14:38:45 <RRSAgent> RRSAgent has joined #webappsec
14:38:45 <RRSAgent> logging to http://www.w3.org/2014/04/23-webappsec-irc
14:38:47 <trackbot> RRSAgent, make logs world
14:38:47 <Zakim> Zakim has joined #webappsec
14:38:49 <trackbot> Zakim, this will be WASWG
14:38:49 <Zakim> ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 22 minutes
14:38:50 <trackbot> Meeting: Web Application Security Working Group Teleconference
14:38:50 <trackbot> Date: 23 April 2014
14:55:13 <glenn> glenn has joined #webappsec
14:59:59 <terri> terri has joined #webappsec
15:01:00 <grobinson> grobinson has joined #webappsec
15:01:22 <Zakim> SEC_WASWG()11:00AM has now started
15:01:29 <Zakim> + +1.866.294.aaaa
15:01:48 <klee> klee has joined #webappsec
15:02:00 <Zakim> + +49.162.102.aabb
15:02:05 <bhill2> bhill2 has joined #webappsec
15:02:05 <gmaone> gmaone has joined #webappsec
15:02:21 <bhill2> bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0024.html
15:02:30 <Zakim> +glenn
15:02:39 <bhill2> Meeting: WebAppSec WG Teleconference 23-April-2014
15:02:42 <Zakim> +??P4
15:02:49 <freddyb> Zakim, I am P4
15:02:49 <Zakim> sorry, freddyb, I do not see a party named 'P4'
15:02:55 <freddyb> Zakim, I am ??P4
15:02:55 <Zakim> +freddyb; got it
15:02:56 <Zakim> + +1.503.712.aacc
15:02:59 <Zakim> +WSeltzer
15:03:06 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0024.html
15:03:07 <terri> Zakim: I am aacc
15:03:13 <terri> Zakim, I am aacc
15:03:13 <Zakim> +terri; got it
15:03:14 <Zakim> +BHill
15:03:24 <bhill2> Chairs: bhill2 ekr
15:03:29 <Zakim> +??P7
15:03:39 <gmaone> Zakim, I am ??P7
15:03:39 <Zakim> +gmaone; got it
15:03:43 <Zakim> +[GVoice]
15:04:06 <mkwst_> Zakim, I am aabb
15:04:06 <Zakim> +mkwst_; got it
15:04:18 <tanvi> tanvi has joined #webappsec
15:04:24 <bhill2> zakim, who is here?
15:04:24 <Zakim> On the phone I see +1.866.294.aaaa, mkwst_, glenn, freddyb, terri, WSeltzer, BHill, gmaone, [GVoice]
15:04:26 <Zakim> On IRC I see tanvi, gmaone, bhill2, klee, grobinson, terri, glenn, Zakim, RRSAgent, richt, timeless_, mkwst_, trackbot, wseltzer, freddyb, tobie__
15:04:38 <Zakim> + +1.310.597.aadd
15:04:42 <bhill2> Glenn, will you be able to scribe today?
15:04:49 <richt> richt has left #webappsec
15:04:53 <tanvi> zakim, aadd is tanvi
15:04:54 <Zakim> +tanvi; got it
15:05:09 <grobinson> Zakim, I am [GVoice]
15:05:09 <Zakim> ok, grobinson, I now associate you with [GVoice]
15:05:22 <glenn> scribenick: glenn
15:05:31 <glenn> chair: bhill2
15:06:55 <glenn> bhill2: JS conf coming up in portland or, aug 1-2, testing CSP
15:07:24 <glenn> ... TTWF activity
15:07:53 <bhill2> TTWF at CascadiaJS, August 2, focusing on CSP
15:08:10 <bhill2> following Cascadia JS  CascadiaJS 2014 | Portland, OR
15:08:17 <bhill2> http://2014.cascadiajs.com/
15:08:43 <glenn> bhill2: minutes approval
15:08:50 <bhill2> Draft minutes at: http://www.w3.org/2011/webappsec/draft-minutes/2014-04-09-webappsec-minutes.html
15:09:02 <glenn> ... any objections to approve?
