20:58:01 <RRSAgent> RRSAgent has joined #webappsec
20:58:01 <RRSAgent> logging to http://www.w3.org/2013/10/08-webappsec-irc
20:58:07 <bhill2> zakim, this will be 92794
20:58:07 <Zakim> ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 2 minutes
20:58:36 <Zakim> SEC_WASWG()5:00PM has now started
20:58:44 <Zakim> + +49.898.393.0.aaaa
20:59:30 <neilm> neilm has joined #webappsec
20:59:48 <Zakim> + +1.303.229.aabb
20:59:57 <tanvi> tanvi has joined #webappsec
21:00:00 <Zakim> + +1.650.678.aacc
21:00:00 <bhill2> zakim, aabb is bhill2
21:00:01 <Zakim> +bhill2; got it
21:00:25 <bhill2> Meeting: WebAppSec WG Teleconference 8-Oct-2013
21:00:26 <Zakim> +glenn
21:00:31 <bhill2> Chairs: bhill2, ekr
21:00:32 <ekr> ekr has joined #webappsec
21:00:57 <Zakim> + +1.714.488.aadd
21:00:59 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0046.html
21:01:06 <bhill2> zakim, who is here?
21:01:06 <Zakim> On the phone I see +49.898.393.0.aaaa, bhill2, +1.650.678.aacc, glenn, +1.714.488.aadd
21:01:08 <Zakim> On IRC I see ekr, tanvi, neilm, RRSAgent, Zakim, bhill2, glenn, timeless, bhill, wseltzer, trackbot
21:01:14 <neilm> Zakim: aadd is neilm
21:01:27 <neilm> zakim, aadd is neilm
21:01:27 <Zakim> +neilm; got it
21:01:31 <ekr> zakim, aacc is ekr
21:01:31 <Zakim> +ekr; got it
21:01:34 <ccarson> ccarson has joined #webappsec
21:01:41 <mkwst_> mkwst_ has joined #webappsec
21:01:58 <Zakim> + +1.206.304.aaee
21:02:09 <ccarson> Zakim, aaee is ccarson
21:02:09 <Zakim> +ccarson; got it
21:03:28 <dveditz> dveditz has joined #webappsec
21:03:49 <mkwst_> I think I was the first one in, but I wasn't in IRC yet.
21:03:58 <Zakim> +[Mozilla]
21:03:59 <Zakim> -ccarson
21:04:03 <bhill2> zakim, who is here?
21:04:03 <Zakim> On the phone I see +49.898.393.0.aaaa, bhill2, ekr, glenn, neilm, [Mozilla]
21:04:05 <Zakim> On IRC I see dveditz, mkwst, ccarson, ekr, tanvi, neilm, RRSAgent, Zakim, bhill2, glenn, timeless, bhill, wseltzer, trackbot
21:04:14 <mkwst> Zakim, aaaa is mkwst
21:04:15 <Zakim> +mkwst; got it
21:04:16 <tanvi> ekr - are you in a roomin MV?
21:04:23 <ekr> tanvi: no, I am in my office in Palo Alto
21:04:29 <Zakim> +ccarson
21:04:35 <bhill2> zakim, aaaa is mkwst
21:04:36 <Zakim> sorry, bhill2, I do not recognize a party named 'aaaa'
21:04:47 <bhill2> zakim, [Mozilla] has garrett
21:04:48 <Zakim> +garrett; got it
21:04:48 <mkwst> bhill2: already took care of it. :)
21:05:05 <Zakim> + +1.310.597.aaff
21:05:15 <tanvi> Zakim, aaff is tanvi
21:05:15 <Zakim> +tanvi; got it
21:05:37 <Zakim> +[IPcaller]
21:05:47 <dveditz> Zakim, IPcaller is dveditz
21:05:47 <Zakim> +dveditz; got it
21:06:15 <grobinson|laptop> grobinson|laptop has joined #webappsec
21:06:42 <ekr> OK, then.
21:06:56 <bhill2> scribenick: ekr
21:06:57 <ekr> scribe is ekr
21:07:14 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Oct/0046.html
21:07:22 <bhill2> zakim, who is here?
21:07:22 <Zakim> On the phone I see mkwst, bhill2, ekr, glenn, neilm, [Mozilla], ccarson, tanvi, dveditz
21:07:24 <Zakim> [Mozilla] has garrett
21:07:24 <Zakim> On IRC I see grobinson|laptop, dveditz, mkwst, ccarson, ekr, tanvi, neilm, RRSAgent, Zakim, bhill2, glenn, timeless, bhill, wseltzer, trackbot
21:07:46 <bhill2> TOPIC: Minutes from previous meeting
21:07:48 <bhill2> http://www.w3.org/2013/09/10-webappsec-minutes.html
21:08:13 <ekr> unanimous consent to approve minutes
21:09:17 <bhill2> TOPIC: Tracker actions
21:09:23 <bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
21:09:50 <ekr> bhill2: issues assigned to Adam
21:10:26 <bhill2> trackbot close ACTION-150
21:10:26 <trackbot> Closed ACTION-150.
