See also: IRC log
NM: There will be a call on 22 December
... Regrets from YL
JT: Regrets
NM: LM, can you scribe?
LM: Yes
<noah> http://www.w3.org/2001/tag/2011/12/08-minutes
RESOLUTION: Approve the minutes of telcon of 2011-12-08
Local arrangements for upcoming F2F at https://lists.w3.org/Archives/Member/tag/2011Dec/0004.html
NM: HST, please arrange for a telephone bridge
HST: Will do
Agenda for f2f is building at http://www.w3.org/2001/tag/2012/01/04-agenda
NM: Mark Nottingham will join us for the SPDY discussion
... Mark's time is limited, will have to fit in on Friday morning
LM: Like to involve him on registries as well, as he's been taking the lead on the HAPPIANA work
NM: Given time constraint, let's start the registries topic earlier, so we're well prepared to use Mark's time well
... Wrt XML-HTML unification work, chasing with Norm Walsh
NM: This topic was suggested at the Edinburgh f2f, suggesting we should look at what involvement we might want to have wrt HTML after HTML5
... PLH has joined us, and will do so again at the F2F to help
... References to possibly relevant material in the agenda
<noah> ACTION-637?
<trackbot> ACTION-637 -- Noah Mendelsohn to ask PLH to join us in Dec. to bring us up to speed on HTML.next, and also join in F2F discussion -- due 2011-12-20 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2001/tag/group/track/actions/637
<noah> close ACTION-637
<trackbot> ACTION-637 Ask PLH to join us in Dec. to bring us up to speed on HTML.next, and also join in F2F discussion closed
NM: Most notably, a wiki at http://www.w3.org/wiki/HTML/next
PLH: Some background on HTML.next
... Not very far yet
... The HTML WG is focussed on HTML5, given the number of open issues, some of which are tricky
... So the discussions on .next have not gotten very far so far, most recently at TPAC
... Modularization of the spec. has been mentioned several times
<Larry> Modularization work might benefit from some planning, even though it is premature to actually start with the work
PLH: Some new features have been suggested
... Media ?? WG has brought some suggestions for some changes in their area
... A <data> element has been suggested by Ian Hickson
<Larry> common protocol elements with other protocols as a big theme
<noah> Larry, would you elaborate. Do you mean things like HTTP-ish stuff in the <meta> tag, for example?
NM: There's a sort of process issue about whether the future will be understood as working on a monolithic HTML6 or whether feature (group) by feature (group) will be specced through to REC independently
PLH: Yes, but until we see a specific proposal, it's hard to know if/how this will work
HT: A large architectural issue, which might arise, is whether there is any expectation within the WG (as opposed to rest of W3C) that they might want to think about differing requirements for Web app delivery platform vs. browser.
<Larry> I'd characterize what HT said was WebApps vs. HTML WG in W3C ... is that the right boundary in the long term
NM: There's a background issue mentioned sometimes as to whether security has been well-treated in the current round
... Doug Crockford has weighed in on this
<Larry> JavaScript & API rules
<noah> Doug Crockford on HTML and Security: http://security.sys-con.com/node/1544072
<noah> Title of article is "Discoverer of JSON Recommends Suspension of HTML5"
NM: [Paraphrasing] This new spec. is chock-full of new features, and not only have you not done much to address existing issues, you've significantly expanded the surface area, and hence the risk of vulnerabilities
<noah> He specifically criticizes the lack of clear resolution to cross site scripting problems, among others.
<noah> Crockford is quoted as saying: "The XSS problem comes from two fundamental problems. The first is that the language of the web is unnecessarily complicated. HTML can be embedded in HTTP, and HTML can have embedded in it URLs, CSS, and JavaScript. "
<noah> "JavaScript can be embedded in URLs and CSS. Each of these languages has different encoding, escapement, and commenting conventions. Statically determining that a piece of text will not become malicious when inserted into an HTML document is surprisingly difficult. There is a huge and growing set of techniques by which an attacker can disguise a payload that can avoid detection. New techniques are discovered all the time, and usually the attackers find them
<noah> "The second problem is that all scripts on a page run with the same authority. "
PLH: But DC has not pointed to any specific vulnerabilities. An EU study surveyed the spec. from this perspective, and identified some moderate issues, but nothing that stands out as a major problem: "A Security Analysis of Next Generation Web Standards", http://www.enisa.europa.eu/act/application-security/web-security/a-security-analysis-of-next-generation-web-standards
LM: It's not clear that the kind of security review that is needed can be done properly
PLH: It's always possible that there are holes, but we're trying hard not to let that happen
LM: When we discussed HTML issues a while ago, we left some things off the list because they weren't timely -- should we pull them up again?
