$Id: 05-waf-minutes.html,v 1.12 2007/11/15 14:45:09 mike Exp $
See also: IRC log
<arve> I can't hear whoever's on now
arve, any better?
<danbri> I hear nothing
<arve> it's getting muted as noise half of the time
<danbri> lemme hangup see if it improves for arve
arve, I moved the mike, any better?
<arve> danbri: better
<danbri> (quite echoey still)
<danbri> (doc anne mentioned - http://www.w3.org/TR/access-control/ )
yeah: people continue to introduce themselves...
widget spec: http://dev.w3.org/2006/waf/widgets/
Widget reqs: http://dev.w3.org/2006/waf/widgets-reqs/
<danbri> Marcos, re the draft editors version, there is w3c boilerplate somewhere that says "Editor's draft" rather than "Working draft". Should be linked from pubrules...
<arve> I can't hear Art
<danbri> svg/webapps - http://www.w3.org/2001/sw/Europe/talks/200409-svgopen/
Artb: Just introducing the agenda for today and tomorrow.
<danbri> oh, echo gone... art did you do something different in last 10 seconds?
I moved the mike closer...
<arve> Marcos: are the slides up on slideshare yet?
<arve> Marcos: thanks
Artb: Anne and Marcos will do presentations on Access control, XBL, and widgets... after lunch we will talk about access control, at around 2-3 we will discuss widgets till the end of the day... tomorrow we will mostly be discussing widgets.
<danbri> draft of new charter (linked from above): http://www.w3.org/2006/appformats/group/Charter
AB: Our charter states that we need to have a team contact, but since Dean Jackson left us we have been without one. Usually the team contact would help us with the charter.... I've circulated the charter and the working group feels the charter is fairly complete.
AvK: ... there has been talk of maybe merging with WebAPI
AB: yes, there has been some discussions about that, but nothing more.
<danbri> +1 on public fora :)
AB: art discusses some of the
details of the new charter....
... ...we will try to complete the Access Control, the XBL, and widgets in the coming two years...
... art discusses the good standing rules as they relate to editors...
... Art finishes giving an overview of the charter.
... a question is asked about what other groups WAF will collaborate with.
... maybe with Open Ajax alliance, but we need to discuss this further.
<arve> I concur with Art's view here
AB: a small discussion takes place about Participation and the good standing rule...
<danbri> in my experience: many WGs end up being quite dependent on experts whose time is scarce, and who simply can't meet the formal good standing rules; i.e., the rules are widely ignored.
<arve> Zakim: I am PP4
UNKNOWN_SPEAKER: presentations slides will be put online later.
<arve> chaals: that the requirement remains as this WG has operated under
<arve> (correct me if I missed something)
<Lachy_> chaals, the good standing discussion just talked about applying the good standing requirement to editors only, rather than all members
DB: has this spec had a security expert review?
<danbri> has the spec had specific review from security experts?
<danbri> ... example scenario, issues around mischievous intermediaries inserting headers; are we sure there are no new attack possibilities introduced here?
<anne> from Mozilla, Opera, W3C guys
AB: Dean and I spoke to TimBL
about it, and he expressed some concerns. We have also had
Thomas looking at it, who is a security expert for the W3C. We
also have people from the Web Security Context WG....
... looking at it.
JF: I've also done a review of it from a security point of view. Open Ajax Alliance security people have also looked at it and have some concerns.
<danbri> Are the OAA concerns on the public record somewhere?
JF: I've looked at it, and I don't see any major problems
AB: thanks Anne.
see: W3C XBL 2.0 and Widgets 1.0
<danbri> (template model --- is that like XUL templates?)
<anne> Access Control for Cross-site Requests presentation: http://lists.w3.org/Archives/Public/www-archive/2007Nov/att-0023/cross-site-requests.htm
<anne> complex example on inheritance: http://www.w3.org/TR/xbl/#mixing
<artb> AB: was inheritance part of sXBL, Jon?
<artb> JF: no it wasn't; we discussed it and could not get consensus thus it was removed
<artb> MC: see http://www.slideshare.net/mcaceres
<artb> RC: is the widget packaging format overlapping work being done by the EXI WG?
