21:51:41 RRSAgent has joined #webappsec
21:51:41 logging to http://www.w3.org/2012/02/28-webappsec-irc
21:51:49 Zakim has joined #webappsec
21:52:21 zakim, this will be 92794
21:52:21 ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 8 minutes
21:57:44 SEC_WASWG()5:00PM has now started
21:57:51 +abarth
21:59:23 linshunghuang has joined #webappsec
21:59:43 +bhill2
22:00:18 + +1.408.320.aaaa
22:01:19 bhill2 has joined #webappsec
22:03:15 + +1.650.678.aabb
22:04:12 + +1.310.597.aacc
22:04:16 bhill21 has joined #webappsec
22:04:21 gioma1 has joined #webappsec
22:04:27 - +1.310.597.aacc
22:04:33 abarth has joined #webappsec
22:04:52 + +1.310.597.aadd
22:05:10 Zakim: who is on the call?
22:05:17 - +1.310.597.aadd
22:05:27 +puhley
22:05:50 + +1.310.597.aaee
22:06:33 +[Microsoft]
22:06:47 jrossi has joined #webappsec
22:06:56 zakim, i am aaaa
22:06:56 +linshunghuang; got it
22:07:05 bhill2 has joined #webappsec
22:07:09 agenda is: http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0052.html
22:07:19 +??P7
22:08:11 Zakim, +??P7 is gioma1
22:08:11 sorry, gioma1, I do not recognize a party named '+??P7'
22:08:19 ekr has joined #webappsec
22:08:19 Zakim, ??P7 is gioma1
22:08:19 +gioma1; got it
22:08:40 dveditz has joined #webappsec
22:09:01 bhill21 has joined #webappsec
22:09:06 i'm here
22:09:17 and on IRC
22:09:56 bhill22 has joined #webappsec
22:09:57 + +1.831.246.aaff
22:10:09 Tanvi has joined #webappsec
22:10:15 zakim: I am aaff
22:10:49 zakim, i am aaff
22:10:49 +dveditz; got it
22:10:49 zakim, who is here?
22:10:50 On the phone I see abarth, bhill2, linshunghuang, +1.650.678.aabb, puhley, +1.310.597.aaee, [Microsoft], gioma1, dveditz
22:10:50 On IRC I see Tanvi, bhill22, bhill21, dveditz, ekr, jrossi, abarth, gioma1, linshunghuang, Zakim, RRSAgent, trackbot
22:11:35 ekr: published minutes, approve?
22:11:49 ekr: resolved approved
22:12:39 bhill2 has joined #webappsec
22:13:02 bhill21: action 20 still waiting
22:13:24 abarth: will keep action 35
22:14:10 puhley has joined #webappsec
22:15:51 bhill2 has joined #webappsec
22:18:12 bhill21 has joined #webappsec
22:18:31 I will share evaluation of anti-clickjacking proposals when possible
22:19:29 puhley: would like to share Adobe's info, looking for a place to put it
22:20:37 puhley: some details .. issues with screen scraping and sandbox...
22:21:29 puhley: will work on documenting
22:22:13 bhill21: action 49 followed up and issue closed
22:22:31 bhill2 has joined #webappsec
22:23:35 abarth: no objections action 44, done
22:25:34 ekr: is CORS ready to move? not much problem, should move forward
22:25:51 ACTION, bhill2 to email tlr to send CORS to LC
22:26:08 ACTION: bhill2 to email tlr to send CORS to LC
22:26:08 Created ACTION-52 - Email tlr to send CORS to LC [on Brad Hill - due 2012-03-06].
22:26:11 bhill21 has joined #webappsec
22:26:57 abarth: sent issue to mailing list about policy-uri, 2 pro 1 con
22:28:06 abarth: cited yahoo yslow, policy-uri will make the web slow
22:29:25 abarth: surveyed deployment of policy-uri, only one site was using it
22:30:58 puhley: centralized policy file sometimes easier to maintain
22:31:51 bhill2 has joined #webappsec
22:32:15 bhill: uri could be local resource, not network request
22:33:45 dan: worried if killing it, complex sites that actually need it can't use CSP easily
22:35:49 dan: long headers might hit performance
22:36:19 abarth: meta headers (compressed) address the issue
22:38:45 dan: possibility to inject before meta tag...
22:38:57 abarth: meta tag takes effect when injected.. ?
22:40:09 abarth: should convince them to move it earlier in the bootup
22:42:58 dan: other commercial sites (other than google) might need it? .. talk about it in 1.1?
22:44:01 abarth & dan: can live with either way
22:45:27 jrossi: no strong opinion, would think about how to guide developers if implemented
22:45:50 have enough people adopted CSP for us to know whether or not the policy-uri is a useful feature?
22:46:16 it may well be helpful for companies that are having trouble adopting CSP, and hence haven't adopted yet
22:46:56 does chrome currently support policy-uri?
22:47:01 puhley: personally not aware of huge performance issue for Flash for extra RTT
22:47:23 *i am at bsides, hence on mute; very loud here*
22:48:50 ACTION: erescorl to do straw poll on the list about policy-uri for CSP 1.0/1.1 question
22:48:51 Created ACTION-53 - Do straw poll on the list about policy-uri for CSP 1.0/1.1 question [on Eric Rescorla - due 2012-03-06].
22:50:55 abarth: remove sensitive information on report-uri?
22:51:50 abarth: same origin was too strict
22:53:04 abarth: often in header injection, the referer is the attacker
22:54:42 dan: if different user got different CSP, attacker might reveal some info? a bit far fetched
22:54:53 dan: never mind
22:56:26 ekr: question of CSP and cross frame communication? is it a problem?
22:58:26 - +1.650.678.aabb
22:58:27 -dveditz
22:58:29 - +1.310.597.aaee
22:58:35 -puhley
22:59:23 -bhill2
22:59:54 rrsagent, stop log
22:59:54 I'm logging. I don't understand 'stop log', ekr. Try /msg RRSAgent help
23:00:01 -gioma1
23:00:03 rrsagent, create minutes
23:00:03 I have made the request to generate http://www.w3.org/2012/02/28-webappsec-minutes.html ekr
23:00:35 rrsagent, please make logs public
23:04:07 -linshunghuang
23:05:42 -[Microsoft]
23:05:46 jrossi has left #webappsec
23:06:42 -abarth
23:06:43 SEC_WASWG()5:00PM has ended
23:06:43 Attendees were abarth, bhill2, +1.408.320.aaaa, +1.650.678.aabb, +1.310.597.aacc, +1.310.597.aadd, puhley, +1.310.597.aaee, [Microsoft], linshunghuang, gioma1, +1.831.246.aaff,
23:06:43 ... dveditz
23:11:56 abarth has joined #webappsec
23:37:31 ekr has joined #webappsec