See also: IRC log
Zakim [IPcaller] is neilm
<freddyb> I am this "??P2", Zakim reports...and have yet to find out how this all works :)
<freddyb> Zakim: I am ??P2
<freddyb> gmaone: thanks :)
<bhill2> Scribe: Neil Matatall
<bhill2> Scribenick: neilm
<terri> can't tell if the call dropped or what.
<freddyb> it's completely quiet for me
<bhill2> today's agenda
<bhill2> http://www.w3.org/2013/12/17-webappsec-minutes.html < - real minutes link
bhill2: not going to close voting today, perhaps 8 or 9 PST
<freddyb> I considered this a representative week, fwiw
bhill2: Monday 8:30 PST and
Friday ??? likely candidates
... who is security lover? Speak up :)
<klee> 8:30 pm or am?
klee: AM PST
<klee> I'd be down with that
mkwst: 1. removed most of script
interface, needs to be reworked
... suggested push out to 1.2 (policy violation event still exists)
... 2. meta element changes converting todos
... 3: Workers no longer inherit policy automatically, rather when generated from origins w/ unique urls.
... 4: new child-src directive, default context source list, used for frame/worker/popup-src directives
... and child-src inherits from default-src
... nothing governs window.open
<freddyb> in general, if you're not talking: please mute. the feedback is indeed annoying
<terri> I'm having trouble hearing much of anything because of it.
<freddyb> on a sidenote, when it comes to directives: was it discussed in this WG whether it makes sense to put html imports into script-src?
<bhill2> freddy: yes, that was the conclusion we came to
dveditz: potential issues around workers [noise]
<freddyb> bhill2: thanks. I'll read up first then
dveditz: no need for child-src && worker-src, or just have separate frame/worker-src
???: complexity is a leading blocker for adoption
<dveditz> who is speaking? apf?
<bhill2> was that terri oda speaking?
<terri> yes, I'm the former academic on the call
<mkwst> bah. dialing back in.
bhill2: Ian's ideas around CSSOM
appear to have no objections and decent support
... frame-ancestors in 1.1 (not frame-options)
bhill2: requiring eval for cssom might break things
mkwst: if we feel it's an issue,
we need to base decisions on data
... adding eval to style-src
bhill2: does this impact chrome extensions and the like?
<dveditz> FIrefox OS privileged apps have a default CSP of "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
<dveditz> but we could easily add "unsafe-eval' to the style-src if we make this change
<freddyb> certified apps (internal things like dialer, sms, ..) don't have 'unsafe-inline' for styles yet
<freddyb> privileged do
1) pros: ensure unauth'd code alerts, cons: might slow things down, might break things
terri: intro needs to be clarified to distinguish from what CSP does
2) "cdn integrity" pros: no brainer, cons:
3) "integrity for downloads" cons: result of navigation before direct download might cause issues in a new context
bhill2: is this meaningful? copy/pasting urls is a workaround as well
4) "Ensure UI elements aren't manipulated before being displayed"
interaction with about:// could be controlled
mkwst: chrome new tab page is another example
freddyb: some of these pages are privileged as well
mkwst: 1, 2, 4, 5 can probably be consolidated
<bhill2> next call will probably be Friday, Jan 31