15:09:10 <glenn> ... none, minutes approved
15:09:15 <glenn> topic: agenda bashing
15:09:28 <Zakim> +ekr
15:09:52 <bhill2> TOPIC: Review of Open Actions in the Tracker
15:09:57 <bhill2> http://www.w3.org/2011/webappsec/track/actions/open?sort=owner
15:10:23 <glenn> ... no owners here ... should we reassign?
15:10:43 <glenn> mkwst_: sounds reasonable
15:10:51 <bhill2> Github repo for SRI: https://github.com/w3c/webappsec/issues
15:11:04 <glenn> bhill2: we have an alternate issues tracked on SRI on above repo
15:11:27 <glenn> mkwst_: important topic
15:11:51 <puhley> puhley has joined #webappsec
15:11:52 <glenn> bhill2: any thoughts?
15:12:03 <wseltzer> q+
15:12:05 <glenn> tanvi: fine with either
15:12:23 <glenn> ... didn't include in prev mtgs
15:12:31 <freddyb> s/tanvi/freddyb :-)
15:12:41 <glenn> bhill2: wrote new agenda generator
15:12:57 <glenn> ... will come up regularly from now on
15:13:08 <glenn> ... do we want to migrate action items? issues?
15:13:30 <glenn> mkwst_: can assign milestones
15:13:36 <glenn> ... can use one or the other
15:13:53 <glenn> ... github issues more likely to be seen outside WG
15:14:02 <glenn> ... OTOH W3C integrates better with zakim
15:14:21 <glenn> ... vague pref for github, but either way is ok
15:14:49 <glenn> bhill2: for now, cont fwd with both
15:14:57 <glenn> ... sync up with doc edits
15:15:17 <glenn> ... may be a little extra work
15:15:36 <glenn> wseltzer: could have a script to sync?
15:15:42 <wseltzer> s/wseltzer/tanvi/
15:15:50 <terri> that was me
15:15:59 <wseltzer> s/tanvi/terri/
15:15:59 <glenn> s/tanvi/terri/
15:16:32 <glenn> wseltzer: we don't care which tools are used, but do want to make clear IP commitments on contributions
15:16:53 <glenn> ... further vetting needed on input from outside WG
15:17:07 <Zakim> + +1.831.246.aaee
15:17:56 <glenn> ?: ietf has similar issues
15:18:21 <bhill2> ekr: suggests any substantive issue must also be raised to the list to make IPR commitments clear
15:19:16 <glenn> s/?/ekr/
15:20:29 <bhill2> zakim, aaee is dveditz
15:20:29 <Zakim> +dveditz; got it
15:20:56 <bhill2> TOPIC: [CSP] SVG-in-img implementation difference
15:21:08 <glenn> bhill2: new recent questions
15:21:12 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0044.html
15:21:38 <glenn> ... CSP rules should cascade into SVG
15:21:53 <glenn> ... e.g., img src=svg with embedded image in svg
15:22:37 <glenn> ?: diff between FF and CHROME
15:22:47 <glenn> ... svg as an image vs svg as inline
15:23:10 <glenn> ... what FF does is render SVG in own doc, sort of like an iframe
15:23:26 <glenn> ... regardless what CSP says, then incorporate results into page
15:24:26 <glenn> ?: supposes inline styles should be allowed for SVG
15:24:40 <bhill2> New draft from last week: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0043.html
15:24:40 <freddyb> 1st "?" was dveditz, 2nd was me
15:24:47 <bhill2> http://www.w3.org/TR/svg-integration/
15:24:57 <wseltzer> s/?: diff/dveditz: diff/
15:25:08 <glenn> s/?: diff/dveditz: diff/
15:25:16 <wseltzer> s/?: supposes/freddyb: supposes/
15:25:49 <glenn> bhill2: how CSP policies apply to incorporating SVG
15:26:19 <glenn> ... should arrange a call with SVG WG to discuss
15:26:54 <bhill2> ISSUE clarify SVG rules for CSP in 1.1
15:27:31 <glenn> terri: really need to treat SVG as active content
15:28:03 <bhill2> ACTION bhill2 to arrange some joint meeting time with SVG WG
15:28:03 <trackbot> Created ACTION-170 - Arrange some joint meeting time with svg wg [on Brad Hill - due 2014-04-30].
