WebAppSec WG Teleconference, April 10, 2012

10 Apr 2012


See also: IRC log


Present: +1.978.944.aaaa, +1.303.229.aabb, Joseph_Scheuhammer, +1.650.678.aacc, +1.866.317.aadd, +1.650.648.aaee, gioma1, +1.503.712.aaff, bhill2, abarth, [Mozilla], rware, +1.831.246.aagg, +1.425.865.aahh, [Microsoft], dveditz, +1.781.218.aaii, +1.614.465.aajj, +1.415.596.aakk, gopal
Chair: bhill2, ekr
Scribe: ekr, jrossi


<bhill21> zakim this will be 92794

<bhill21> rrsagent begin

<bhill21> scribenick: ekr

<jrossi> scribenick: jrossi

last call's minutes

bhill: any objections to approval?
... no objections, minutes approved


bhill: This is year in France. W3C wants to know if WebAppSec should meet.
... provide input on whether folks will be able to attend
... still having our F2F in May

CORS published LCWD

bhill: This triggers a new call for exclusions.

Report on IETF 83 in Paris

jeffh: Sent mail to list with updates from IETF 83
... review presentations for your information (links in mail)


jeffh: WebSec WG's HSTS spec is in WG Last Call, comments received, no showstoppers
... IAB Tech Plenary presentations (slides and PDFs included here: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0011.html)
... work on a new DNS API, one that accommodates async operations
... PKIX revocation and SSL Replacements/Enhancements
... HTTPbis, provide comments on HTTP/1.1, parts 4-7 in WG LC, parts 1-3 entering WG LC soon
... entertaining proposals for an HTTP 2.0, firm rechartering this summer where the proposal has been nailed down
... process/requirements gathering at http://bit.ly/http2reqs
... Mark Nottingham's overview of process & reqs is worth reviewing ( https://www.ietf.org/proceedings/83/slides/slides-83-httpbis-6.pdf )
... 3 proposals were presented, SPDY, HTTP Speed+Mobility, and WAKA

<bhill21> http://tools.ietf.org/html/draft-pettersen-subtld-structure-09

<bhill21> various rumblings about fixing the "publicsuffix.org" problem at IETF, possibly in a new list or discussion area

<bhill21> https://www.w3.org/2011/webappsec/track/actions/open

Reviewing open tracker actions


<trackbot> ACTION-20 -- Brad Hill to liaison with widgets activity on policy placeholder for widgets -- due 2012-05-15 -- OPEN

<trackbot> http://www.w3.org/2011/webappsec/track/actions/20


<trackbot> ACTION-35 -- Adam Barth to add advice for server operators about combining policies -- due 2012-03-13 -- OPEN

<trackbot> http://www.w3.org/2011/webappsec/track/actions/35

<jeffh> see also: dra-sullivan-zone-policy-assertions-01

bhill: hasn't been touched lately, need to find a new owner?

abarth: if this is the last thing to do, i can do this

bhill: will evaluate after the call


<trackbot> ACTION-36 -- David Huang to copy clicking jacking info to wiki and email list -- due 2012-03-13 -- OPEN

<trackbot> http://www.w3.org/2011/webappsec/track/actions/36

bhill: will close this


<trackbot> ACTION-51 -- Jeff Hodges to review CORS new sec cons language and provide editorial fixes -- due 2012-03-25 -- OPEN

<trackbot> http://www.w3.org/2011/webappsec/track/actions/51

bhill: generally in the phase of providing last call comments for CORS
... think we should pay special attention to this one
... CORS has a security model for the developer that's easy to misunderstand
... good idea to make sure we make the right comments and the spec is clear to browser authors and the other audiences who will use this
... this action is on Jeff, but everyone should review


<trackbot> ACTION-56 -- Adam Barth to remove policy-uri directive -- due 2012-04-10 -- OPEN

<trackbot> http://www.w3.org/2011/webappsec/track/actions/56

bhill: is that complete?

abarth: yes

action-54 will follow up with adam, item later to talk about action-55

META tag support

bhill: discussion on list about keeping/removing
... resolved to remove from spec
... any particular opinions or data points we didn't hear on the mailing list?

tanvi: at Mozilla we feel we don't want to muddle the policy that determines what's in the HTML document to also be in the HTML document
... this is why we don't like the idea of the META tag
... at the same time, understand that pages may wish to dynamically apply the policy after loading content

abarth: sounds like a good thing to consider in the 1.1 version of the spec

tanvi: I agree

bhill: probably should put on agenda for F2F to talk about use cases

Header definitions have cross-responsibility between IETF/W3C

bhill: fine to keep working on here since it's relevant to other topics related to W3C work
... abarth has volunteered to take that up and provide a draft

<bhill21> http://dvcs.w3.org/hg/content-security-policy/rev/91163bbd2daf

<scribe> ACTION: abarth to cross-post proposal to HTTP and WebSec WG at IETF [recorded in http://www.w3.org/2012/04/10-webappsec-minutes.html#action01]

<trackbot> Created ACTION-57 - Cross-post proposal to HTTP and WebSec WG at IETF [on Adam Barth - due 2012-04-17].

Sandbox directive

bhill: IE has implementation, WebKit has the HTML implementation

abarth: sandbox directive is implemented in CSP implementation in WebKit

bhill: tanvi, is Mozilla working on it?

tanvi: working on iframe sandbox, not complete yet, hopefully will land in a month or so (won't be out for a few more months)

bhill: would mozilla be agreeable to including it in CSP?

<jeffh> who's speaking ?

I am

<jeffh> so jrossi querying dveditz wrt support for iFrame sandbox, yes?


<jeffh> dveditz: moz wanting to push iFrame sandbox to CSP 1.1

<jeffh> jrossi: arguing for including it in CSP 1.0, other browsers support it already, so need it documented/spec'd to avoid interop issues in future

<jeffh> bhill: (summarizing) keep iFrame sandbox in spec for now, have more detailed discussion on list

<jeffh> jrossi: "sandbox" is more general than just on an iFrame, can be top-level page -- so let's keep it in spec for now, have more discussion on list

<jeffh> scribe back to u jrossi ?

agenda for May F2F topics

bhill: very close to LC for CSP 1.0
... hopefully be ready to finish discussion on sandbox and have a LC draft shortly following
... then move directly into 1.1
... objections of discussion CSP 1.1 and next objectives at F2F?
... no objections

bhill: more info on clickjacking threats, propose taking time to discuss further on whether we can turn this into a spec, etc... objections/suggestions on anti-clickjacking agenda items?

bhill: big challenge left in group is getting good test cases
... people interested in taking a significant chunk of time to do a "live hackathon" to work together on some test case momentum?

gopal: think this is a great idea

bhill: encourage everyone to bring laptops and come ready to code then
... any additional agenda items for next F2F?
... no suggestions

Summary of Action Items

[NEW] ACTION: abarth to cross-post proposal to HTTP and WebSec WG at IETF [recorded in http://www.w3.org/2012/04/10-webappsec-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/04/10 21:58:55 $

Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0009.html