IRC log of webappsec on 2012-02-28
Timestamps are in UTC.
- 21:51:41 [RRSAgent]
- RRSAgent has joined #webappsec
- 21:51:41 [RRSAgent]
- logging to http://www.w3.org/2012/02/28-webappsec-irc
- 21:51:49 [Zakim]
- Zakim has joined #webappsec
- 21:52:21 [bhill2]
- zakim, this will be 92794
- 21:52:21 [Zakim]
- ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 8 minutes
- 21:57:44 [Zakim]
- SEC_WASWG()5:00PM has now started
- 21:57:51 [Zakim]
- +abarth
- 21:59:23 [linshunghuang]
- linshunghuang has joined #webappsec
- 21:59:43 [Zakim]
- +bhill2
- 22:00:18 [Zakim]
- + +1.408.320.aaaa
- 22:01:19 [bhill2]
- bhill2 has joined #webappsec
- 22:03:15 [Zakim]
- + +1.650.678.aabb
- 22:04:12 [Zakim]
- + +1.310.597.aacc
- 22:04:16 [bhill21]
- bhill21 has joined #webappsec
- 22:04:21 [gioma1]
- gioma1 has joined #webappsec
- 22:04:27 [Zakim]
- - +1.310.597.aacc
- 22:04:33 [abarth]
- abarth has joined #webappsec
- 22:04:52 [Zakim]
- + +1.310.597.aadd
- 22:05:10 [abarth]
- Zakim: who is on the call?
- 22:05:17 [Zakim]
- - +1.310.597.aadd
- 22:05:27 [Zakim]
- +puhley
- 22:05:50 [Zakim]
- + +1.310.597.aaee
- 22:06:33 [Zakim]
- +[Microsoft]
- 22:06:47 [jrossi]
- jrossi has joined #webappsec
- 22:06:56 [linshunghuang]
- zakim, i am aaaa
- 22:06:56 [Zakim]
- +linshunghuang; got it
- 22:07:05 [bhill2]
- bhill2 has joined #webappsec
- 22:07:09 [bhill2]
- agenda is: http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0052.html
- 22:07:19 [Zakim]
- +??P7
- 22:08:11 [gioma1]
- Zakim, +??P7 is gioma1
- 22:08:11 [Zakim]
- sorry, gioma1, I do not recognize a party named '+??P7'
- 22:08:19 [ekr]
- ekr has joined #webappsec
- 22:08:19 [gioma1]
- Zakim, ??P7 is gioma1
- 22:08:19 [Zakim]
- +gioma1; got it
- 22:08:40 [dveditz]
- dveditz has joined #webappsec
- 22:09:01 [bhill21]
- bhill21 has joined #webappsec
- 22:09:06 [abarth]
- i'm here
- 22:09:17 [jrossi]
- and on IRC
- 22:09:56 [bhill22]
- bhill22 has joined #webappsec
- 22:09:57 [Zakim]
- + +1.831.246.aaff
- 22:10:09 [Tanvi]
- Tanvi has joined #webappsec
- 22:10:15 [dveditz]
- zakim: I am aaff
- 22:10:49 [dveditz]
- zakim, i am aaff
- 22:10:49 [Zakim]
- +dveditz; got it
- 22:10:49 [ekr]
- zakim, who is here?
- 22:10:50 [Zakim]
- On the phone I see abarth, bhill2, linshunghuang, +1.650.678.aabb, puhley, +1.310.597.aaee, [Microsoft], gioma1, dveditz
- 22:10:50 [Zakim]
- On IRC I see Tanvi, bhill22, bhill21, dveditz, ekr, jrossi, abarth, gioma1, linshunghuang, Zakim, RRSAgent, trackbot
- 22:11:35 [linshunghuang]
- ekr: published minutes, approve?
- 22:11:49 [linshunghuang]
- ekr: resolved approved
- 22:12:39 [bhill2]
- bhill2 has joined #webappsec
- 22:13:02 [linshunghuang]
- bhill21: action 20 still waiting
- 22:13:24 [linshunghuang]
- abarth: will keep action 35
- 22:14:10 [puhley]
- puhley has joined #webappsec
- 22:15:51 [bhill2]
- bhill2 has joined #webappsec
- 22:18:12 [bhill21]
- bhill21 has joined #webappsec
- 22:18:31 [linshunghuang]
- I will share evaluation of anti-clickjacking proposals when possible
- 22:19:29 [linshunghuang]
- puhley: would like to share Adobe's info, looking for a place to put it
- 22:20:37 [linshunghuang]
- puhley: some details .. issues with screen scraping and sandbox...
- 22:21:29 [linshunghuang]
- puhley: will work on documenting
- 22:22:13 [linshunghuang]
- bhill21: action 49 followed up and issue closed
- 22:22:31 [bhill2]
- bhill2 has joined #webappsec
- 22:23:35 [linshunghuang]
- abarth: no objections action 44, done
- 22:25:34 [linshunghuang]
- ekr: is cors ready to move? not much problem, should move forward
- 22:25:51 [ekr]
- ACTION, bhill2 to email tlr to send CORS to LC
- 22:26:08 [ekr]
- ACTION: bhill2 to email tlr to send CORS to LC
- 22:26:08 [trackbot]
- Created ACTION-52 - Email tlr to send CORS to LC [on Brad Hill - due 2012-03-06].
