20:58:17 RRSAgent has joined #webappsec
20:58:17 logging to http://www.w3.org/2013/05/07-webappsec-irc
20:58:20 zakim, who is here?
20:58:20 sorry, bhill2, I don't know what conference this is
20:58:21 On IRC I see RRSAgent, Zakim, bhill2, gmaone, neil, jeffh, bhill, timeless, trackbot, odinho, mkwst_, wseltzer
20:58:25 zakim, this is 92794
20:58:25 ok, bhill2; that matches SEC_WASWG()5:00PM
20:58:33 zakim, who is here?
20:58:33 On the phone I see +1.303.229.aaaa
20:58:34 On IRC I see RRSAgent, Zakim, bhill2, gmaone, neil, jeffh, bhill, timeless, trackbot, odinho, mkwst_, wseltzer
20:58:37 zakim, aaaa is bhill2
20:58:37 +bhill2; got it
20:58:50 + +1.425.865.aabb
20:59:07 Meeting: WebAppSec Teleconference 7-May-2013
20:59:35 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013May/0035.html
20:59:40 ccarson has joined #webappsec
20:59:53 rrsagent, set logs public-visible
21:00:01 + +1.949.273.aacc
21:00:20 zakim, aacc is neil
21:00:20 +neil; got it
21:00:57 zakim, aabb is ccarson
21:00:57 +ccarson; got it
21:00:58 zakim, who is here?
21:00:58 On the phone I see bhill2, ccarson, neil
21:00:59 On IRC I see ccarson, RRSAgent, Zakim, bhill2, gmaone, neil, jeffh, bhill, timeless, trackbot, odinho, mkwst_, wseltzer
21:00:59 +??P10
21:01:21 zakim, ??P10 is gmaone
21:01:21 +gmaone; got it
21:02:31 + +1.650.648.aadd
21:02:53 zakim, aadd is abarth
21:02:53 +abarth; got it
21:02:55 + +1.650.678.aaee
21:03:02 + +1.866.317.aaff
21:03:07 abarth has joined #webappsec
21:03:19 zakim aaff is JeffH
21:03:51 zakim, aaee is ekr
21:03:51 +ekr; got it
21:04:00 zakim, aaff is JeffH
21:04:00 +JeffH; got it
21:04:22 irc.w3.org is a pretty good web client if you're somewhere that blocks irc
21:04:30 ekr has joined #webappsec
21:04:30 mibbit is also an option
21:04:35 Test
21:04:40 howdy
21:05:23 zakim, who is here?
21:05:23 On the phone I see bhill2, ccarson, neil, gmaone, abarth, ekr, JeffH
21:05:24 On IRC I see ekr, abarth, ccarson, RRSAgent, Zakim, bhill2, gmaone, neil, jeffh, bhill, timeless, trackbot, odinho, mkwst_, wseltzer
21:05:40 + +1.801.701.aagg
21:06:23 zakim, aagg is adam(digicert)
21:06:23 +adam(digicert); got it
21:07:27 Scribe: Neil Matatall
21:07:37 Scribenick: neil
21:07:49 abresee has joined #webappsec
21:07:51 Topic: Minutes Approval
21:07:53 testing
21:07:57 + +1.978.944.aahh
21:08:15 zakim, aahh is gopal
21:08:15 +gopal; got it
21:08:37 resolved: minutes approved
21:08:37 bhill2: no objections, minutes approved
21:09:17 bhill2: sent publication request to w3c to publish UI-sec directives draft, going up later this week
21:09:20 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0032.html
21:09:47 bhill2: checked in example code + framework for testing CSP
21:10:29 ... moving from mercurial -> github
21:12:28 action: abarth to issue CfC to list on new WD publication of CSP 1.1
21:12:28 Created ACTION-136 - Issue CfC to list on new WD publication of CSP 1.1 [on Adam Barth - due 2013-05-14].
21:13:06 one update: http://lists.w3.org/Archives/Public/public-webappsec/2013May/0038.html
21:13:44 bhill2: discussing rechartering - good group - continue progress
21:13:57 ... handle upcoming issues in other groups
21:14:13 ... sub resource hashing
21:14:17 ... no mixed content
21:14:40 ... http[s]? vs http[s]? handling
21:14:47 ... custom elements
21:14:53 abresee_ has joined #webappsec
21:15:10 ... any objections to broadening of scope?
21:15:21 abarth: chrome interested in converging w/ mozilla on this
21:15:35 jeffh: sounds good to me
21:16:27 bhill2: add scope to charter - annotations to shadow DOM sub trees and web components model
21:16:50 ... imposing strict behaviors for (inner|outer)HTML, standardizing toStaticHTML
21:17:26 ... sandboxing components, like iframes + postMessage but easier to use
21:17:46 ccarson: boeing +1
21:18:26 seems fine
21:18:40 I suggest wordsmithing on the list
21:19:15 Topic: Tracker
21:19:16 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:20:06 ekr, can you man the tracker?
21:20:44 brad, working on it
21:21:19 my network is sucking
21:21:32 OK, I now have it
21:22:09 adam: what was the resolution of 115?
