IRC log of bpwg on 2009-05-05
Timestamps are in UTC.
- 13:26:15 [RRSAgent]
- RRSAgent has joined #bpwg
- 13:26:15 [RRSAgent]
- logging to http://www.w3.org/2009/05/05-bpwg-irc
- 13:26:17 [trackbot]
- RRSAgent, make logs public
- 13:26:17 [Zakim]
- Zakim has joined #bpwg
- 13:26:19 [trackbot]
- Zakim, this will be BPWG
- 13:26:19 [Zakim]
- ok, trackbot; I see MWI_BPWG()9:30AM scheduled to start in 4 minutes
- 13:26:20 [trackbot]
- Meeting: Mobile Web Best Practices Working Group Teleconference
- 13:26:20 [trackbot]
- Date: 05 May 2009
- 13:27:15 [abel]
- abel has joined #bpwg
- 13:27:41 [francois]
- Agenda: http://lists.w3.org/Archives/Public/public-bpwg/2009May/0004.html
- 13:28:43 [francois]
- Regrets: Kai, Manrique, BruceLawson, Yeliz, DavidStorey, SangwhanMoon, tomhume
- 13:28:59 [cgi-irc]
- cgi-irc has joined #bpwg
- 13:29:06 [rob]
- rob has joined #bpwg
- 13:29:13 [adam]
- zakim, code?
- 13:29:13 [Zakim]
- the conference code is 2794 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), adam
- 13:29:45 [Zakim]
- MWI_BPWG()9:30AM has now started
- 13:29:52 [Zakim]
- + +0207881aaaa
- 13:29:58 [adam]
- zakim, aaaa is me
- 13:29:58 [Zakim]
- +adam; got it
- 13:30:18 [Zakim]
- + +03531522aabb
- 13:30:27 [DKA]
- DKA has joined #bpwg
- 13:30:28 [jo]
- zakim, aabb is me
- 13:30:28 [Zakim]
- +jo; got it
- 13:31:03 [Zakim]
- +Francois
- 13:31:16 [Zakim]
- +??P5
- 13:31:26 [DKA]
- zakim, who's here?
- 13:31:26 [Zakim]
- On the phone I see adam, jo, Francois, ??P5
- 13:31:27 [Zakim]
- On IRC I see DKA, rob, adam, abel, Zakim, RRSAgent, jo, francois, trackbot
- 13:31:32 [DKA]
- zakim, ??p5 is DKA
- 13:31:32 [Zakim]
- +DKA; got it
- 13:31:33 [EdC]
- EdC has joined #bpwg
- 13:32:56 [jeffs]
- jeffs has joined #bpwg
- 13:33:12 [miguel]
- miguel has joined #bpwg
- 13:33:26 [Zakim]
- + +41.31.972.aacc
- 13:34:02 [Zakim]
- +[W3C-Spain]
- 13:34:14 [DKA]
- zakim, who's here?
- 13:34:14 [Zakim]
- On the phone I see adam, jo, Francois, DKA, +41.31.972.aacc, [W3C-Spain]
- 13:34:16 [Zakim]
- On IRC I see miguel, jeffs, EdC, DKA, rob, adam, abel, Zakim, RRSAgent, jo, francois, trackbot
- 13:34:41 [Zakim]
- + +1.585.278.aadd
- 13:34:56 [SeanP]
- SeanP has joined #bpwg
- 13:36:15 [jeffs]
- zakim aadd is me
- 13:36:41 [francois]
- zakim, aadd is jeffs
- 13:36:41 [Zakim]
- +jeffs; got it
- 13:36:44 [Zakim]
- + +1.630.414.aaee
- 13:36:59 [SeanP]
- Zakim, aaee is me
- 13:36:59 [Zakim]
- +SeanP; got it
- 13:37:39 [DKA]
- zakim, who's here?
- 13:37:39 [Zakim]
- On the phone I see adam, jo, Francois, DKA, +41.31.972.aacc, miguel, jeffs, SeanP
- 13:37:39 [francois]
- zakim, who is making noise?
