick/tanvi: the goal is to get the best protection on new browsers and least likelihood of breaking old browsers; so if have unsafe-inline, ignore it if there's script-hash present
22:31:19 mwest: if both script-hash and script-src are present they have to match?
22:32:00 nick: might make more sense to say if script-hash is present, ignore unsafe-inline (?)
22:32:20 abarth: there's a lot of overlap in use case in script-nonce and script-hash -- should we do one or not other?
22:33:29 tanvi: was thinking about a case where might want both of them. if page had inline script, may want script-hash, and if you're also sucking script over the net, use script-nonce for that; but most ads now are in iframes and so aren't using script@src, so maybe not a big deal
22:33:46 ekr: script-mac ? like using a fixed key ?
22:33:54 jeffh: yeah.
22:34:00 So script-mac with a fixed-key is script-hash
22:34:08 script-mac with a null algorithm is script-nonce
22:34:11 nick: CDNs are a use case --
22:34:28 dveditz: you're trying to protect against 3rd party changes?
22:34:38 nick: no, just want to restrict inline script and style
22:35:16 nick: we serve some of our static assets off of cdn, and don't want to re-calc nonce for each request
22:35:55 nick: when told mobile team they need to make their script loaded not inline, they said no cuz of roundtrip
22:36:13 mwest: page and static assets via cdn?
22:36:17 nick: often both
22:36:33 I don't see the gain of a hash for inline script
22:37:04 (over script-nonce)
22:37:13 mwest: like idea of combining these some way, might be a way to combine them; bundle this up in some way with script-src ?
22:37:29 I had assumed that script-hash was mostly for external scripts
22:37:43 I see the use of hashing for content integrity of 3rd party resources, but that seems it could be an "HTML" feature rather than a CSP feature
22:37:50 abarth: use case of main page mostly on cdn is interesting, will think about
22:37:58 Note that for third-party resources, collisions are a clear problem
22:38:31 how so?
22:39:06 you mean a 3rd party will swap content with malicious stuff with the same hash?
22:39:11 dveditz: yes
22:39:41 bhill: another item is perhaps using the url-safe base64 encoding
22:40:17 abarth: another issue: if u apply the hash to external resources, u can use this to do "identity queries" on resources you otherwise aren't allowed to read
22:41:12 bhill: let's note this down as an issue
22:41:45 issue: same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it
22:41:45 Created ISSUE-44 - Same-origin policy identity query via script-hash. issue is you do a third party inline script with a known script-hash. if it succeeds, you know that the target was as expected, even though you can't read it; please complete additional details at .
22:41:47 ?: perhaps requiring CORS will mitigate this
22:42:11 http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0065.html
22:42:16 bhill: Dave Ross comments on UI Security draft
22:42:25 Topic: David Ross comments on UI Security draft, re: X-Frame-Options
22:44:06 DaveR: first was wrt framebusting JS -- issue there is ....
22:44:21 + +1.781.369.aagg
22:44:27 bhill: if you have FB code, and then stuff it in a URL the xss filters will clobber FB stuff for u
22:44:58 bhill: some of the interesting issues is whether we consider x-frame-options to be obsoleted by ui safety spec;
22:45:27 bhill: had been assuming one might deploy both for a while, then deprecate x-frame-options;
22:45:50 daver: if x-frame-options is there and ui-safety isn't, then use the former;
22:46:14 gopal has joined #webappsec
22:46:15 action bhill2 to remove obsolete language for XFO in UI Security draft
22:46:15 Created ACTION-122 - Remove obsolete language for XFO in UI Security draft [on Brad Hill - due 2013-03-05].
22:46:24 daver: don't think it makes sense for the doc at this time to explicitly obsolete x-frame-options; maybe in 10 yrs
22:46:58 daver: doc sez "if u understand safety, you can ignore x-frame-options", but it is sorta contradicted later on in the spec
22:47:22 bhill: that item is specifically for "accessibility" considerations
22:48:08 bhill: that latter stmt specifically gives the accessibility tool author room to work
22:48:32 http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0062.html
22:48:45 daver: ok, don't have suggestion for alt text on that, so thinks it's probably fine
22:48:56 bhill: there's the allow-from stuff
22:49:46 daver: now by using csp we can take advantage of csp infrastruc; still a tad worried about sites emitting huge bloated headers
22:50:12 tanvi: mozilla was thinking the policy-uri directive is one way to address that
22:50:33 bhill: still an open issue whether we want to include that policy-uri in the draft
22:50:43 bhill: this may be use case for that
22:51:18 daver: still a little worried that since you /can/ just cut & paste a ton of origins into that header that that's what we'll get.....
22:51:47 bhill: any limits to # of tokens you'll parse in allowed-srcs ?
22:51:51 ?: not in FF
22:51:58 ?=imelven
22:52:03 thx
22:52:16 nominal ans: all of virt memory
22:52:32 there is a max header size, not sure what that is
22:52:38 yeah
22:52:42 but if we use policy-uri that is not an issue
22:53:14 bhill: will get edits into spec
22:53:40 -neil
22:53:41 -gmaone
22:53:41 -[Mozilla]
22:53:42 -[Microsoft]
22:53:42 -ekr
22:53:44 - +1.650.648.aaff
22:53:44 - +1.781.369.aagg
22:53:45 - +1.415.596.aaee
22:53:46 bhill: meeting adjourned -- please take survey !!
22:53:47 thanks for scribing, Jeff!
22:53:47 -mkwst
22:53:49 tanvi has left #webappsec
22:53:51 welcome :)
22:53:53 -dveditz
22:53:57 rrsagent, make minutes
22:53:57 I have made the request to generate http://www.w3.org/2013/02/26-webappsec-minutes.html bhill2
22:54:01 rrsagent, set logs public visible
22:54:07 zakim, list attendees
22:54:07 As of this point the attendees have been bhill, +1.866.317.aaaa, gmaone, JeffH, jimio, +1.415.426.aabb, +1.650.678.aacc, neil, +1.650.488.aadd, mkwst, [Mozilla], dveditz, ekr,
22:54:10 ... [Microsoft], +1.415.596.aaee, +1.650.648.aaff, +1.781.369.aagg
22:54:12 -JeffH
22:54:16 rrsagent, make minutes
22:54:16 I have made the request to generate http://www.w3.org/2013/02/26-webappsec-minutes.html bhill2
22:54:33 rrsagent, set logs public visible
22:54:35 bhill2 has left #webappsec
22:54:41 -bhill
23:00:54 neil_ has joined #webappsec
23:05:01 disconnecting the lone participant, jimio, in SEC_WASWG()5:00PM
23:05:02 SEC_WASWG()5:00PM has ended
23:05:02 Attendees were bhill, +1.866.317.aaaa, gmaone, JeffH, jimio, +1.415.426.aabb, +1.650.678.aacc, neil, +1.650.488.aadd, mkwst, [Mozilla], dveditz, ekr, [Microsoft], +1.415.596.aaee,
23:05:02 ... +1.650.648.aaff, +1.781.369.aagg
23:25:27 abarth has joined #webappsec