W3C

- DRAFT -

WebAppSec Call (2011-11-22)

22 Nov 2011

Attendees

Present
+1.650.648.aaaa, +1.206.245.aabb, +1.650.678.aacc, [Mozilla], +1.503.712.aadd, bhill2, +1.866.317.aaee, ekr, +1.415.596.aaff, abarth, +1.978.944.aagg, gma1, Bjorn_Bringert, Satish_Sampath, rrware, +1.408.320.aahh, +1.408.234.aaii, [IPcaller]
Regrets
Chair
bhill2
Scribe
ekr


<scribe> SCRIBE: ekr

Date: 22 Nov 2011

Minutes from TPAC

<bhill2> RESOLVED: minutes approved

Review of Action Items

bhill2: (per abarth), add discussion of new refactored proposal between 7 and 8.
... next item is to review tracker.

<bsterne> why can't you guys hear me? hmmm

bhill2: item 3. move from mercurial cvs. Closed because we aren't going to do it.

<jeffh> bsterne going in & out

<jeffh> on audio

<bsterne> going to dial in again :|

<bhill2> brandon, comments on action 4?

bhill2: item 4: repoint all old CSP drafts to new version.

<bsterne> I did that

bhill2: action 10, done.

bsterne-- you're talking about item 4?

<jeffh> what's the URI for the tracker?

http://www.w3.org/2011/webappsec/track/actions/open

<jeffh> thx

<bsterne> ekr, yes, that was re: item 4

bhill2: action 23, marked as pending review

I just closed 4.

bhill2: anyone object to closing 23? No objections, closed.
... action 6: will happen soon, you will need to opt-in
... action 8: still open. we have an hg repo and some people have accounts
... please email me if you want to have committer access

<bsterne> yeah, our phone system is failing hard... sorry

bhill2: still working on the server-side story.

abarth: there will be some work to get the first tests working, but then once it's working, I will have a pile of tests to add. is there a sample test that I could start from and modify

gopal: yeah, I'll see what I can do.

abarth: just need a first test that shows a denial or whatever. Once that works, it should be pretty easy to scale that up.

<scribe> ACTION: gopal to set up mercurial repo for tests and get a simple test for Adam [recorded in http://www.w3.org/2011/11/22-webappsec-minutes.html#action01]

<trackbot> Created ACTION-26 - Set up mercurial repo for tests and get a simple test for Adam [on Gopal Raghavan - due 2011-11-29].

bhill2: the spec has already gone out, but we should defer liaising until we have hit FPWD.
... and defer this till next week
... [the above was for action 24, widgets activity]
... my closed actions: action 1, done.

brad was going real fast. Check the list.

<jeffh> :)

bhill2: for action 25, IE hasn't implemented it yet but doesn't have a strong opinion about inclusion

bsterne: action 14 can be closed as well. abarth and I took care of it week of tpac

abarth: action 9, didn't do it. Please move the deadline to a week from today.
... action 12. this is done, and it's in the experimental.html document

<jeffh> http://dvcs.w3.org/hg/content-security-policy/raw-le/tip/experimental.html

abarth: ACTION: I didn't do this b/c I wasn't sure exactly what we wanted. Need to discuss on the mailing list.
... propose we turn this action into an issue and then resolve.

<bhill2> ISSUE: identify proper behavior for html added via plugins / object tag

<trackbot> Created ISSUE-8 - Identify proper behavior for html added via plugins / object tag ; please complete additional details at http://www.w3.org/2011/webappsec/track/issues/8/edit .

abarth: action 24. I did an implementation but no language.
... please push it out one week

FPWD of CSP

<bhill2> anne, you reading this?

bhill2: email from Anne. Executive summary--just need editorial work and also some stuff pending on httpbis
... we had a call for consensus last week about approving fpwd.
... had some editorial notes.

abarth, bsterne: I haven't looked at them in detail

bhill2: can you spend an hour on them before we accept
... I think it's just editorial housekeeping stuff.

bsterne: most of this has to do with the respec(?) I can take a look and make the minor edits

bhill2: other issue is more substantive--the sandbox directive
... do we want to do it now, wait for fpwd, or wait for 1.1
... might be appropriate to put it in 1.0 with a [OPEN ISSUE] tag where we might remove it pre-CR

bsterne: jacob didn't sound religiously opposed to having it wait for 1.1

abarth: this isn't a blocker, we're going to rev the draft anyway

ekr: Maybe have an empty issue paragraph that just says "this is where sandbox would go"

bsterne: do we have consent to progress the draft after I get email from brandon about the respec issues

sorry, that was bhill2

RESOLUTION: we will accept document as FPWD as soon as we get ok from brandon about edits being made

bsterne: will do that in the next day or two

<bhill2> RESOLVED: promote CSP to FPWD on Brandon's OK pending resolution of Robin Berjon's comments

bhill2: new agenda item--experimental draft?
... if both editors agree, then we should go ahead.

abarth: this meshes better with HTML5

bhill2: this is prerogative of the editors
... go ahead with that as the experimental doc?

bsterne: ok

RESOLUTION: start with the "experimental revision" http://dvcs.w3.org/hg/content-security-policy/raw-le/tip/experimental.html as the current editor's draft

[discussion between abarth and bsterne about version control issues]

bhill2: is this a start from the ground reorg, or can you plausibly read the diffs

abarth: the diff probably is not helpful

bsterne: two browser windows worked ok for me

Testing Activity

bhill2: next item on agenda is testing activity
... I talked to gopal at tpac and he expressed interest in leading the activity
... do you have a preference for which spec to start with
... objections to Gopal working in that role
... gopal, would you like help? preference for spec

gopal: we were discussing cors. Want to set up the test suite and then get started with cors

abarth: just sent email with thing for example tests

bhill2: anyone want to take lead on csp testing?
... I'm happy to take the first cut.
... don't think submitting test cases violates chair's neutrality

gopal: who is the contact person for test suite

bhill2: mike(TM) and the opera person whose name I don't remember
... mike has been setting up the repo so far

Anti-Clickjacking

bhill2: started working on the security wiki for anti-clickjacking.
... ideas: screenshot comparison, protected UI element?
... will write that up and send a more detailed description
... any comments on that immediately?
... do we want to go over issues list?

The next two weeks

abarth: my preference would be to look at issues list and come up with one or two issues to focus on
... thing to start with is issue 4 and ... [?]
... issue 8

bhill2: we have identified issue 4 and 8 to discuss on the mailing list

<scribe> ACTION: abarth to start discussion on issue 8 next week [recorded in http://www.w3.org/2011/11/22-webappsec-minutes.html#action02]

<trackbot> Created ACTION-27 - Start discussion on issue 8 next week [on Adam Barth - due 2011-11-29].

<scribe> ACTION: abarth to start discussion on issue 4 next week [recorded in http://www.w3.org/2011/11/22-webappsec-minutes.html#action03]

<trackbot> Created ACTION-28 - Start discussion on issue 4 next week [on Adam Barth - due 2011-11-29].

bhill2: further business?

<bsterne> nice, tidy meeting, bhill2


Summary of Action Items

[NEW] ACTION: abarth to start discussion on issue 4 next week [recorded in http://www.w3.org/2011/11/22-webappsec-minutes.html#action03]
[NEW] ACTION: abarth to start discussion on issue 8 next week [recorded in http://www.w3.org/2011/11/22-webappsec-minutes.html#action02]
[NEW] ACTION: gopal to set up mercurial repo for tests and get a simple test for Adam [recorded in http://www.w3.org/2011/11/22-webappsec-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2011/12/05 22:23:18 $