21:56:55 RRSAgent has joined #webappsec
21:56:55 logging to http://www.w3.org/2011/11/22-webappsec-irc
21:57:17 Meeting: WebAppSec WG Call, Nov 22, 2011
21:57:23 Chair: bhill2, ekr
21:57:52 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2011Nov/0023.html
21:58:31 zakim, who is here
21:58:31 bhill2, you need to end that query with '?'
21:58:39 zakim, who is here?
21:58:39 sorry, bhill2, I don't know what conference this is
21:58:40 On IRC I see RRSAgent, Zakim, rrware, gma1, bhill2, anne, eduardovela, trackbot
21:58:48 zakim, this is 92794
21:58:48 ok, bhill2; that matches SEC_WASWG()5:00PM
21:58:52 + +1.650.678.aacc
21:58:53 zakim, who is here?
21:58:54 On the phone I see ??P0, +1.650.648.aaaa, +1.206.245.aabb, +1.650.678.aacc
21:58:55 On IRC I see RRSAgent, Zakim, rrware, gma1, bhill2, anne, eduardovela, trackbot
21:59:07 ekr has joined #webappsec
21:59:19 abarth has joined #webappsec
21:59:26 +[Mozilla]
21:59:34 any volunteers to scribe today?
21:59:37 I am on the call
21:59:41 I guess I can scribe.
21:59:49 Unless you think someone else should suffer :)
21:59:50 + +1.503.712.aadd
22:00:00 zakim, aabb is bhill2
22:00:00 +bhill2; got it
22:00:14 linshunghuang has joined #webappsec
22:00:26 + +1.866.317.aaee
22:01:13 bsterne has joined #webappsec
22:01:19 okay, I got in
22:01:31 zakim, who is here
22:01:31 bhill2, you need to end that query with '?'
22:01:35 zakim, who is here?
22:01:35 On the phone I see ??P0, +1.650.648.aaaa, bhill2, +1.650.678.aacc, [Mozilla], +1.503.712.aadd, +1.866.317.aaee
22:01:37 On IRC I see bsterne, linshunghuang, abarth, ekr, RRSAgent, Zakim, rrware, gma1, bhill2, anne, eduardovela, trackbot
22:01:39 -[Mozilla]
22:01:47 zakim, aacc is ekr
22:01:47 +ekr; got it
22:01:48 + +1.415.596.aaff
22:02:03 Eric has joined #webappsec
22:02:08 +[Mozilla]
22:02:14 neat
22:02:21 zakim, aaaa is abarth
22:02:21 +abarth; got it
22:02:31 jeffh has joined #webappsec
22:02:50 are zakim phone "numbers" listed in order of joining?
22:02:50 zakim, who is here?
22:02:50 On the phone I see ??P0, abarth, bhill2, ekr, +1.503.712.aadd, +1.866.317.aaee, +1.415.596.aaff, [Mozilla]
22:02:53 On IRC I see jeffh, Eric, bsterne, linshunghuang, abarth, ekr, RRSAgent, Zakim, rrware, gma1, bhill2, anne, eduardovela, trackbot
22:02:57 Zakim: aadd is Ryan Ware (rrware)
22:02:57 + +1.978.944.aagg
22:03:12 so how do I map my ph# to my irc presence?
22:03:24 zakim, ??P0 is gma1
22:03:24 +gma1; got it
22:03:24 type: zakim, aaxx is nick
22:03:37 jeffh: find your number in the list and then do "zakim, is jeffh"
22:03:37 zakim aadd is rrware
22:03:44 +Bjorn_Bringert,Satish_Sampath
22:03:45 zakim, aadd is rrware
22:03:45 +rrware; got it
22:03:46 which list?
22:03:58 the "on the phone" list above
22:04:03 zakim, who is here
22:04:03 ekr, you need to end that query with '?'
22:04:05 zakim, who is here?
22:04:05 On the phone I see gma1, abarth, bhill2, ekr, rrware, +1.866.317.aaee, +1.415.596.aaff, [Mozilla], +1.978.944.aagg, Bjorn_Bringert,Satish_Sampath
22:04:08 zakim, who is here?
22:04:08 On IRC I see jeffh, Eric, bsterne, linshunghuang, abarth, ekr, RRSAgent, Zakim, rrware, gma1, bhill2, anne, eduardovela, trackbot
22:04:09 Zakim: [Mozilla] is bsterne
22:04:10 On the phone I see gma1, abarth, bhill2, ekr, rrware, +1.866.317.aaee, +1.415.596.aaff, [Mozilla], +1.978.944.aagg, Bjorn_Bringert,Satish_Sampath
22:04:13 On IRC I see jeffh, Eric, bsterne, linshunghuang, abarth, ekr, RRSAgent, Zakim, rrware, gma1, bhill2, anne, eduardovela, trackbot
22:04:17 + +1.408.320.aahh
22:04:39 dunno what our/my outgoing # is
22:04:56 jeffh, you probably are the 415 or 408?
22:05:39 '
22:06:01 RESOLVED: minutes approved
22:06:04 can people not hear me?
