21:00:47 <RRSAgent> RRSAgent has joined #webappsec
21:00:47 <RRSAgent> logging to http://www.w3.org/2012/09/25-webappsec-irc
21:00:49 <trackbot> RRSAgent, make logs world
21:00:49 <Zakim> Zakim has joined #webappsec
21:00:51 <trackbot> Zakim, this will be 
21:00:51 <Zakim> I don't understand 'this will be', trackbot
21:00:52 <trackbot> Meeting: Web Application Security Working Group Teleconference
21:00:52 <trackbot> Date: 25 September 2012
21:01:02 <fred> fred has joined #webappsec
21:01:05 <tanvi> scribe: tanvi
21:01:14 <tanvi> trackbot-ng, start telcon
21:01:15 <jeffh> jeffh has joined #webappsec
21:01:16 <trackbot> RRSAgent, make logs world
21:01:18 <trackbot> Zakim, this will be 
21:01:18 <Zakim> I don't understand 'this will be', trackbot
21:01:19 <trackbot> Meeting: Web Application Security Working Group Teleconference
21:01:19 <trackbot> Date: 25 September 2012
21:01:28 <tanvi> Zakim, this will be Meeting: Web Application Security Working Group Teleconference
21:01:28 <Zakim> I do not see a conference matching that name scheduled within the next hour, tanvi
21:01:28 <tanvi> 2:01
21:01:28 <tanvi> Date: 25 September 2012
21:02:05 <ekr> zakim, who is here?
21:02:05 <Zakim> sorry, ekr, I don't know what conference this is
21:02:06 <Zakim> On IRC I see jeffh, fred, Zakim, RRSAgent, ekr, tanvi, gioma1, gopal, erlend, caribou, bhill2, odinho, tobie, timeless, mkwst, Velmont, trackbot
21:02:35 <ccarson> ccarson has joined #webappsec
21:03:04 <ekr> meeting: Web Application Security Working Group Teleconference
21:03:21 <ekr> scribenick: tanvi
21:03:23 <tanvi> meeting: Web Application Security Working Group Teleconference
21:03:35 <tanvi> zakim, who is here
21:03:35 <Zakim> tanvi, you need to end that query with '?'
21:03:42 <tanvi> zakim, who is here?
21:03:42 <Zakim> sorry, tanvi, I don't know what conference this is
21:03:43 <Zakim> On IRC I see ccarson, jeffh, fred, Zakim, RRSAgent, ekr, tanvi, gioma1, gopal, erlend, caribou, bhill2, odinho, tobie, timeless, mkwst, Velmont, trackbot
21:04:02 <ekr> rrsgent, make logs
21:04:06 <ekr> rrsagent, make logs
21:04:06 <RRSAgent> I'm logging. I don't understand 'make logs', ekr.  Try /msg RRSAgent help
21:04:19 <ekr> rrsagent, draft minutes
21:04:19 <RRSAgent> I have made the request to generate http://www.w3.org/2012/09/25-webappsec-minutes.html ekr
21:05:02 <jeffh> jeffh on phone
21:05:09 <erlend> erlend is on the phone
21:05:56 <ekr> zakim, who is here?
21:05:56 <Zakim> On the phone I see ??P0, [Mozilla], ccarson, ekr, ??P1, jeffh, +1.978.944.aaaa, ??P7
21:05:58 <Zakim> On IRC I see ccarson, jeffh, fred, Zakim, RRSAgent, ekr, tanvi, gioma1, gopal, erlend, caribou, bhill2, odinho, tobie, timeless, mkwst, Velmont, trackbot
21:06:17 <Zakim> -??P7
21:06:25 <tanvi> Zakim, [Mozilla] is tanvi
21:06:25 <Zakim> +tanvi; got it
21:06:34 <ekr> fred, tobie, timeless, and velmont not actually here
21:06:35 <Zakim> +??P7
21:06:50 <Zakim> +??P8
21:06:52 <mkwst> Zakim, ??P0 is mkwst
21:06:52 <Zakim> +mkwst; got it
21:06:53 <gioma1> Zakim, ??P7 is gioma1
21:06:54 <Zakim> +gioma1; got it
21:07:13 <ekr> http://www.w3.org/2012/09/11-webappsec-minutes.html
21:07:36 <tanvi> ekr: approval from last weeks meeting notes
21:07:36 <erlend> Zakim, ??P1 is erlend
21:07:36 <Zakim> +erlend; got it
21:07:41 <tanvi> ekr: http://www.w3.org/2012/09/11-webappsec-minutes.html
21:07:51 <dveditz> dveditz has joined #webappsec
21:08:04 <tanvi> ekr: agenda bashing?  no issues
21:08:15 <bhill2> http://www.w3.org/2011/webappsec/minutes/WebAppSec-minutes-11-Sep-2012.html
21:08:20 <bhill2> edited minutes there
21:08:21 <tanvi> ekr: open issues. http://www.w3.org/2011/webappsec/track/issues/open
21:08:31 <tanvi> ekr: no open issues. 
