IRC log of webappsec on 2012-04-10

Timestamps are in UTC.

21:00:03 [RRSAgent]
RRSAgent has joined #webappsec
21:00:03 [RRSAgent]
logging to
21:00:12 [bhill21]
zakim this will be 92794
21:00:20 [bhill21]
zakim, this is 92794
21:00:20 [Zakim]
ok, bhill21; that matches SEC_WASWG()5:00PM
21:00:26 [bhill21]
rrsagent begin
21:00:34 [bhill21]
rrsagent, begin
21:00:53 [bhill21]
Meeting: WebAppSec WG Teleconference, April 10, 2012
21:00:59 [bhill21]
Chair: bhill2, ekr
21:01:24 [Zakim]
+ +1.650.648.aaee
21:01:26 [gioma1]
Zakim, ??P6 is gioma1
21:01:26 [Zakim]
+gioma1; got it
21:01:53 [abarth]
abarth has joined #webappsec
21:01:55 [Zakim]
+ +1.503.712.aaff
21:02:07 [bhill21]
zakim, who is here?
21:02:07 [Zakim]
On the phone I see +1.978.944.aaaa, +1.303.229.aabb, +1.650.678.aacc, +1.866.317.aadd, Joseph_Scheuhammer, gioma1, +1.650.648.aaee, +1.503.712.aaff
21:02:10 [Zakim]
On IRC I see abarth, RRSAgent, Zakim, ekr, bhill21, jeffh, tanvi1, EC, gioma1, dveditz, bhill2, anne, trackbot
21:02:13 [bhill21]
zakim, aabb is bhill2
21:02:13 [Zakim]
+bhill2; got it
21:02:28 [abarth]
Zakim, aaee is abarth
21:02:28 [Zakim]
+abarth; got it
21:02:51 [bhill21]
zakim, aaff is rware
21:02:51 [Zakim]
+rware; got it
21:02:57 [tanvi]
tanvi has joined #webappsec
21:04:15 [Zakim]
+ +1.831.246.aagg
21:04:48 [bhill21]
scribenick: ekr
21:05:21 [bhill21]
zakim, who is here
21:05:21 [Zakim]
bhill21, you need to end that query with '?'
21:05:26 [bhill21]
zakim, who is here?
21:05:26 [Zakim]
On the phone I see +1.978.944.aaaa, bhill2, +1.650.678.aacc, +1.866.317.aadd, Joseph_Scheuhammer, gioma1, abarth, rware, [Mozilla], +1.831.246.aagg
21:05:28 [Zakim]
On IRC I see tanvi, abarth, RRSAgent, Zakim, ekr, bhill21, jeffh, EC, gioma1, dveditz, bhill2, anne, trackbot
21:05:28 [Zakim]
+ +1.425.865.aahh
21:05:56 [dveditz]
Zakim, dveditz is aagg
21:05:56 [Zakim]
sorry, dveditz, I do not recognize a party named 'dveditz'
21:06:08 [ekr]
zakim, aagg is dveditz
21:06:08 [Zakim]
+dveditz; got it
21:06:09 [dveditz]
Zakim, aagg is dveditz
21:06:09 [Zakim]
sorry, dveditz, I do not recognize a party named 'aagg'
21:06:10 [jrossi]
jrossi has joined #webappsec
21:06:57 [jrossi]
scribenick: jrossi
21:07:46 [cory]
cory has joined #webappsec
21:07:59 [jrossi]
topic: last call's minutes
21:08:14 [jrossi]
bhill: any objections to approval?
21:08:24 [jrossi]
bhill: no objections, minutes approved
21:08:48 [jrossi]
topic: F2F at TPAC
21:09:08 [jrossi]
bhill: This year it is in France. W3C wants to know if WebAppSec should meet.
21:09:21 [jrossi]
bhill: provide input on whether folks will be able to attend
21:09:27 [jrossi]
bhill: still having our F2F in May
21:09:45 [jrossi]
topic: CORS published LCWD
21:09:54 [jrossi]
bhill: This triggers a new call for exclusions.