15:28:22 <bhill2> TOPIC: [Integrity] Comments/Questions on Subresource Integrity spec
15:28:30 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0022.html
15:28:59 <glenn> terri: default should be fallback mode
15:29:06 <terri> s/terri/tanvi
15:30:05 <glenn> tanvi: 2nd item was non-canonical src
15:30:19 <glenn> ... if fails should fallback be over https? brad says no
15:30:41 <glenn> ... agrees should not require... let author decide
15:31:37 <glenn> mkwst_: pushback in chrome team on doing some integrity tests
15:32:05 <glenn> ... specifically for resources served by means other than https
15:32:20 <glenn> ... push for using https everywhere
15:32:31 <glenn> ... see blink-dev
15:33:04 <glenn> ekr: is this chrome or google position?
15:33:25 <ekr> ekr has joined #webappsec
15:33:49 <glenn> mkwst_: some diffs in opinion; chrome infrastructure team more interested
15:33:59 <ekr> mkwst: can you repost that link....
15:34:02 <tanvi> in the spec in general?
15:34:30 <glenn> ?: should forbid fallback to protocols other than https?
15:34:43 <glenn> ... how should UAs regard fallback
15:34:43 <tanvi> brad
15:34:47 <mkwst_> https://groups.google.com/a/chromium.org/d/msg/blink-dev/hTDUpMk_TV8/t_rjlkKfgGgJ is the thread I'm thinking about.
15:34:53 <glenn> s/?/bhill2/
15:35:34 <glenn> bhill2: separate UI impact
15:35:54 <glenn> ekr: lot of discussion of this topic in london
15:36:11 <glenn> ... worried about pushback from chrome
15:36:32 <glenn> mkwst_: intent to implement was approved, but only for https
15:36:40 <glenn> ... see how it works on a small sample
15:37:04 <glenn> ... wants basic checks on functionality ... wants data to proceed with further issues
15:37:23 <glenn> ... blink pos at moment is: let's see if it works
15:37:26 <glenn> ... then we
15:37:35 <glenn> ... we will look further
15:38:55 <glenn> terri: could be used to test for lib version change then fallback to known version
15:39:27 <glenn> bhill2: further comments? tanvi?
15:39:36 <glenn> tanvi: not now
15:40:03 <terri> s/terri/tanvi/
15:40:13 <glenn> TOPIC: what to hash?
15:40:25 <glenn> terri, tanvi: sorry haven't registered voices yet
15:40:33 <bhill2> TOPIC: CSP no-external-navigation
15:40:40 <terri> glenn, don't worry, I had the same problem scribing last week!
15:40:44 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0023.html
15:41:38 <glenn> mkwst_: sounds reasonable (no-external-navigation)
15:41:48 <glenn> ... first concern is nav by script injection
15:41:54 <glenn> ... meta redirects not covered
15:42:03 <glenn> ... talked about before but not much support then
15:42:09 <glenn> ... e.g., redirect to JS url
15:42:22 <glenn> ... didn't talk about meta redirects at that time
15:42:37 <glenn> ... worried about one thread dan pointed to (blocking from pages maliciously)
15:42:49 <glenn> ... but NOT FOR 1.1
15:43:53 <glenn> dveditz: CSP currently does nothing to prevent injecting links or clickable images (possibly image)
15:44:01 <glenn> ... folks concerned about these cases
15:44:08 <glenn> ... who would use this?
15:44:29 <Zakim> -dveditz
15:44:32 <glenn> mkwst_: some would use to hold user on page
15:44:48 <glenn> bhill2: some confusion on what CSP is trying to do
15:44:59 <glenn> ... possibly beyond scope
15:45:19 <glenn> ... maybe "meta" is interesting case
15:45:40 <glenn> ... think more about meta in 1.2?
