IRC log of webappsec on 2011-12-06

Timestamps are in UTC.

22:00:12 [RRSAgent]
RRSAgent has joined #webappsec
22:00:12 [RRSAgent]
logging to http://www.w3.org/2011/12/06-webappsec-irc
22:00:20 [bhill2]
zakim, this is 92794
22:00:20 [Zakim]
ok, bhill2; that matches SEC_WASWG()5:00PM
22:00:26 [bhill2]
rrsagent, begin
22:00:38 [bhill2]
meeting: WebAppSec WG Call Dec 6, 2011
22:00:51 [bhill2]
Chairs: bhill2, ekr
22:01:21 [bhill2]
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0001.html
22:01:28 [bhill2]
zakim, who is here
22:01:28 [Zakim]
bhill2, you need to end that query with '?'
22:01:33 [bhill2]
zakim, who is here?
22:01:33 [Zakim]
On the phone I see [IPcaller], +1.866.317.aaaa, ekr
22:01:35 [Zakim]
On IRC I see RRSAgent, Zakim, bhill2, gma1, jrossi, gopal, bsterne, anne, trackbot
22:01:45 [Zakim]
+[Microsoft]
22:02:02 [bhill2]
zakim, who is talking?
22:02:15 [Zakim]
bhill2, listening for 12 seconds I heard sound from the following: [IPcaller] (3%), +1.866.317.aaaa (16%)
22:02:34 [jeffh]
jeffh has joined #webappsec
22:03:30 [bhill2]
zakim, aaaa is [PayPal]
22:03:30 [Zakim]
+[PayPal]; got it
22:03:44 [Zakim]
+??P5
22:04:48 [bhill2]
zakim, who is talking?
22:04:50 [gma1]
zakim, ??P5 is gma1
22:04:50 [Zakim]
+gma1; got it
22:04:51 [Zakim]
+ +1.978.944.aabb
22:05:01 [Zakim]
bhill2, listening for 10 seconds I could not identify any sounds
22:05:07 [bsterne]
bhill2: I tried two weeks ago but couldn't figure out how to let Zakim know that [IPcaller] is me
22:05:29 [bhill2]
zakim, aabb is gopal
22:05:29 [Zakim]
+gopal; got it
22:06:23 [bhill2]
scribe: bhill2
22:06:35 [jrossi]
scribenick: bhill2
22:06:35 [bhill2]
zakim, who is here?
22:06:35 [Zakim]
On the phone I see [IPcaller], [PayPal], ekr, [Microsoft], gma1, gopal
22:06:36 [Zakim]
On IRC I see jeffh, RRSAgent, Zakim, bhill2, gma1, jrossi, gopal, bsterne, anne, trackbot
22:06:56 [Zakim]
+ +1.415.832.aacc
22:07:56 [bhill2]
zakim, aacc is peleus
22:07:56 [Zakim]
+peleus; got it
22:08:15 [bsterne]
bhill2: can you link to the agenda here? (mozilla mail servers have been down for 48 hours)
22:08:29 [bhill2]
brandon: http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0001.html
22:08:32 [bsterne]
thanks
22:09:24 [Zakim]
+abarth
22:09:51 [bsterne]
http://www.w3.org/2011/webappsec/track/actions/open
22:10:10 [bhill2]
topic: open issues in tracker
22:10:16 [abarth]
abarth has joined #webappsec
22:10:32 [bhill2]
bhill2: I am coordinating with w3c staff to get mercurial repository mirrored to w3c-test.org
22:10:36 [bhill2]
issue remains open
22:10:53 [bhill2]
ekr: second open issue to abarth
22:11:08 [bhill2]
action 9
22:11:08 [trackbot]
Sorry, bad ACTION syntax
22:11:09 [linshunghuang]
linshunghuang has joined #webappsec
22:11:30 [bhill2]
abarth: failed to complete this, please postpone due date to next call
22:11:31 [jrossi]
anne, are you around?
22:11:44 [jrossi]
question regarding Action-11 for you
22:11:45 [EC]
EC has joined #webappsec
22:12:31 [bhill2]
bhill2: anne can't make this call generally, so his issues may need to have the call moved temporarily if live discussion needed
22:12:56 [bhill2]
ekr: next item, number 19, clarify policy on html loaded via object tag. remains open, to be discussed later on this call
22:12:57 [Zakim]
+ +1.408.320.aadd
22:13:53 [bhill2]
ekr: next item, number 20, widgets liaison
22:14:04 [bhill2]
bhill2: didn't get to it, please postpone due date one month
22:14:33 [bhill2]
ekr: next item, number 23, draft spec language for sandbox directive
22:14:34 [anne]
jrossi: what's the question?