- 13:37:41 [Zakim]
- On IRC I see SeanP, miguel, jeffs, EdC, DKA, rob, adam, abel, Zakim, RRSAgent, jo, francois, trackbot
- 13:37:52 [Zakim]
- francois, listening for 10 seconds I heard sound from the following: DKA (86%)
- 13:38:10 [francois]
- Chair: DKA
- 13:38:29 [Zakim]
- + +0207287aaff
- 13:38:42 [rob]
- zakim, aaff is me
- 13:38:42 [Zakim]
- +rob; got it
- 13:38:43 [francois]
- Scribe: jeffs
- 13:39:26 [jeffs]
- synopisis/Review last teleconfcall by Francois
- 13:39:49 [jeffs]
- some small changes by Adam, expect publishing by end of this wk or beginning of next wk
- 13:40:19 [jeffs]
- 2nd thing: waiting for ed & outreach group to publish new accessibility draft
- 13:40:40 [jeffs]
- francois will check w them then tell us so we can vote on publishing our draft
- 13:41:01 [jeffs]
- most of the content transformation topics put off for this mtg
- 13:41:34 [jeffs]
- chose to use existing HTTP RFC rather than defining our own definitions
- 13:42:01 [jeffs]
- Dan: are we done w same-origin & MIME type issues?
- 13:42:14 [jeffs]
- Francois: waiting for feedback before submitting IETF form
- 13:43:04 [jeffs]
- Dan & Francois: as far as MWABP goes, getting closer to being ready but a couple of topics still need discussion
- 13:44:17 [EdC]
- Basically, sections 3.6.1-3.6.2 of MWABP.
- 13:44:18 [jeffs]
- Francois: some topics to be discussed w Francois & Eduardo: DevDesc repository, capability detection, & a few others
- 13:44:46 [jeffs]
- Francois: suggests Adam may be able to talk about sec 3.6
- 13:45:05 [francois]
- -> http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/0040.html Eduardo's comments on MWABP
- 13:45:21 [jeffs]
- Adam: prefer server-side detection, but may need to use client-side detection for some other things
- 13:45:34 [francois]
- -> http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/0044.html fd's comments on MWABP
- 13:46:15 [jeffs]
- Adam: we should review Eduardo's comments, we should ensure rigorous & correct statements in our document (re 3.6.1-3.6.2)
- 13:46:51 [jeffs]
- Adam: agrees w Eduardo things are somewhat over-simplified & these sections could become more rigorous... Eduardo refers to his comments again
- 13:47:18 [francois]
- -> http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/ED-mobile-bp2-20090405 latest MWABP draft
- 13:47:48 [jeffs]
- Adam: mostly just fixed typos, bigger issues responded to on the email thread
- 13:48:05 [jeffs]
- Adam: mainly sections 3.6.1-3.6.2 need discussion
- 13:48:52 [jeffs]
- Dan: who wants to intro topic & make a proposal for today's call?
- 13:49:32 [jeffs]
- Dan: or do we need to examine beforehand, do that on thread and find our way to resolution on next week's call
- 13:49:53 [jeffs]
- Adam: still working out what the right thing is to propose, awaiting more community feedback
- 13:50:03 [francois]
- q+
- 13:50:14 [DKA]
- ack fra
- 13:50:38 [jeffs]
- Francois: need more review by non-techie point of view of some examples in BP
- 13:51:21 [jeffs]
- Francois: we need to give someone the Task of reviewing the examples to make sure as many ppl as possible will understand them
- 13:51:44 [jeffs]
- I'll try to drum up some more review, like I did w transcoding issue
- 13:53:14 [jeffs]
- I'll try to drum up some more review on CHW blog, like I did w transcoding issue
- 13:53:19 [jeffs]
- Dan: wants an action plan
- 13:53:49 [jeffs]
- jeffs: I'll take an action if Adam (or someone else) will too
- 13:54:20 [jeffs]
- Dan: talked about need for review and process
- 13:54:27 [francois]
- [some sections with examples to review at some point: 3.4.10 on Set-Cookie, 3.5.10.2 on viewport]
- 13:55:11 [jeffs]
- Adam: suggests review from non-engineering perspective important now
- 13:55:39 [jeffs]