22:06:12 erk, nope
22:06:13 perhaps 408 unless anyone else is using it, but I was on the call already before joining here
22:06:17 hear some typing
22:07:48 bhill2: (per abarth), add discussion of new refactored proposal between 7 and 8.
22:07:57 bhill2: next item is to review tracker.
22:08:52 why can't you guys hear me? hmmm
22:09:27 ... item 3. move from mercurial cvs. Closed because we aren't going to do it.
22:09:33 bsterne going in & out
22:09:40 on audio
22:09:44 going to dial in again :|
22:09:46 brandon, comments on action 4?
22:10:00 ... item 4: repoint all old CSP drafts to new version.
22:10:11 I did that
22:10:12 bhill2: action 10, done.
22:10:30 bsterne-- you're talking about item 4?
22:10:30 what's the URI for the tracker?
22:10:35 http://www.w3.org/2011/webappsec/track/actions/open
22:10:40 thx
22:10:59 ekr, yes, that was re: item 4
22:11:16 bhill2: action 23, marked as pending review
22:11:33 I just closed 4.
22:11:45 bhill2: anyone object to closing 23? No objections, closed.
22:12:00 ... action 6: will happen soon, you will need to opt-in
22:12:19 ... action 8: still open. we have an hg repo and some people have accounts
22:12:34 ... please email me if you want to have committer access
22:12:37 yeah, our phone system is failing hard... sorry
22:12:55 ... still working on the server-side story.
22:13:15 + +1.408.234.aaii
22:13:25 abarth: there will be some work to get the first tests working, but then once it's working, I will have a pile of tests to add. is there a sample test that I could start from and modify?
22:13:33 gopal: yeah, I'll see what I can do.
22:14:06 abarth: just need a first test that shows a denial or whatever. Once that works, it should be pretty easy to scale that up.
22:14:50 action: gopal to set up mercurial repo for tests and get a simple test for Adam
22:14:50 Created ACTION-26 - Set up mercurial repo for tests and get a simple test for Adam [on Gopal Raghavan - due 2011-11-29].
22:15:24 +[IPcaller]
22:15:25 bhill2: the spec has already gone out, but we should defer liaising until we have hit FPWD.
22:15:32 ... and defer this till next week
22:15:47 ... [the above was for action 24, widgets activity]
22:16:34 ... my closed actions: action 1, done.
22:17:25 brad was going real fast. Check the list.
22:17:33 :)
22:17:58 bhill2: for action 25, IE hasn't implemented it yet but doesn't have a strong opinion about inclusion
22:18:28 bsterne: action 14 can be closed as well. abarth and I took care of it the week of TPAC
22:19:19 abarth: action 9, didn't do it. Please move the deadline to a week from today.
22:19:40 ... action 12. this is done, and it's in the experimental.html document
22:19:59 http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/experimental.html
22:20:05 ... action: I didn't do this b/c I wasn't sure exactly what we wanted. Need to discuss on the mailing list.
22:20:35 abarth: propose we turn this action into an issue and then resolve.
22:21:34 gopal has joined #webappsec
22:21:44 ISSUE: identify proper behavior for html added via plugins / object tag
22:21:45 Created ISSUE-8 - Identify proper behavior for html added via plugins / object tag ; please complete additional details at http://www.w3.org/2011/webappsec/track/issues/8/edit .
22:21:58 gopal has joined #webappsec
22:22:05 abarth: action 24. I did an implementation but no language.
22:22:23 ... please push it out one week
22:22:31 anne, you reading this?
22:24:08 bhill2: email from Anne. Executive summary: just need editorial work and also some stuff pending on httpbis
22:25:23 bhill2: we had a call for consensus last week about approving FPWD.
22:25:30 ... had some editorial notes.
22:25:42 abarth, bsterne: I haven't looked at them in detail
22:25:52 bhill2: can you spend an hour on them before we accept?
22:26:06 ... I think it's just editorial housekeeping stuff.
22:26:46 bsterne: most of this has to do with the ReSpec(?). I can take a look and make the minor edits
22:26:58 bhill2: other issue is more substantive: the sandbox directive
22:27:11 ... do we want to do it now, wait for FPWD, or wait for 1.1?
22:27:32 ... might be appropriate to put it in 1.0 with an [OPEN ISSUE] tag where we might remove it pre-CR
22:27:41 bsterne: jacob didn't sound religiously opposed to having it wait for 1.1
22:28:22 abarth: this isn't a blocker, we're going to rev the draft anyway
22:28:43 ekr: Maybe have an empty issue paragraph that just says "this is where sandbox would go"
22:29:00 bsterne: do we have consent to progress the draft after I get email from brandon about the ReSpec issues?
22:29:08 sorry, that was bhill2
22:29:27 RESOLVED: we will accept document as FPWD as soon as we get ok from brandon about edits being made
22:29:48 bsterne: will do that in the next day or two
22:29:58 RESOLVED: promote CSP to FPWD on Brandon's OK pending resolution of Robin Berjon's comments
22:30:28 bhill2: new agenda item: experimental draft?
22:30:49 ... if both editors agree, then we should go ahead.
