13:26:15 RRSAgent has joined #bpwg
13:26:15 logging to http://www.w3.org/2009/05/05-bpwg-irc
13:26:17 RRSAgent, make logs public
13:26:17 Zakim has joined #bpwg
13:26:19 Zakim, this will be BPWG
13:26:19 ok, trackbot; I see MWI_BPWG()9:30AM scheduled to start in 4 minutes
13:26:20 Meeting: Mobile Web Best Practices Working Group Teleconference
13:26:20 Date: 05 May 2009
13:27:15 abel has joined #bpwg
13:27:41 Agenda: http://lists.w3.org/Archives/Public/public-bpwg/2009May/0004.html
13:28:43 Regrets: Kai, Manrique, BruceLawson, Yeliz, DavidStorey, SangwhanMoon, tomhume
13:28:59 cgi-irc has joined #bpwg
13:29:06 rob has joined #bpwg
13:29:13 zakim, code?
13:29:13 the conference code is 2794 (tel:+1.617.761.6200 tel:+33.4.89.06.34.99 tel:+44.117.370.6152), adam
13:29:45 MWI_BPWG()9:30AM has now started
13:29:52 + +0207881aaaa
13:29:58 zakim, aaaa is me
13:29:58 +adam; got it
13:30:18 + +03531522aabb
13:30:27 DKA has joined #bpwg
13:30:28 zakim, aabb is me
13:30:28 +jo; got it
13:31:03 +Francois
13:31:16 +??P5
13:31:26 zakim, who's here?
13:31:26 On the phone I see adam, jo, Francois, ??P5
13:31:27 On IRC I see DKA, rob, adam, abel, Zakim, RRSAgent, jo, francois, trackbot
13:31:32 zakim, ??p5 is DKA
13:31:32 +DKA; got it
13:31:33 EdC has joined #bpwg
13:32:56 jeffs has joined #bpwg
13:33:12 miguel has joined #bpwg
13:33:26 + +41.31.972.aacc
13:34:02 +[W3C-Spain]
13:34:14 zakim, who's here?
13:34:14 On the phone I see adam, jo, Francois, DKA, +41.31.972.aacc, [W3C-Spain]
13:34:16 On IRC I see miguel, jeffs, EdC, DKA, rob, adam, abel, Zakim, RRSAgent, jo, francois, trackbot
13:34:41 + +1.585.278.aadd
13:34:56 SeanP has joined #bpwg
13:36:15 zakim aadd is me
13:36:41 zakim, aadd is jeffs
13:36:41 +jeffs; got it
13:36:44 + +1.630.414.aaee
13:36:59 Zakim, aaee is me
13:36:59 +SeanP; got it
13:37:39 zakim, who's here?
13:37:39 On the phone I see adam, jo, Francois, DKA, +41.31.972.aacc, miguel, jeffs, SeanP
13:37:39 zakim, who is making noise?
13:37:41 On IRC I see SeanP, miguel, jeffs, EdC, DKA, rob, adam, abel, Zakim, RRSAgent, jo, francois, trackbot
13:37:52 francois, listening for 10 seconds I heard sound from the following: DKA (86%)
13:38:10 Chair: DKA
13:38:29 + +0207287aaff
13:38:42 zakim, aaff is me
13:38:42 +rob; got it
13:38:43 Scribe: jeffs
13:39:26 synopisis/Review last teleconfcall by Francois
13:39:49 some small changes by Adam, expect publishing by end of this wk or beginning of next wk
13:40:19 2nd thing: waiting for ed & outreach group to publish new accessibility draft
13:40:40 francois will check w them then tell us so we can vote on publishing our draft
13:41:01 most of the content transformation topics put off for this mtg
13:41:34 chose to use existing HTTP RFC rather than defining our own definitions
13:42:01 Dan: are we done w same-origin & MIME type issues?
13:42:14 Francois: waiting for feedback before submitting IETF form
13:43:04 Dan & Francois: as far as MWABP goes, getting closer to being ready but a couple of topics still need discussion
13:44:17 Basically, sections 3.6.1-3.6.2 of MWABP.
13:44:18 Francois: some topics to be discussed w Francois & Eduardo: DevDesc repository, capability detection, & a few others
13:44:46 Francois: suggests Adam may be able to talk about sec 3.6
13:45:05 -> http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/0040.html Eduardo's comments on MWABP
13:45:21 Adam: prefer server-side detection, but may need to use client-side detection for some other things
13:45:34 -> http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/0044.html fd's comments on MWABP
13:46:15 Adam: we should review Eduardo's comments, we should ensure rigorous & correct statements in our document (re 3.6.1-3.6.2)
13:46:51 Adam: agrees w Eduardo things are somewhat over-simplified & these sections could become more rigorous... Eduardo refers to his comments again
13:47:18 -> http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/ED-mobile-bp2-20090405 latest MWABP draft
13:47:48 Adam: mostly just fixed typos, bigger issues responded to on the email thread
13:48:05 Adam: mainly sections 3.6.1-3.6.2 need discussion
13:48:52 Dan: who wants to intro topic & make a proposal for today's call?