- Adam: will also push next draft around at work for review & comment
- 13:57:17 [jeffs]
- part of both reviewing myself & seeking input via CHW blog is to get not-so-tech folks
- 13:58:27 [jeffs]
- Dan: moving on to content transformation
- 13:58:56 [jeffs]
- Dan: on to same-origin policy
- 13:59:41 [jeffs]
- Francois: last f2f pointed us to existing test suites to use to test out
- 13:59:46 [francois]
- -> http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/0014.html fd's report on CT and same-origin policy
- 14:00:34 [jeffs]
- Francois: there are existing if not-complete test suites around, problem is same-origin policy is a fairly large umbrella
- 14:01:05 [jeffs]
- Francois: no 2 browsers alike re same-origin, HTML 5 defining (for 1st time in stds work)
- 14:01:44 [jeffs]
- Francois: some ongoing work in WebApps group to define how to allow X-posting, moving target right now
- 14:02:54 [jeffs]
- Francois: in the end, CT proxy must not introduce a new origin... need more info written into the Guidelines
- 14:03:21 [jeffs]
- Francois: going to pass 3 proposed solutions
- 14:03:24 [francois]
- PROPOSED RESOLUTION 1: Since there doesn't appear to be a way in which the URI sent to the User Agent can be manipulated to preserve security related to
- 14:03:24 [francois]
- same origin policies it is permissible for a CT proxy to act on content
- 14:03:24 [francois]
- in so that security is nonetheless preserved as adjudged by conformance
- 14:03:24 [francois]
- tests that are to be researched. If no such security tests can be found
- 14:03:24 [francois]
- then there cannot be conformance associated with link rewriting and it cannot be permissible for CT proxies to do so.
- 14:03:25 [DKA]
- q?
- 14:03:47 [francois]
- PROPOSED RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security
- 14:03:47 [francois]
- measures are taken on the proxy. When links are re-written, proxies MUST ensure that the resulting content is purely static, and MUST therefore remove all scripting and cookies from the content served to the client.
- 14:04:26 [jeffs]
- Francois: talking about proposed resolutions
- 14:04:34 [francois]
- PROPOSED RESOLUTION 3: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Areas affected include DOM access, Cookies, and XHR calls.
- 14:06:18 [jeffs]
- Francois: not for prop 1, would go for prop 3
- 14:06:35 [EdC]
- I'd rather go for 2.
- 14:06:37 [jeffs]
- +1 on proposal 3
- 14:07:01 [DKA]
- +1 on 3
- 14:07:04 [SeanP]
- q+
- 14:07:04 [jo]
- +1 to proposal 2
- 14:07:09 [jeffs]
- Dan & Francois: discussion of proposals
- 14:07:22 [DKA]
- ack se
- 14:07:24 [francois]
- ack SeanP
- 14:07:26 [jeffs]
- I like the simplicity and clarity and security of #3
- 14:07:29 [EdC]
- Comment: what are the "appropriate measures on the proxy"? If no definition, then the proposed resolution is vague.
- 14:07:38 [EdC]
- Re: prop. 3.
- 14:07:53 [jeffs]
- SeanP: making suggestion for other wording
- 14:07:55 [EdC]
- q+
- 14:08:13 [jeffs]
- SeanP: only say not recommended BP way to handle things
- 14:08:21 [DKA]
- q?
- 14:08:22 [jeffs]
- Francois: how is that diff than #1?
- 14:08:46 [francois]
- s/#1/#3
- 14:08:55 [jeffs]
- IMHO, proposed resolution #3 makes the most sense and is the easiest to work with
- 14:09:49 [jeffs]
- SeanP: are we saying not recommended even if CT is behaving?
- 14:10:16 [rob]
- +1 on 3 and on 2
- 14:10:32 [EdC]
- q+
- 14:10:34 [jeffs]
- Francois: needs to be strongly recommended against in all cases, only used because there is no other way now to accomplish some tasks
- 14:10:39 [DKA]
- ack ed
- 14:10:42 [jeffs]
- +1 on 3
- 14:11:00 [jeffs]
- Ed: sees #2 as a reinforcement of #3
- 14:11:31 [jeffs]
- Ed: do we know what "approp security measures" are (re #3)?