<artb> HS: no, EXI is working on a compression schema for a single XML file, not an archive/packaging format
<arve> The definition of "Identifier" is currently unspecified
<danbri> who is it that has "tell widget"? yahoo?
<arve> FWIW, I think this should be left to the html5 wg
<danbri> I've wondered about a bluetooth-like "pairing" metaphor for interwidget comms, ... but yep if it can be done in html, so much the better
<arve> (Except specifying the origin and the discovery mechanism)
<artb> HS: how does auto update relate to the HTML5 Google Gears offline?
<artb> MC: good question; we need to coordinate here with the HTML WG
<artb> RC: can you leverage XML Schema's versioning mechanism
<artb> MC: not clear we want to add the complexity of XML Schema
<artb> TR: perhaps the Widget's URI and the update URI could be combined (e.g. give the Widget URI version info)?
<danbri> something we wonder at joost, is where width/height should best live...
<artb> MC: agree we should consider something like this; think we need to work through some examples and do some experimentation
<artb> TR: does a widget have access to browser state e.g. cookies, etc?
<arve> I'm having problems hearing current speaker
<arve> someone give me a summary
<arve> (Security concerns?)
<danbri> yeah, audio is not fantastic
<arve> Opera's security model has separation of both cache, cookies and storage for each individual widget
<artb> AvK: on opera the cache and state of the widget engine are separate from the browser
<arve> and said items are never shared with the browser
<danbri> so it is widgets until 12:00 boston time?
<artb> yes dan
<danbri> and a 25 min break now? ok
<arve> I'll call back in
<danbri> me too
<anne> arve, you still there?
<danbri> widgetty newsflash: http://blogs.joost.com/dev/2007/11/first_preview_release.html -- a dev build of joost that runs some opera/w3c widgets (chuck norris facts :)
<arve> anne: yes
<anne> arve, as it's getting late in Europe, anything you'd like to prioritize?
<anne> arve, there's about 45 min it seems
<danbri> did you start again?
<anne> chuck norris facts, nice
chuck norris knows all
<arve> anne: obviously widgets
any section in particular
"Chuck Norris can divide by zero"
<artb> MC: I haven't made significant changes recently
<arve> Marcos: you're dropping out
<artb> MC: lately I have started to fill out the Appendices
<artb> MC: now have a row in the table for Joost Widgets and Nokia's Web-Runtime
<artb> MC: also added a new table regarding configuration data
<artb> MC: also added an element types table with descriptions of the elements
<arve> I'm having trouble hearing the conversations because of echo and automuting
<danbri> i'm hearing everything twice
<danbri> could be
<danbri> i was muted locally
<anne> seems like it
<danbri> but zakim muting seems to fix it
<anne> maybe it was arve
<danbri> i'm happy asking Qs by Zakim
<artb> MC: some other tables are new e.g. API table
<artb> MC: also added a table of Properties and a table for Events supported
<danbri> we're talking about http://dev.w3.org/2006/waf/widgets-reqs/#appendix right?
<arve> Zakim: mute Arve
<danbri> to ask my Q in text, ... could you take care to capture something of the OpenSocial system recently proposed from Google? It's (like G. Desktop) based on Gadgets, but is more in the "social network extension" space
<artb> JF: this contains lots of useful info
<artb> AB: I agree and was wondering about moving the appendix table into a separate "Landscape" type doc
<artb> RM: I agree with that; the data will change quite a bit
<ferraiolo> Here is what OpenAjax is doing about versioning: http://www.openajax.org/member/wiki/OpenAjax_Hub_Specification_Libraries#OpenAjax.hub.registerLibrary.28prefix.2C_namespaceURI.2C_version.5B.2C_extraData.5D.29
<artb> MC: Arve, what about Debian regarding their versioning model?
<artb> ABe: I haven't found a detailed spec about Debian's model
<artb> JF: we discussed this at the OAA
<artb> JF: we use N.N.N and algorithms to compare
<arve> I can try to inquire with some of the Ubuntu developers
<artb> JF: we need this for our Ajax libs
<artb> JF: we also realize some people use text e.g. "beta" at the end
<artb> MC: we can make it quite open
<artb> MC: the other option is to follow Hixie's suggestion and just say "is it different?"
