20:59:56 <RRSAgent> RRSAgent has joined #webappsec
20:59:56 <RRSAgent> logging to http://www.w3.org/2013/08/27-webappsec-irc
21:00:22 <bhill2> Meeting: WebAppSec WG Teleconference, 27-August-2013
21:00:27 <bhill2> Chair: bhill2, ekr
21:00:46 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0056.html
21:00:49 <ekr> ekr has joined #webappsec
21:01:00 <ekr> zakim, who is here/
21:01:00 <Zakim> I don't understand 'who is here/', ekr
21:01:05 <ekr> zakim, who is here?
21:01:05 <Zakim> sorry, ekr, I don't know what conference this is
21:01:05 <bhill2> zakim, this is 92794
21:01:06 <Zakim> On IRC I see ekr, RRSAgent, Zakim, bhill2, gmaone, mkwst_, timeless, trackbot, odinho, tlr, wseltzer
21:01:06 <Zakim> ok, bhill2; that matches SEC_WASWG()5:00PM
21:01:12 <Zakim> +??P4
21:01:20 <Zakim> + +1.415.832.aaaa
21:01:22 <bhill2> zakim, who is here?
21:01:23 <Zakim> On the phone I see bhill2, [Mozilla], ??P4, +1.415.832.aaaa
21:01:24 <Zakim> On IRC I see ekr, RRSAgent, Zakim, bhill2, gmaone, mkwst_, timeless, trackbot, odinho, tlr, wseltzer
21:01:25 <gmaone> Zakim, ??P4 is gioma1
21:01:25 <Zakim> +gioma1; got it
21:01:30 <ekr> zakim, ekr is at mozilla
21:01:30 <Zakim> I don't understand 'ekr is at mozilla', ekr
21:01:37 <bhill2> zakim, mozilla has ekr
21:01:37 <Zakim> +ekr; got it
21:01:39 <gmaone> Zakim, ??P4 is gmaone
21:01:39 <Zakim> I already had ??P4 as gioma1, gmaone
21:01:42 <ekr> bhill2: thanks
21:01:46 <Zakim> -gioma1
21:01:59 <bhill2> zakim, aaaa is puhley
21:01:59 <Zakim> +puhley; got it
21:02:18 <Zakim> +??P4
21:02:24 <gmaone> Zakim, ??P4 is gmaone
21:02:24 <Zakim> +gmaone; got it
21:03:56 <Zakim> + +1.978.944.aabb
21:04:02 <Zakim> +mkwst_
21:04:08 <bhill2> zakim, aabb is gopal
21:04:08 <Zakim> +gopal; got it
21:05:16 <ekr> bhill2: I can scribe
21:05:30 <ekr> scribenick ekr
21:05:32 <bhill2> scribenick: ekr
21:05:42 <bhill2> zakim, who is here?
21:05:42 <Zakim> On the phone I see bhill2, [Mozilla], puhley, gmaone, gopal, mkwst_
21:05:43 <Zakim> [Mozilla] has ekr
21:05:44 <Zakim> On IRC I see ekr, RRSAgent, Zakim, bhill2, gmaone, mkwst_, timeless, trackbot, odinho, tlr, wseltzer
21:05:51 <bhill2> topic: Minutes Approval
21:05:55 <bhill2> http://www.w3.org/2013/07/16-webappsec-minutes.html
21:06:18 <bhill2> Topic: Tracker
21:06:18 <bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:06:29 <bhill2> https://www.w3.org/2011/webappsec/track/actions/pendingreview
21:06:56 <puhley> puhley has joined #webappsec
21:07:35 <bhill2> trackbot close action-148
21:07:35 <trackbot> Closed action-148.
21:09:03 <ekr> mwest: there has been a proposal that we add a much bigger API (#127). Don't know if we would get it done by 1.1
21:09:08 <ekr> … we should discuss on the list
21:09:27 <ekr> bhill2: would like to create a burndown list of outstanding issues
21:10:24 <ekr> Topic: Closing CORS Open Isues
21:10:26 <bhill2> Topic: CORS CfC and open issues
21:10:41 <bhill2> https://www.w3.org/Bugs/Public/buglist.cgi?list_id=22771&query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&component=CORS&product=WebAppsSec
21:11:04 <ekr> bhill2: do we intend to respond to any of these issues in the tracker?
21:11:17 <ekr> bhill2: wanted to get consensus on the call.
21:11:24 <ekr> … does anyone object to closing these out?
21:11:43 <ekr> https://www.w3.org/Bugs/Public/show_bug.cgi?id=14663 : CORS and Caches
21:11:54 <ekr> bhill2: I don't think there is a need for this at this point
21:12:01 <ekr> any objections to closing this bug?