- 14:12:03 [Zakim]
- -adam
- 14:12:22 [jeffs]
- Francois: we have to talk about what they are, lists some references & what areas primarily affected
- 14:12:45 [jeffs]
- Francois: no way to normatively tell what you need to do to remove the security risk
- 14:13:14 [jeffs]
- Ed: this is a bit farther than what I was recommending
- 14:13:37 [jeffs]
- Ed: what are the measures the proxy could take to make this okay?
- 14:13:48 [jeffs]
- Ed: we need to say what to do on the proxy
- 14:14:17 [jeffs]
- Francois: we can say more informatively than normatively in this area
- 14:14:47 [jeffs]
- Ed: is there any existing doc saying what approp sec measures are? Francois: nope
- 14:15:43 [jeffs]
- Ed & Francois: back and forth on availability & criticality (or not) of documentation on what exactly for servers to do
- 14:16:21 [jeffs]
- Ed: review of prop #2 details w Francois
- 14:17:03 [jeffs]
- Ed: asking about where proposed measures found by Francois
- 14:17:20 [jeffs]
- Francois: talked about orgs he spoke w about the issue
- 14:17:42 [jeffs]
- Francois: talked about recommendations he got from discussions
- 14:17:59 [jeffs]
- Ed: discussion of same-origin policy XSS issues
- 14:18:09 [DKA]
- q?
- 14:18:55 [jeffs]
- Ed: speaking in favor of #2 (as giving more info) over #3
- 14:19:15 [jeffs]
- Francois: fine w that but thinks may be excessively restrictive
- 14:19:49 [jeffs]
- Ed: 1st prop is a solution, but harsh... the 2nd is a solution, but less harsh... the 3rd is no solution at all
- 14:20:34 [jeffs]
- Dan: before we take a vote on this, is there other work from which we can leverage ideas & policy recommendations?
- 14:21:03 [jeffs]
- Francois: not sure
- 14:21:22 [jeffs]
- Dan: will try to find more info on this
- 14:22:01 [DKA]
- +1 on 3
- 14:22:20 [jeffs]
- what is wrong w #3 with examples? I am afraid of too much specificity on this
- 14:22:50 [SeanP]
- 3 for me
- 14:23:02 [jeffs]
- Dan: if work on HTML5 is picked up it will become de facto, we don't want to bump into their work
- 14:23:06 [francois]
- +1 on 3, 0 on 2.
- 14:23:22 [EdC]
- +1 on 2
- 14:23:25 [jeffs]
- +1 on 3
- 14:23:27 [jo]
- +1 on 2
- 14:23:35 [rob]
- +1 on 3 or 2
- 14:23:54 [jo]
- [I think it's meaningless to say "appropriate"]
- 14:25:31 [SeanP]
- sean didn't hear it either
- 14:25:53 [jeffs]
- Jo: thinks we will get lots of push-back & complaints
- 14:26:18 [jeffs]
- Rob: said that 2 and 3 basically say the same thing but 2 is a bit more explicit about how to stay secure than 3
- 14:26:51 [jeffs]
- Dan & Jo: back & forth on what other group is shaping up as defacto std
- 14:27:19 [jeffs]
- Francois: want to avoid too restrictive a BP, but thinks no danger of contradicting work of others
- 14:27:45 [jeffs]
- Dan: want to avoid things too restrictive as leading to ppl not attending to this BP
- 14:28:10 [jeffs]
- Jo: then the conformance statement (strongly rec'd rather than must not) helps
- 14:28:31 [jeffs]
- Dan: reading "must" statements
- 14:28:58 [jeffs]
- Jo: "strongly not recommended" would be okay
- 14:29:19 [jeffs]
- Dan: looking for a "middle way"
- 14:29:35 [francois]
- PROPOSED RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content served to the client.
- 14:29:37 [EdC]
- What about replacing the MUST with something like: STRONGLY NOT RECOMMENDED to send anything else than static content...
