W3C

WebAppSec

21 May 2014

See also: IRC log

Attendees

Present
+49.162.102.aaaa, +1.503.712.aabb, +1.503.712.aacc, +1.831.246.aadd, +49.162.102.aaee, gmaone, dveditz, mkwst, terri
Regrets
Chair
dveditz
Scribe
mkwst__

Contents


<freddyb> I can't make today's meeting but will lurk in IRC.

<dveditz> RRSAgent scribenick mkest__

<dveditz> RRSAgent scribenick mkwst__

dveditz: Approve minutes?
...: Approved.

<terri> Minutes link: http://www.w3.org/2011/webappsec/draft-minutes/2014-05-07-webappsec-minutes.html

Open items in tracker

dveditz: ACTION-166: privacy section to SRI?

mkwst: haven't touched SRI or CSP 1.2. trying to get csp 1.1 out the door.

dveditz: Service worker?

mkwst: spoke with folks at BlinkOn. have some interesting ideas. will summarize something to the list with jww@.

GitHub tracker.

dveditz: These issues look like SRI. Not done yet.

TPAC.

dveditz: TPAC is in Santa Clara. October 21-31st.
...: Discuss on the list when we want to have F2F. First two days, last two days, etc.
... Registration in June.

CSP spec thread.

dveditz: anything to talk about?

mkwst: not really. i just stole the style from the CSSWG, and took an editorial pass over pretty much everything while porting to Bikeshed.

paths + redirects = sadness.

dveditz: Sigbjorn isn't here. Too bad.
...: Not sure how far we can get without Opera.

dveditz: Should we drop reporting? I don't think that solves the problem. Other side channels, etc.

mkwst: problem was forum.org -> xxx.forum.org redirection being detectable via POSTed reports.
...: Problem isn't unique, but CSP makes it a perfect oracle.

dveditz: If dropping reporting would solve the problem, I'd consider dropping reporting.
...: Dropping paths on redirect weakens the protection.
... Added paths for a reason; large, complex sites like Google need them.

mkwst: the current proposal is indeed a compromise. i haven't seen other proposals that i'm convinced would solve the problem.

dveditz: Back to the mailing list, I suppose.

CSP to LC?

dveditz: No quorum here.
...: We'd like to do that. Close to doing that.
... Need to resolve the path issue.
... Did you (mike) update the spec with the proposal?

mkwst: I did.
... https://w3c.github.io/webappsec/specs/content-security-policy/

dveditz: Ok, we're close, but not enough people here today.
...: Still enough of an open issue that we should wait.

mkwst: Do we have to have folks on a call to go to LC? Or can we do it on the list?

dveditz: Will look into it.

mkwst: I don't think we'll ever have a quorum on the call. Doing it on the list would be simpler.

dveditz: I'll talk to Brad about starting a thread.
...: Need to wrap up paths.

mkwst: Anything else? Paths are the only thing on my list.

dveditz: If there are objections or other issues, folks should speak up.
...: We should probably send a mail to the WG, saying "We think we're close to there. Are there objections?"

mkwst: Sent something similar earlier in the year, didn't get much response. Will be happy to do it again.

dveditz: Ok, I'll send a mail.
... Microsoft has nominated a new person to join the group: Kevin Hill.
...: Yahoo has joined. Nominated Sean S...(?).
... Mozilla nominated Garrett.
... Nice to see Microsoft getting more actively involved.
... Short call today? AOB?
... Watch for TPAC registration to open!

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2014-06-24 21:01:52 $