21:59:08 RRSAgent has joined #webappsec
21:59:08 logging to http://www.w3.org/2013/12/03-webappsec-irc
21:59:56 Meeting: WebAppSec WG teleconference, 3 Dec 2013
22:00:01 Chairs: ekr, bhill2
22:00:05 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0003.html
22:00:23 neilm has joined #webappsec
22:01:27 ekr has joined #webappsec
22:01:32 zakim, who is here?
22:01:32 sorry, ekr, I don't know what conference this is
22:01:32 Garrett and Eric from Mozilla are here
22:01:33 On IRC I see ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:01:39 ekr is at Mozilla
22:01:44 zakim, ekr is at Mozilla
22:01:44 I don't understand 'ekr is at Mozilla', ekr
22:01:45 zakim, this is 92794
22:01:45 ok, bhill21; that matches SEC_WASWG()5:00PM
22:01:50 -??P4
22:01:51 zakim, who is here?
22:01:51 On the phone I see +1.866.294.aaaa, +1.781.369.aabb, +1.408.320.aacc, [Mozilla], BHill, +1.714.795.aadd
22:01:54 On IRC I see ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:01:57 zakim, Mozilla has ekr
22:01:57 +ekr; got it
22:02:04 zakim, Mozilla has grobinson
22:02:04 +grobinson; got it
22:02:04 zakim, Mozilla has grobinson|laptop
22:02:05 +grobinson|laptop; got it
22:02:10 +??P4
22:02:20 +abarth
22:02:28 Zakim, ??P4 is gmaone
22:02:28 +gmaone; got it
22:02:42 - +1.714.795.aadd
22:02:46 abarth has joined #webappsec
22:02:54 zakim, who is here?
22:02:54 On the phone I see +1.866.294.aaaa, +1.781.369.aabb, +1.408.320.aacc, [Mozilla], BHill, gmaone, abarth
22:02:56 [Mozilla] has grobinson|laptop
22:02:56 On IRC I see abarth, ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:03:19 + +1.714.795.aaee
22:03:24 zakim, neilm has aaee
22:03:24 sorry, neilm, I do not recognize a party named 'neilm'
22:03:39 zakim, neil has aaee
22:03:39 sorry, neilm, I do not recognize a party named 'neil'
22:03:40 puhley has joined #webappsec
22:03:44 zakim, aacc is dhuang3
22:03:45 +dhuang3; got it
22:04:04 zakim, aaee is neilm
22:04:04 +neilm; got it
22:04:26 TOPIC: minutes approval
22:04:54 http://www.w3.org/2013/11/19-webappsec-minutes.html
22:04:58 (corrected from agenda)
22:05:52 no objections to unanimous approval of minutes
22:07:25 CORS is approved to be published as a Proposed Rec, just waiting on a poll setup to allow AC reps to file comments
22:07:32 TOPIC: tracker
22:07:38 https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
22:07:58 dveditz has joined #webappsec
22:08:30 +[IPcaller]
22:08:46 Zakim, IPcaller is dveditz
22:08:46 +dveditz; got it
22:10:21 I'll be around for the 17th
22:10:30 I will be aroundish
22:10:37 bhill: a number of open actions to resolve next meeting.. Is the 17th a good time?
22:10:43 plan on cancelling Dec 31st?
22:10:54 no objections on either
22:11:00 17th ok with me
22:11:06 Action bhill2 to cancel Dec 31st call
22:11:06 Created ACTION-157 - Cancel dec 31st call [on Brad Hill - due 2013-12-10].
22:11:28 TOPIC: Return of CSP policy for Workers, SharedWorkers (ISSUE 146)
22:11:33 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0008.html
22:12:55 ekr: .. came to consensus that we needed to update the spec..
22:13:06 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0025.html
22:13:12 dhuan3: that wasn't me talking. probably bhill2?
22:13:18 sorry
22:14:49 bhill: do we see in future that workers might not be same-origin?