15:45:44 <glenn> mkwst_: yes
15:46:24 <bhill2>  TOPIC: CSP, Blob Workers, and Firefox
15:46:30 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html
15:46:41 <glenn> bhill2: have talked about this a number of times
15:46:45 <glenn> ... but keeps coming up
15:46:58 <glenn> ... make sure we have consensus reflected in 1.1 spec text
15:47:46 <glenn> ... what made it into spec text was that blob uris and similar file uris must be explicitly listed: won't match * policy
15:47:46 <Zakim> +dveditz
15:48:04 <glenn> ... does that reflect consensus?
15:48:19 <glenn> ... no objections, will stand as specified
15:48:32 <glenn> mkwst_: keeps coming up because chrome doesn't implement this yet
15:48:48 <bhill2> TOPIC: webappsec-ISSUE-58 (Late binding of CSP): Late binding of CSP policies [CSP 1.1]
15:48:58 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0004.html
15:49:29 <glenn> bhill2: mutability after doc load
15:49:37 <glenn> ... current policy is NOT MUTABLE
15:49:56 <glenn> ... but may need to revisit, as keeps coming up: service workers, installable webapps
15:50:18 <glenn> ... e.g., policy to take effect after service worker launched
15:50:28 <glenn> ... may differ from initial policy
15:50:45 <glenn> ... possible inconsistency between policies
15:50:59 <glenn> dveditz: is that really late binding?
15:51:07 <glenn> ... one visit and a later visit?
15:51:15 <glenn> bhill2: depends on model of doc life cycle
15:51:36 <glenn> ... is an installed app a single resource, or for each instantiation a new life cycle?
15:52:04 <glenn> dveditz: page might bounce around server farms on different visits
15:52:11 <glenn> ... could get diff CSP on diff visits
15:52:16 <glenn> ... may be bug or intentional
15:52:27 <glenn> ... what is in spec doesn't prevent or allow...
15:53:00 <glenn> ?: no guarantee that diff loads produce same content or same policy
15:54:13 <bhill2> ACTION bhill2 to propose text to list on ISSUE-58
15:54:13 <trackbot> Created ACTION-171 - Propose text to list on issue-58 [on Brad Hill - due 2014-04-30].
15:54:22 <glenn> topic: AOB
15:54:29 <glenn> bhill2: aob?
15:54:37 <glenn> topic: Adjournment
15:54:44 <Zakim> -ekr
15:54:45 <Zakim> -tanvi
15:54:46 <bhill2> rrsagent, make minutes
15:54:46 <RRSAgent> I have made the request to generate http://www.w3.org/2014/04/23-webappsec-minutes.html bhill2
15:54:48 <glenn> bhill2: adjourned, next meeting in 2 weeks
15:54:52 <Zakim> -dveditz
15:54:53 <bhill2> rrsagent, set logs public-visible
15:54:54 <Zakim> -freddyb
15:54:57 <Zakim> -gmaone
15:54:59 <Zakim> -[GVoice]
15:55:01 <Zakim> -mkwst_
15:56:00 <Zakim> -terri
15:58:12 <Zakim> -glenn
15:58:17 <Zakim> -WSeltzer
15:58:22 <Zakim> -BHill
15:58:35 <Zakim> - +1.866.294.aaaa
15:58:36 <Zakim> SEC_WASWG()11:00AM has ended
15:58:36 <Zakim> Attendees were +1.866.294.aaaa, +49.162.102.aabb, glenn, freddyb, +1.503.712.aacc, WSeltzer, terri, BHill, gmaone, [GVoice], mkwst_, +1.310.597.aadd, tanvi, ekr, +1.831.246.aaee,
15:58:36 <Zakim> ... dveditz
17:10:51 <tanvi> tanvi has joined #webappsec
17:41:00 <Zakim> Zakim has left #webappsec
17:52:11 <tanvi> tanvi has left #webappsec
18:07:56 <puhley> puhley has left #webappsec