<artb> ABe: yes, knowing if it is different is indeed the important question
<artb> ABe: knowing the origin is also important
<artb> ABe: an important designing principle is easy for user to understand the model
<artb> MC: agree; I just need to know if something is new and don't care about the details
<artb> ABe: we allow user to download old versions of widgets but version numbers are created by the server and not the widget author
<artb> JF: client software e.g. browser or OS determines if there is an updated widget or not
<artb> JF: question is can everyone agree on this; think it may be futile to get such an agreement e.g. by MS, Apple, Google, etc.
<artb> JF: seems like its a bit premature to spec something that isn't settled in the industry
<artb> MC: I think something like FF and its extension model is a good working model
<artb> JF: but some models don't tell the user and do it behind their back
<artb> RM: need to go back to the question: why are the updates being done?
<artb> RM: until you understand that, not clear you can spec a good model
<artb> MC: we have an enumeration of some of the reasons in the Requirements doc
<artb> MC: agree we need to understand the user interaction model(s) being used by the major widget engines
<danbri> I'd suggest doing the signing/checking parts first, then coming back to versioning and auto-update (since doing the latter without the former is scary)
<danbri> (in terms or priorities i mean)
<danbri> artb: we have xml security spec maintainer coming tommorrow morning
<danbri> I meant in general, ... not in terms of this meeting
<artb> MC: we will specify how to sign a widget but actually doing so i.e. signing a widget would not be required
<artb> JF: good; don't make it required but do indeed support it
<artb> MC: could also use JAR as is being done by Joost
<artb> RM: also important to be able to uninstall the Widget
<danbri> re jar signer ... we're not 100% committed there, but yes having good supporting tools is v important to us
<artb> AB: but we don't actually state how to install a Widget
<artb> RM: what about widget dependencies, will they be spec'ed?
<artb> MC: nothing yet
<artb> AB: save that for v2 :)
<arve> will widgets be on the on the agenda at 15.00?
<danbri> from my pov, having a solid treatment of I18N/L18N is one of the big selling points for adopting W3C specs
<arve> again: can zakim call in?
we will make sure it is set up
no, it can only call W3C team members
I was just told
<arve> I'll stick around then
<danbri> I'm going to head off now, thanks for letting me join!
<sicking> Zakim: [Mozilla] is sicking
<sicking> Zakim: sicking is [Mozilla]
<sicking> Zakim: sicking is Mozilla
<arve> sicking: zakim is really picky on the ','
<sicking> yeah, i forgot
<arve> I'd say that's a bug
<arve> marcos on his way back online
<arve> I got a somewhat authoritative document on debian version numbers from an Ubuntu developer, http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version
<artb> Scribe: ArtB
<MikeSmith> Observers and others present: Art, Marcos, Anne, Mez, FredrickHirsh, ThomasRoessler, YngvePettersen, IanFerry, JonFerraiolo, Roland, HenriSivonen, PhilippHallamBaker, DaveRaggett, HalLockhart, RogerCutler, Bill, Amit, KimDoan, Kangchan
<MikeSmith> On the phone: JonasSicking
<MikeSmith> Scribenick: MikeSmith
anne: Hoping to rename the spec
... (as in Topic)
<artb> Anne's slides: http://lists.w3.org/Archives/Public/www-archive/2007Nov/att-0023/cross-site-requests.htm
[anne walking us through the slides]
[anne describing non-GET solution; see slides]
[now on Authentication request slide]
[now on final slide]
Hal: I think the term "authorization request" would be more accurate
<Mez> I'd particularly like to understand the security properties of the non get part
tlr: Hal is right
<Mez> but I haven't read the current draft; can anyone point me to a section?
tlr: You are describing a mechanism ...
<Mez> is Anne the only one who can answer me?
tlr: the current draft mixes at
least two different protection goals ...
... the 2nd goal is to not allow cross-site posts, but with certain exceptions ...
... Is the current work on POST worthwhile at all? ...
Hixie: I had the exact same
... implementors (specifically Mozilla) said they are "not willing to take the risk" of support cross-site posts
hal: What is the history that led to this?
<Mez> x site posts scare the heck out of me
artb: Origin of this work was from a Voice Browser WG note ...
