See also: IRC log
brad: minutes from last meeting not posted unfortunately, so move on to agenda bash
bhill: no requests, so reviewing tracker items
... have a new rev of CORS spec with comments from list (bhill, jeffh) will send out later today hopefully
... issues 58, 70, 79 in CORS will be addressed
... action #76: any features at risk in cors due to lack of impl ?
<tanvi> [Mozilla] is tanvi
bhill: odin and gopal not on call
? might want to wait for them to discuss. Odin working on CORS test suite into shape, will put this on agenda for tpac f2f discussion next week
... #77, bhill editing
#80, haven't heard back from ? will try to followup
#81: will close
bhill: CSP and CSS discussion from list
... Ian, please explain
imelven (ian): doesn't think should slow down 1.0 spec; will pay attention to csp1.1
tanvi: tho might be issues wrt gecko vs webkit impl diffs
ian: there's diff understandings wrt aspects of CSSOM and DOM, and discussion on list is good and has reached some conclusions, can address spec changes in v1.1
abarth: thinks addressing in 1.1 is fine, tho happy to be flexible on which spec we address it in (?)
( is that what abarth said ? )
ian: seems like we're converging on an understanding on the list discussion
who from Moz was mentioned as going to TPAC ?
mkwst == Mike West
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html
now discussing above mail msg 0022.html
bhill: add specific language to spec to address ?
<erlend> It's already in the test suite
abarth: don't really understand what the issue is?
... don't understand how policy is circumvented
bhill: <see cited msg>
abarth: this sounds like a bug -- poster sounds confused
?: but he's saying that in some browsers self /can/ alter the base tag it seems
abarth: if that's it, then it should be fixed
bhill: is there text that says that base tag shouldn't alter self ?
<gioma1> He refers to a hidden webkit bug: Reference Bug: https://bugs.webkit.org/show_bug.cgi?id=99318
abarth: not sure which browser is he working with? wud be surprised if webkit or gecko
tanvi/dveditz: yes, the url is resolved ahead of time, we don't use the base attr to determine what self means
abarth: we should talk to him more on list and get more info
dveditz: < thinks there might be a way that it might happen >
abarth: will followup on list with poster
dveditz: anything in bug 99318 that's interesting/relevant?
abarth: oh, it's not public, will fix that so we can look at it
<imelven> jeffh: tanvi is going to TPAC
<dveditz> jeffh: I am as well
gotcha, thx
<dveditz> jeffh: other mozilla people are going to other WG
<imelven> not sure about sicking, and bz, i dropped them a mail
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0008.html
abarth: the bug is just a copy of the email msg -- will followup on list in any case
bhill: moving on
... issues with document promotion that was discussed on the list
... do any WG members on call think we should re-open any of the issues?
<silence> don't hear any objections to closing issues 11, 16, 17 , 18, 19 -- any motion to close these, and advance csp 1.0 to CR ?
jeffh: so moved
tanvi: seconded
dveditz: thirded
<tanvi> *applause*
<applause>
<bhill2> RESOLVED: issues 11, 16, 17, 18 and 19 to remain closed as previously resolved, CSP to CR
<dveditz> or making espresso?
<jrossi> hehe
<dveditz> coffee's done?
bhill: make a formal request to advance UI safety directives to FPWD ?
<no objections>
<bhill2> RESOLVED: Advance UISafety Directives for CSP to FPWD
portion of that spec may be subject to discussions at IETF-85 atlanta, the week following TPAC
next item
TPAC agenda?
bhill: "test the web forward" event the weekend prior to TPAC in paris -- some of us will be there, want to make some time to discuss that, as well as test suite status, specific areas of spec that needs work, test cases need to be generated, solicit folks to work on these, set schedules, this is nec. to get to CR
next item: rechartering for WG
<mkwst> ...
bhill: doesn't seem anything we're doing in CSP 1.1 necessitates changes to charter, but is oppty to upgrade charter with additional work; without additional actual deliverables, this WG may close after completing CSP v1.1 and UI Safety
<tanvi> jonas will be at TPAC
bhill: please think about that
... will send provisional list of discussion items out to list -- any that folks can think of right now?
... not hearing other proposed items, will send to list, we'll have time to discuss online
... next item
... wrt "test web fwd" -- any info?
gopal: welcomes participation, pls submit test suites if you have them, offering to help you with them if you need help; need to get our test coverage numbers up; want to try to get a regression count -- has been going a bit slow, if can get some help should speed it up; will keep working on it in any case, again welcomes any contributed test cases
bhill: an impt aspect of moving to CR is demonstrating we have actual impls of spec features -- having test cases to demonstrate that will be big help
this is WRT CORS
<gopal> do we have a deadline for CR
bhill: wrt CSPv1.0, we're regarding on impl self-declaration; but CORS has additional complexities, so having actual test cases will be helpful
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0009.html
bhill: Re: CSP 1.1: Paths in source list definitions (msg URI above)
tanvi: thinks agreement on list is fine
dveditz: agrees
<tanvi> https://blog.mozilla.org/tanvi/
bhill: ok, at end of agenda
<dveditz> agrees as long as that understanding makes it into the spec :-)
<tanvi> UserCSP Add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/
<tanvi> UserCSP Code (Open Source): https://github.com/patilkr/userCSP
<tanvi> UserCSP Documentation: https://wiki.mozilla.org/SummerOfCode/2012/UserCSP/Wiki
tanvi: over summer worked on google code project "UserCSP"
see above
<jrossi> cool!
tanvi: has aspect that helps developers craft CSP policy for given "page"
... is presently per page, would like feedback, want to make it gen policy for "per site/domain"
bhill: anything else?
... not hearing anything, so see some of you @TPAC next week, will be at ietf following week and have oppty to liaise