14:32:09 RRSAgent has joined #webappsec
14:32:09 logging to http://www.w3.org/2014/03/12-webappsec-irc
14:32:11 RRSAgent, make logs world
14:32:11 Zakim has joined #webappsec
14:32:13 Zakim, this will be WASWG
14:32:13 ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 28 minutes
14:32:14 Meeting: Web Application Security Working Group Teleconference
14:32:14 Date: 12 March 2014
14:32:34 oh right. timezones....
14:32:57 wseltzer has changed the topic to: Agenda 12 March: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html
14:33:21 -> http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html Agenda
14:45:01 glenn has joined #webappsec
14:57:31 gmaone has joined #webappsec
14:58:04 neilm has joined #webappsec
14:59:40 SEC_WASWG()11:00AM has now started
14:59:42 bhill2 has joined #webappsec
14:59:46 +mkwst
14:59:47 +??P5
14:59:49 -??P5
14:59:51 +[IPcaller]
14:59:55 bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html
15:00:06 +??P5
15:00:29 jww has joined #webappsec
15:00:30 Zakim, ??P5 is gmaone
15:00:30 +gmaone; got it
15:00:43 Zakim, IPcaller is neilm
15:00:43 +neilm; got it
15:00:47 zakim, this is 92794
15:00:47 bhill2, this was already SEC_WASWG()11:00AM
15:00:48 ok, bhill2; that matches SEC_WASWG()11:00AM
15:00:57 +BHill
15:01:07 + +1.510.761.aaaa
15:01:13 Meeting: WebAppSec Teleconference 12-Mar-2014
15:01:19 Chairs: bhill2, ekr
15:01:23 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html
15:01:33 +??P15
15:01:43 Zakim: ??P15 is freddyb
15:01:47 +[GVoice]
15:01:59 -[GVoice]
15:02:23 +[GVoice]
15:02:36 jww is the 510 #
15:02:56 Zakim, ??P15 is freddyb
15:02:56 +freddyb; got it
15:03:04 zakim, [GVoice] has grobinson
15:03:04 +grobinson; got it
15:03:19 thanks gmaone :)
15:03:35 grobinson has joined #webappsec
15:03:52 Are these "scribe instructions" up to date? http://www.w3.org/2008/04/scribe.html
15:04:13 yes, pretty much
15:04:30 I usually handle the start/end bits
15:04:36 we just need transcription during the call
15:04:49 zakim, who is making noise
15:04:49 I don't understand 'who is making noise', bhill2
15:04:55 + +1.720.897.aabb
15:04:56 zakim, who is making noise?
15:05:00 +ekr
15:05:03 terri has joined #webappsec
15:05:07 bhill2, listening for 10 seconds I heard sound from the following: neilm (18%), [GVoice] (94%), +1.720.897.aabb (4%)
15:05:11 zakim, aabb is me
15:05:11 +glenn; got it
15:05:15 +terri
15:05:16 ekr has joined #webappsec
15:06:01 zakim, who is here?
15:06:01 On the phone I see mkwst, neilm, gmaone, BHill, +1.510.761.aaaa, freddyb, [GVoice], glenn, ekr, terri
15:06:03 [GVoice] has grobinson
15:06:03 On IRC I see ekr, terri, grobinson, jww, bhill2, neilm, gmaone, glenn, Zakim, RRSAgent, freddyb, mkwst, timeless, tobie__, wseltzer, trackbot
15:06:29 agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0024.html
15:06:45 TOPIC: Minutes Approval
15:06:47 http://www.w3.org/2011/webappsec/draft-minutes/2014-02-26-webappsec-minutes.html
15:07:01 zaim, +1.510.761.aaaa is jww
15:07:09 zakim, +1.510.761.aaaa is jww
15:07:10 +jww; got it
15:07:30 RESOLVED: Minutes approved
15:07:39 TOPIC: Agenda Bashing
15:08:11 TOPIC: [integrity] What should we hash?
15:08:16 http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0023.html
15:09:25 + +1.831.246.aacc
15:10:43 freddyb: hoping this is well-defined elsewhere; mark nottingham or boris zbarsky might have a solution
15:11:09 abarth: need a good way to specify the body of the entity (wording)
15:11:25 grobinson: that's me, not abarth. :)
15:11:30 sorry!
15:11:32 s/abarth/mkwst
15:11:35 no worries!
