IRC log of webappsec on 2012-02-28

Timestamps are in UTC.

21:51:41 [RRSAgent]
RRSAgent has joined #webappsec
21:51:41 [RRSAgent]
logging to
21:51:49 [Zakim]
Zakim has joined #webappsec
21:52:21 [bhill2]
zakim, this will be 92794
21:52:21 [Zakim]
ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 8 minutes
21:57:44 [Zakim]
SEC_WASWG()5:00PM has now started
21:57:51 [Zakim]
21:59:23 [linshunghuang]
linshunghuang has joined #webappsec
21:59:43 [Zakim]
22:00:18 [Zakim]
+ +1.408.320.aaaa
22:01:19 [bhill2]
bhill2 has joined #webappsec
22:03:15 [Zakim]
+ +1.650.678.aabb
22:04:12 [Zakim]
+ +1.310.597.aacc
22:04:16 [bhill21]
bhill21 has joined #webappsec
22:04:21 [gioma1]
gioma1 has joined #webappsec
22:04:27 [Zakim]
- +1.310.597.aacc
22:04:33 [abarth]
abarth has joined #webappsec
22:04:52 [Zakim]
+ +1.310.597.aadd
22:05:10 [abarth]
Zakim: who is on the call?
22:05:17 [Zakim]
- +1.310.597.aadd
22:05:27 [Zakim]
22:05:50 [Zakim]
+ +1.310.597.aaee
22:06:33 [Zakim]
22:06:47 [jrossi]
jrossi has joined #webappsec
22:06:56 [linshunghuang]
zakim, i am aaaa
22:06:56 [Zakim]
+linshunghuang; got it
22:07:05 [bhill2]
bhill2 has joined #webappsec
22:07:09 [bhill2]
agenda is:
22:07:19 [Zakim]
22:08:11 [gioma1]
Zakim, +??P7 is gioma1
22:08:11 [Zakim]
sorry, gioma1, I do not recognize a party named '+??P7'
22:08:19 [ekr]
ekr has joined #webappsec
22:08:19 [gioma1]
Zakim, ??P7 is gioma1
22:08:19 [Zakim]
+gioma1; got it
22:08:40 [dveditz]
dveditz has joined #webappsec
22:09:01 [bhill21]
bhill21 has joined #webappsec
22:09:06 [abarth]
i'm here
22:09:17 [jrossi]
and on IRC
22:09:56 [bhill22]
bhill22 has joined #webappsec
22:09:57 [Zakim]
+ +1.831.246.aaff
22:10:09 [Tanvi]
Tanvi has joined #webappsec
22:10:15 [dveditz]
zakim: I am aaff
22:10:49 [dveditz]
zakim, i am aaff
22:10:49 [Zakim]
+dveditz; got it
22:10:49 [ekr]
zakim, who is here?
22:10:50 [Zakim]
On the phone I see abarth, bhill2, linshunghuang, +1.650.678.aabb, puhley, +1.310.597.aaee, [Microsoft], gioma1, dveditz
22:10:50 [Zakim]
On IRC I see Tanvi, bhill22, bhill21, dveditz, ekr, jrossi, abarth, gioma1, linshunghuang, Zakim, RRSAgent, trackbot
22:11:35 [linshunghuang]
ekr: published minutes, approve?
22:11:49 [linshunghuang]
ekr: resolved approved
22:12:39 [bhill2]
bhill2 has joined #webappsec
22:13:02 [linshunghuang]
bhill21: action 20 still waiting
22:13:24 [linshunghuang]
abarth: will keep action 35
22:14:10 [puhley]
puhley has joined #webappsec
22:15:51 [bhill2]
bhill2 has joined #webappsec
22:18:12 [bhill21]
bhill21 has joined #webappsec
22:18:31 [linshunghuang]
I will share evaluation of anti-clickjacking proposals when possible
22:19:29 [linshunghuang]
puhley: would like to share Adobe's info, looking for a place to put it
22:20:37 [linshunghuang]
puhley: some details .. issues with screen scraping and sandbox...
22:21:29 [linshunghuang]
puhley: will work on documenting
22:22:13 [linshunghuang]
bhill21: action 49 followed up and issue closed
22:22:31 [bhill2]
bhill2 has joined #webappsec
22:23:35 [linshunghuang]
abarth: no objections action 44, done
22:25:34 [linshunghuang]
ekr: is cors ready to move? not much problem, should move forward
22:25:51 [ekr]
ACTION, bhill2 to email tlr to send CORS to LC
22:26:08 [ekr]
ACTION: bhill2 to email tlr to send CORS to LC
22:26:08 [trackbot]
Created ACTION-52 - Email tlr to send CORS to LC [on Brad Hill - due 2012-03-06].