21:22:38 ekr: move to pending review
21:24:44 bhill2: skipping raised issues, pending cleanup
21:24:52 Topic: HTTP Auth and CORS
21:24:53 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0034.html
21:25:25 bhill2: discussing http auth, handling 401s for CORS + credentials
21:26:11 ... no proposed spec text
21:26:30 ... should we re-open CORS or will it become part of fetch?
21:26:47 abarth: not worth re-opening, more like on-going refinements
21:27:06 bhill2: to raise on the list
21:27:33 ACTION: bhill2 to query list whether CORS HTTP auth should re-open spec
21:27:33 Created ACTION-137 - Query list whether CORS HTTP auth should re-open spec [on Brad Hill - due 2013-05-14].
21:27:55 Topic: Security implications of cross-origin violation reports in CSP
21:27:56 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0033.html
21:28:33 bhill2: mkwst_ brought up iframe scoped to origin, loading a resource could cause a redirect, leaking identity information
21:29:11 abarth: came up before when full URLs were part of violation reports
21:29:31 ... providing only host name helps address this info
21:29:46 bhill2: issues with leaking secrets in URL, also what can be inferred from the presence of a redirect
21:30:05 ... e.g. redirect implies an authenticated session
21:30:38 abarth: another example, logged in pages much slower than logged out so there's a timing attack too
21:32:48 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0025.html
21:32:56 was actual list thread
21:33:01 -gopal
21:33:15 Topic: Cross-origin reporting
21:33:16 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0033.html
21:36:08 abarth: best thing to do might be use a new content type
21:36:34 ... would people care about the content type?
21:37:33 bhill2: content of request body is constrained, not "arbitrarily horrible" ^TM
21:38:05 ACTION: abarth to update csp report content-type to application/csp-report or similar
21:38:05 Created ACTION-138 - Update csp report content-type to application/csp-report or similar [on Adam Barth - due 2013-05-14].
21:38:42 Topic: innerHTML, web components, sandboxing, etc.
21:38:47 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0009.html
21:38:52 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0010.html
21:40:42 abarth: solicit use cases as well as proposals
21:40:59 bhill2: yeah, we might want to wait until the new charter is out
21:44:24 bhill2: finding a common solution is ideal, we don't want to further complicate things
21:44:31 -ekr
21:44:33 Topic: srcdoc, data, inheriting CSP policies
21:44:40 http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0097.html
21:44:45 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0005.html
21:44:58 doh, lost call
21:45:23 +ekr
21:46:00 abarth: spec language is next step, some discussions w/ imelvin
21:46:04 Topic: trimming the securitypolicy DOM interface
21:46:05 http://lists.w3.org/Archives/Public/public-webappsec/2013May/0004.html
21:47:09 bhill2: pushback on the list to limiting, feelings that we shouldn't be restricting interfaces
21:47:54 ... adding hooks for specific use cases, need to solicit use cases
21:49:25 abarth: to clarify, make the proposed change and let people raise objections as needed?
21:50:01 bhill2: it's reasonable and consistent
21:50:14 -JeffH
21:50:44 -ekr
21:50:46 -neil
21:50:48 -ccarson
21:50:50 -abarth
21:50:58 zakim, list attendees
21:50:58 As of this point the attendees have been +1.303.229.aaaa, bhill2, +1.425.865.aabb, +1.949.273.aacc, neil, ccarson, gmaone, +1.650.648.aadd, abarth, +1.650.678.aaee,
21:51:01 ... +1.866.317.aaff, ekr, JeffH, +1.801.701.aagg, adam(digicert), +1.978.944.aahh, gopal
21:51:02 trackbot, end meeting
21:51:02 Zakim, list attendees
21:51:02 As of this point the attendees have been +1.303.229.aaaa, bhill2, +1.425.865.aabb, +1.949.273.aacc, neil, ccarson, gmaone, +1.650.648.aadd, abarth, +1.650.678.aaee,
21:51:05 ... +1.866.317.aaff, ekr, JeffH, +1.801.701.aagg, adam(digicert), +1.978.944.aahh, gopal
21:51:10 RRSAgent, please draft minutes
21:51:10 I have made the request to generate http://www.w3.org/2013/05/07-webappsec-minutes.html trackbot
21:51:11 RRSAgent, bye
21:51:11 I see 3 open action items saved in http://www.w3.org/2013/05/07-webappsec-actions.rdf :
21:51:11 ACTION: abarth to issue CfC to list on new WD publication of CSP 1.1 [1]
21:51:11 recorded in http://www.w3.org/2013/05/07-webappsec-irc#T21-12-28
21:51:11 ACTION: bhill2 to query list whether CORS HTTP auth should re-open spec [2]
21:51:11 recorded in http://www.w3.org/2013/05/07-webappsec-irc#T21-27-33
21:51:11 ACTION: abarth to update csp report content-type to application/csp-report or similar [3]
21:51:11 recorded in http://www.w3.org/2013/05/07-webappsec-irc#T21-38-05
21:51:11 thanks for scribing, neil!
21:51:20 -gmaone