NM: I can't easily find that list -- someone needs to take an action to find the list and prepare a discussion
... so that we don't waste time
LM: I will find the list, if someone else will do the review
NM: I will take an action to find the list and email a link to the group
<noah> ACTION: Noah to try and find list of review issues relating to HTML5 from earlier discussions [recorded in http://www.w3.org/2001/tag/2011/12/15-minutes.html#action01]
<trackbot> Created ACTION-641 - Try and find list of review issues relating to HTML5 from earlier discussions [on Noah Mendelsohn - due 2011-12-22].
NM: After that, I'll wait for specific requests for action wrt something there.
PLH: That security review covers not just HTML5, but also related specs.
... It is often, as was the case with CSS, that it's combinations of specs that create security risks
<Larry> perhaps ability to do security review is a goal for modularization
PLH: The CSS risk was not CSS alone, but in combination with the DOM
JT: From what you've seen about possible HTML.next features, is there potential overlap with other WGs?
... Because that's where problems have arisen in the past
PLH: Not that I'm aware of, but only in-so-far as we often don't have WGs in the areas that have been mentioned
<Zakim> noah, you wanted to ask if review really covered Doug C.'s concern
NM: PLH mentioned the existing study, but DC's interview does mention some specifics
... For example
<noah> Doug Crockford (in article linked above): "HTML can be embedded in HTTP, and HTML can have embedded in it URLs, CSS, and JavaScript. JavaScript can be embedded in URLs and CSS. Each of these languages has different encoding, escapement, and commenting conventions. Statically determining that a piece of text will not become malicious when inserted into an HTML document is surprisingly difficult."
NM: Is that the kind of thing which that EU survey looked at? We're carrying a huge historical overhang which it's hard to untangle, or get away from
PLH: I don't know whether that issue was covered by the survey
<Zakim> Larry, you wanted to talk about modularization guidelines, reasons for, requirements for... examples of where modularization helps, things to avoid... is this something TAG could
<Larry> for example, our recent finding on web applications and URIs for application state -- could we get that into HTML.next
LM: One of the requirements for modularization is that it makes security reviews easier.
... That needs to feed in to any discussion of why modularize, and how, which the TAG might contribute to
<noah> I agree, but I think another way of saying this is: separation of concerns is a good characteristic of a design. If that's achieved, then one benefit will be that specs can be reviewed in pieces.
LM: We've recently published a REC on Application State, and are headed for something on API Minimization
HT: He said, that we've published some things that weren't well timed to affect last year's work. Things like Storage and API work in the TAG could be focused on impacting html.next
HT: Those should feed in early to improve the chance of impact
PLH: There is very low interest in the WebApps WG in working on the Web Storage API
... But it will go forward simply because it is so widely used, even though there is a widely known bug, in the area of concurrent access to the API
PLH, AM: The bug is called out in the current spec. draft, in fact
PLH: Momentum is moving toward IndexDB
AM: People have been saying that Web Storage is a very simple API, IndexDB is more complicated, they don't need that complexity.
PLH: It will get done, but it won't get improved or extended
NM: The TAG has discussed the whole question of client-side storage, and whether we should gear up to look at this area
... The Web started out pretty stateless, then along came cookies, and now various forms of client-side persistent data, Web Storage, IndexDB, etc. . .
... I think the TAG's concern should be at the architectural level, comparing these mechanisms to a local HTTP caching proxy
... and looking at the question of accessing it via an index rather than a URI
... We need to find out what people want from these, that they can't get from a caching proxy
... and maybe feed back to developers
... So even if Web Storage isn't complicated, or likely to be extended, there may be work for the TAG to do
AM: In our recent discussion, we looked also at the relation of App Cache to Web Storage
NM: Not sure how much we need to devote to this going forward
... but without more evidence of new ideas, we may have to reconsider using f2f time
... Thank you Philippe for joining us
<noah> List of topics: http://www.w3.org/2001/tag/2012/01/04-agenda.html#agendaInProgress
NM: Embedded in agenda format, but focus on timeline fixed points, and Working List of Agenda Items
AM: 11:30 end on Friday?
NM: No, usual goal -- aim for 4 p.m.
... What's up with Privacy?
AM: Not yet connected with DA on this
AM: I have written a short doc't, arguing that although the W3C now has a Do Not Track WG, there are other problem areas which are worrying
... But it's not clear what W3C can do in these areas
... Perhaps W3C should make a few statements on such things: Net Neutrality, ???
