WebAppSec Teleconference 23 October 2012

23 Oct 2012


See also: IRC log


+1.650.648.aaaa, +1.425.865.aabb, +1.650.678.aacc, +1.206.624.aadd, +1.866.317.aaee, gioma1, mkwst, bhill2, erlend, tanvi, jrossi, +1.978.944.aaff, ekr, jeffh
bhill, ekr


brad: minutes from last meeting not posted unfortunately, so move on to agenda bash

bhill: no requests, so reviewing tracker items
... have a new rev of CORS spec with comments from list (bhill, jeffh); will send out later today hopefully
... issues 58, 70, 79 in CORS will be addressed
... action #76: any features at risk in cors due to lack of impl ?

<tanvi> [Mozilla] is tanvi

bhill: odin and gopal not on call ? might want to wait for them to discuss. Odin working on CORS test suite into shape, will put this on agenda for tpac f2f discussion next week
... #77, bhill editing

#80, haven't heard back from ? will try to followup

#81: will close

bhill: CSP and CSS discussion from list
... Ian, please explain

imelven (ian): doesn't think should slow down 1.0 spec; will pay attention to csp1.1

tanvi: tho might be issues wrt gecko vs webkit impl diffs

ian: there's diff understandings wrt aspects of CSSOM and DOM, and discussion on list is good and has reached some conclusions, can address spec changes in v1.1

abarth: thinks addressing in 1.1 is fine, tho happy to be flexible on which spec we address it in (?)

( is that what abarth said ? )

ian: seems like we're converging on an understanding on the list discussion

who from Moz was mentioned as going to TPAC ?

mkwst == Mike West

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html

now discussing above mail msg 0022.html

bhill: add specific language to spec to address ?

<erlend> It's already in the test suite

abarth: don't really understand what the issue is?
... don't understand how policy is circumvented

bhill: <see cited msg>

abarth: this sounds like a bug -- poster sounds confused

?: but he's saying that in some browsers self /can/ alter the base tag it seems

abarth: if that's it, then it should be fixed

bhill: is there text that says that base tag shouldn't alter self ?

<gioma1> He refers to a hidden webkit bug: Reference Bug: https://bugs.webkit.org/show_bug.cgi?id=99318

abarth: not sure which browser he is working with? would be surprised if WebKit or Gecko

tanvi/dveditz: yes, the url is resolved ahead of time, we don't use the base attr to determine what self means

abarth: we should talk to him more on list and get more info

dveditz: < thinks there might be a way that it might happen >

abarth: will followup on list with poster

dveditz: anything in bug 99318 that's interesting/relevant?

abarth: oh, it's not public, will fix that so we can look at it

<imelven> jeffh: tanvi is going to TPAC

<dveditz> jeffh: I am as well

got that, thx

<dveditz> jeffh: other mozilla people are going to other WG

<imelven> not sure about sicking, and bz, i dropped them a mail

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0008.html

abarth: the bug is just a copy of the email msg -- will followup on list in any case

bhill: moving on
... issues with document promotion that was discussed on the list
... do any WG members on call think we should re-open any of the issues?

<silence> don't hear any objections to closing issues 11, 16, 17 , 18, 19 -- any motion to close these, and advance csp 1.0 to CR ?

jeffh: so moved

tanvi: seconded

dveditz: thirded

<tanvi> *applause*


<bhill2> RESOLVED: issues 11, 16, 17, 18 and 19 to remain closed as previously resolved, CSP to CR

<dveditz> or making espresso?

<jrossi> hehe

<dveditz> coffee's done?

bhill: make a formal request to advance UI safety directives to FPWD ?

<no objections>

<bhill2> RESOLVED: Advance UISafety Directives for CSP to FPWD

portion of that spec may be subject to discussion at IETF-85 Atlanta, the week following TPAC

next item

TPAC agenda?

bhill: "test the web forward" event the weekend prior to TPAC in Paris -- some of us will be there, want to make some time to discuss that, as well as test suite status, specific areas of spec that need work, test cases that need to be generated, solicit folks to work on these, set schedules; this is nec. to get to CR

next item: rechartering for WG

<mkwst> ...

bhill: doesn't seem anything we're doing in CSP 1.1 necessitates changes to charter, but is oppty to upgrade charter with additional work; without additional actual deliverables, this WG may close after completing CSP v1.1 and UI Safety

<tanvi> jonas will be at TPAC

bhill: please think about that
... will send provisional list of discussion items out to list -- any that folks can think of right now?
... not hearing other proposed items, will send to list, we'll have time to discuss online
... next item
... wrt "test web fwd" -- any info?

gopal: welcomes participation, pls submit test suites if you have them, offering to help you with them if you need help; need to get our test coverage numbers up; want to try to get a regression count -- has been going a bit slow, if can get some help should speed it up; will keep working on it in any case, again welcomes any contributed test cases

bhill: an impt aspect of moving to CR is demonstrating we have actual impls of spec features -- having test cases to demonstrate that will be big help

this is WRT CORS

<gopal> do we have a deadline for CR

bhill: wrt CSPv1.0, we're regarding on impl self-declaration; but CORS has additional complexities, so having actual test cases will be helpful

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0009.html

bhill: Re: CSP 1.1: Paths in source list definitions (msg URI above)

tanvi: thinks agreement on list is fine

dveditz: agrees

<tanvi> https://blog.mozilla.org/tanvi/

bhill: ok, at end of agenda

<dveditz> agrees as long as that understanding makes it into the spec :-)

<tanvi> UserCSP Add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/

<tanvi> UserCSP Code (Open Source): https://github.com/patilkr/userCSP

<tanvi> UserCSP Documentation: https://wiki.mozilla.org/SummerOfCode/2012/UserCSP/Wiki

tanvi: over summer worked on google code project "UserCSP"

see above

<jrossi> cool!

tanvi: has aspect that helps developers craft CSP policy for given "page"
... is presently per page, would like feedback, want to make it gen policy for "per site/domain"

bhill: anything else?
... not hearing anything, so see some of you @TPAC next week, will be at ietf following week and have oppty to liase

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012/10/24 20:49:16 $