22:14:58 [bhill2]
abarth: defined correctly, ready for closure, will get refined as HTML closes their changes to the spec
22:15:21 [anne]
jrossi: I added a comment to http://www.w3.org/2011/webappsec/track/actions/11
22:15:28 [anne]
jrossi: last week I think
22:15:44 [bhill2]
anne, we will close 11
22:15:46 [anne]
jrossi: the week before last week even :)
22:16:05 [bhill2]
action 16 remains open, if you want to provide new milestones
22:16:05 [trackbot]
Sorry, couldn't find user - 16
22:16:32 [jrossi]
anne: adam's going to look at your comment and confirm for you
22:16:40 [jrossi]
anne: I'm just IRC proxying from the call :-)
22:17:06 [bhill2]
ekr: back to issue-26, basic test setup
22:17:16 [anne]
bhill2: so I did realize today http://lists.w3.org/Archives/Public/ietf-http-wg/2011OctDec/0341.html might be problematic, but then I've no idea when HTTP will be done so whether you want to wait for that, dunno
22:17:41 [anne]
bhill2: as for milestones, we can go to Last Call as I said on the list; after that it's up in the air
22:17:42 [bhill2]
gopal: we now have a repository with two tests checked in and folders setup, quite a few CORS tests already exist for webkit
22:17:57 [bhill2]
gopal: figuring out how to automate tests and how to use test harness
22:18:14 [bhill2]
gopal: also figuring out how to use multiple domains
22:18:23 [bhill2]
ekr: so issue remains open?
22:18:58 [bhill2]
gopal: this is a long running thing
22:19:06 [bhill2]
gopal: in repository there are a lot of tests
22:20:44 [bhill2]
bhill2: testing including server-side php execution is paused pending mirroring of repo to w3c-test.org by w3c technical staff
22:21:17 [bhill2]
ekr: can we close this?
22:21:41 [bhill2]
bhill2: mirroring to working server is in critical path, move to pending review once we can see if they're resolved?
22:22:00 [ekr]
ekr has joined #webappsec
22:22:01 [bhill2]
ekr: remaining issues are for abarth to raise some discussions on the list
22:22:08 [abarth]
hi ekr
22:22:13 [bhill2]
abarth: didn't get to for Thanksgiving week, will do soon
22:24:50 [bhill2]
bhill2: proxying anne to voice, ready for LC, further progression may be path dependency on HTTPbis in IETF
22:25:16 [bhill2]
bhill2: proposes to issue formal CfC on LC of CORS
22:25:47 [bhill2]
ACTION to ekr to send out CfC for CORS advancement to Last Call to mailing list of public-webappsec and public-webapps
22:25:47 [trackbot]
Sorry, couldn't find user - to
22:26:09 [bhill2]
ACTION ekr to send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps
22:26:09 [trackbot]
Sorry, couldn't find user - ekr
22:26:26 [bhill2]
ACTION bhill2 to send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps
22:26:26 [trackbot]
Created ACTION-29 - Send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps [on Brad Hill - due 2011-12-13].
22:26:47 [bhill2]
bhill2: (ekr, I'm assigning that action to myself since trackbot can't find you)
22:26:51 [ekr]
ACTION erescorl: test
22:26:51 [trackbot]
Created ACTION-30 - Test [on Eric Rescorla - due 2011-12-13].
22:28:24 [ekr]
ACTION abarth: Edit Firefox compatible CSP/Workers interaction into document
22:28:25 [trackbot]
Created ACTION-31 - Edit Firefox compatible CSP/Workers interaction into document [on Adam Barth - due 2011-12-13].
22:28:47 [bsterne]
consensus on CSP interaction with Worker is that new Worker inherits the CSP of the page that created it and will be subject to restrictions imposed by the inherited policy
22:29:11 [bhill2]
ekr: next agenda item: what is the policy for html generated by plugins or object tag?
22:29:36 [bhill2]
abarth: object tag is very flexible thing that can hold plugin or iframe, when it holds an iframe, should it be held to iframe or object src directive?
