See also: IRC log
Zakim [IPcaller] is neilm
<freddyb> I am this "??P2", Zakim reports...and have yet to find out how this all works :)
<freddyb> Zakim: I am ??P2
<freddyb> gmaone: thanks :)
<bhill2> Scribe: Neil Matatall
<bhill2> Scribenick: neilm
<terri> can't tell if the call dropped or what.
<freddyb> it's completely quiet for me
<bhill2> today's agenda
<bhill2> http://www.w3.org/2013/12/17-webappsec-minutes.html < - real minutes link
bhill2: not going to close voting today, perhaps 8 or 9 PST
<freddyb> I considered this a representative week, fwiw
bhill2: Monday 8:30 PST and
Friday ??? likely candidates
... who is security lover? Speak up :)
<klee> 8:30 pm or am?
klee: AM PST
<klee> I'd be down with that
mkwst: 1. removed most of script
interface, needs to be reworked
... suggested push out to 1.2 (policy violation event still exists)
... 2. meta element changes converting todos
... 3: Workers no longer inherit policy automatically, rather when generated from origins w/ unique urls.
... 4: new child-src directive, default context source list, used for frame/worker/popup-src directives
... and child-src inherits from default-src
... nothing governs window.open
<freddyb> in general, if you're not talking: please mute. the feedback is indeed annoying
<terri> I'm having trouble hearing much of anything because of it.
<freddyb> on a sidenote, when it comes to directives: was it discussed in this WG whether it makes sense to put html imports into script-src?
<bhill2> freddy: yes, that was the conclusion we came to
dveditz: potential issues around workers [noise]
<freddyb> bhill2: thanks. I'll read up first then
dveditz: no need for child-src && worker-src, or just have separate frame/worker-src
???: complexity is a leading blocker for adoption
<dveditz> who is speaking? apf?
<bhill2> was that terri oda speaking?
<terri> yes, I'm the former academic on the call
<mkwst> bah. dialing back in.
bhill2: Ian's ideas around CSSOM
appear to have no objections and decent support
... frame-ancestors in 1.1 (not frame-options)
bhill2: requiring eval for cssom might break things
mkwst: if we feel it's an issue,
we need to base decisions on data
... adding eval to style-src
bhill2: does this impact chrome extensions and the like?
<dveditz> FIrefox OS privileged apps have a default CSP of "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
<dveditz> but we could easily add "unsafe-eval' to the style-src if we make this change
<freddyb> certified apps (internal things like dialer, sms, ..) don't have 'unsafe-inline' for styles yet
<freddyb> privileged do
1) pros: ensure unauth'd code alerts, cons: might slow things down, might break things
terri: intro needs to be clarified to distinguish from what CSP does
2) "cdn integrity" pros: no brainer, cons:
3) "integrity for downloads" cons: result of navigation before direct download might cause issues in a new context
bhill2: is this meaningful? copy/pasting urls is a workaround as well
4) "Ensure UI elements aren't manipulated before being displayed"
interaction with about:// could be controlled
mkwst: chrome new tab page is another example
freddyb: some of these pages are privileged as well
mkwst: 1, 2, 4, 5 can probably be consolidated
<bhill2> next call will probably be Friday, Jan 31
This is scribe.perl Revision: 1.138 of Date: 2013-04-25 13:59:11 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 0.99) Found Scribe: Neil Matatall Found ScribeNick: neilm Default Present: BHill, neilm, gopal, +1.503.712.aaaa, dveditz, gmaone, mkwst, freddyb, Wendy, terri, +1.415.832.aabb, [Mozilla], +49.162.102.aacc Present: BHill neilm gopal +1.503.712.aaaa dveditz gmaone mkwst freddyb Wendy terri +1.415.832.aabb [Mozilla] +49.162.102.aacc Regrets: ekr Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jan/0068.html Got date from IRC log name: 14 Jan 2014 Guessing minutes URL: http://www.w3.org/2014/01/14-webappsec-minutes.html People with action items:[End of scribe.perl diagnostic output]