W3C

- DRAFT -

Web Application Security Working Group Teleconference

09 Apr 2014

Agenda

See also: IRC log

Attendees

Present
freddyb, ekr, Wendy, gmaone, garrettr, bhill2, +1.310.597.aaaa, terri, tanvi, +1.510.725.aabb, devdatta
Regrets
Chair
ekr, bhill2
Scribe
terri

<trackbot> Date: 09 April 2014

<freddyb> I think I am ??P2 but I forgot how to tell Zakim :)

<freddyb> thanks wendy

<bhill2> Meeting: WebAppSec Teleconference 09-April-2014

<freddyb> gmaone is Giorgio Maone, not Garrett Robinson :-)

<bhill2> I will have to duck out early today

<tanvi> Zakim aaaa is tanvi

ekr: call for minutes approval; minutes approved

<freddyb> terri: that's ekr talking today

freddyb: thanks. I'm not so great with everyone's voices yet, and he sounds a little garbled

<freddyb> sure, np.

review of open issues in the tracker. Skipping those associated with those not on the call right now...

<ekr> mkwst: have you done actions 164 and 166?

<garrettr> epoch fail!

no response from mwest so we're assuming those have not been completed

<bhill2> resolution to Action 149 is in https://github.com/w3c/webappsec/pull/10

wseltzer: reminder of call for exclusions on UISecurity and SRI, details on mailing list

<bhill2> http://manifest.sysapps.org/#csp-member

<wseltzer> [UISecurity call for exclusions ends 17 May; SRI ends 15 August. Details were mailed to AC reps on the member-cfe list]

bhill2: meeting on sysapps is discussing CSP for packaged webapps and there is concern about when and how to enforce the policy in the manifest
... there may be no issue given appropriate recommendations for loading of manifest

<bhill2> garrett robinson, I believe

mozilla thinks that manifest is loaded first, so perhaps not an issue

may be worth considering a default policy

<freddyb> (that was grobinson talking)

<freddyb> err, garrettr

garrettr: not sure if a note belongs in app manifest spec or

[sorry, missed the other option; everyone's sounding a little garbled to me today]

ekr: next topic, using hashes to locate the resource

<bhill2> ACTION grobinson to raise handling of CSP policies associated with installed apps (like firefox apps) to the list

<trackbot> Error finding 'grobinson'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<bhill2> ACTION garrettr to raise to the list handling of CSP associated with installed apps as possible spec note

<trackbot> Error finding 'garrettr'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

ekr: the major objection is that the privacy policies may not be optimal

<ekr> action, devdatta to read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html

<ekr> http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0047.html

<bhill2> ACTION bhill2 to respond to list queries about hints for content-addressable storage

<trackbot> Created ACTION-167 - Respond to list queries about hints for content-addressable storage [on Brad Hill - due 2014-04-16].

devdatta: what content should we hash to compare values? issue is that browsers silently deal with unzipping files, so we may need to strip content encodings

<bhill2> ACTION bhill2 to raise to the list handling of CSP associated with installed apps as possible spec note

<trackbot> Created ACTION-168 - Raise to the list handling of csp associated with installed apps as possible spec note [on Brad Hill - due 2014-04-16].

<freddyb> ACTION devdatta to read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html

<trackbot> Created ACTION-169 - Read and respond to use of sri hashes for caching/alternate locations: http://lists.w3.org/archives/public/public-webappsec/2014mar/0103.html [on Devdatta Akhawe - due 2014-04-16].

<freddyb> terri: devdatta was devdatta

<bhill2> rrsagent make minutes

<freddyb> thanks everyone

<wseltzer> trackbot, end teleconf

Summary of Action Items

[NEW] ACTION-167: Respond to list queries about hints for content-addressable storage [on Brad Hill - due 2014-04-16]
[NEW] ACTION-168: Raise to the list handling of CSP associated with installed apps as possible spec note [on Brad Hill - due 2014-04-16]
[NEW] ACTION-169: Read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html [on Devdatta Akhawe - due 2014-04-16]

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-04-17 17:46:34 $

Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0005.html
Minutes: http://www.w3.org/2014/04/09-webappsec-minutes.html