21:11:43 [Zakim]
- +1.978.944.aaaa
21:13:42 [jrossi]
topic: Report on IETF 83 in Paris
21:14:12 [jrossi]
jeffh: Sent mail to list with updates from IETF 83
21:14:31 [keeler]
keeler has joined #webappsec
21:15:19 [Zakim]
+ +1.781.218.aaii
21:15:30 [jrossi]
jeffh: review presentations for your information (links in mail)
21:16:23 [gopal]
gopal has joined #webappsec
21:17:24 [jrossi]
jeffh: WebSec WG's HSTS spec is in WG Last Call, comments received, no showstoppers
21:17:35 [gopal]
present+ gopal
21:17:54 [jrossi]
jeffh: IAB Tech Plenary presentations (slides and PDFs included here:
21:18:30 [jrossi]
jeffh: work on a new DNS API, one that accommodates async operations
21:19:14 [jrossi]
jeffh: PKIX revocation and SSL Replacements/Enhancements
21:20:45 [jrossi]
jeffh: HTTPbis, provide comments on HTTP/1.1, parts 4-7 in WG LC, parts 1-3 entering WG LC soon
21:21:36 [jrossi]
jeffh: entertaining proposals for an HTTP 2.0, firm rechartering this summer where the proposal has been nailed down
21:21:52 [jrossi]
jeffh: process/requirements gathering at
21:22:19 [jrossi]
jeffh: Mark Nottingham's overview of process & reqs is worth reviewing ( )
21:22:37 [jrossi]
jeffh: 3 proposals were presented, SPDY, HTTP Speed+Mobility, and WAKA
21:25:31 [Zakim]
+ +1.614.465.aajj
21:25:38 [Zakim]
+ +1.415.596.aakk
21:25:51 [gopal]
gopal has joined #webappsec
21:26:46 [puhley]
puhley has joined #webappsec
21:28:53 [bhill21]
various rumblings about fixing the "" problem at IETF.. possibly in a new list or discussion area
21:29:23 [jrossi]
topic: Reviewing open tracker actions
21:29:34 [trackbot]
ACTION-20 -- Brad Hill to liaise with widgets activity on policy placeholder for widgets -- due 2012-05-15 -- OPEN
21:29:44 [jrossi]
21:29:45 [trackbot]
ACTION-35 -- Adam Barth to add advice for server operators about combining policies -- due 2012-03-13 -- OPEN
21:29:57 [jeffh]
see also: dra-sullivan-zone-policy-assertions-01
21:30:01 [jrossi]
bhill: hasn't been touched lately, need to find a new owner?
21:30:16 [jrossi]
abarth: if this is the last thing to do, i can do this
21:30:24 [jrossi]
bhill: will evaluate after the call
21:30:28 [jrossi]
21:30:28 [trackbot]
ACTION-36 -- David Huang to copy clicking jacking info to wiki and email list -- due 2012-03-13 -- OPEN
21:30:28 [trackbot]
21:30:37 [jrossi]
bhill: will close this
21:31:02 [jrossi]
21:31:02 [trackbot]
ACTION-51 -- Jeff Hodges to review CORS new sec cons language and provide editorial fixes -- due 2012-03-25 -- OPEN
21:31:17 [jrossi]
bhill: generally in the phase of providing last call comments for CORS
21:31:40 [jrossi]
bhill: think we should pay special attention to this one
21:31:58 [jrossi]
bhill: CORS has a security model for the developer that's easy to misunderstand
21:32:19 [jrossi]
bhill: good idea to make sure we make the right comments and the spec is clear to browser authors and the other audiences who will use this
21:32:45 [jrossi]
bhill: this action is on Jeff, but everyone should review
21:33:33 [jrossi]
21:33:33 [trackbot]
ACTION-56 -- Adam Barth to remove policy-uri directive -- due 2012-04-10 -- OPEN
21:33:39 [jrossi]
bhill: is that complete?
21:33:42 [jrossi]
abarth: yes
21:34:15 [jrossi]
action-54 will follow up with adam, item later to talk about action-55
21:34:30 [jrossi]
topic: META tag support
21:34:38 [jrossi]
bhill: discussion on list about keeping/removing
21:34:43 [jrossi]
bhill: resolved to remove from spec
21:35:04 [jrossi]
bhill: any particular opinions or data points we didn't hear on the mailing list?
21:35:43 [jrossi]
tanvi: at Mozilla we feel we don't want to muddle the policy that determines what's in the HTML document to also be in the HTML document
21:35:52 [jrossi]
tanvi: this is why we don't like the idea of the META tag
21:36:20 [jrossi]
tanvi: at the same time, understand that pages may wish to dynamically apply the policy after loading content
21:36:29 [jrossi]
abarth: sounds like a good thing to consider in the 1.1 version of the spec
21:36:32 [jrossi]
tanvi: I agree
21:36:43 [jrossi]
bhill: probably should put on agenda for F2F to talk about use cases
21:37:07 [jrossi]
topic: Header definitions have cross-responsibility between IETF/W3C
21:37:26 [jrossi]
bhill: fine to keep working on here since it's relevant to other topics related to W3C work
21:37:39 [jrossi]
bhill: abarth has volunteered to take that up and provide a draft
21:38:17 [jrossi]
action: abarth to cross-post proposal to HTTP and WebSec WG at IETF
21:38:17 [trackbot]
Created ACTION-57 - Cross-post proposal to HTTP and WebSec WG at IETF [on Adam Barth - due 2012-04-17].