22:30:55 abarth: this meshes better with HTML5
22:31:08 bhill2: this is prerogative of the editors
22:32:13 bhill2: go ahead with that as the experimental doc?
22:32:15 bsterne: ok
22:32:17 RESOLVED: start with the "experimental revision" http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/experimental.html as the current editor's draft
22:32:43 gopal_ has joined #webappsec
22:33:19 [discussion between abarth and bsterne about version control issues]
22:34:30 bhill2: is this a start-from-the-ground reorg, or can you plausibly read the diffs?
22:34:39 abarth: the diff probably is not helpful
22:35:02 bsterne: two browser windows worked ok for me
22:35:44 bhill2: next item on agenda is testing activity
22:36:04 ... I talked to gopal at TPAC and he expressed interest in leading the activity
22:36:24 ... do you have a preference for which spec to start with?
22:36:31 ... objections to Gopal working in that role?
22:36:48 ... gopal, would you like help? preference for spec?
22:37:18 gopal: we were discussing CORS. Want to set up the test suite and then get started with CORS
22:37:31 abarth: just sent email with thing for example tests
22:37:48 bhill2: anyone want to take lead on CSP testing?
22:38:11 zakim, who is speaking
22:38:11 I don't understand 'who is speaking', ekr
22:38:30 bhill2: I'm happy to take the first cut.
22:38:40 ... don't think submitting test cases violates chair's neutrality
22:39:15 gopal: who is the contact person for test suite?
22:39:37 bhill2: mike(TM) and the opera person whose name I don't remember
22:39:54 ... mike has been setting up the repo so far
22:40:10 -rrware
22:40:19 rrware has left #webappsec
22:40:57 bhill2: started working on the security wiki for anti-clickjacking.
22:42:01 ... ideas: screenshot comparison, protected UI element?
22:42:24 ... will write that up and send a more detailed description
22:42:33 ... any comments on that immediately?
22:42:47 ... do we want to go over issues list?
22:43:25 abarth: my preference would be to look at issues list and come up with one or two issues to focus on
22:44:35 abarth: thing to start with is issue 4 and ... [?]
22:44:42 ... issue 8
22:45:30 bhill2: we have identified issue 4 and 8 to discuss on the mailing list
22:45:40 ACTION: abarth to start discussion on issue 8 next week
22:45:40 Created ACTION-27 - Start discussion on issue 8 next week [on Adam Barth - due 2011-11-29].
22:45:56 ACTION: abarth to start discussion on issue 4 next week
22:45:56 Created ACTION-28 - Start discussion on issue 4 next week [on Adam Barth - due 2011-11-29].
22:46:07 bhill2: further business?
22:46:31 - +1.866.317.aaee
22:46:33 - +1.978.944.aagg
22:46:33 -abarth
22:46:34 -Bjorn_Bringert,Satish_Sampath
22:46:35 - +1.408.320.aahh
22:46:36 nice, tidy meeting, bhill2
22:46:37 - +1.415.596.aaff
22:46:42 -gma1
22:46:48 -ekr
22:46:52 -[IPcaller]
22:46:54 -bhill2
22:46:56 - +1.408.234.aaii
22:47:35 zakim list attendees
22:47:38 zakim list attendees
22:47:43 zakim, list attendees
22:47:43 As of this point the attendees have been +1.650.648.aaaa, +1.206.245.aabb, +1.650.678.aacc, [Mozilla], +1.503.712.aadd, bhill2, +1.866.317.aaee, ekr, +1.415.596.aaff, abarth,
22:47:46 ... +1.978.944.aagg, gma1, Bjorn_Bringert,Satish_Sampath, rrware, +1.408.320.aahh, +1.408.234.aaii, [IPcaller]
22:47:53 RRSAgent set logs public-visible
22:48:02 RRSAgent, set logs public-visible
22:48:06 RRSAgent, make minutes
22:48:06 I have made the request to generate http://www.w3.org/2011/11/22-webappsec-minutes.html ekr
22:49:20 thanks for scribing, ekr
22:51:43 bhill2: I can't edit the final minutes. Some sort of permissions problem that I think they still haven't fixed. can you take over the last few steps?
22:56:46 rrsagent, set logs public-visible
22:56:53 rrsagent, set logs public-visible
22:57:23 ekr: looks OK to me...
22:57:29 can you check it again?
23:05:01 disconnecting the lone participant, [Mozilla], in SEC_WASWG()5:00PM
23:05:05 SEC_WASWG()5:00PM has ended
23:05:07 Attendees were +1.650.648.aaaa, +1.206.245.aabb, +1.650.678.aacc, [Mozilla], +1.503.712.aadd, bhill2, +1.866.317.aaee, ekr, +1.415.596.aaff, abarth, +1.978.944.aagg, gma1,
23:05:10 ... Bjorn_Bringert,Satish_Sampath, rrware, +1.408.320.aahh, +1.408.234.aaii, [IPcaller]
23:05:12 bhill21 has joined #webappsec
23:08:26 abarth has left #webappsec
23:33:59 ekr has joined #webappsec
23:48:12 bhill21: sorry, had friends over
23:48:25 bhill21: and it's past midnight now so I think I'll head to bed