21:08:51 <ekr> http://www.w3.org/2011/webappsec/track/actions/open
21:08:59 <tanvi> ekr: open actions - http://www.w3.org/2011/webappsec/track/actions/open
21:09:09 <ekr> http://www.w3.org/2011/webappsec/track/actions/76
21:09:13 <tanvi> ekr: most action items assigned to people who are not here today
21:09:22 <tanvi> ekr: ACTION-76 assigned to gopal
21:09:51 <tanvi> ekr: quite a few tests running.  will go back and check
21:09:57 <tanvi> sorry...
21:10:03 <tanvi> gopal: quite a few tests running.  will go back and check
21:10:11 <tanvi> ekr: should we push out a couple weeks?
21:10:51 <tanvi> gopal: yeah.  we are checking test coverage.  we have a bunch of tests running, but dont' have an idea on what specific features are at risk.
21:11:49 <tanvi> ekr: issues on the mailing list to go over
21:12:05 <tanvi> ekr: long thread about whether there is a privacy threat due to mandatory csp enforcement
21:12:24 <tanvi> mike: the one point i was clear of, was the concept of extensions in browsers potentially visibile to a website thats using csp
21:13:04 <tanvi> mike: if a resource from an extension violates the pages' policy.  then server get a report saying that that resource violated csp
21:13:27 <tanvi> mike: and can determine what extension the user is running
21:13:44 <tanvi> dveditz: the extension part is real.  working with twitter, there were more violations than should be, and some from addons
21:14:02 <tanvi> dveditz: nothing in the spec that would prevent the user agent from allowing addons to make an exception for themselves
21:14:15 <tanvi> ??: spec says that extensiosn and addons shoudn't be affected by csp
21:14:25 <tanvi> dveditz: in right now firefox there are, but we consider that a bug
21:14:33 <tanvi> ??: in webkit and chrome they are as well and we also consider that a bug
21:15:14 <fred> can it be avoided
21:15:19 <tanvi> dveditz: User agent.  maybe i changed my user agent to xx to hide myself, but the csp errors show that i am actually firefox.  coudl be a problem for the tor bundle (though right now it only uses firefox)
21:15:40 <tanvi> dveditz: so could turn of csp completely.  but not the safest thing to do
21:15:58 <tanvi> ??: creating a user agent in such a way that it enhances user privacy
21:16:08 <tanvi> (can ?? identify themselves)
21:16:55 <tanvi> ??: spec is clear that extensions shouldn't affect csp.  the spec is quite clear on this point.  there is some discussion that user agents are having about how to do this. 
21:17:00 <jeffh> ?? is apparently referring to the new W3C "Privacy Interest Group"
21:17:13 <ekr> zakim, who is making noise?
21:17:26 <erlend> /cgi-bin/blockpage.cgi?ws-session
21:17:27 <tanvi> dveditz: do noting to the spec, but firefox and webkit have bugs
21:17:30 <ekr> zakim, who is talking?
21:17:30 <jeffh> http://www.w3.org/community/groups/proposed/#pua
21:17:31 <fred> fred is Fredrick Andrews
21:17:32 <Zakim> ekr, listening for 10 seconds I heard sound from the following: erlend (42%)
21:17:47 <mkwst> tanvi: ?? is me. :)
21:17:47 <Zakim> ekr, listening for 12 seconds I heard sound from the following: erlend (23%), ??P8 (79%)
21:17:53 <mkwst> mike west.
21:17:53 <tanvi> dveditz: twitter encountered a lot more modified content
21:17:57 <tanvi> thanks mike
21:18:04 <tanvi> s/??/mkwst/
21:18:10 <ekr> whoever is ??P8 should tell zakim.
21:18:49 <dveditz> zakim, who is here
21:18:49 <Zakim> dveditz, you need to end that query with '?'
21:18:51 <tanvi> mkwst: if dealing with active network attacker, csp not helpful.  which is why we request people use https
21:18:59 <dveditz> zakim, who is here?
21:18:59 <Zakim> On the phone I see mkwst, tanvi, ccarson, ekr, erlend, jeffh, +1.978.944.aaaa, gioma1, ??P8
21:19:01 <Zakim> On IRC I see dveditz, ccarson, jeffh, fred, Zakim, RRSAgent, ekr, tanvi, gioma1, erlend, caribou, bhill2, odinho, tobie, timeless, mkwst, Velmont, trackbot
21:19:03 <tanvi> ekr: unsafe inline for style source
21:19:58 <tanvi> tanvi: what does unsafe-inline really mean for style-src?