22:29:53 [bhill2]
abarth: thought is that we should test behavior, go with agreed behavior or discuss further if implementations differ
22:30:20 [bhill2]
jrossi: for IE's implementation, iframes are treated like a plugin, for purposes of sandbox not just a frame
22:30:58 [bhill2]
correction: jrossi: object tag should have object-src, when used through object tag
22:31:15 [bhill2]
abarth: agreed, should be syntax-oriented, not semantics-oriented
22:31:25 [bhill2]
bsterne: agreed, FF is also syntax-oriented
22:31:44 [bhill2]
abarth: will test webkit behavior in this regard
22:32:18 [ekr]
ACTION bsterne: Document object tag/HTML interaction (issue 8) as "should be syntax-oriented, not semantics-oriented"
22:32:19 [trackbot]
Created ACTION-32 - Document object tag/HTML interaction (issue 8) as "should be syntax-oriented, not semantics-oriented" [on Brandon Sterne - due 2011-12-13].
22:33:21 [bhill2]
topic: including HTML sandbox in CSP v 1.0 or not?
22:33:37 [bhill2]
bsterne: still my position that sandbox should be a CSP 1.1 feature
22:33:55 [bhill2]
... status is that FF is actively working on it, full time person, but got a late start
22:34:35 [bhill2]
... would prefer that spec reflect current reality of implementation, would be a shame if mozilla were penalized with the perception of an incomplete implementation when there were months to years of time for interested parties to express desire to have this in the spec
22:34:59 [bhill2]
... as MSFT will have an incomplete implementation only, would prefer 1.0 to not have sandbox so Mozilla can "get full credit" as it were
22:35:28 [bhill2]
jrossi: Don't think this is right time to decide what should be in the spec, CR is the right time to mark features as at risk by virtue of not being implemented
22:35:44 [bhill2]
jrossi: especially as FF is already starting to implement, prefer to keep in the spec, encourage other implementors
22:35:56 [bhill2]
... when CR time comes, if at risk from lack of implementations, strike it then
22:36:23 [bhill2]
... flipside is that there is no 1.1 spec for now, credit wise, MSFT wants credit for shipping something that was in spec as a proposed directive for some time
22:37:29 [bhill2]
ekr: brandon, if time comes to go to last call and Mozilla is done, do you object to having sandbox in 1.0? or only if you don't have it done?
22:38:01 [bhill2]
bsterne: I would be happy to have it in if we are done, hesitant to say yes though to extra work of having to back it out later
22:38:27 [bhill2]
ekr: if decided now, somebody will be unhappy, postponed, only maybe somebody's happy
22:38:42 [bhill2]
jrossi: yes, postpone the decision until it will impede progress
22:38:58 [bhill2]
q+
22:39:24 [bhill2]
bsterne: want to reserve right to back it out if Mozilla can't get it in
22:41:07 [bhill2]
bhill2: rules of spec advancement don't allow preferencing a particular implementor
22:41:52 [bhill2]
bhill2: current charter requires 2 complete implementations, so we can add it and be in the spirit of Brandon's request
22:42:17 [bhill2]
bhill2: but we can't specifically privilege Mozilla to prevent advancement, if, e.g. Opera implements everything in time for CR
22:42:35 [bhill2]
ack bhill2
22:42:38 [bhill2]
q=
22:42:39 [bhill2]
q-
22:44:22 [Zakim]
-ekr
22:44:23 [Zakim]
- +1.408.320.aadd
22:44:24 [Zakim]
-[IPcaller]
22:44:24 [Zakim]
-[PayPal]
22:44:26 [Zakim]
-[Microsoft]
22:44:28 [Zakim]
-gopal
22:44:30 [Zakim]
-gma1
22:44:32 [Zakim]
-peleus
22:44:33 [Zakim]
-abarth
22:44:34 [Zakim]
SEC_WASWG()5:00PM has ended
22:44:36 [Zakim]
Attendees were [IPcaller], +1.866.317.aaaa, ekr, [Microsoft], [PayPal], gma1, +1.978.944.aabb, gopal, +1.415.832.aacc, peleus, abarth, +1.408.320.aadd
22:45:03 [bhill2]
rrsagent, set logs public-visible
22:45:08 [bhill2]
rrsagent, make minutes
22:45:08 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/12/06-webappsec-minutes.html bhill2
22:46:55 [jeffh]
jeffh has joined #webappsec
22:47:15 [jeffh]
test
22:56:26 [jeffh]
jeffh has joined #webappsec
23:04:08 [bhill2]
bhill2 has joined #webappsec
23:04:28 [jeffh]
jeffh has joined #webappsec
23:04:57 [jeffh]
jeffh has left #webappsec
23:07:32 [jrossi]
jrossi has left #webappsec
23:34:14 [bhill2]
bhill2 has left #webappsec