<Mez> but I want to understand the security model before derailing anything more than IRC
artb: but use cases have expanded since then
Fredrick: Concerned about what the policy-enforcement point was ...
<Mez> "who" can perform the post? does it check both the identity and the origin of the call?
Fredrick: There's not state at the server, so it has to do its own access control in addition [to this]
JonF: [to Hixie] What exactly is
Mozilla uncomfortable with?
... Does it come down to them being more comfortable if there were an authorization handshake?
... The attack being considered here is a cross-site scripting attack.
<sicking> i'm having trouble following the argument on phone, just following what's logged on irc
tlr: The differentiation we are making here is a very very weak one.
sicking: Cross-site posts are
... but you can't POST anything other than text/plain ...
... but XHR enables a lot more ...
<Mez> POSTing can be a web app command that does anything, right?
Henri: Is the assumption that site authors are clueful enough to be able to protect against POST but not about the other possibilities?
tlr: Should we be expending time on a processing model for this?
Hixie: problem is that browser
vendors have already said they will implement proprietary
... in the absence of any standard means
<Mez> I would like to understand that POST browser vendor issue more
<Mez> Why is POST important to GET for them?
<Mez> conceptual? usability? architectural? resource?
<tlr> It's a "safe" HTTP method.
<tlr> (See RFC 2616.)
Hixie: The feeling is that there are so many holes in the dam already, we don't want to add more.
tlr: The current processing model
for POST in this spec is really bad
... cross-site POSTs has been around in XForms for years ...
anne: Yeah, but how widely used is that, and are they doing any security checks?
sicking: We do a secure check for XForms.
tlr: Is it documented anywhere?
sicking: Yeah, but I don't have the URL on hand
anne: Model is that before you perform the POST request, you use a GET request to perform an authorization request
<tlr> thanks jonas
<sicking> hmm.. no, sorry, that's something else
<sicking> oh, no, it's right
<tlr> well, it sounds as if the security check is a local whitelist. Which strikes me as, umh, weak.
<sicking> it's basically just a whitelist
anne: Would need to have the GET authorization request for each URI
<sicking> tlr, we accept patches ;)
anne: The site is controlling whether the client is authorized to do a POST
Hixie: You can respond back with a list of domains that are allowed to do a POST
tlr: This effectively means that
the authorization policy is communicated back by use of at
least two HTTP headers and a processing instruction
... looks a little bit messy
... Could put it all in the Access-Control header
sicking: We have a preliminary implementation ... but can change it
<Hixie> (the briefly mentioned proposal was to move the method from Allow: to the Access-Control thingies)
sicking: we definitely need some sort of algorithm for [handling this problem case]
<Hixie> (as in <?access-control allow=... allow="post")
<anne> <?access-control allow="foobar.com" method="POST"?> ...
anne: We want to publish this as soon as possible
tlr: question about DELETE and
other methods ...
... this is driven by the assumption that there are use cases for cross-site requests ...
Hal: We need more details about what threats you are trying to deal with
anne: I'm open to contributions.
artb: We would be happy to have an editor to write the Primer for this spec.
<Marcos> stride info: http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/default.aspx
JonF: I think it's incumbent on W3C an this WG to convince yourselves that this is not opening up any new security holes.
<Mez> how could this not open new security holes?
JonF: I'm not sure that you have yet gone through and looked at POST [as carefully as needed]
<Mez> just adding this sort of complexity will create new browser bugs
<Mez> but perhaps you mean "if it is implemented perfectly"
hsivonen: Question: What happened with the GET vs OPTIONS debate?
hsivonen: GET interferes with HTTP caching ...
<tlr> +1 to not using GET there, also given the side-effect-heavy use on the street
hsivonen: if you are for example doing something like validator.nu does, I would prefer to [do the less expensive thing if possible]
Hixie: You know it's an access
check because it has an extra header
... Problems with OPTIONS are that by default Apache returns an Allow header with everything in it ...