- 14:30:18 [jeffs]
- Dan: restating the exact normative language we must use
- 14:30:54 [francois]
- +1
- 14:31:09 [EdC]
- add " Areas affected include DOM access, Cookies, and XHR calls." after "taken on the proxy."
- 14:31:27 [DKA]
- +1
- 14:31:29 [SeanP]
- +0.5 (I like 3 better, but this is OK)
- 14:31:34 [jeffs]
- is that an exhaustive list of the areas affected??
- 14:31:43 [EdC]
- "main areas affected..." ?
- 14:31:52 [rob]
- +1 but 3 is still good too
- 14:31:56 [jeffs]
- I also like #3 better for the simplicity and flexibility
- 14:32:12 [EdC]
- +1 on 2
- 14:32:12 [jeffs]
- but can live with adjusted #2
- 14:32:26 [francois]
- PROPOSED RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Main areas affected are DOM access, Cookies, and XHR calls. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content served to the client.
- 14:32:27 [jo]
- +1 with EdC's proposal
- 14:32:44 [jeffs]
- +1
- 14:32:46 [EdC]
- +1
- 14:33:07 [jeffs]
- Dan: I must leave, new chair or close off call now?
- 14:33:17 [jeffs]
- Dan: after we take a resolution
- 14:33:30 [jeffs]
- RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Main areas affected are DOM access, Cookies, and XHR calls. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content...
- 14:33:31 [jeffs]
- ...served to the client.
- 14:33:52 [jeffs]
- RESOLUTION: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Main areas affected are DOM access, Cookies, and XHR calls. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content served...
- 14:33:54 [jeffs]
- ...to the client.
- 14:34:29 [jeffs]
- Dan: trying to pass mantle to Jo, instead call is done _grin_
- 14:34:30 [jo]
- [bye]
- 14:34:35 [Zakim]
- -Francois
- 14:34:38 [jo]
- zakim, drop me
- 14:34:38 [Zakim]
- jo is being disconnected
- 14:34:39 [Zakim]
- -jo
- 14:34:40 [jeffs]
- bye
- 14:34:44 [Zakim]
- -miguel
- 14:34:45 [Zakim]
- - +41.31.972.aacc
- 14:34:53 [Zakim]
- -DKA
- 14:34:55 [Zakim]
- -jeffs
- 14:34:58 [Zakim]
- -SeanP
- 14:35:00 [Zakim]
- -rob
- 14:35:00 [Zakim]
- MWI_BPWG()9:30AM has ended
- 14:35:01 [Zakim]
- Attendees were +0207881aaaa, adam, +03531522aabb, jo, Francois, DKA, +41.31.972.aacc, miguel, +1.585.278.aadd, jeffs, +1.630.414.aaee, SeanP, +0207287aaff, rob
- 14:35:07 [francois]
- zakim, draft minutes
- 14:35:07 [Zakim]
- I don't understand 'draft minutes', francois
- 14:35:12 [francois]
- RRSAgent, draft minutes
- 14:35:12 [RRSAgent]
- I have made the request to generate http://www.w3.org/2009/05/05-bpwg-minutes.html francois
- 14:36:55 [rob]
- rob has left #bpwg
- 14:42:53 [francois]
- i/synopisis/Topic: Last week's call review/
- 14:43:51 [abel]
- abel has left #bpwg
- 14:43:54 [francois]
- i/Francois: some topics to be discussed/Topic: Mobile Web Application Best Practices/
- 14:44:45 [francois]
- i/Dan: moving on to content transformation/Topic: CT - same origin policy
- 14:44:49 [francois]
- RRSAgent, draft minutes
- 14:44:49 [RRSAgent]
- I have made the request to generate http://www.w3.org/2009/05/05-bpwg-minutes.html francois
- 14:48:06 [francois]
- Present+ abel_on_IRC
- 14:48:07 [francois]
- RRSAgent, draft minutes
- 14:48:07 [RRSAgent]
- I have made the request to generate http://www.w3.org/2009/05/05-bpwg-minutes.html francois
- 15:01:29 [francois]
- RRSAgent, bye
- 15:01:29 [RRSAgent]
- I see no action items