21:20:53 <tanvi> dveditz: in principal we all agree, but some edge cases we have to work out
21:21:15 <tanvi> dveditz: the only one i dont entirely agree about is that you could argue that adding css text property is invoking the parser and therefore might coutn as inline styles
21:21:57 <tanvi> dveditz: otherwise agree with all the other DOM manipulations of inline style is not covered by inline style.  directive intended to protect against injected content. 
21:22:12 <tanvi> mkswt: write another email that says that
21:22:33 <tanvi> dveditz: implementation wise, it may be easier to drop this.
21:23:01 <tanvi> dveditz: still unclear, even after mail thread, about why we care so much about inline style
21:23:46 <tanvi> dveditz: the old browser that included executable like things.  all the browser have dropped that dangerous stuff. 
21:24:13 <tanvi> dveditz: although adam's comments about new css features are valid
21:24:28 <tanvi> ekr: dveditz still think about this some and then raise again if an issue
21:24:34 <tanvi> ekr: moving on to next item...
21:24:45 <tanvi> tanvi: interaction of csp sandbox and meta tag
21:25:04 <tanvi> dveditz: 1.1 issue
21:25:41 <tanvi> tanvi: confused on the conclusion from the thread
21:25:52 <tanvi> ekr: bring it up on the  next call when adam and jacob are here
21:25:55 <Zakim> - +1.978.944.aaaa
21:26:11 <tanvi> ekr: csp connect-src and browser plugins raised by erlend
21:26:34 <tanvi> erlend: thinking in terms of things like flash, can make http requests that include the cookies the user has at the time
21:26:45 <tanvi> erlend: that is what brought up the subject
21:26:51 <tanvi> dveditz: i think the spec probably shoudl be clearer
21:27:21 <tanvi> dveditz: i know what we did in firefox, but after the issue was raised i realized we were sort of guessing.  it's easy to promise more thatn the browser can deliver since plugins can mkae their own network requests independent of the browser
21:27:35 <tanvi> dveditz: some web author may think they are sandboxing more than they are
21:27:59 <tanvi> ekr: but then they wouldnt have access to cookies.  ??
21:28:23 <tanvi> dveditz: sometimes they are just reading data.  but often in playlist situation (ex: youtube), loading a whole new chunk of plugin content
21:29:07 <tanvi> ekr: final agenda item is on web crypto wg
21:29:18 <tanvi> ekr: webcrypto wg announced FPWD
21:29:39 <ekr> http://www.w3.org/TR/WebCryptoAPI/
21:29:59 <Zakim> -jeffh
21:30:06 <Zakim> -ccarson
21:30:10 <Zakim> -ekr
21:30:14 <Zakim> -gioma1
21:30:18 <Zakim> -mkwst
21:30:19 <Zakim> -erlend
21:30:22 <ekr> http://www.w3.org/WAI/PF/wiki/Teleconference_cheat_sheet
21:30:28 <tanvi> rrsagent, generate minutes
21:30:28 <RRSAgent> I have made the request to generate http://www.w3.org/2012/09/25-webappsec-minutes.html tanvi
21:30:38 <jeffh> thx all, l8r
21:30:42 <Zakim> -??P8
21:30:49 <Zakim> -tanvi
21:30:50 <dveditz> ah… I was ??P8
21:30:51 <Zakim> SEC_WASWG()5:00PM has ended
21:30:51 <Zakim> Attendees were ccarson, ekr, jeffh, +1.978.944.aaaa, tanvi, mkwst, gioma1, erlend
21:30:51 <tanvi> rrsagent, stop log
21:30:51 <RRSAgent> I'm logging. I don't understand 'stop log', tanvi.  Try /msg RRSAgent help
21:31:02 <ekr> sorry, I was half-wayt o hanging up
21:31:59 <tanvi> no problem, hopefully that worked
21:32:11 <ekr> that looks fine
21:32:49 <tanvi> is there a way to edit the minutes?
21:33:01 <tanvi> misspelled words, typos, etc?
21:33:06 <ekr> I usually don'tbother
21:33:31 <tanvi> okay cool
21:35:54 <bhill2> rrsagent, set logs public-visible
21:36:56 <abarth> abarth has joined #webappsec
21:37:35 <Zakim> SEC_WASWG()5:00PM has now started
21:37:41 <Zakim> +abarth
21:38:10 <abarth> i guess you all ended early
21:38:18 <tanvi> yeah, we finished at 2:30
21:38:44 <Zakim> -abarth
21:38:45 <Zakim> SEC_WASWG()5:00PM has ended
21:38:45 <Zakim> Attendees were abarth
21:39:01 <tanvi> abarth: http://www.w3.org/2012/09/25-webappsec-minutes.html
21:39:06 <tanvi> i dont know what's up with Zakim
21:39:20 <tanvi> i'm going to dismiss him.
21:39:23 <tanvi> Zakim, please part
21:39:23 <Zakim> Zakim has left #webappsec