Re: Agenda, 5 June 2014 SVG WG / WebAppSec WG telcon from Hill, Brad on 2014-06-04 (www-svg@w3.org from June 2014)

From: Hill, Brad <bhill@paypal.com>
Date: Wed, 4 Jun 2014 19:55:08 +0000
To: "www-svg@w3.org" <www-svg@w3.org>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <834FC928-A80B-4A46-A755-37FEDD926BA6@paypal.com>

Thanks, Erik.

By way of context for the SVG folks:

CSP is "Content Security Policy".

http://www.w3.org/TR/CSP
and
http://www.w3.org/TR/CSP11

In short, CSP allows setting a policy in an HTTP header that determines things like where a resource may load other resources from, and whether certain features like inline scripting, inline css and eval() are allowed.  It's goal is to reduce the damage that content injections (like XSS) can do.

SVG is interesting for this because it has its own notions of scripting and css and we have to determine how to apply CSP policies to SVG in various contexts, and understand whether and in what circumstances it ought to "inherit" the policy of a containing resource, or when it ought to conform to a policy it was delivered with.

We noticed the recent SVG Integration draft (https://svgwg.org/specs/integration/) and that it was relevant to similar questions we've had in our WG about how to treat SVG and CSP, and these are some of our last outstanding issues to clarify before taking CSP 1.1 to Last Call, so we asked for soem time to chat so we can make sure what we do makes sense with what the SVG model actually implies.

thanks,

-Brad Hill

On Jun 4, 2014, at 12:36 AM, Erik Dahlström <ed@opera.com> wrote:

> Hello SVG WG and WebAppSec WG,
> 
> I'd like to welcome the WebAppSec WG to tomorrow's SVG WG call, to start the discussion on how SVG and CSP can play nicely together.
> 
> 
> Time and date: http://www.timeanddate.com/worldclock/fixedtime.html?month=06&day=05&year=2014&hour=13&min=00&sec=0&p1=0
> Phone: +1 617-761-6200 (US) or zakim@voip.w3.org (SIP)
> Conference code: SVG1# (7841#)
> IRC for minutes/discussion: #svg on irc.w3.org, port 6665
> Agenda requests: http://www.w3.org/Graphics/SVG/WG/wiki/Agenda
> 
> 
> Agenda:
> 
> * How can SVG and CSP play nicely together? (WebAppSec WG)
> * Resolve exact dates for London F2F (Cameron)
> * Sydney F2F (early 2015) (ed)
> * Should we use unrestricted double for SVGLength, SVGNumber, SVGAngle and all attributes? DOMPoint, DOMRect, DOMMatrix do already. (krit)
> * Missing 'turn' unit in SVGAngle, see CSS3 Values and Units (ed)
> 
> -- 
> Erik Dahlstrom, Web Technology Developer, Opera Software
> Co-Chair, W3C SVG Working Group
>

Received on Wednesday, 4 June 2014 19:55:41 UTC