21:56:16 <RRSAgent> RRSAgent has joined #webappsec
21:56:16 <RRSAgent> logging to http://www.w3.org/2013/01/15-webappsec-irc
21:56:26 <gioma1> gioma1 has joined #webappsec
21:57:15 <gopal> zakim, this is 92794
21:57:15 <Zakim> ok, gopal; that matches SEC_WASWG()5:00PM
21:57:31 <gopal> rrsagent, begin
21:58:23 <Zakim> +??P2
21:58:28 <gopal> Meeting: WebAppSec WG [Jan|15]2013
21:58:32 <Zakim> + +1.425.865.aacc
21:58:45 <gopal> Chai: bhill2,ekr
21:59:02 <gioma1> Zakim, ??P2 is gioma1
21:59:02 <Zakim> +gioma1; got it
21:59:18 <ccarson> ccarson has joined #webappsec
21:59:29 <Zakim> + +1.650.648.aadd
21:59:52 <gopal> Scribe: gopal
22:00:06 <jimio> jimio has joined #webappsec
22:00:08 <gopal> ScribeNick:gopal
22:00:40 <Zakim> + +1.303.229.aaee
22:00:53 <Zakim> + +1.508.574.aaff
22:01:16 <abarth> abarth has joined #webappsec
22:01:31 <Zakim> + +1.714.488.aagg
22:01:42 <abresee> abresee has joined #webappsec
22:01:43 <Zakim> +[Mozilla]
22:02:07 <tanvi> tanvi has joined #webappsec
22:02:19 <tanvi> hi
22:02:31 <tanvi> Zakim, who is here
22:02:31 <Zakim> tanvi, you need to end that query with '?'
22:02:42 <tanvi> Zakim, who is here?
22:02:42 <Zakim> On the phone I see +1.781.362.aaaa, +1.801.701.aabb, gioma1, +1.425.865.aacc, +1.650.648.aadd, +1.303.229.aaee, +1.508.574.aaff, +1.714.488.aagg, [Mozilla]
22:02:43 <bhill2> bhill2 has joined #webappsec
22:02:46 <Zakim> On IRC I see tanvi, abresee, abarth, jimio, ccarson, gioma1, RRSAgent, Zakim, gopal, dveditz, neil, trackbot, tobie, timeless, mkwst_, bhill, yoav, odinho, caribou
22:03:26 <bhill2> zakim, who is here?
22:03:26 <Zakim> On the phone I see +1.781.362.aaaa, +1.801.701.aabb, gioma1, +1.425.865.aacc, +1.650.648.aadd, +1.303.229.aaee, +1.508.574.aaff, +1.714.488.aagg, [Mozilla]
22:03:29 <Zakim> On IRC I see bhill2, tanvi, abresee, abarth, jimio, ccarson, gioma1, RRSAgent, Zakim, gopal, dveditz, neil, trackbot, tobie, timeless, mkwst_, bhill, yoav, odinho, caribou
22:03:30 <tanvi> Zakim, [Mozilla] is tanvi_and_imelven
22:03:30 <Zakim> +tanvi_and_imelven; got it
22:03:36 <bhill2> zakim, aaee is bhill2
22:03:36 <Zakim> +bhill2; got it
22:03:43 <imelven> imelven has joined #webappsec
22:03:54 <imelven> happy new year, #webappsec
22:04:02 <ccarson> zakim, aacc is ccarson
22:04:02 <Zakim> +ccarson; got it
22:04:09 <Zakim> + +1.650.678.aahh
22:04:10 <abarth> Zakim, aadd is abarth
22:04:10 <Zakim> +abarth; got it
22:04:14 <imelven> zakim, who is on the call
22:04:14 <Zakim> I don't understand 'who is on the call', imelven
22:04:19 <imelven> zakim, who is here
22:04:19 <Zakim> imelven, you need to end that query with '?'
22:04:20 <neil> zakim: aagg
22:04:22 <imelven> zakim, who is here?