... the much bigger problem is that you don't get to run a script with OPTIONS ...
sicking: OPTIONS is more for checking server capabilities ...
hsivonen: Argument for using
OPTIONS is that this use case does in fact meet the intended
purpose of OPTIONS
... so option doesn't interfere with GET caching and using OPTIONS allows early dispatch to allow running the computation you would run on a normal GET
Hixie: If I can't write a ten-line script in Apache to make this work, then the spec is broken.
hsivonen: It would be easier to
respond to OPTIONS than a GET
... it has not yet been researched that OPTIONS cannot be responded to
Hixie: I've actually done quite a bit of research on it.
sicking: Needs to be simple
... simple from the server side
Mez: I would really like to
understand why browser vendors need for this spec to apply to
... what are the use cases for allowing cross-site POST?
sicking: A use case for this is
... you could POST data in order to insert calendar entries ...
<fjh> in another persons calendar, with authorization
<Mez> I wish there was a less flexible way to enable very straightforward uses like the use cases discussed
<anne> why less flexible?
<fjh> in a stateless server REST world?
<Mez> because the flexibility will enable combinations that will allow for new attacks we haven't thought of
Hal: Should make it clear that this spec is in addition to any other access-control mechanisms.
<fjh> +1 to hal
<tlr> +1 to hal and fjh as well
<Mez> I'd be willing to place a bet on that; a pitcher of beer (or equivalent), within 6 months of substantial deployment
tlr: many good reasons for not overloading GET
Hixie: I agree but I think the onus should be on the person proposing an alternative to show how a 10-line perl or python (or whatever) script can implement the alternative.
<fjh> +1 tlr, to seriously consider using OPTIONS in place of GET due to caching issues, etc
Hixie: The problem that Google has with the first option is that we are likely to have a very long list of domains ...
Hixie: problem with OPTIONS is you can't do it simply on the server side ...
<Hixie> (specifically, implementing OPTIONS (or anything other than GET or POST) on a simple Apache setup appears to be non-trivial)
<tlr> well, hixie, that problem can be solved by writing one module and distributing that, no?
Roger: Problem of me giving a
permission to an app to do something, but not knowing exactly
what that app wants to do.
... or is it that you are not giving the app permission do anything, but you are giving it permission to try.
tlr: Two authorization decisions, one at the client side, one at the server side, and we are dealing only with the one on the client side.
PHB: I respect the reason why we
should make it work with deployed UAs ...
... but not that we should make it work with currently deployed Apache ...
<sicking> my worry with the current design of GET requests that include Referer-Root and Method-Check is that a HTTP cache sitting between the browser and the target server could cache a authorization-check (either a denying or allowing). When a subsequent authorization request is made to the same uri the HTTP cache will reply with the same decision, even though the Referer-Root and/or Method-Check...
<sicking> ...header is different
PHB: just get root and update your Apache ...
<sicking> This could be solved either by not having Referer-Root and Method-Check, forcing the full ACL to always be included. Or using OPTIONS, which won't get cached
<PHB> SAML=Security Assertion Markup Language, an OASIS standard
<PHB> WS-* = WS-Security and a suite based thereon, OASIS, W3C specifications.
Hixie: I, like many other thousands of people, use a hosting provider that allows me to run CGI scripts, etc. but I don't have access to update the Apache instance running on that server
PHB - thanks
hsivonen: There is an issue of
whether to expose the content that the UA already got ...
... but the other issue ... the POST authorization ... there really isn't any trust model ... it's just a matter of whether the server knows whether this kind of case actually exists or not (whether the developers of the server are clueful [about current technology] or not ...
anne: I'm interested in hearing more about the caching issues.
<anne> sicking explained that above apparently
<anne> sorry for not following that more carefully
<anne> so evil.com -> example.org (denied, cached); good.com -> example.org (denied, because it's cached on the intermediate thingie)
tlr: we are talking about a
deployment where this won't get widely deployed in browsers
until 2 or 3 years ...
... [so why will not Apache get updated also in the mean time]
hsivonen: There are many cases where [Apache updates to deal with browser changes lag behind by many years]
<hsivonen> rather, there are cases where browsers have had to work around apache limitations due to apache opting not to fix
<Hixie> btw the completely undocumented ScriptTrapOptions is how you are supposed to be able to enable OPTIONS for cgi on apache
<Hixie> according to my research
sicking: We can't count on Apache making fixes any time soon ...
anne: I don't really see a better way than the current GET thing.