13:49:32 Dan: or do we need to examine &beforehand, do that on thread and find our way to resolution on next week's call
13:49:53 Adam: still working out what the right thing is to propose, awaiting more community feedback
13:50:03 q+
13:50:14 ack fra
13:50:38 Francois: need more review by non-techie point of view of some examples in BP
13:51:21 Francois: we need to give someone the Task of reviewing the examples to make sure as many ppl as possible will understand them
13:51:44 I'll try to drum up some more review, like I did w transcoding issue
13:53:14 I'll try to drum up some more review on CHW blog, like I did w transcoding issue
13:53:19 Dan: wants an action plan
13:53:49 jeffs: I'll take an action if Adam (or someone else) will too
13:54:20 Dan: talked about need for review and process
13:54:27 [some sections with examples to review at some point: 3.4.10 on Set-Cookie, 3.5.10.2 on viewport]
13:55:11 Adam: suggests review from non-engineering perspective important now
13:55:39 Adam: will also push next draft around at work for review & comment
13:57:17 part of both reviewing myself & seeking input via CHW blog is to get not-so-tech folks
13:58:27 Dan: moving on to content transformation
13:58:56 Dan: on to same-origin policy
13:59:41 Francois: last f2f pointed us to existing test suites to use to test out
13:59:46 -> http://lists.w3.org/Archives/Public/public-bpwg/2009Apr/0014.html fd's report on CT and same-origin policy
14:00:34 Francois: there are existing if not-complete test suites around, problem is same-origin policy is a fairly large umbrella
14:01:05 Francois: no 2 browsers alike re same-origin, HTML 5 defining (for 1st time in stds work)
14:01:44 Francois: some ongoing work in WebApps group to define how to allow X-posting, moving target right now
14:02:54 Francois: in the end, CT proxy must not introduce a new origin... need more info written into the Guidelines
14:03:21 Francois: going to pass 3 proposal solution
14:03:24 PROPOSED RESOLUTION 1: Since there doesn't appear to be a way in which the URI sent to the User Agent can be manipulated to preserve security related to
14:03:24 same origin policies it is permissible for a CT proxy to act on content
14:03:24 in so that security is nonetheless preserved as adjudged by conformance
14:03:24 tests that are to be researched. If no such security tests can be found
14:03:24 then there cannot be conformance associated with link rewriting and it cannot be permissible for CT proxies to do so.
14:03:25 q?
14:03:47 PROPOSED RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security
14:03:47 measures are taken on the proxy. When links are re-written, proxies MUST ensure that the resulting content is purely static, and MUST therefore remove all scripting and cookies from the content served to the client.
14:04:26 Francois: talking about proposed resolutions
14:04:34 PROPOSED RESOLUTION 3: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Areas affected include DOM access, Cookies, and XHR calls.
14:06:18 Francois: not for prop 1, would go for prop 3
14:06:35 I'd rather go for 2.
14:06:37 +1 on proposal 3
14:07:01 +1 on 3
14:07:04 q+
14:07:04 +1 to proposal 2
14:07:09 Dan & Francois: discussion of proposals
14:07:22 ack se
14:07:24 ack SeanP
14:07:26 I like the simplicity and clarity and security of #3
14:07:29 Comment: what are the "appropriate measures on the proxy"? If no definition, then the proposed resolution is vague.
14:07:38 Re: prop. 3.
14:07:53 SeanP: making suggestion for other wording
14:07:55 q+
14:08:13 SeanP: only say not recommended BP way to handle things
14:08:21 q?
14:08:22 Francois: how is that diff than #1?
14:08:46 s/#1/#3
14:08:55 IMHO, proposed resolution #3 makes the most sense and is the easiest to work with
14:09:49 SeanP: are we saying not recommended even if CT is behaving?
14:10:16 +1 on 3 and on 2
14:10:32 q+
14:10:34 Francois: needs to be strongly recommended against in all cases, only used because there is no other way now to accomplish some tasks
14:10:39 ack ed
14:10:42 +1 on 3
14:11:00 Ed: sees #2 as a reinforcement of #3
14:11:31 Ed: do we know what "approp security measures" are (re #3)?
14:12:03 -adam
14:12:22 Francois: we have to talk about what they are, lists some references & what areas primarily affected
14:12:45 Francois: no way to normatively tell what you need to do to remove the security risk
14:13:14 Ed: this is a bit farther than what I was recommending
14:13:37 Ed: what are the measures the proxy could take to make this okay?
14:13:48 Ed: we need to say what to do on the proxy
14:14:17 Francois: we can say more informatively than normatively in this area
14:14:47 Ed: is there any existing doc saying what approp sec measures are? Francois: nope
14:15:43 Ed & Francois: back and forth on availability & criticality (or not) of documentation on what exactly for servers to do
14:16:21 Ed: review of prop #2 details w Francois
14:17:03 Ed: asking about where proposed measures found by Francois
14:17:20 Francois: talked about orgs he spoke w about the issue
14:17:42 Francois: talked about recommendations he got from discussions
14:17:59 Ed: discussion of same-origin policy XSS issues
14:18:09 q?