22:04:22 <Zakim> On the phone I see +1.781.362.aaaa, +1.801.701.aabb, gioma1, ccarson, abarth, bhill2, +1.508.574.aaff, +1.714.488.aagg, tanvi_and_imelven, +1.650.678.aahh
22:04:26 <Zakim> On IRC I see imelven, bhill2, tanvi, abresee, abarth, jimio, ccarson, gioma1, RRSAgent, Zakim, gopal, dveditz, neil, trackbot, tobie, timeless, mkwst_, bhill, yoav, odinho, caribou
22:04:29 <imelven> oh tanvi already got us
22:04:34 <jimio> zakim, aaff is jimio
22:04:34 <Zakim> +jimio; got it
22:04:42 <neil> zakim: aagg is neil
22:04:43 <abresee> Sorry, could you run that by me one more time?
22:04:58 <gopal> Zakim, aaaa is gopal
22:04:58 <Zakim> +gopal; got it
22:04:58 <neil> zakim, aagg is neil
22:04:59 <Zakim> +neil; got it
22:05:41 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0041.html
22:05:54 <ekr_> ekr_ has joined #webappsec
22:06:25 <abresee> zakim, aabb is abresee
22:06:25 <Zakim> +abresee; got it
22:06:49 <gopal> bhill2: any items to add to agenda
22:06:56 <ekr_> zakim, who is here?
22:06:56 <Zakim> On the phone I see gopal, abresee, gioma1, ccarson, abarth, bhill2, jimio, neil, tanvi_and_imelven, +1.650.678.aahh
22:06:58 <Zakim> On IRC I see ekr_, imelven, bhill2, tanvi, abresee, abarth, jimio, ccarson, gioma1, RRSAgent, Zakim, gopal, dveditz, neil, trackbot, tobie, timeless, mkwst_, bhill, yoav, odinho,
22:06:58 <Zakim> ... caribou
22:07:14 <gopal> ... CORS status missed publication deadline
22:07:43 <gopal> ... review probably happen next week
22:08:40 <imelven> where would this be ?
22:08:48 <gopal> ... briefly talked about brief meeting scheduled tentatively for 23-26 april
22:09:20 <gopal> ... ebay/paypal sponsored in bay area
22:09:53 <Zakim> +[IPcaller]
22:10:00 <bhill2> http://www.w3.org/wiki/HTML/wg/2013-04-Agenda
22:10:03 <dveditz> Zakim, IPCaller is dveditz
22:10:03 <Zakim> +dveditz; got it
22:10:18 <bhill2> https://www.w3.org/2011/webappsec/track/actions/open
22:10:20 <ekr_> zakim, aahh is ekr_
22:10:20 <Zakim> +ekr_; got it
22:10:35 <ekr_> I regretttably have terrible connectivity here.
22:10:40 <gopal> ... action item 3 leave it as is
22:11:20 <gopal> ... action item 92 to dveditz, look at issue 32
22:11:21 <bhill2> https://www.w3.org/2011/webappsec/track/issues/32
22:11:34 <bhill2> ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes?
22:11:34 <trackbot> Notes added to ISSUE-32 Do we specify that path-specificity applies only to hierarchical URI schemes?.
22:11:50 <gopal> dveditz: haven't looked at it yet
22:12:10 <Zakim> + +1.415.832.aaii
22:12:16 <gopal> bhill2: action 94 to mike west
22:12:27 <gopal> ... leave it open
22:12:39 <puhley> puhley has joined #webappsec
22:13:04 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0030.html
22:13:10 <gopal> ... action 98, marked as pending review
22:13:44 <gopal> ... marking closed
22:14:28 <gopal> .. action 101, reassigned to Brad to escalate issue
22:14:51 <gopal> ... action 104 to abarth,
22:15:05 <gopal> abarth: push to next call and will look at it
22:15:52 <gopal> bhill2: action 105, change due date to next call
22:16:30 <gopal> ... action 106, Mike is not on call, leave it as is
22:16:52 <gopal> ... associated products to issues
22:17:37 <gopal> ... opened up lot of feedback and questions,
22:18:15 <bhill2> example:   associate ACTION-123 with ISSUE-45
22:18:20 <bhill2> will create an association
22:19:16 <bhill2> https://www.w3.org/2011/webappsec/track/issues/raised
22:19:18 <gioma1> I'm here , but no mic
22:19:21 <bhill2> raised issues.  number 20
22:19:35 <gopal> ... issue-20 , no volunteer
22:20:08 <gioma1> I can take on issue 20
22:20:19 <bhill2> ACTION to bhill2 investigate assistive technologies use of real or synthetic events
22:20:19 <trackbot> Error finding 'to'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:20:32 <bhill2> ACTION bhill2 to investigate assistive technologies use of real or synthetic events
22:20:32 <trackbot> Created ACTION-107 - Investigate assistive technologies use of real or synthetic events [on Brad Hill - due 2013-01-22].