<artb> ACTION: Barstow seek input from the HTTP WG re the Read Access spec [recorded in http://www.w3.org/2007/11/05-waf-minutes.html#action01]
<trackbot-ng> Created ACTION-131 - Seek input from the HTTP WG re the Read Access spec [on Arthur Barstow - due 2007-11-12].
tlr: This working group should specifically solicit feedback on this from the HTTP working group
artb encourages everybody to continue discussion of the on the mailing list
artb thanks to Mez for sharing folks from the WSC WG for this session
<arve> going directly to widgets?
<Marcos> arve, if you are there, we can probably start
<arve> Marcos: here now
<artb> Scribe: ArtB
MC: want to talk about ZIP format
AB: spec is here: http://www.w3.org/TR/widgets/
<MikeSmith> Scribenick: artb
<scribe> Scribe: ArtB, MikeSmith, Marcos, Anne
JF: when a file is created author can choose standard Zip or the 64 bit extensions
MC: and engine should expect either format
ABe: concerned about use of MAY
... what is the requirement for supporting 64bit?
MC: author can use 64bit even for
small (=3 bytes) file
... Jon's after some future proofing
ABe: are there any problems with this?
MC: Windows Vista doesn't support
... not sure about Mac OS
AB: if there is no evidence of widespread support I would remove it
MC: I've been talking to InfoZip people
ABe: I tend to agree with Art on removing this requirement
MC: Jon, do you have any comments?
JF: I didn't realize it wasn't widely implement so I tend to agree with Art
MC: I will add a "red block" and state that this requirement will be deleted unless there are compelling use cases and demonstration of wide-spread implementation
ABe: I'm generally OK with the other requirements in section 2.5
<arve> is it possible for Jon to move closer to the mic?
<arve> he's getting cut off a lot
CV: I'm OK with section 2.5; I
see this as mostly a platform vendor problem
... is there any other real option?
MC: well "tar" is one option
JF: ODF chose Zip; Open Office format also uses Zip
<arve> Zakim: mute [Arve]
AB: comment recently: http://lists.w3.org/Archives/Public/public-appformats/2007Nov/0003.html
MC: the general idea is to standardize an "ext" directory for extension files
ABe: not clear why this is needed
MC: tend to agree
... additionally potential issue with security e.g. if using non-HTTP protocol
... The spec does not preclude this from happening
<scribe> ACTION: Marcso to respond to Richard's extension proposal [recorded in http://www.w3.org/2007/11/05-waf-minutes.html#action02]
<trackbot-ng> Sorry, couldn't find user - Marcso
<scribe> ACTION: Marcos respond to Richard's extension proposal [recorded in http://www.w3.org/2007/11/05-waf-minutes.html#action03]
<trackbot-ng> Created ACTION-132 - Respond to Richard's extension proposal [on Marcos Caceres - due 2007-11-12].
MC: Zip has some limits regarding length of filenames, nesting directory levels, etc.
ABe: some other issues too like
characters permitted in filenames
... e.g. need to exclude some specific characters
AB: is there a model we can leverage?
MC: yes, OCF
RM: someone must have already done this
<arve> There are also restrictions on domain names we could look at
<arve> RFC 3492
ABe: problem with the 3rd paragraph
<Marcos> "It is recommended that a widget resource is served over HTTP with the .wgt file extension in lower case."
<arve> If a widget user agent encounters a resource with an invalid Media Type, but with a .wgt files extension, the resource is in error and the widget user agent should not attempt to process the resource.
<arve> My proposal is to change "should not" to "must not" in this case
JF: expect file system to handle
file extensions properly e.g. invoke the appropriate
... may want to look at what SVG specifies
MC: OK, I will do so
... I'm wondering if we should specify some type of content sniffing algorithm
ABe: we used to do something like that but not any more
JF: is the config file mandatory?
MC: yes, I think so
ABe: canvas defaults to 300x150 if not specified
AB: regarding is the config file
mandatory, section 2.2 says no.
... regarding should we specify anything regarding content sniffing, I think we should be silent.
ABe: there could be some security issues with sniffing
MC: perhaps then we should say only process the Zip if it has a .wgt extension.
AB: we need to a time check
... tomorrow we will continue with section 3.
... Meeting Adjourned for today; see you tomorrow @ 09:00.