W3C

- DRAFT -

WebAppSec Teleconference, 17 DEC 2013

17 Dec 2013

Agenda

See also: IRC log

Attendees

Present
+1.415.832.aaaa, BHill, +1.503.712.aabb, NeilM, +1.781.369.aacc, +1.415.736.aadd, Wendy, [Mozilla], puhley, gmaone, terri, gopal, jww, +1.404.406.aaee, danesh
Regrets
Chair
bhill2
Scribe
Peleus Uhley

<bhill2> Scribe: Peleus Uhley

<bhill2> Scribenick: puhley

<grobinson> [Mozilla] is grobinson

<grobinson> (i'll add myself)

<grobinson> Zakim: [Mozilla] is grobinson

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0074.html

Minutes approval

<bhill2> http://www.w3.org/2013/12/03-webappsec-minutes.html

<bhill2> minutes approved, no objection to unanimous approval

Agenda bashing

News

bhill2: CORS is moving to proposed recommendation. Encourage reps to comment on the spec and indicate support.
... Hope for final recommendation status in January and February

Open actions in Tracker

<bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner

bhill2: Action 158 is complete

Sub-Resource Integrity

<freddyb> <-

<grobinson> hey freddyb :)

bhill2: sub-resource integrity is part of our new charter. Editors recruited: Devdatta, Joel(jww), and Fredrick (freddyb)

<freddyb> puhley: Frederi_k_ please :-)

<freddyb> hi grobinson

My apologies...

<freddyb> np

Hash/nonce source

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0072.html

bhill2: Good thread on the mailing lists regarding this topic

Neil: Confusion over hashes only applying to inline scripts/event handlers, nonces applying to both inline scripts and external resources

bhill2: Does whitelisting event handlers make sense? What about styles?
... (Summarizing discussion) Supporting edge cases adds complexity that may not be worth the effort when there are alternative methods for addressing the issue.
... Neil will take action to reply to the list with summary of the discussion on the phone.

<bhill2> ACTION neilm to respond to list re: consensus that applying hash/nonce to inline handlers not desired as a 1.1 feature

<trackbot> Created ACTION-159 - Respond to list re: consensus that applying hash/nonce to inline handlers not desired as a 1.1 feature [on Neil Matatall - due 2013-12-24].

Cascading style-src onto font-src

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0011.html

bhill2: Should we apply style-src as an intermediary between font-src and default-src?

<bhill2> ACTION bhill2 to reply to jonas sicking on list re: cascade of style-src to font-src

<trackbot> Created ACTION-160 - Reply to jonas sicking on list re: cascade of style-src to font-src [on Brad Hill - due 2013-12-24].

UISecurity and frame-ancestors

bhill2: Will remain at no action state since no one on the phone had a strong opinion on it

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Dec/0073.html

bhill2: Propose moving directives over into mainline of CSP 1.1

<bhill2> no objections to unanimous consent

<bhill2> ACTION bhill2 to abandon CfC on UISecurity to LCWD for now

<trackbot> Created ACTION-161 - Abandon cfc on uisecurity to lcwd for now [on Brad Hill - due 2013-12-24].

bhill2: Next call will be skipped due to New Year's Eve

<freddyb> the ??P9 might have been me

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013-12-17 22:29:10 $