NM: Maybe this will fit in no problem, will see how the schedule goes
JT: Previous agenda discussion included, wrt Publishing and Agenda on the Web, there is now probably not going to be a new document, because we haven't had any legal input
... But we did talk about having a brainstorming session on what kinds of punchy short outputs we should aim for
... This is a good thing for f2f
HST: +1
AM: +1
... Also need to think about how they should be delivered
NM: Right, I'll plan to do that
... Aiming to wrap the agenda in the coming week, please note
JT: I would like to have a brief slot to bring us up to date on the Microdata/RDFa situation
NM: 30 minutes?
JT: Yes
NM: 10 minute update, 20 minute discussion
JT: I'm not aware of any specific thing we need to do, but did want to report
NM: There are several major document promises wrt preparation time before the f2f
... So the sooner the better
... Please get behind this and push if you're on the hook
NM: Are we good to go here?
JT: Yes, given recent agreement to the amended wording, I think we're ready to go
NM: No objections? None.
<noah> Can we record a resolution pointing to the email with the agreed text?
JT: I'll go ahead then
<noah> Since this is communication with an outside group
<JeniT> Final email in thread is http://lists.w3.org/Archives/Public/www-tag/2011Dec/0077.html
RESOLUTION: TAG agrees that Jeni Tennison will send the text in http://lists.w3.org/Archives/Public/www-tag/2011Dec/0026.html to the RDFa WG and thereby close ACTION-509
<JeniT> In some of the examples below we have used IRIs with fragment identifiers that are local to the document containing the RDFa fragment identifiers shown (e.g., 'about="#me"'). This idiom, which is also used in RDF/XML [RDF-SYNTAX-GRAMMAR] and other RDF serializations, gives a simple way to 'mint' new IRIs for entities described by RDFa and therefore contributes considerably to the expressive power of RDFa. The precise meaning of IRIs which include fragment identifiers when they appear in RDF graphs is given in Section 7 of [RDF-CONCEPTS]. To ensure that such fragment identifiers can be interpreted correctly, media type registrations for markup languages that incorporate RDFa should directly or indirectly reference this specification (RDFa Core).
<noah> ACTION-631?
<trackbot> ACTION-631 -- Jeni Tennison to suggest how is best to deal with explicit reference to only Microdata (not RDFa) from HTML spec -- due 2011-11-18 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2001/tag/group/track/actions/631
NM: Near consensus that not much needs to be done
JT: At the moment the HTML5 spec mentions neither Microdata or RDFa
... But that means there's no FYN route from the soon-to-be text/html media type definition to either of these
<Larry> maybe this belongs in the MIME document
NM: No action on FYN for HTML5, I don't think
HST: I think this needs to be against HTML5 - unconvinced focusing on mime doc now is the right way to go
JT: I'll take an action
LM: I'd like to help
<Larry> I think we need to address the issue of media type registration in the compound specifications and media type registration and use....
NM: Due date just ahead of the f2f, so at least we can discuss this there by expanding the microdata and RDFa session
JT: It might also make sense to discuss it in the HTML.next session, as it's larger than just microdata and RDFa
NM: Doesn't really fit with HTML.next -- time frame wrong, for one thing
JT: It was mostly that I was hoping PLH would be there
NM: OK, I'll expand both the time slot and the topic for what was called above the Microdata and RDFa reporting session
<noah> ACTION: Jeni with help from Larry to make plan of action for getting "follow your nose" for (at least) microdata and RDFA from HTML5 Due: 2 January 2012 [recorded in http://www.w3.org/2001/tag/2011/12/15-minutes.html#action02]
<trackbot> Created ACTION-642 - With help from Larry to make plan of action for getting "follow your nose" for (at least) microdata and RDFA from HTML5 Due: 2 January 2012 [on Jeni Tennison - due 2011-12-22].
<noah> ACTION-642 Due 2012-01-02
<trackbot> ACTION-642 With help from Larry to make plan of action for getting "follow your nose" for (at least) microdata and RDFA from HTML5 Due: 2 January 2012 due date now 2012-01-02
NM: So, close ACTION-631?
<noah> close ACTION-631
<trackbot> ACTION-631 Suggest how is best to deal with explicit reference to only Microdata (not RDFa) from HTML spec closed
<noah> ACTION-614?
<trackbot> ACTION-614 -- Jeni Tennison to report on progress relating to RDFa and Microdata -- due 2011-12-15 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/614
<noah> ACTION-614 Due 2012-01-06
<trackbot> ACTION-614 Report on progress relating to RDFa and Microdata due date now 2012-01-06
<noah> http://www.w3.org/2001/tag/group/track/actions/pendingreview
<noah> ACTION-528?
<trackbot> ACTION-528 -- Henry Thompson to create and get consensus on a product page and tracker product page for persistence of names -- due 2011-11-29 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2001/tag/group/track/actions/528
HST: Was planning to discuss minutes of the workshop today, but someone asked for more time
ACTION-588?
