See also: IRC log
<bhill21> zakim this will be 92794
<bhill21> rrsagent begin
<bhill21> scribenick: ekr
<jrossi> scribenick: jrossi
bhill: any objections to approval?
... no objections, minutes approved
bhill: This year it is in France. W3C wants to know if WebAppSec should meet.
... provide input on whether folks will be able to attend
... still having our F2F in May
bhill: This triggers a new call for exclusions.
topics: Report on IETF 83 in Paris
jeffh: Sent mail to list with updates from IETF 83
... review presentations for your information (links in mail)
http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0011.html
jeffh: WebSec WG's HSTS spec is in WG Last Call, comments received, no showstoppers
... IAB Tech Plenary presentations (slides and PDFs included here: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0011.html)
... work on a new DNS API, one that accommodates async operations
... PKIX revocation and SSL Replacements/Enhancements
... HTTPbis, provide comments on HTTP/1.1, parts 4-7 in WG LC, parts 1-3 entering WG LC soon
... entertaining proposals for an HTTP 2.0, firm rechartering this summer where the proposal has been nailed down
... process/requirements gathering at http://bit.ly/http2reqs
... Mark Nottingham's overview of process & reqs is worth reviewing (https://www.ietf.org/proceedings/83/slides/slides-83-httpbis-6.pdf)
... 3 proposals were presented, SPDY, HTTP Speed+Mobility, and WAKA
<bhill21> http://tools.ietf.org/html/draft-pettersen-subtld-structure-09
<bhill21> various rumblings about fixing the "publicsuffix.org" problem at IETF.. possibly in a new list or discussion area
<bhill21> https://www.w3.org/2011/webappsec/track/actions/open
Action-20?
<trackbot> ACTION-20 -- Brad Hill to liason with widgets activity on policy placeholder for widgets -- due 2012-05-15 -- OPEN
<trackbot> http://www.w3.org/2011/webappsec/track/actions/20
Action-35?
<trackbot> ACTION-35 -- Adam Barth to add advice for server operators about combining policies -- due 2012-03-13 -- OPEN
<trackbot> http://www.w3.org/2011/webappsec/track/actions/35
<jeffh> see also: dra-sullivan-zone-policy-assertions-01
bhill: hasn't been touched lately, need to find a new owner?
abarth: if this is the last thing to do, i can do this
bhill: will evaluate after the call
action-36?
<trackbot> ACTION-36 -- David Huang to copy clickjacking info to wiki and email list -- due 2012-03-13 -- OPEN
<trackbot> http://www.w3.org/2011/webappsec/track/actions/36
bhill: will close this
action-51?
<trackbot> ACTION-51 -- Jeff Hodges to review CORS new sec cons language and provide editorial fixes -- due 2012-03-25 -- OPEN
<trackbot> http://www.w3.org/2011/webappsec/track/actions/51
bhill: generally in the phase of providing last call comments for CORS
... think we should pay special attention to this one
... CORS has a security model for the developer that's easy to misunderstand
... good idea to make sure we make the right comments and the spec is clear to browser authors and the other audiences who will use this
... this action is on Jeff, but everyone should review
action-56?
<trackbot> ACTION-56 -- Adam Barth to remove policy-uri directive -- due 2012-04-10 -- OPEN
<trackbot> http://www.w3.org/2011/webappsec/track/actions/56
bhill: is that complete?
abarth: yes
action-54: will follow up with Adam; item later to talk about action-55
bhill: discussion on list about keeping/removing
... resolved to remove from spec
... any particular opinions or data points we didn't hear on the mailing list?
tanvi: at Mozilla we feel we don't want to muddle the policy that determines what's in the HTML document to also be in the HTML document
... this is why we don't like the idea of the META tag
... at the same time, understand that pages may wish to dynamically apply the policy after loading content
abarth: sounds like a good thing to consider in the 1.1 version of the spec
tanvi: I agree
bhill: probably should put on agenda for F2F to talk about use cases
bhill: fine to keep working on here since it's relevant to other topics related to W3C work
... abarth has volunteered to take that up and provide a draft
<bhill21> http://dvcs.w3.org/hg/content-security-policy/rev/91163bbd2daf
<scribe> ACTION: abarth to cross-post proposal to HTTP and WebSec WG at IETF [recorded in http://www.w3.org/2012/04/10-webappsec-minutes.html#action01]
<trackbot> Created ACTION-57 - Cross-post proposal to HTTP and WebSec WG at IETF [on Adam Barth - due 2012-04-17].
bhill: IE has implementation, WebKit has the HTML implementation
abarth: sandbox directive is implemented in CSP implementation in WebKit
bhill: tanvi, is Mozilla working on it?
tanvi: working on iframe sandbox, not complete yet, hopefully will land in a month or so (won't be out for a few more months)
bhill: would mozilla be agreeable to including it in CSP?
<jeffh> who's speaking ?
I am
<jeffh> so jrossi querying dveditz wrt support for iFrame sandbox, yes?
yes
<jeffh> dveditz: moz wanting to push iFrame sandbox to CSP 1.1
<jeffh> jrossi: arguing for including it in CSP 1.0, other browsers support it already, so need it documented/spec'd to avoid interop issues in future
<jeffh> bhill: (summarizing) keep iFrame sandbox in spec for now, have more detailed discussion on list
<jeffh> jrossi: "sandbox" is more general than just on an iFrame, can be top-level page -- so let's keep it in spec for now, have more discussion on list
<jeffh> scribe back to u jrossi ?
bhill: very close to LC for CSP 1.0
... hopefully be ready to finish discussion on sandbox and have a LC draft shortly following
... then move directly into 1.1
... objections to discussing CSP 1.1 and next objectives at F2F?
... no objections
bhill: more info on clickjacking threats, propose taking time to discuss further on whether we can turn this into a spec, etc... objections/suggestions on anti-clickjacking agenda items?
bhill: big challenge left in group is getting good test cases
... people interested in taking a significant chunk of time to do a "live hackathon" to work together on some test case momentum?
gopal: think this is a great idea
bhill: encourage everyone to bring laptops and come ready to code then
... any additional agenda items for next F2F?
... no suggestions
Date: 10 Apr 2012
Minutes: http://www.w3.org/2012/04/10-webappsec-minutes.html
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0009.html
Scribes: ekr, jrossi
Present: +1.978.944.aaaa, +1.303.229.aabb, Joseph_Scheuhammer, +1.650.678.aacc, +1.866.317.aadd, +1.650.648.aaee, gioma1, +1.503.712.aaff, bhill2, abarth, [Mozilla], rware, +1.831.246.aagg, +1.425.865.aahh, [Microsoft], dveditz, +1.781.218.aaii, +1.614.465.aajj, +1.415.596.aakk, gopal
People with action items: abarth