22:20:40 <gopal> ... currently on issue 21,
22:20:42 <bhill2> associate ACTION-107 with ISSUE-21
22:20:43 <trackbot> ACTION-107 (Investigate assistive technologies use of real or synthetic events) associated with ISSUE-21.
22:21:00 <abresee> Do you mean issue 21?
22:21:07 <jeffh> jeffh has joined #webappsec
22:21:22 <bhill2> ACTION gioma1 to query list on whether default UI Security hueristic behavior should be block or report
22:21:22 <trackbot> Error finding 'gioma1'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:21:55 <gioma1> I'm trying to update the list
22:22:06 <gopal> giomal please specify your w3c name
22:22:15 <bhill2> ACTION bhill2  to query list on whether default UI Security hueristic behavior should be block or report
22:22:17 <gioma1> done
22:22:19 <trackbot> Created ACTION-108 -  to query list on whether default UI Security hueristic behavior should be block or report [on Brad Hill - due 2013-01-22].
22:22:28 <bhill2> associate ACTION-108 with ISSUE-20
22:22:28 <trackbot> ACTION-108 (to query list on whether default UI Security hueristic behavior should be block or report) associated with ISSUE-20.
22:22:53 <gopal> bhill2: on issue-22
22:23:40 <gioma1> gopal: registered gioma1 nick
22:23:57 <gopal> ... have to look at it again, does anyone understand what we are talking about in this issue
22:25:26 <gopal> jeff: trying to think if there is an exclusive directive for frame options
22:26:19 <bhill2> “the directive is ignored if specified in a META tag” according to
22:26:19 <bhill2> http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx so that’s what we’ve done. There’s no official spec so “compatibility with IE” (which introduced the feature) is the goal.
22:26:26 <gopal> abarth: metatag may come quite late in the document. Makes no sense to bury it in the document
22:26:36 <bhill2> <-- from Dan Veditz in comments to http://blog.mozilla.org/security/2010/09/08/x-frame-options/
22:26:53 <jeffh> we shouldn't neglect/forget:  https://tools.ietf.org/html/draft-ietf-websec-frame-options-00
22:27:20 <jeffh> "meta" doesn't appear in the latter
22:27:26 <jeffh> fwiw
22:27:31 <gopal> Zakim, who is talking?
22:27:43 <Zakim> gopal, listening for 10 seconds I heard sound from the following: bhill2 (9%), tanvi_and_imelven (5%), dveditz (61%)
22:30:00 <ekr_> ekr_ has joined #webappsec
22:30:01 <bhill2> ACTION dveditz to add spec language to CSP 1.1 regarding certain directives not honored in META
22:30:01 <trackbot> Created ACTION-109 - Add spec language to CSP 1.1 regarding certain directives not honored in META [on Daniel Veditz - due 2013-01-22].
22:30:10 <gopal> dveditz: similar to html 5 wg spec, use  allowed in meta tag , no-allowed in metatag,
22:30:14 <bhill2> associate ACTION-109 with ISSUE-26
22:30:14 <trackbot> ACTION-109 (Add spec language to CSP 1.1 regarding certain directives not honored in META) associated with ISSUE-26.