21:39:42 [jrossi]
topic: Sandbox directive
21:40:06 [jrossi]
bhill: IE has implementation, WebKit has the HTML implementation
21:40:20 [jrossi]
abarth: sandbox directive is implemented in CSP implementation in WebKit
21:40:28 [jrossi]
bhill: tanvi, is Mozilla working on it?
21:40:45 [jrossi]
tanvi: working on iframe sandbox, not complete yet, hopefully will land in a month or so (won't be out for a few more months)
21:40:55 [jrossi]
bhill: would mozilla be agreeable to including it in CSP?
21:41:57 [jeffh]
who's speaking ?
21:42:56 [jrossi]
I am
21:43:50 [jeffh]
so jrossi querying dveditz wrt support for iFrame sandbox, yes?
21:45:08 [jeffh]
dveditz: moz wanting to push iFrame sandbox to CSP 1.1
21:45:58 [jeffh]
jrossi: arguing for including it in CSP 1.0, other browsers support it already, so need it documented/spec'd to avoid interop issues in future
21:47:48 [jeffh]
bhill: (summarizing) keep iFrame sandbox in spec for now, have more detailed discussion on list
21:48:30 [jeffh]
jrossi: "sandbox" is more general than just on an iFrame, can be top-level page -- so let's keep it in spec for now, have more discussion on list
21:48:42 [jeffh]
scribe back to u jrossi ?
21:48:51 [jrossi]
topic: agenda for May F2F topics
21:49:01 [jrossi]
bhill: very close to LC for CSP 1.0
21:49:20 [jrossi]
bhill: hopefully be ready to finish discussion on sandbox and have a LC draft shortly following
21:49:27 [jrossi]
bhill: then move directly into 1.1
21:49:42 [jrossi]
bhill: objections to discussing CSP 1.1 and next objectives at F2F?
21:49:50 [jrossi]
bhill: no objections
21:50:32 [jrossi]
bhill: more info on clickjacking threats, propose taking time to discuss further whether we can turn this into a spec, etc... objections/suggestions on anti-clickjacking agenda items?
21:51:01 [jrossi]
bhill: big challenge left in group is getting good test cases
21:51:54 [jrossi]
bhill: people interested in taking a significant chunk of time to do a "live hackathon" to work together on some test case momentum?
21:52:06 [jrossi]
gopal: think this is a great idea
21:53:20 [jrossi]
bhill: encourage everyone to bring laptops and come ready to code then
21:53:56 [jrossi]
bhill: any additional agenda items for next F2F?
21:54:01 [jrossi]
bhill: no suggestions
21:58:05 [Zakim]
- +1.415.596.aakk
21:58:07 [Zakim]
- +1.866.317.aadd
21:58:09 [Zakim]
- +1.781.218.aaii
21:58:11 [Zakim]
- +1.425.865.aahh
21:58:12 [Zakim]
- +1.614.465.aajj
21:58:12 [Zakim]
- +1.650.678.aacc
21:58:38 [bhill21]
zakim, list attendees
21:58:38 [Zakim]
As of this point the attendees have been +1.978.944.aaaa, +1.303.229.aabb, Joseph_Scheuhammer, +1.650.678.aacc, +1.866.317.aadd, +1.650.648.aaee, gioma1, +1.503.712.aaff, bhill2,
21:58:41 [Zakim]
... abarth, [Mozilla], rware, +1.831.246.aagg, +1.425.865.aahh, [Microsoft], dveditz, +1.781.218.aaii, +1.614.465.aajj, +1.415.596.aakk
21:58:44 [bhill21]
rrsagent, set logs public-visible
21:58:50 [bhill21]
rrsagent, make minutes
21:58:50 [RRSAgent]
I have made the request to generate bhill21
21:58:56 [bhill21]
rrsagent, set logs public-visible
21:59:05 [bhill21]
thanks, all
21:59:12 [Zakim]
SEC_WASWG()5:00PM has ended
21:59:12 [Zakim]
Attendees were +1.978.944.aaaa, +1.303.229.aabb, Joseph_Scheuhammer, +1.650.678.aacc, +1.866.317.aadd, +1.650.648.aaee, gioma1, +1.503.712.aaff, bhill2, abarth, [Mozilla], rware,
21:59:12 [Zakim]
... +1.831.246.aagg, +1.425.865.aahh, [Microsoft], dveditz, +1.781.218.aaii, +1.614.465.aajj, +1.415.596.aakk
22:00:53 [puhley]
puhley has left #webappsec
22:09:49 [tanvi1]
tanvi1 has joined #webappsec
22:30:02 [gopal]
gopal has joined #webappsec
22:49:16 [tanvi]
tanvi has joined #webappsec
23:17:40 [gopal]
gopal has joined #webappsec
23:18:45 [bhill2]
bhill2 has left #webappsec
23:26:53 [bhill21]
bhill21 has left #webappsec
23:48:55 [bhill2]
bhill2 has joined #webappsec