See also: IRC log
<abarth> Zakim: who is on the call?
<bhill2> agenda is: http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0052.html
<abarth> i'm here
<jrossi> and on IRC
<dveditz> zakim: I am aaff
ekr: published minutes, approve?
... resolved approved
bhill21: action 20 still waiting
abarth: will keep action 35
I will share evaluation of anti-clickjacking proposals when possible
puhley: would like to share Adobe's info, looking for a place to put it
... some details .. issues with screen scraping and sandbox...
... will work on documenting
bhill21: action 49 followed up and issue closed
abarth: no objections action 44, done
ekr: is cors ready to move? not much problem, should move forward
RESOLVED: CORS ready to move to Last Call
<ekr> ACTION, bhill2 to email tlr to send CORS to LC
<ekr> ACTION: bhill2 to email tlr to send CORS to LC [recorded in http://www.w3.org/2012/02/28-webappsec-minutes.html#action01]
<trackbot> Created ACTION-52 - Email tlr to send CORS to LC [on Brad Hill - due 2012-03-06].
abarth: sent issue to mailing list about policy-uri, 2 pro 1 con
... cited yahoo yslow, policy-uri will make the web slow
... surveyed deployment of policy-uri, only one site was using it
puhley: centralized policy file sometimes easier to maintain
bhill: uri could be local resource, not network request
dan: worried if killing it, complex sites that actually need it can't use CSP easily
... long headers might hit performance
abarth: meta headers (compressed) addresses the issue
dan: possibility to inject before meta tag...
abarth: meta tag takes effect when injected.. ?
... should convince them to move it earlier in the bootup
dan: other commercial sites (other than google) might need it? .. talk about it in 1.1?
abarth & dan: can live with either way
jrossi: no strong opinion, would think about how to guide developers if implemented
<Tanvi> have enough people adopted CSP for us to know whether or not the policy-uri is a useful feature?
<Tanvi> it may well be helpful for companies that are having trouble adopting CSP, and hence haven't adopted yet
<Tanvi> does chrome currently support policy-uri?
puhley: personally not aware of huge performance issue for Flash for extra RTT
<Tanvi> *i am at bsides, hence on mute; very loud here*
<ekr> ACTION: erescorl to do straw poll on the list about policy-uri for CSP 1.0/1.1 question [recorded in http://www.w3.org/2012/02/28-webappsec-minutes.html#action02]
<trackbot> Created ACTION-53 - Do straw poll on the list about policy-uri for CSP 1.0/1.1 question [on Eric Rescorla - due 2012-03-06].
abarth: remove sensitive information on report-uri?
... same origin was too strict
... often in header injection, the referer is the attacker
dan: if different user got different CSP, attacker might reveal some info? a bit far-fetched
... nevermind
ekr: question of csp and cross frame communication? is it a problem?