22:16:42 ... workers not exactly same as iframes, maybe another directive to cover workers
22:21:39 worker-src? consider issues where workers created from data blobs, etc.. ? should summarize ideas and proposals to list
22:23:27 Zakim, who is here?
22:23:27 On the phone I see +1.866.294.aaaa, +1.781.369.aabb, dhuang3, [Mozilla], BHill, gmaone, abarth, neilm, dveditz
22:23:29 [Mozilla] has grobinson|laptop
22:23:29 On IRC I see dveditz, puhley, abarth, ekr, neilm, RRSAgent, Zakim, grobinson|laptop, bhill21, klee, gopal, dhuang3, gmaone, terri, timeless, wseltzer, trackbot
22:24:31 roughly: dveditz in favor of keeping script-src, brad and garrett in favor of a new directive but not frame-src, abarth neutral
22:27:36 dan: currently, workers don't get access to dom, cookies, but have access to localstorage, indexdb, or possibly more in future
22:28:16 brad wonders what a non-same-origin worker would look like from a security model
22:32:50 dan: according to ian, ... we should expect cross-origin workers, ... workers more like frame than script so don't like the idea of lumping into frame-src. .... compatibility issues?
22:33:19 TOPIC: CORS and 304
22:33:23 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/
22:33:34 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0029.html
22:33:53 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0030.html
22:37:33 adam: CORS is more widely used now so might not want to break things..
22:38:28 bhill: is this an apache bug? the CORS allow header should not be stripped?
22:39:05 thanks wendy
22:40:38 spec says that headers should be stripped unless used for caching.. is Access-Control-Allow-Access a header influencing caching?
22:40:50 - +1.781.369.aabb
22:40:51 s/Allow-Access/Allow-Origin
22:42:26 dveditz: likes Firefox's behavior, wants to know what Adam thinks
22:42:39 abarth: understands, but given wide use is a little scared to change the behavior
22:43:21 abarth: and debugging caching issues in the field to understand root causes is difficult
22:43:56 abarth: can do it if important, preference is to be conservative
22:44:39 let's follow up on list
22:44:58 TOPIC: b64 padding in script-hash
22:44:59 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0036.html
22:47:06 sounds like garrett's patch has no objections
22:47:41 TOPIC: CfC for UI Security LC WD
22:47:42 http://lists.w3.org/Archives/Public/public-webappsec/2013Nov/0034.html
22:49:15 adam: will merge garrett's patch
22:52:47 dveditz: we may have issues on name change with IETF WebSec
22:53:07 action bhill2 to raise frame-options vs. frame-ancestors name on IETF WebSec list
22:53:07 Created ACTION-158 - Raise frame-options vs. frame-ancestors name on ietf websec list [on Brad Hill - due 2013-12-10].
22:57:50 dan: frame-ancestors is more self-documenting, but frame-options would work... wouldn't mind either... But frame-options in UI Security is kind of confusing
23:01:16 -gmaone
23:01:17 -neilm
23:01:17 -[Mozilla]
23:01:19 -abarth
23:01:20 - +1.866.294.aaaa
23:01:20 TOPIC: Editors for sub-resource integrity
23:01:27 -dveditz
23:01:41 -dhuang3
23:02:00 I have received interest from Fredrick Braun of Mozilla, Joel Weinberger of Google and Devdatta Akhawe of UCBerkeley to serve as editors. If you have concerns, please bring them directly to ekr or myself.
23:02:03 Adjourned.
23:02:06 -BHill
23:02:07 SEC_WASWG()5:00PM has ended
23:02:07 Attendees were +1.866.294.aaaa, +1.781.369.aabb, +1.408.320.aacc, BHill, +1.714.795.aadd, ekr, grobinson, grobinson|laptop, abarth, gmaone, +1.714.795.aaee, dhuang3, neilm, dveditz
23:02:15 rrsagent, make minutes
23:02:15 I have made the request to generate http://www.w3.org/2013/12/03-webappsec-minutes.html bhill21
23:02:20 rrsagent, set logs public-visible