Re: Summary of recent conversations for WebAppSec

On Wed, Feb 15, 2017 at 5:38 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Here are a few highlights of recent WebAppSec activity you may have missed:
>

Thanks for pulling this list together, Dan!

> Referrer Policy transitioned to CR on January 26; call for exclusions ends
> March 27.
>

Yay, y'all!


> We received charter feedback that our milestones looked unrealistic, and
> resistance to adding Isolated Origins until we reduce the number of current
> specs we're juggling.
>

Isolated Origins should indeed be considered an incubation thing. I
mentioned it in the context of the charter feedback mostly to ensure that
we agreed that the scope in the document would allow us to pull it in
(though I didn't make that at all clear...).


> New Referrer-Policy issue #94 requests an 'origin-when-downgrade' option.
>

Jochen, Emily? How many words can we stick next to other words before
Brian's more granular v2 starts looking appealing? :)

IMO, sure, why not, but it shouldn't block ->PR->REC at this point.

> Credential Management issue #58 references a hidden Chrome bug about XSS
> attacks on passwords and suggests adding a non-normative section containing
> "additional security measures to be used in combination with CM API to
> provide the best protection against XSS attacks on passwords." No proposed
> text, presumably waiting until the Chrome bug is unhidden?
>

If you've read section 3 of
http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf, you know all the
interesting bits of that Chrome bug. The "additional measures" boil down to
"Don't have XSS. Also use CSP. But really, try hard not to have XSS." :)


> Credential Management issue 56 wants to add a way to delete credentials
> when a login attempt fails so a site doesn't keep annoying the user with
> automatic but failed login attempts.
>

In general, we've started working on the spec again to clean it up for CR
based on our implementation experience. Apple's public declaration of
interest
<https://lists.webkit.org/pipermail/webkit-dev/2017-January/028684.html> is
also a good reason to clean up some of the rough edges so that their
implementation might go a little more smoothly than ours did. Relatedly,
how's Mozilla feeling, Dan? :)


> Following up to Artur's discussion on the call last month about risks when
> using nonce with CSP, issue #177 proposes a warning about the risks of
> injected base-uri when using nonces.
>

I have a few more patches in flight that I haven't finished yet. Maybe on a
plane tomorrow I'll get the nonce-hiding bits and pieces written up.

-mike
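As an added illustration of the base-uri risk Dan summarises above (example code written for this thread, not from issue #177 or any browser's CSP implementation; the header strings it checks are constructed): a small linter that flags a nonce-based script-src whose policy leaves `<base href>` injectable, plus the one-line hardening.

```python
import re

# A CSP nonce source looks like 'nonce-<base64>'.
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}.
    Per CSP, a repeated directive is ignored, so the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def base_uri_findings(header):
    """Return warnings for a nonce-based script policy that leaves <base>
    under attacker control. An injected <base href> needs no nonce, yet it
    changes where every relative, nonced <script src> resolves."""
    policy = parse_csp(header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not any(NONCE_RE.match(src) for src in script_src):
        return []  # not a nonce-based policy; this check does not apply
    base_uri = policy.get("base-uri")
    if base_uri is None:
        return ["base-uri not set: an injected <base href> can redirect "
                "relative nonced script URLs"]
    # '*' or a bare scheme ('https:') lets the attacker pick any base host.
    permissive = [src for src in base_uri if src == "*" or src.endswith(":")]
    if permissive:
        return ["base-uri allows %s: restrict it to 'none' or 'self'"
                % " ".join(permissive)]
    return []


def harden_base_uri(header):
    """Append base-uri 'none' when the policy does not set base-uri at all;
    an existing (possibly permissive) value is left for the author to fix."""
    if "base-uri" in parse_csp(header):
        return header
    return header.rstrip("; ") + "; base-uri 'none'"
```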

Received on Wednesday, 15 February 2017 16:54:42 UTC