IRC log of webappsec on 2013-12-03

Timestamps are in UTC.

21:59:08 [RRSAgent]
RRSAgent has joined #webappsec
21:59:08 [RRSAgent]
logging to http://www.w3.org/2013/12/03-webappsec-irc
21:59:56 [bhill21]
Meeting: WebAppSec WG teleconference, 3 Dec 2013
22:00:01 [bhill21]
Chairs: ekr, bhill2
22:00:05 [bhill21]
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0003.html
22:00:23 [neilm]
neilm has joined #webappsec
22:01:27 [ekr]
ekr has joined #webappsec
22:01:32 [ekr]
zakim, who is here?
22:01:32 [Zakim]
sorry, ekr, I don't know what conference this is
22:01:32 [grobinson|laptop]
Garrett and Eric from Mozilla are here
22:01:33 [Zakim]
On IRC I see ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:01:39 [ekr]
ekr is at Mozilla
22:01:44 [ekr]
zakim, ekr is at Mozilla
22:01:44 [Zakim]
I don't understand 'ekr is at Mozilla', ekr
22:01:45 [bhill21]
zakim, this is 92794
22:01:45 [Zakim]
ok, bhill21; that matches SEC_WASWG()5:00PM
22:01:50 [Zakim]
-??P4
22:01:51 [bhill21]
zakim, who is here?
22:01:51 [Zakim]
On the phone I see +1.866.294.aaaa, +1.781.369.aabb, +1.408.320.aacc, [Mozilla], BHill, +1.714.795.aadd
22:01:54 [Zakim]
On IRC I see ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:01:57 [ekr]
zakim, Mozilla has ekr
22:01:57 [Zakim]
+ekr; got it
22:02:04 [ekr]
zakim, Mozilla has grobinson
22:02:04 [Zakim]
+grobinson; got it
22:02:04 [grobinson|laptop]
zakim, Mozilla has grobinson|laptop
22:02:05 [Zakim]
+grobinson|laptop; got it
22:02:10 [Zakim]
+??P4
22:02:20 [Zakim]
+abarth
22:02:28 [gmaone]
Zakim, ??P4 is gmaone
22:02:28 [Zakim]
+gmaone; got it
22:02:42 [Zakim]
- +1.714.795.aadd
22:02:46 [abarth]
abarth has joined #webappsec
22:02:54 [bhill21]
zakim, who is here?
22:02:54 [Zakim]
On the phone I see +1.866.294.aaaa, +1.781.369.aabb, +1.408.320.aacc, [Mozilla], BHill, gmaone, abarth
22:02:56 [Zakim]
[Mozilla] has grobinson|laptop
22:02:56 [Zakim]
On IRC I see abarth, ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:03:19 [Zakim]
+ +1.714.795.aaee
22:03:24 [neilm]
zakim, neilm has aaee
22:03:24 [Zakim]
sorry, neilm, I do not recognize a party named 'neilm'
22:03:39 [neilm]
zakim, neil has aaee
22:03:39 [Zakim]
sorry, neilm, I do not recognize a party named 'neil'
22:03:40 [puhley]
puhley has joined #webappsec
22:03:44 [dhuang3]
zakim, aacc is dhuang3
22:03:45 [Zakim]
+dhuang3; got it
22:04:04 [neilm]
zakim, aaee is neilm
22:04:04 [Zakim]
+neilm; got it
22:04:26 [bhill21]
TOPIC: minutes approval
22:04:54 [bhill21]
http://www.w3.org/2013/11/19-webappsec-minutes.html
22:04:58 [bhill21]
(corrected from agenda)
22:05:52 [bhill21]
no objections to unanimous approval of minutes
22:07:25 [bhill21]
CORS is approved to be published as a Proposed Rec, just waiting a poll setup to allow AC reps to file comments
22:07:32 [bhill21]
TOPIC: tracker
22:07:38 [bhill21]
https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:07:58 [dveditz]
dveditz has joined #webappsec
22:08:30 [Zakim]
+[IPcaller]
22:08:46 [dveditz]
Zakim, IPcaller is dveditz
22:08:46 [Zakim]
+dveditz; got it
22:10:21 [grobinson|laptop]
i'll be around for the 17th
22:10:30 [ekr]
I will be aroundish
22:10:37 [dhuang3]
bhill: a number open actions to resolve next meeting.. Is 17th good time?
22:10:43 [bhill21]
plan on cancelling Dec 31st?
22:10:54 [neilm]
no objections on either
22:11:00 [gopal]
17th ok with me
22:11:06 [bhill21]
Action bhill2 to cancel Dec 31st call
22:11:06 [trackbot]
Created ACTION-157 - Cancel dec 31st call [on Brad Hill - due 2013-12-10].
22:11:28 [bhill21]
TOPIC: Return of CSP policy for Workers, SharedWorkers (ISSUE 146)
22:11:33 [bhill21]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0008.html
22:12:55 [dhuang3]
ekr: .. came to consensus that we needed to update the spec..
