<trackbot> Date: 09 April 2014
<freddyb> I think I am ??P2 but I forgot how to tell Zakim :)
<freddyb> thanks wendy
<bhill2> Meeting: WebAppSec Teleconference 09-April-2014
<freddyb> gmaone is Giorgio Maone, not Garrett Robinson :-)
<bhill2> I will have to duck out early today
<tanvi> Zakim aaaa is tanvi
ekr: call for minutes approval; minutes approved
<freddyb> terri: that's ekr talking today
freddyb: thanks. I'm not so great with everyone's voices yet, and he sounds a little garbled
<freddyb> sure, np.
review of open issues in the tracker. Skipping those associated with those not on the call right now...
<ekr> mkwst: have you done actions 164 and 166?
<garrettr> epoch fail!
no response from mwest so we're assuming those have not been completed
<bhill2> resolution to Action 149 is in https://github.com/w3c/webappsec/pull/10
wseltzer: reminder of call for exclusions on UISecurity and SRI, details on mailing list
<bhill2> http://manifest.sysapps.org/#csp-member
<wseltzer> [UISecurity call for exclusions ends 17 May; SRI ends 15 August. Details were mailed to AC reps on the member-cfe list]
bhill2: meeting on sysapps is discussing CSP for packaged webapps and there is concern about when and how to enforce the policy in the manifest
... there may be no issue given appropriate recommendations for loading of manifest
<bhill2> garrett robinson, I believe
mozilla thinks that manifest is loaded first, so perhaps not an issue
may be worth considering a default policy
<freddyb> (that was grobinson talking)
<freddyb> err, garrettr
garrettr: not sure if a note belongs in app manifest spec or
[sorry, missed the other option; everyone's sounding a little garbled to me today]
ekr: next topic, using hashes to locate the resource
<bhill2> ACTION grobinson to raise handling of CSP policies associated with installed apps (like firefox apps) to the list
<trackbot> Error finding 'grobinson'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
<bhill2> ACTION garrettr to raise to the list handling of CSP associated with installed apps as possible spec note
<trackbot> Error finding 'garrettr'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
ekr: the major objection is that the privacy policies may not be optimal
<ekr> action, devdatta to read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html
<ekr> http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0047.html
<bhill2> ACTION bhill2 to respond to list queries about hints for content-addressable storage
<trackbot> Created ACTION-167 - Respond to list queries about hints for content-addressable storage [on Brad Hill - due 2014-04-16].
@@: what content should we hash to compare values? issue is that browsers silently deal with unzipping files, so we may need to strip content encodings
<bhill2> ACTION bhill2 to raise to the list handling of CSP associated with installed apps as possible spec note
<trackbot> Created ACTION-168 - Raise to the list handling of csp associated with installed apps as possible spec note [on Brad Hill - due 2014-04-16].
<freddyb> ACTION devdatta to read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html
<trackbot> Created ACTION-169 - Read and respond to use of sri hashes for caching/alternate locations: http://lists.w3.org/archives/public/public-webappsec/2014mar/0103.html [on Devdatta Akhawe - due 2014-04-16].
<freddyb> terri: devdatta was devdatta
<bhill2> rrsagent make minutes
<freddyb> thanks everyone
<wseltzer> trackbot, end teleconf