- 22:26:11 [bhill21]
- bhill21 has joined #webappsec
- 22:26:57 [linshunghuang]
- abarth: sent issue to mailing list about policy-uri, 2 pro 1 con
- 22:28:06 [linshunghuang]
- abarth: cited yahoo yslow, policy-uri will make the web slow
- 22:29:25 [linshunghuang]
- abarth: surveyed deployment of policy-uri, only one site was using it
- 22:30:58 [linshunghuang]
- puhley: centralized policy file sometimes easier to maintain
- 22:31:51 [bhill2]
- bhill2 has joined #webappsec
- 22:32:15 [linshunghuang]
- bhill: uri could be local resource, not network request
- 22:33:45 [linshunghuang]
- dan: worried if killing it, complex sites that actually need it can't use CSP easily
- 22:35:49 [linshunghuang]
- dan: long headers might hit performance
- 22:36:19 [linshunghuang]
- abarth: meta headers (compressed) addresses the issue
- 22:38:45 [linshunghuang]
- dan: possibility to inject before meta tag...
- 22:38:57 [linshunghuang]
- abarth: meta tag takes effect when injected.. ?
- 22:40:09 [linshunghuang]
- abarth: should convince them to move it earlier in the bootup
- 22:42:58 [linshunghuang]
- dan: other commercial sites (other than google) might need it? .. talk about it in 1.1?
- 22:44:01 [linshunghuang]
- abarth & dan: can live with either way
- 22:45:27 [linshunghuang]
- jrossi: no strong opinion, would think about how to guide developers if implemented
- 22:45:50 [Tanvi]
- have enough people adopted CSP for us to know whether or not the policy-uri is a useful feature?
- 22:46:16 [Tanvi]
- it may well be helpful for companies that are having trouble adopting CSP, and hence haven't adopted yet
- 22:46:56 [Tanvi]
- does chrome currently support policy-uri?
- 22:47:01 [linshunghuang]
- puhley: personally not aware of huge performance issue for Flash for extra RTT
- 22:47:23 [Tanvi]
- *i am at bsides, hence on mute; very loud here*
- 22:48:50 [ekr]
- ACTION: erescorl to do straw poll on the list about policy-uri for CSP 1.0/1.1 question
- 22:48:51 [trackbot]
- Created ACTION-53 - Do straw poll on the list about policy-uri for CSP 1.0/1.1 question [on Eric Rescorla - due 2012-03-06].
- 22:50:55 [linshunghuang]
- abarth: remove sensitive information on report-uri?
- 22:51:50 [linshunghuang]
- abarth: same origin was too strict
- 22:53:04 [linshunghuang]
- abarth: often in header injection, the referer is the attacker
- 22:54:42 [linshunghuang]
- dan: if different user got different CSP, attacker might reveal some info? a bit far-fetched
- 22:54:53 [linshunghuang]
- dan: nevermind
- 22:56:26 [linshunghuang]
- ekr: question of csp and cross frame communication? is it a problem?
- 22:58:26 [Zakim]
- - +1.650.678.aabb
- 22:58:27 [Zakim]
- -dveditz
- 22:58:29 [Zakim]
- - +1.310.597.aaee
- 22:58:35 [Zakim]
- -puhley
- 22:59:23 [Zakim]
- -bhill2
- 22:59:54 [ekr]
- rrsagent, stop log
- 22:59:54 [RRSAgent]
- I'm logging. I don't understand 'stop log', ekr. Try /msg RRSAgent help
- 23:00:01 [Zakim]
- -gioma1
- 23:00:03 [ekr]
- rrsagent, create minutes
- 23:00:03 [RRSAgent]
- I have made the request to generate http://www.w3.org/2012/02/28-webappsec-minutes.html ekr
- 23:00:35 [ekr]
- rrsagent, please make logs public
- 23:04:07 [Zakim]
- -linshunghuang
- 23:05:42 [Zakim]
- -[Microsoft]
- 23:05:46 [jrossi]
- jrossi has left #webappsec
- 23:06:42 [Zakim]
- -abarth
- 23:06:43 [Zakim]
- SEC_WASWG()5:00PM has ended
- 23:06:43 [Zakim]
- Attendees were abarth, bhill2, +1.408.320.aaaa, +1.650.678.aabb, +1.310.597.aacc, +1.310.597.aadd, puhley, +1.310.597.aaee, [Microsoft], linshunghuang, gioma1, +1.831.246.aaff,
- 23:06:43 [Zakim]
- ... dveditz
- 23:11:56 [abarth]
- abarth has joined #webappsec
- 23:37:31 [ekr]
- ekr has joined #webappsec