See also: IRC log
bhill: agenda bashing?
… next agenda item: open issues
<puhley> aaff is puhley
… widgets was published in the last few weeks. they have their own origin-restriction methodology. need to reconcile with them eventually, but right now they are going to proceed to CR.
… action 35: advice for server operators [abarth]
abarth: no progress yet
… will work on it some more
bhill2: action 36 [huang]. he has a paper deadline so can't get to it
… wil do soon
… moving on to actions pending review.
bhill2: action 34: ekr was to do review. he did. action 39 to respond, he did.
… action 40 [abarth]. the spec already requires this. this action arose out of a difference in behavior because of a webkit bug. I will fix.
bhill2: issue 10 [abarth] can it be closed?
abarth: yes, it's in pending review.
bhill2: noticed we have a new editor's draft. gfood
… anyone have a problem with only having the referrer header in the reports
abarth: would just have a new field called referrer
<anne> I'm gonna get some sleep, but if people find issues with http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html please file a bug as suggested in the "Participate" box rather than file ACTIONS on me; I'd like to keep the number of systems I need to track to a minimum
<scribe> ACTION: abarth to add referrer field for reporting [recorded in http://www.w3.org/2012/02/14-webappsec-minutes.html#action02]
<trackbot> Created ACTION-48 - Add referrer field for reporting [on Adam Barth - due 2012-02-21].
bhill2: action 43. This was on me. We were changing processing model on what URI is in reports to not be the direct HTTP request but rather URI as seen by user agent. The main consequence of this is that it does not include fragments.
… needed to clarify what to do with the fragment?
… there are deployed systems today that rely on having secrets i the fragment.
… in 1.0, propose not including fragment in report
… might want to add the ability to have fragments as a new feature request, e.g., 1.1
dveditz: but there are AJAX pages which rely on the fragment and you can't tell much about what's going on withou tit.
… maybe this is bad, but e.g., twitter does this and wants CSP
… if we're going to exclude it, is there a way to make opt-in part of initial draft
bhill2: the current status quo is not to have fragment. we're not breaking anyone's reliance on these reports
dveditz: would be easy to write down the option in 1.0
… but would we have two implementations in time?
abarth: we earlier agreed on a criterion based on whether there were existing implementations
… and this seems to clearly have no implementations at all, so it should be 1.1
<jeffh> ? = abarth
<jeffh> or was the "?" not intended to represent the speaker ?
bhill2: issue 44
abarth: unfortunately, there was an inconsistency in the document between requirements and examples. my question is: is there a normative requirement to include self, or have some other way of indicating self separately.
bhill2: any commentary on this on the list?
abarth: I don't know.
bhill2: last remaining issue was ACTION-45. I think this is done. Any objections?
… I think that makes a pretty serious dent on what we have
<bhill2> next agenda item:
abarth: probably useful to a small audience. might be useful in 1.1 or future version
… I don't have strong feeling
abarth: why don't we put it on the list of things to consider for 1.1
bhill2: this seems like something you could accomplish wit sandbox
<scribe> ACTION: bhill2 to followup on list to http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0014.html [recorded in http://www.w3.org/2012/02/14-webappsec-minutes.html#action03]
<trackbot> Created ACTION-49 - Followup on list to http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0014.html [on Brad Hill - due 2012-02-21].
bhill2: next item is to look at all open raised issues. I think we're pretty much there.
<scribe> … new editors draft. outstanding items on policy-uri and sandbox.
… to resolve by vote of implementations
… todo section on server advice.
abarth: just need a solid day to write this
bhill2: any objections once these are fixed to do a CfC for LC on 1.0 on next call
abarth: last issue is issue #7--the policy-uri issue
bhill2: was this one of the ones where we going to let implementations vote, or is the debate about if we want it at all
abarth: I think it's not a good feature. I know Dan disagrees
… was hoping some other WG members could contribute
jeffh: is there a thread on the list
abarth: not yet, but I think this may be a good time
<scribe> ACTION: abarth to start discussion on ISSUE 7 [recorded in http://www.w3.org/2012/02/14-webappsec-minutes.html#action04]
<trackbot> Created ACTION-50 - Start discussion on ISSUE 7 [on Adam Barth - due 2012-02-21].
bhill2: any other issues anyone wants to raise on CSP 1.0?
… moving on to next item: moving CORS to LC
… we issued a CfC over a month ago. Issues were raised privately. Some parties were not interested in engaging publicly?
… chairs and editors engaged with them and then came back with some suggested language.
… intent wasn't to keep anyone in the dark, just to preemptively cut off some of the political probelms.
… I proposed some security considerations text.
… Anne incorporated it into latest draft.
… deals mostly with how to avoid confused deputy attacks.
… also ACTION-46 was added to clarify setting of origin header when following redirect.
… appears that web origin and CORS evolved independently to point at each other for how to handle this. ACTION-46 is to take the previous origin RFC text and put it in CORS
… Anne has also done that. I
… I believe this addresses all the outstanding consensus objections
jeffh: were these written down?
bhill2: they were private comments. people didn't want to engage publicly.
… was an unfortunate situation, but I tried to keep the group looped in
… idea was to get ahead of public objections.
… does anyone have any objections to the proposed text in the latest editor's draft
jeffh: I haven't had time to read it
abarth: can I ask a process question. To what extent can private objections prevent the spec from moving forward? Do these folks need to eventually come into public to make these points.
bhill2: you can't prevent the spec from advancing purely by private objections
… but in this case the objectors would have raised it through influencing members of the TAG.
… figured the best course of action was to address it privately before it became a formal objection
bhill2: this has been out for comment for a long the and most of the changes seem to have been dealt with
… objections to requesting advancement to LC at this point?
… Jeff, do you want time to read this before giving assent.
jeffh: will need a little while to look through it. I also have some editorial comments.
… now that this security considerations thing has bubbled up, I now think it's time to address these editorial issues, including precise security considerations.
bhill2: I don't think there is harm in waiting for another two weeks to get your comments
<scribe> ACTION: jeffh to review new sec cons language and provide editorial fixes [recorded in http://www.w3.org/2012/02/14-webappsec-minutes.html#action05]
<trackbot> Sorry, couldn't find user - jeffh
Jeff, what is your W3C name?
<jeffh> pls stand by
bhill2: last item is proposed F2F in bay area.
… topics would include hashing out ideas for new CSP directives and dig down deeper into anti-clickjacking
<scribe> ACTION: jhodges3 to review CORS new sec cons language and provide editorial fixes [recorded in http://www.w3.org/2012/02/14-webappsec-minutes.html#action06]
<trackbot> Created ACTION-51 - Review CORS new sec cons language and provide editorial fixes [on Jeff Hodges - due 2012-02-21].
bhill2: would mostly be April 10-11
<jeffh> have we Found a location For the F2F ?
<ptheriault> Australia ;)
jeffh: it's going to be california
<jeffh> i realize that -- we checked into hosting here @paypal, but the rooms are already booked :(
bhill2: I will create another doodle poll.