22:26:11 [bhill21]
bhill21 has joined #webappsec
22:26:57 [linshunghuang]
abarth: sent issue to mailing list about policy-uri, 2 pro 1 con
22:28:06 [linshunghuang]
abarth: cited yahoo yslow, policy-uri will make the web slow
22:29:25 [linshunghuang]
abarth: surveyed deployment of policy-uri, only one site was using it
22:30:58 [linshunghuang]
puhley: centralized policy file sometimes easier to maintain
22:31:51 [bhill2]
bhill2 has joined #webappsec
22:32:15 [linshunghuang]
bhill: uri could be local resource, not network request
22:33:45 [linshunghuang]
dan: worried if killing it, complex sites that actually need it can't use CSP easily
22:35:49 [linshunghuang]
dan: long headers might hit performance
22:36:19 [linshunghuang]
abarth: meta headers (compressed) addresses the issue
22:38:45 [linshunghuang]
dan: possibility to inject before meta tag...
22:38:57 [linshunghuang]
abarth: meta tag takes effect when injected.. ?
22:40:09 [linshunghuang]
abarth: should convince them to move it earlier in the bootup
22:42:58 [linshunghuang]
dan: other commercial sites (other than google) might need it? .. talk about it in 1.1?
22:44:01 [linshunghuang]
abarth & dan: can live with either way
22:45:27 [linshunghuang]
jrossi: no strong opinion, would think about how to guide developers if implemented
22:45:50 [Tanvi]
have enough people adopted CSP for us to know whether or not the policy-uri is a useful feature?
22:46:16 [Tanvi]
it may well be helpful for companies that are having trouble adopting CSP, and hence haven't adopted yet
22:46:56 [Tanvi]
does chrome currently support policy-uri?
22:47:01 [linshunghuang]
puhley: personally not aware of huge performance issue for Flash for extra RTT
22:47:23 [Tanvi]
*i am at bsides, hence on mute; very loud here*
22:48:50 [ekr]
ACTION: erescorl to do straw poll on the list about policy-uri for CSP 1.0/1.1 question
22:48:51 [trackbot]
Created ACTION-53 - Do straw poll on the list about policy-uri for CSP 1.0/1.1 question [on Eric Rescorla - due 2012-03-06].
22:50:55 [linshunghuang]
abarth: remove sensitive information on report-uri?
22:51:50 [linshunghuang]
abarth: same origin was too strict
22:53:04 [linshunghuang]
abarth: often in header injection, the referer is the attacker
22:54:42 [linshunghuang]
dan: if different user got different CSP, attacker might reveal some info? a bit far fetched
22:54:53 [linshunghuang]
dan: never mind
22:56:26 [linshunghuang]
ekr: question of csp and cross frame communication? is it a problem?
22:58:26 [Zakim]
- +1.650.678.aabb
22:58:27 [Zakim]
22:58:29 [Zakim]
- +1.310.597.aaee
22:58:35 [Zakim]
22:59:23 [Zakim]
22:59:54 [ekr]
rrsagent, stop log
22:59:54 [RRSAgent]
I'm logging. I don't understand 'stop log', ekr. Try /msg RRSAgent help
23:00:01 [Zakim]
23:00:03 [ekr]
rrsagent, create minutes
23:00:03 [RRSAgent]
I have made the request to generate ekr
23:00:35 [ekr]
rrsagent, please make logs public
23:04:07 [Zakim]
23:05:42 [Zakim]
23:05:46 [jrossi]
jrossi has left #webappsec
23:06:42 [Zakim]
23:06:43 [Zakim]
SEC_WASWG()5:00PM has ended
23:06:43 [Zakim]
Attendees were abarth, bhill2, +1.408.320.aaaa, +1.650.678.aabb, +1.310.597.aacc, +1.310.597.aadd, puhley, +1.310.597.aaee, [Microsoft], linshunghuang, gioma1, +1.831.246.aaff,
23:06:43 [Zakim]
... dveditz
23:11:56 [abarth]
abarth has joined #webappsec
23:37:31 [ekr]
ekr has joined #webappsec