21:11:56 <ekr> https://www.w3.org/2011/webappsec/track/actions/146
21:12:14 <ekr> dveditz: seems to be consensus on this
21:12:30 <ekr> bhill2: also an issue for blob URIs
21:12:44 <ekr> dveditz: cannot have a header-based policy if the info comes from non-HTTP
21:13:02 <ekr> … we don't have a syntax for a meta policy
21:13:42 <ekr> … workers don't have access to the DOM
21:14:05 <ekr> … no reason we can't make the API accessible to workers global object
21:14:59 <ekr> bhill2: this brings us to the next issue. I had proposed on the list that filesystem/blob/etc. would be matched only by self.
21:15:07 <ekr> https://www.w3.org/2011/webappsec/track/actions/149
21:17:45 <ekr> dveditz: feedback from Google?
21:17:58 <ekr> mwest: I think there are reasons to make the change. put together some text
21:18:30 <ekr> https://www.w3.org/2011/webappsec/track/actions/130
21:19:06 <bhill2> TOPIC: CSP and user script + extensions
21:19:44 <ekr> glenn: review by cablelabs and a number of commercial TV operators
21:19:53 <ekr> … cox, comcast, etc.
21:20:00 <ekr> … web and tv interest group
21:20:33 <ekr> … for certain services and TV we have a regulatory requirement for best effort emergency notification
21:20:45 <ekr> … CSP could help prevent attacks that prevent delivery of messages
21:21:25 <ekr> … there is an open-ended clause that doesn't specify how add-ons/extensions behave
21:21:37 <ekr> … would be good if we could treat this issue more in depth
21:21:50 <ekr> … little support for making any behavioral change in the spec at this time.
21:22:11 <ekr> … I continue to feel that the current behavior doesn't do an adequate job of describing the overall issues around this area.
21:22:21 <ekr> … remove that text
21:22:38 <ekr> … perhaps in another document?
21:22:47 <Zakim> +Wendy
21:22:55 <ekr> … I withdraw a request for adding new directives/extensions
21:23:04 <ekr> … request that the specific recommendation in the text be removed
21:23:53 <ekr> bhill2: poll doesn't show a lot of support for making any changes
21:23:59 <ekr> … does anyone want ot weigh in now?
21:24:13 <ekr> glenn: I don't believe I am asking for a change in behavior.
21:24:32 <ekr> … it's implementation dependent
21:24:39 <ekr> bhill2: all the implementations behave the way you would like them to.
21:25:00 <ekr> … but there was consensus that it should behave the way the spec says, but implementors have been having trouble followin the spec recommendation
21:25:17 <ekr> … asks dveditz what mozilla's plans were
21:26:23 <ekr> dveditz: looking at an API for add-ons to alter the policy but not letting the add-ons blindly changing pages regardless of policy.
21:26:37 <ekr> … add-ons should be able to modify the page if they want to, but they shouldn't do so accidentally
21:27:39 <ekr> bhill2: chromium and firefox are rather different
21:28:04 <ekr> … should there be a recommendation with a normative should?
21:28:51 <ekr> mkwst: code executed from a content script, we do our best to let it do the things it wants to do.
21:29:13 <ekr> … we have most of the problems fixed, but some we don't know how, e.g., bookmarklets
21:29:30 <ekr> dveditz: same for firefox
21:29:44 <ekr> mkwst: all extensions in chrome are subject to relatively strict CSP policy
21:30:07 <ekr> … evaluating the next version of manifest.
21:30:31 <mkwst> http://crbug.com/181602
21:30:56 <ekr> dveditz: does the extension CSP apply to the document or to the extension context
21:31:04 <ekr> mkwst: applies to the all extension pages
21:33:06 <glenn> q+
21:33:31 <bhill2> ack glenn
21:33:49 <ekr> glenn: one of the objections to the line of thinking I was propposing was priority of constituencies
21:34:05 <ekr> … having the user install an add-on is an explicit permission to execute it
21:34:16 <ekr> … the policy we would like to see is that the user might have more than one intent
21:34:40 <ekr> … e.g., user may feel it is appropriate to use those extensions but may have given permission to a content service provider to disable those extensions
21:35:05 <ekr> … having a static policy that doesn't enable this is clearly damaging
21:35:28 <ekr> …maybe having error reporting disabled would be more appropriate
21:36:11 <ekr> mkwst: I don't have an objection to removing the line in the spec that says do your best to avoid messing with extensions and since browser vendors have decided that extensions can do what they want
21:36:52 <ekr> ekr: maybe replace with a sentence that's descriptive rather than normative
21:37:29 <ekr> "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets." is the relevant text?