14:18:55 Ed: speaking in favor of #2 (as giving more info) over #3
14:19:15 Francois: fine w that but thinks may be excessively restrictive
14:19:49 Ed: 1st prop is a solution, but harsh... the 2nd is a solution, but less harsh... the 3rd is no solution at all
14:20:34 Dan: before we take a vote on this, is there other work from which we can leverage ideas & policy recommendations?
14:21:03 Francois: not sure
14:21:22 Dan: will try to find more info on this
14:22:01 +1 on 3
14:22:20 what is wrong w #3 with examples? I am afraid of too much specificity on this
14:22:50 3 for me
14:23:02 Dan: if work on HTML5 is picked up it will become de facto, we don't want to bump into their work
14:23:06 +1 on 3, 0 on 2.
14:23:22 +1 on 2
14:23:25 +1 on 3
14:23:27 +1 on 2
14:23:35 +1 on 3 or 2
14:23:54 [I think it's meaningless to say "appropriate"]
14:25:31 sean didn't hear it either
14:25:53 Jo: thinks we will get lots of push-back & complaints
14:26:18 Rob: said that 2 and 3 basically say the same thing but 2 is a bit more explicit about how to stay secure than 3
14:26:51 Dan & Jo: back & forth on what other group is shaping up as de facto std
14:27:19 Francois: want to avoid too restrictive a BP, but thinks no danger of contradicting work of others
14:27:45 Dan: want to avoid things too restrictive as leading to ppl not attending to this BP
14:28:10 Jo: then the conformance statement (strongly rec'd rather than must not) helps
14:28:31 Dan: reading "must" statements
14:28:58 Jo: "strongly not recommended" would be okay
14:29:19 Dan: looking for a "middle way"
14:29:35 PROPOSED RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content served to the client.
14:29:37 What about replacing the MUST with something like: STRONGLY NOT RECOMMENDED to send anything else than static content...
14:30:18 Dan: restating the exact normative language we must use
14:30:54 +1
14:31:09 add " Areas affected include DOM access, Cookies, and XHR calls." after "taken on the proxy."
14:31:27 +1
14:31:29 +0.5 (I like 3 better, but this is OK)
14:31:34 is that an exhaustive list of the areas affected??
14:31:43 "main areas affected..." ?
14:31:52 +1 but 3 is still good too
14:31:56 I also like #3 better for the simplicity and flexibility
14:32:12 +1 on 2
14:32:12 but can live with adjusted #2
14:32:26 PROPOSED RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Main areas affected are DOM access, Cookies, and XHR calls. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content served to the client.
14:32:27 +1 with EdC's proposal
14:32:44 +1
14:32:46 +1
14:33:07 Dan: I must leave, new chair or close off call now?
14:33:17 Dan: after we take a resolution
14:33:30 RESOLUTION 2: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Main areas affected are DOM access, Cookies, and XHR calls. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content...
14:33:31 ...served to the client.
14:33:52 RESOLUTION: Links re-writing is strongly NOT RECOMMENDED because it jeopardizes the same-origin policy if no appropriate security measures are taken on the proxy. Main areas affected are DOM access, Cookies, and XHR calls. When links are re-written, proxies SHOULD ensure that the resulting content is purely static, and SHOULD therefore remove all scripting and cookies from the content served...
14:33:54 ...to the client.
14:34:29 Dan: trying to pass mantle to Jo, instead call is done _grin_
14:34:30 [bye]
14:34:35 -Francois
14:34:38 zakim, drop me
14:34:38 jo is being disconnected
14:34:39 -jo
14:34:40 bye
14:34:44 -miguel
14:34:45 - +41.31.972.aacc
14:34:53 -DKA
14:34:55 -jeffs
14:34:58 -SeanP
14:35:00 -rob
14:35:00 MWI_BPWG()9:30AM has ended
14:35:01 Attendees were +0207881aaaa, adam, +03531522aabb, jo, Francois, DKA, +41.31.972.aacc, miguel, +1.585.278.aadd, jeffs, +1.630.414.aaee, SeanP, +0207287aaff, rob
14:35:07 zakim, draft minutes
14:35:07 I don't understand 'draft minutes', francois
14:35:12 RRSAgent, draft minutes
14:35:12 I have made the request to generate http://www.w3.org/2009/05/05-bpwg-minutes.html francois
14:36:55 rob has left #bpwg
14:42:53 i/synopisis/Topic: Last week's call review/
14:43:51 abel has left #bpwg
14:43:54 i/Francois: some topics to be discussed/Topic: Mobile Web Application Best Practices/
14:44:45 i/Dan: moving on to content transformation/Topic: CT - same origin policy
14:44:49 RRSAgent, draft minutes
14:44:49 I have made the request to generate http://www.w3.org/2009/05/05-bpwg-minutes.html francois
14:48:06 Present+ abel_on_IRC
14:48:07 RRSAgent, draft minutes
14:48:07 I have made the request to generate http://www.w3.org/2009/05/05-bpwg-minutes.html francois
15:01:29 RRSAgent, bye
15:01:29 I see no action items