WebAppSec TPAC Day 2 Recap

WebAppSec WG members, the IRC logs of today's session at TPAC are available at:


Highlights of today's discussion included:

* The decision whether to include the sandbox directive from CSP 1.0 was re-opened by Jacob Rossi of Microsoft based on the existing implementation in the IE 10 developer preview. Adam Barth will write draft specification language to determine if consensus on the definition of the feature can be reached in a short time. Brandon Sterne will explore if Firefox can implement this directive on the established 1.0 timeline.

* Discussion began on the requirements and shape of the deliverables for the chartered work on secure cross-domain framing.

* The group plans to definitely produce a deliverable targeted at preventing "classic clickjacking" attack cases. Preventing in every case the most broadly defined problems of user confusion and disintermediation is difficult or impossible, but it is worth trying to disrupt attacks against the most mainstream scenarios.

* David Lin-Shung Huang volunteered to produce a draft document with a problem statement, common use cases to protect, attacks to avoid, and requirements that might be derived from such, that the WG can use to begin round-trip refinement with proposed solutions.

* The WG is soliciting straw-man proposals for solutions.

* The WG also agreed to explore the need for permissioned cross-origin interaction/communication with isolated origins created with sandbox or similar directives. Brad Hill agreed to work on a draft problem statement and use cases, to determine what may be needed in this space.

Members of the WG mailing list should have seen a number of ISSUES from the tracker, and a number more ACTIONS were created. View the tracker at:

Eric Rescorla will shortly be mailing out a poll for WG members to vote on the best time of day for our bi-weekly calls. Please only vote if you plan to regularly join the call. We will target the week of November 14 for the first WG call.

Thank you,
Brad Hill

Received on Wednesday, 2 November 2011 00:01:30 UTC