22:30:30 <gopal> dveditz: will follow up with issue and add more details
22:30:41 <bhill2> ACTION bhill2 to clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec
22:30:41 <trackbot> Created ACTION-110 - Clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec [on Brad Hill - due 2013-01-22].
22:30:48 <bhill2> associate ACTION-110 with ISSUE-25
22:30:49 <trackbot> ACTION-110 (Clarify that frame-options not allowed in META, reference relative to CSP 1.1 spec) associated with ISSUE-25.
22:31:28 <bhill2> giorgio - are you willing to take an action on ISSUE-27?
22:31:32 <bhill2> https://www.w3.org/2011/webappsec/track/issues/27
22:31:34 <gopal> bhill2: on issue 27
22:31:40 <gioma1> OK
22:32:08 <bhill2> ACTION gioma1 to provide guidance on efficient enforcment of display-time
22:32:08 <trackbot> Error finding 'gioma1'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:32:54 <gioma1> I swear I registered the nickname, it's on the list. Maybe there's a delay?
22:32:56 <bhill2> ACTION bhill2 to provide guidance on efficient enforcment of display-time
22:32:56 <trackbot> Created ACTION-111 - Provide guidance on efficient enforcment of display-time [on Brad Hill - due 2013-01-22].
22:33:07 <bhill2> associate ACTION-111 with ISSUE-27
22:33:07 <trackbot> ACTION-111 (Provide guidance on efficient enforcment of display-time) associated with ISSUE-27.
22:34:04 <gioma1> ah OK, so the error message is quite misleading
22:34:24 <gioma1> my login name is "gmaone"
22:34:37 <gopal> bhill2: on  issue 28, will wait on it
22:34:43 <gopal> ... on issue 29
22:34:58 <gopal> ... sane defaults for clippping
22:35:24 <bhill2> ACTION gmaone to raise issue 29 on public-webappsec list for further discussion
22:35:24 <trackbot> Created ACTION-112 - Raise issue 29 on public-webappsec list for further discussion [on Giorgio Maone - due 2013-01-22].
22:35:32 <bhill2> associate ACTION-112 with ISSUE-29
22:35:32 <trackbot> ACTION-112 (Raise issue 29 on public-webappsec list for further discussion) associated with ISSUE-29.
22:36:05 <gopal> ... rest of issues related to csp 1.1
22:36:39 <gopal> abarth: will take issue-31
22:36:44 <bhill2> ACTION abarth to chase specs and references for URL/URI definition used in CSP 1.1
22:36:44 <trackbot> Created ACTION-113 - Chase specs and references for URL/URI definition used in CSP 1.1 [on Adam Barth - due 2013-01-22].
22:36:53 <bhill2> associate ACTION-113 with ISSUE-31
22:36:53 <trackbot> ACTION-113 (Chase specs and references for URL/URI definition used in CSP 1.1) associated with ISSUE-31.
22:38:40 <bhill2> associate ACTION-92 with ISSUE-32
22:38:41 <trackbot> ACTION-92 (Propose spec text to resolve ISSUE-32) associated with ISSUE-32.
22:40:25 <bhill2> ACTION bhill to assign actions for issues 34, 35, 36, 37, 38, 39 to abarth
22:40:25 <trackbot> Error finding 'bhill'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:40:36 <bhill2> ACTION bhill2 to assign actions for issues 34, 35, 36, 37, 38, 39 to abarth
22:40:36 <trackbot> Created ACTION-114 - Assign actions for issues 34, 35, 36, 37, 38, 39 to abarth [on Brad Hill - due 2013-01-22].
22:42:33 <gopal> dveditz: instead of product csp 1.1 is there a product for content and integrity
22:42:51 <gopal> bhill2: leave it as is with csp 1.1
22:43:22 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0112.html
22:44:07 <gopal> ... anyone wants to express affirmative support with new charter ?