15:11:48 mkwst: let's let this play out on the list
15:11:51 zakim, aacc is dveditz
15:11:51 +dveditz; got it
15:12:02 TOPIC: Call for Consensus: Subresource Integrity to FPWD.
15:12:07 http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0021.html
15:13:12 mkwst: objections to FPWD?
15:13:52 ACTION: bhill2 to open SRI issues in tracker from spec text
15:13:52 Created ACTION-165 - Open sri issues in tracker from spec text [on Brad Hill - due 2014-03-19].
15:14:44 dveditz: general concern, this could be used for tracking
15:15:00 dveditz: may want to note it so it's there when someone else brings it up
15:15:13 mkwst: we should add "privacy considerations"
15:15:25 ACTION: mkwst to add an explicit "Privacy Considerations" section to SRI
15:15:25 Error finding 'mkwst'. You can review and register nicknames at .
15:15:38 mwest2, i think
15:15:53 gopal has joined #webappsec
15:15:53 ACTION mwest2 to add an explicit "Privacy Considerations" section to SRI
15:15:53 Created ACTION-166 - to add an explicit "privacy considerations" section to sri [on Mike West - due 2014-03-19].
15:17:43 bhill2: motion to approve?
15:17:48 dveditz moves to approve, ekr seconds
15:18:09 no objections; resolve to publish FPWD
15:18:17 RESOLVED: WG to publish Subresource Integrity as FPWD
15:18:24 TOPIC: Meta tag verification
15:18:31 http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0008.html
15:19:35 + +1.781.262.aadd
15:20:06 Thread digressed into question: can adding CSP policies weaken, or only strengthen?
15:21:57 jww: clarify proposed meta-hash directive is optional
15:23:24 bhill2: heuristic is to see if 2 people speak up in support of a proposal
15:24:38 dveditz: not totally in favor, but interested. currently wants policy where meta policy is ignored if there is a header policy
15:24:52 gopal has joined #webappsec
15:24:54 dveditz: proposes similar idea using a nonce from the header
15:25:26 dveditz: prefer to see this discussed in 1.2
15:25:34 jww: concurs
15:25:44 TOPIC: Removal of the note about extensions
15:26:28 bhill2: asks mkwst if the spec is updated to match agreement from last call
15:26:34 mkwst: it is
15:26:38 concur
15:27:16 TOPIC: Remove paths from CSP?
15:27:21 Language in the spec is "Note that user agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.", FYI.
15:27:30 no objections to current language re: extensions
15:27:43 bhill2: we can keep discussing this in last call if necessary
15:27:45 http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0006.html
15:27:56 (I have to leave early today)
15:29:51 mkwst: sums up current state. says he is behind on drafting language for the spec
15:30:35 -ekr
15:30:51 - +1.781.262.aadd
15:30:59 -neilm
15:31:02 -mkwst
15:31:04 -jww
15:31:07 zakim, list attendees
15:31:07 As of this point the attendees have been mkwst, gmaone, neilm, BHill, freddyb, grobinson, +1.720.897.aabb, ekr, glenn, terri, jww, +1.831.246.aacc, dveditz, +1.781.262.aadd
15:31:10 -dveditz
15:31:11 -terri
15:31:14 rrsagent, make minutes
15:31:14 I have made the request to generate http://www.w3.org/2014/03/12-webappsec-minutes.html bhill2
15:31:18 -gmaone
15:31:22 rrsagent, set logs public-visible
15:31:29 -BHill
15:31:53 -glenn
15:36:49 -[GVoice]
15:40:35 bhill2 has left #webappsec
16:05:01 disconnecting the lone participant, freddyb, in SEC_WASWG()11:00AM
16:05:03 SEC_WASWG()11:00AM has ended
16:05:03 Attendees were mkwst, gmaone, neilm, BHill, freddyb, grobinson, +1.720.897.aabb, ekr, glenn, terri, jww, +1.831.246.aacc, dveditz, +1.781.262.aadd
17:32:37 ekr has joined #webappsec
17:44:27 Zakim has left #webappsec
18:27:12 terri has joined #webappsec
18:42:46 anssik has joined #webappsec
18:47:04 ekr has joined #webappsec
19:03:47 ekr has joined #webappsec
19:31:50 ekr has joined #webappsec
19:59:41 glenn has joined #webappsec
20:37:32 glenn has joined #webappsec
21:35:49 terri_ has joined #webappsec
22:14:54 ekr has joined #webappsec