22:13:06 [bhill21]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0025.html
22:13:12 [ekr]
dhuan3: that wasn't me talking. probably bhill2?
22:13:18 [dhuang3]
sorry
22:14:49 [dhuang3]
bhill: do we see in future that workers might not be same-origin?
22:16:42 [dhuang3]
... workers not exactly same as iframes, maybe another directive to cover workers
22:21:39 [dhuang3]
worker-src? consider issues where workers created from data blobs, etc.. ? should summarize ideas and proposals to list
22:23:27 [dveditz]
Zakim, who is here?
22:23:27 [Zakim]
On the phone I see +1.866.294.aaaa, +1.781.369.aabb, dhuang3, [Mozilla], BHill, gmaone, abarth, neilm, dveditz
22:23:29 [Zakim]
[Mozilla] has grobinson|laptop
22:23:29 [Zakim]
On IRC I see dveditz, puhley, abarth, ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:24:31 [bhill21]
roughly: dveditz in favor of keeping script-src, brad and garrett in favor of a new directive but not frame-src, abarth neutral
22:27:36 [dhuang3]
dan: currently, workers don't get access to dom, cookies, but have access to localstorage, indexdb, or possibly more in future
22:28:16 [bhill21]
brad wonders what a non-same origin worker would look like from a security model
22:32:50 [dhuang3]
dan: according to ian, ... we should expect cross-origin workers, ... workers more like frame than script so don't like the idea of lumping into frame-src. .... compatibility issues?
22:33:19 [bhill21]
TOPIC: CORS and 304
22:33:23 [bhill21]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/
22:33:34 [bhill21]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0029.html
22:33:53 [ekr]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0030.html
22:37:33 [dhuang3]
adam: CORS is more widely used now so might not want to break things..
22:38:28 [dhuang3]
bhill: is this apache bug? the CORS allow header should not be stripped?
22:39:05 [bhill21]
thanks wendy
22:40:38 [bhill21]
spec says that headers should be stripped unless used for caching.. is Access-Control-Allow-Access a header influencing caching?
22:40:50 [Zakim]
- +1.781.369.aabb
22:40:51 [bhill21]
s/Allow-Access/Allow-Origin
22:42:26 [bhill21]
dveditz: likes Firefox's behavior, wants to know what Adam thinks
22:42:39 [bhill21]
abarth: understands, but given wide use is a little scared to change the behavior
22:43:21 [bhill21]
abarth: and debugging caching issues in the field to understand root causes is difficult
22:43:56 [bhill21]
abarth: can do it if important, preference is to be conservative
22:44:39 [bhill21]
let's follow up on list
22:44:58 [bhill21]
TOPIC: b64 padding in script-hash
22:44:59 [bhill21]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0036.html
22:47:06 [bhill21]
sounds like garrett's patch has no objections
22:47:41 [bhill21]
TOPIC: CfC for UI Security LC WD
22:47:42 [bhill21]
http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0034.html
22:49:15 [dhuang3]
adam: will merge garrett's patch
22:52:47 [bhill21]
dveditz: we may have issues on name change with IETF WebSec
22:53:07 [bhill21]
action bhill2 to raise frame-options vs. frame-ancestors name on IETF WebSec list
22:53:07 [trackbot]
Created ACTION-158 - Raise frame-options vs. frame-ancestors name on ietf websec list [on Brad Hill - due 2013-12-10].
22:57:50 [dhuang3]
dan: frame-ancestors is more self-documenting, but frame-options would work... wouldn't mind either... But frame-options in UI Security is kind of confusing
23:01:16 [Zakim]
-gmaone
23:01:17 [Zakim]
-neilm
23:01:17 [Zakim]
-[Mozilla]
23:01:19 [Zakim]
-abarth
23:01:20 [Zakim]
- +1.866.294.aaaa
23:01:20 [bhill21]
TOPIC: Editors for sub-resource integrity
23:01:27 [Zakim]
-dveditz
23:01:41 [Zakim]
-dhuang3
23:02:00 [bhill21]
I have received interest from Fredrick Braun of Mozilla, Joel Weinberger of Google and Devdatta Akhawe of UCBerkeley to serve as editors. If you have concerns, please bring them directly to ekr or myself.
23:02:03 [bhill21]
Adjourned.
23:02:06 [Zakim]
-BHill
23:02:07 [Zakim]
SEC_WASWG()5:00PM has ended
23:02:07 [Zakim]
Attendees were +1.866.294.aaaa, +1.781.369.aabb, +1.408.320.aacc, BHill, +1.714.795.aadd, ekr, grobinson, grobinson|laptop, abarth, gmaone, +1.714.795.aaee, dhuang3, neilm, dveditz
23:02:15 [bhill21]
rrsagent, make minutes
23:02:15 [RRSAgent]
I have made the request to generate http://www.w3.org/2013/12/03-webappsec-minutes.html bhill21
23:02:20 [bhill21]
rrsagent, set logs public-visible