21:12:09 <ekr> no objections
21:12:20 <ekr> https://www.w3.org/Bugs/Public/show_bug.cgi?id=14664 : Defining CORS headers
21:12:35 <ekr> bhill2: Not clear what the contents of this bug is. Open since 2011 with no activity
21:12:46 <ekr> … might be about header changes in ABNF with HTTP bis
21:12:49 <ekr> any objections to closing?
21:12:51 <ekr> no objections
21:13:03 <ekr> https://www.w3.org/Bugs/Public/show_bug.cgi?id=14700 : Point out that Access-Control-Allow-Origin:* is safe for servers not behind a firewall
21:13:12 <ekr> bhill2: security considerations has been completely rewritten
21:13:16 <ekr> any objections to closing?
21:13:21 <ekr> no objections heard.
21:13:32 <ekr> https://www.w3.org/Bugs/Public/show_bug.cgi?id=19920 : Don't allow space-separated origins in the syntax
21:13:49 <ekr> Related to 21608: https://www.w3.org/Bugs/Public/show_bug.cgi?id=21608 7.2 "Resource Sharing Check" does not specify how to handle a space separated list in Access-Control-Allow-Origin
21:14:33 <ekr> bhill2: implicitly access control sharing check forbids >1 oriign
21:14:43 <ekr> … my opinion is behavior is already specified and implemented
21:14:53 <ekr> … propose we don't change it
21:14:59 <ekr> any objections to closing these without change?
21:15:06 <ekr> no objections heard
21:15:37 <ekr> https://www.w3.org/Bugs/Public/show_bug.cgi?id=21012 : Add more text on Vary
21:15:48 <ekr> bhill2: seems that this is an edge case.
21:16:06 <ekr> … minor editorial suggestion, not worth opening spec
21:16:12 <ekr> any objections to closing these without change?
21:16:14 <ekr> no objections heard
21:16:24 <ekr> https://www.w3.org/Bugs/Public/show_bug.cgi?id=21013: Credentials and HTTP authentication
21:16:40 <bhill2> http://lists.w3.org/Archives/Public/public-webapps/2013JanMar/thread.html#msg366
21:16:44 <ekr> bhill2: discussion more  recently on the list.
21:17:17 <ekr> … does anyone feel spec needs additional clarification?
21:17:28 <ekr> … I have not seen any actual text proposed
21:17:45 <ekr> any objections to closing this without changes?
21:17:47 <ekr> no objections heard
21:18:14 <ekr> bhill2: call to formally close CfC for advancement from Candidate Recommendation to Proposed Recommendation
21:19:03 <ekr> peleus moves to advance CORS to PR
21:19:05 <ekr> seconded by ekr
21:19:11 <ekr> no objections to unanimous consent
21:19:22 <ekr> decision: move CORS to proposed recommendation
21:19:35 <ekr> bhill2: I will check with Art in WebApps
21:19:38 <bhill2> Topic: SOS proposal
21:19:40 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0037.html
21:20:19 <ekr> bhill2: proposed modiification to prevent against CSRF. Header to determne whether cookies would be sent or not
21:20:32 <ekr> … a few items of discussion on the list
21:20:40 <ekr> … anyone interested in taking this up?
21:20:55 <ekr> nothing heard
21:21:00 <ekr> bhill2: continue to discuss on the list
21:21:16 <ekr> … but we will not take it up without more show of interest
21:21:19 <ekr> in 1.1
21:21:34 <Zakim> -[Mozilla]
21:21:39 <Zakim> -gopal
21:21:42 <Zakim> -bhill2
21:21:43 <Zakim> -mkwst_
21:21:43 <ekr> rrsagent, generate minutes
21:21:43 <RRSAgent> I have made the request to generate http://www.w3.org/2013/08/27-webappsec-minutes.html ekr
21:21:43 <Zakim> -puhley
21:21:47 <Zakim> -gmaone
21:21:48 <Zakim> SEC_WASWG()5:00PM has ended
21:21:48 <Zakim> Attendees were bhill2, +1.415.832.aaaa, gioma1, ekr, puhley, gmaone, +1.978.944.aabb, mkwst_, gopal
21:21:50 <bhill2> thanks for scribing, ekr
21:21:55 <ekr> np.
21:22:22 <ekr> zakim, please part
21:22:22 <Zakim> Zakim has left #webappsec
21:22:28 <ekr> rrsagent, draft minutes
21:22:28 <RRSAgent> I have made the request to generate http://www.w3.org/2013/08/27-webappsec-minutes.html ekr
21:22:32 <ekr> rrsagent, please part
21:22:54 <ekr> rrsagent, set logs world-visible
21:23:00 <ekr> rrsagent, please part
21:23:00 <RRSAgent> I see no action items