<trackbot> ACTION-588 -- Noah Mendelsohn to work with Larry to update mime-web product page Due 2011-08-18 -- due 2011-12-13 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2001/tag/group/track/actions/588
Overtaken by ACTION-636 (Noah successfully fobs this off on Larry). Marking PENDING REVIEW.
close ACTION-588
<trackbot> ACTION-588 Work with Larry to update mime-web product page Due 2011-08-18 closed
ACTION-625?
<trackbot> ACTION-625 -- Noah Mendelsohn to schedule followup discussion of http://www.w3.org/wiki/HttpRange14Options (per agreement in Santa Clara) -- due 2011-12-21 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2001/tag/group/track/actions/625
HST: There is a plan we hatched in Edinburgh, JAR will be letting us all know about it
<noah> Include ACTION-625 in F2F agendum on URI Definition Discovery -- new work to be available for discussion
<noah> ACTION-639?
<trackbot> ACTION-639 -- Noah Mendelsohn to invite Mark Nottingham to SPDY/HTTP F2F session -- due 2011-12-15 -- PENDINGREVIEW
<trackbot> http://www.w3.org/2001/tag/group/track/actions/639
<noah> close ACTION-639
<trackbot> ACTION-639 Invite Mark Nottingham to SPDY/HTTP F2F session closed
<noah> ACTION-560?
<trackbot> ACTION-560 -- Henry Thompson to review HTML polyglot last call Due 2011-06-06 -- due 2011-12-06 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/560
HST: Some progress behind the scenes, but nothing definite to report on yet
ACTION-560 due 2011-12-20
<trackbot> ACTION-560 Review HTML polyglot last call Due 2011-06-06 due date now 2011-12-20
<noah> ACTION-635?
<trackbot> ACTION-635 -- Henry Thompson to update product page for Frag IDS and Mime types, to include realistic goals and dates -- due 2011-12-08 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/635
HST: I'll scope a session on this for the f2f, in case it's needed
ACTION-635 due 2011-12-20
<trackbot> ACTION-635 Update product page for Frag IDS and Mime types, to include realistic goals and dates due date now 2011-12-20
HST: The updated page will not promise anything in time for the f2f
<noah> http://www.w3.org/2001/tag/group/track/actions/overdue?sort=owner
<noah> ACTION-501?
<trackbot> ACTION-501 -- Ashok Malhotra to follow up on whether GeoLocation finds reasonable answer on giving permission per site/app etc [self-assigned] -- due 2011-12-06 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/501
<noah> ACTION-633?
<trackbot> ACTION-633 -- Ashok Malhotra to drive TAG review of Geolocation last call Due 2011-12-06 -- due 2011-12-06 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/633
NM: It really matters that Product pages really need to tell the truth about when substantial documents will be forthcoming
AM: I think these are done, I sent email about them, saying the spec. looked OK to me and no action was required
<noah> NM: Right, we need that especially as input to the F2F...otherwise we will burn time there editing the product pages to reflect earlier decision
<Larry> +1
<noah> close ACTION-501
<trackbot> ACTION-501 Follow up on whether GeoLocation finds reasonable answer on giving permission per site/app etc [self-assigned] closed
<noah> close ACTION-633
<trackbot> ACTION-633 Drive TAG review of Geolocation last call Due 2011-12-06 closed
AM: I've done my half of ACTION-634
<noah> ACTION-634?
<trackbot> ACTION-634 -- Noah Mendelsohn to with help from Noah to publish http://www.w3.org/2001/tag/doc/IdentifyingApplicationState-20111130 as a TAG Finding -- due 2011-12-20 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/634
AM: Waiting on NM for the other half
<Larry> I will bump the dates on my open actions
<noah> ACTION-632?
<trackbot> ACTION-632 -- Ashok Malhotra to frame issues around client-side storage work Due 2011-12-06 -- due 2011-12-06 -- OPEN
<trackbot> http://www.w3.org/2001/tag/group/track/actions/632
NM: I do want to talk about this at the f2f, so need it before then
<noah> ACTION-632 Due 2012-01-02
<trackbot> ACTION-632 Frame issues around client-side storage work Due 2011-12-06 due date now 2012-01-02
LM: I have been working on xxx, and would welcome review from everyone
<Larry> i've been making good progress, i'm ready for 1-1 review of the document i'm working on, but not in a mode where you read something and give me feedback days later...
NM: Adjourned
<Larry> i posted a couple of "uncool URLs must change" links
<Larry> and HTTP status cats as a new registry
<ht> +1 for HTTP status cats