See also: IRC log
<plh> trackbot-ng, start telcon
<trackbot> Date: 19 October 2011
trackbot, start teleconf
<trackbot> Meeting: Web Performance Working Group Teleconference
<trackbot> Date: 19 October 2011
Arvind: FYI, Android has started to implement NavigationTiming.
Jatinder: IE9 on Mango also supports Navigation Timing.
Jatinder: I have gone ahead and made spec updates to comply with ACTION-52, 53, and 54. Please go ahead and review the changes.
... I have also updated test_timing_xserver_redirect.html to change the document.location.host to documentation.location.hostname. This fixes the issues on all browsers. Please do review.
Tony: The discussion with the public-web-security mailing list is given here: http://lists.w3.org/Archives/Public/public-web-security/2011Oct/0019.html
Jatinder: Based on cache hits and misses, malicious entities can determine with strong certainty when a resource is from a third party site. Based on our current third party restrictions, we don't give any additional information beyond what can already be determined today.
Tony: The mailing list brought up concerns about XSS. Though, once you have XSS on your page, all bets are off.
Jatinder: IE9 has an XSS filter that blocks XSS on sites. Other UAs may have this, which will mitigate this concern.
... What about the opt-out option mentioned in the mailing list? Is this something we should consider?
<plh> "User agents must not send location information to Web sites without the express permission of the user."
<plh> http://www.w3.org/TR/geolocation-API/#security
James: If we are to draw a line on the opt-out option, we should let users opt out of all of web timing, not just the third party restrictions.
Karen: I would prefer if we allowed users to just turn on the third-party restrictions, not all of web timing.
Zhiheng: I agree to not allow turning off all web timings.
Jatinder: Considering when you visit a site, that site already has this information. That site can sell this information to third parties. To mitigate such a risk, sites use a privacy policy to tell users they aren't selling this information. Seems like when a site uses the HTTP header to give this information to third parties is not much different. Privacy policies should stop sites from using the header. I don't think there is a difference.
Arvind: I think we all agree to keep the spec as is.
Tony: The spec should include this discussion and our mitigation to make this clear to readers.
ACTION Jatinder to update Resource Timing security/privacy section.
<trackbot> Created ACTION-55 - Update Resource Timing security/privacy section. [on Jatinder Mann - due 2011-10-26].
Zhiheng: Per my action item, looks like the HTML5 references are good. But I am still in the process of finishing this.
Jatinder: We should target to have this data for TPAC. That will be a good data point in this discussion.
Plh: There are two tests that Firefox is failing on. We should figure out whether there is a test case bug or if it is a Firefox bug.
Karen: Yes, I was hoping we can discuss. Boris and I have a discussion on the mailing list.
... We may want to re-evaluate the header. I will follow up with the IE Security team.
Jatinder: With the spec updates I've made, we have closed on many of the spec questions Boris brought up. The remaining issue was whether Page Visibility should change state on navigate away.
Arvind: I think the spec should be updated to make it clear that on navigate away, Visibility shouldn't be changed.
Karen: Also, in the unload cancel case, the Visibility may be hidden for a moment, even though the Page has always been visible.
Jatinder: I will see if we can update the spec to make this point clear.
... Please review the Page Visibility test cases. Once we are happy with the changes, I can move the tests to the approved directory.
... Also, should we keep the prefixes in the test cases or test what the spec says?
plh: We can keep the prefixes in the test cases for now. When we go to CR, we need to remove them so we are testing the spec.
Jatinder: Agreed.
Karen: When you go to http://w3c-test.org/webperf/tests/approved/navigation-timing/html5/test_document_open.html, I get a 404 message stating "timing/resources/blank_page_yellow.htm was not found on this server."
Present: Plh, [Microsoft], +1.650.253.aaaa, Jatinder, Arvind, Alois, Philippe, JamesS, TonyG, Karen