21:38:50 <ekr> Proposed text: "Generally, CSP policies will not not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets, though the precise details by which such scripts are allowed to override CSP policies may vary between browsers."
21:39:37 <ekr> mkwst: if we don't let extensions override policies, then they will just remove them
21:40:02 <ekr> garrett: I think we should make this clear
21:40:08 <ekr> dvedits: that's why we have the text we have
21:40:23 <ekr> s/dvedits/dveditz/
21:41:26 <ekr> glenn: is there any thought of removing the extensions ability to modify headers so that, for instance, they can't modify CSP headers.
21:41:38 <ekr> mkwst ??? : anything is possible
21:41:45 <ekr> glenn: maybe we should have more restrictions
21:41:56 <ekr> bhill2: one thing people do is use extensions to *add* CSP headers
21:43:23 <ekr> mkwst and glenn to own providing some text to the list
21:43:46 <ekr> ACTION: mkwst to provide text to list about interaction btwn extensions and CSP is
21:43:46 <trackbot> Error finding 'mkwst'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
21:43:56 <mkwst> mwest2 <--
21:44:09 <ekr> ACTION: mwest2  to provide text to list about interaction btwn extensions and CSP is
21:44:09 <trackbot> Created ACTION-151 -  to provide text to list about interaction btwn extensions and csp is [on Mike West - due 2013-10-15].
21:44:14 <bhill2> TOPIC: DOM API for CSP 1.1
21:44:46 <ekr> mkwst: DOM API is currently read-only
21:44:58 <ekr> … topic is whether we should make it read/write
21:46:05 <ekr> … alex's proposal involves taking the internal API, cleaning it up, and letting the web page construct policies and apply them to the page
21:47:17 <ekr> bhill2: what are your feelings in terms of timelines
21:47:46 <ekr> mkwst: would like to see it included. not sure it's realistic. give me until the next call to see if I can deliver something
21:48:56 <bhill2> TOPIC: Poll on closing CSP 1.1 feature set
21:49:35 <ekr> bhill2: sticking to our charter to deliver finished products on a reasonable time frame
21:50:20 <ekr> … like CSP to be a living standard
21:50:34 <ekr> … have received poll requests from a bunch of people
21:50:34 <glenn> s/removing the extensions ability/restricting the extension's ability/
21:51:29 <ekr> glenn: thanks for the correction
21:51:37 <ekr> bhill2: universal assent to close the feature set
21:52:07 <ekr> … only question with a real lack of consensus was the second question.
21:53:21 <ekr> … this poll was only about 1.1 not about forever
21:53:41 <ekr> … declaring feature set closed
21:54:44 <ekr> … please think about question 2. Would like to come to consensus on the next call
21:54:58 <ekr> glenn: are you suggesting that the CSS object model be a normative dependency of CSP
21:55:18 <ekr> bhill2: ian's proposal was to restrict inline script
21:55:25 <ekr> … ande eval
21:56:23 <ekr> dveditz: we do block inline style
21:57:18 <ekr> … for consistency unsafe-eval should apply to attempts to modify the style
21:57:31 <ekr> glenn: my question was about normative references
21:57:52 <Zakim> -neilm
21:58:14 <ekr> bhill2: something to think about
21:59:55 <ekr> … the question is if this is ready for csp 1.1
22:00:39 <Zakim> -ccarson
22:00:43 <Zakim> -dveditz
22:00:45 <Zakim> -glenn
22:00:46 <Zakim> -Wendy
22:00:50 <Zakim> -tanvi
22:00:55 <Zakim> -ekr
22:01:04 <ekr> rrsagent, draft minutes
22:01:04 <RRSAgent> I have made the request to generate http://www.w3.org/2013/10/08-webappsec-minutes.html ekr
22:01:10 <bhill2> rrsagent, set logs public-visible
22:01:11 <Zakim> -[Mozilla]
22:01:14 <ekr> zakim, please part
22:01:14 <Zakim> leaving.  As of this point the attendees were +49.898.393.0.aaaa, +1.303.229.aabb, +1.650.678.aacc, bhill2, glenn, +1.714.488.aadd, neilm, ekr, +1.206.304.aaee, ccarson, mkwst,
22:01:14 <Zakim> Zakim has left #webappsec
22:01:17 <Zakim> ... garrett, +1.310.597.aaff, tanvi, dveditz, Wendy
22:01:21 <wseltzer> RRSAgent, make logs public
22:01:26 <ekr> wseltzer: thanks
22:01:41 <wseltzer> thanks, ekr
22:12:14 <tanvi> tanvi has left #webappsec
22:36:25 <glenn> glenn has joined #webappsec
23:01:34 <bhill2> bhill2 has left #webappsec
23:16:26 <neilm_> neilm_ has joined #webappsec