22:44:18 <jeffh> s/with/for/
22:45:47 <gopal> ... if no objections, submit it to directors and start a process for approval
22:46:15 <gopal> ... Are there any objections to advancing this charter to directors
22:46:22 <gopal> ... no objections
22:46:47 <bhill2> RESOLVED draft charter is approved by WG members for submission to Director and Advisory Committee
22:47:16 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0013.html
22:47:37 <gopal> ... script nonces: AND vs OR policy
22:48:06 <gopal> ... anyone on call wants to advocate
22:48:19 <gopal> abarth: advocate OR
22:50:08 <imelven> ok, agree re unsafe-inline OR nonce
22:50:14 <gopal> ... and: should satisfy both script src and script nonce.
22:50:26 <imelven> agree
22:51:37 <gopal> dveditz: is it too complicated to have both kinds ("or" nonce and "and" nonce")
22:52:19 <gopal> ... more concerned, don't want magic inline scripts on the page
22:53:26 <gopal> ... if security of inline script depends on not leaking the nonce
22:53:47 <gopal> ... if you make an "OR", it becomes brittle by breaking the nonce
22:54:42 <gopal> abarth: they need to be inline to get the script working
22:55:16 <gopal> ... eg: couple of web app had perf critical with inline scripts on top.
22:56:48 <gopal> dveditz: should nonce be in the script?
22:58:08 <jimio> nothing from my side on this.. I'd need to look into it a little bit more as well
22:58:19 <gopal> bhill2: any web site implementers who have an opinion?
22:59:06 <gopal> dveditz: more concerned about nonce with inline scripts rather than with script tags
22:59:28 <ekr_> ekr_ has joined #webappsec
23:00:01 <gopal> bhill2: move rest of agenda to next call
23:00:06 <Zakim> -neil
23:00:10 <Zakim> -ekr_
23:00:11 <Zakim> -tanvi_and_imelven
23:00:11 <Zakim> -jimio
23:00:12 <Zakim> -ccarson
23:00:13 <Zakim> -gopal
23:00:20 <Zakim> -gioma1
23:00:21 <Zakim> -abresee
23:00:23 <Zakim> -bhill2
23:00:24 <Zakim> -dveditz
23:00:38 <gopal> Zakim, list attendees
23:00:38 <Zakim> As of this point the attendees have been +1.781.362.aaaa, +1.801.701.aabb, +1.425.865.aacc, gioma1, +1.650.648.aadd, +1.303.229.aaee, +1.508.574.aaff, +1.714.488.aagg,
23:00:42 <Zakim> ... tanvi_and_imelven, bhill2, ccarson, +1.650.678.aahh, abarth, jimio, gopal, neil, abresee, dveditz, ekr_, +1.415.832.aaii
23:00:46 <Zakim> - +1.415.832.aaii
23:00:51 <jimio> jimio has left #webappsec
23:01:06 <Zakim> -abarth
23:01:07 <Zakim> SEC_WASWG()5:00PM has ended
23:01:07 <Zakim> Attendees were +1.781.362.aaaa, +1.801.701.aabb, +1.425.865.aacc, gioma1, +1.650.648.aadd, +1.303.229.aaee, +1.508.574.aaff, +1.714.488.aagg, tanvi_and_imelven, bhill2, ccarson,
23:01:07 <Zakim> ... +1.650.678.aahh, abarth, jimio, gopal, neil, abresee, dveditz, ekr_, +1.415.832.aaii
23:01:17 <gopal> RRSAgent, set logs public-visible
23:01:33 <gopal> RRSAgent, make minutes
23:01:33 <RRSAgent> I have made the request to generate http://www.w3.org/2013/01/15-webappsec-minutes.html gopal
23:06:56 <tanvi> tanvi has left #webappsec
23:08:51 <bhill2> bhill2 has joined #webappsec
23:10:07 <bhill2> bhill2 has left #webappsec
23:10:08 <bhill2> bhill2 has joined #webappsec
23:10:12 <bhill2> rrsagent, make minutes
23:10:12 <RRSAgent> I have made the request to generate http://www.w3.org/2013/01/15-webappsec-minutes.html bhill2
23:10:17 <bhill2> rrsagent, set logs public visible
23:10:19 <bhill2> bhill2 has left #webappsec
23:13:07 <jeffh> jeffh has joined #webappsec