14:23:58 <RRSAgent> RRSAgent has joined #webappsec
14:23:58 <RRSAgent> logging to http://www.w3.org/2014/09/10-webappsec-irc
14:59:19 <gmaone> gmaone has joined #webappsec
15:02:20 <mkwst> Zakim. :(
15:03:20 <bhill2> bhill2 has joined #webappsec
15:04:06 <bhill2> bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Sep/0047.html
15:04:15 <bhill2> zakim, who is here?
15:04:15 <Zakim> sorry, bhill2, I don't know what conference this is
15:04:17 <Zakim> On IRC I see bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:04:20 <bhill2> zakim, this is 92794
15:04:20 <Zakim> ok, bhill2; that matches SEC_WASWG()11:00AM
15:04:24 <bhill2> zakim, who is here?
15:04:24 <Zakim> On the phone I see dveditz, BHill, mkwst
15:04:26 <Zakim> On IRC I see bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:04:40 <bhill2> Meeting: WebAppSec WG Teleconference 10-September-2014
15:04:42 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Sep/0047.html
15:04:58 <bhill2> Chairs: dveditz, bhill
15:04:59 <Zakim> +??P13
15:05:25 <gmaone> zakim, ??P13 is me
15:05:25 <Zakim> +gmaone; got it
15:06:15 <Zakim> + +1.360.562.aaaa
15:06:58 <bhill2> zakim, aaaa is kevinhill
15:06:58 <Zakim> +kevinhill; got it
15:08:07 <ShijunS> ShijunS has joined #webappsec
15:08:31 <dveditz> zakim, who is here?
15:08:31 <Zakim> On the phone I see dveditz, BHill, mkwst, gmaone, kevinhill
15:08:33 <Zakim> On IRC I see ShijunS, bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:09:04 <dveditz> topic: minutes approval
15:09:06 <dveditz> http://www.w3.org/2011/webappsec/draft-minutes/2014-08-27-webappsec-minutes.html
15:09:51 <mkwst> dveditz: Any objections to publishing minutes?
15:09:52 <dveditz> scribenick: mkwst
15:09:54 <mkwst> <crickets>
15:10:05 <mkwst> dveditz: No objections, approved.
15:10:24 <dveditz> TOPIC: Review of Open Actions in the Tracker
15:11:14 <dveditz> TOPIC: agenda bashing
15:11:17 <mkwst> bhill2: Perhaps we can skip around a bit, due to low attendence.
15:11:27 <mkwst> bhill2: Are there particular topics of interest?
15:11:38 <mkwst> kevinhill: child-src looks interesting.
15:11:48 <mkwst> dveditz: I drop my objection.
15:12:15 <mkwst> kevinhill: Working on 1.0 implementation.
15:12:30 <mkwst> kevinhill: Level 2 looks interesting. We think it's a good spec.
15:12:37 <mkwst> kevinhill: Adoption is a topic I'd like to cover.
15:12:55 <mkwst> kevinhill: CSP is struggling with adoption. Working in MS to get services to adopt CSP.
15:13:12 <mkwst> kevinhill: Worthwhile to band together to help websites adopt?
15:13:28 <mkwst> kevinhill: Yelp, for instance, is doing interesting work.
15:14:14 <mkwst> mkwst: I agree that it's important to get adoption.
15:14:36 <mkwst> mkwst: internal google properties are adopting: Gmail, Plus, YouTube, etc.
15:14:43 <mkwst> kevinhill: thinking of sites outside MS and Google.
15:14:52 <mkwst> kevinhill: nice to see Yelp, for instance.
15:15:19 <mkwst> kevinhill: important to highlight folks in the community, help the wider net understand the value.
15:15:31 <mkwst> dveditz: people come up with super-complex policies that break all the time.
15:15:50 <mkwst> dveditz: suggesting that folks come up with simpler policies, focusing on script-src.
15:16:05 <mkwst> dveditz: not a first-line of defense.
15:16:26 <mkwst> dveditz: other complaint is reporting: discover how terrible the web is, lots of unexpected errors.
15:16:33 <mkwst> dveditz: add-ons, ISPs, etc.
15:16:45 <mkwst> dveditz: separating real attacks from noise is difficult.
15:17:48 <mkwst> kevinhill: This is more or less what the Yelp article addresses.
15:18:10 <mkwst> bhill2: setting up some sort of CSP-support mailing list would be helpful.
15:18:45 <mkwst> bhill2: shared report-processing mechanisms, code would be excellent
15:19:00 <mkwst> kevinhill: want to go to tooling folks at MS to see what could be done.
15:19:13 <mkwst> kevinhill: perhaps VS could help developers construct policies.
15:19:20 <mkwst> kevinhill: tooling around IIS for analysis.
15:19:34 <mkwst> kevinhill: the more public we can be in the community, the more helpful for folks.
15:19:48 <mkwst> kevinhill: publish stats about what's being prevented, etc.
15:20:37 <mkwst> kevinhill: smartscreen filter in the browser. publish statistics.
15:21:25 <mkwst> dveditz: telemetry reporting to the browser? could report what is being blocked for users.
15:21:34 <mkwst> dveditz: might be interesting. will talk to folks about that.
15:22:20 <mkwst> kevinhill: comcast example.
15:22:53 <mkwst> mkwst: https is necessary.
15:23:05 <mkwst> bhill2: CSP is a discovery mechanism to understand why HTTPS is critical.
15:24:08 <mkwst> dveditz: browser helper objects that inject content?
15:24:14 <mkwst> kevinhill: Haven't thought about it much.
15:24:21 <gmaone2> gmaone2 has joined #webappsec
15:24:38 <mkwst> dveditz: it's a problem everyone has. chrome tries to allow extensions to work.
15:24:57 <Zakim> +??P0
15:24:59 <mkwst> kevinhill: progress is being made there. i agree that it's important.
15:25:37 <gmaone2> zakim, ??P0 is me
15:25:37 <Zakim> +gmaone2; got it
15:26:18 <dveditz> thx
15:26:50 <mkwst> mkwst: 1. CSP2 to CR? 2. What does "widely review" mean in the context of the WG?
15:27:09 <mkwst> bhill: 1. Take the doc we're working on and bring it to Director for publication.
15:27:52 <mkwst> bhill: Notify other groups, invite them to take a look at CSP2. Point to blog posts, and presentations, etc.
15:29:02 <dveditz> <mkwst: less concerned about CSP2 than MIX and Referrer which are less visible. I understand the new process doesn't include a last call period>
15:30:39 <Zakim> +[Microsoft]
15:30:49 <dveditz> <mkwst: we don't seem to get much feedback /until/ last call, worried about what happens if we don't have that>
15:31:06 <dveditz> <bhill2: we can always have an informal Last Call ourselves>
15:31:34 <bhill2> zakim, Microsoft has David Walp
15:31:34 <Zakim> +David, Walp; got it
15:31:38 <mkwst> mkwst: MIX? Do we wait until the next call? I'd like to get a draft out.
15:31:41 <bhill2> zakim, who is here?
15:31:41 <Zakim> On the phone I see dveditz, BHill, mkwst, gmaone, kevinhill, gmaone2, [Microsoft]
15:31:44 <Zakim> [Microsoft] has David, Walp
15:31:44 <Zakim> On IRC I see gmaone2, ShijunS, bhill2, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:32:07 <mkwst> bhill2: Any objections to publishing a new WD of MIX?
15:32:21 <mkwst> <various>: No objections.
15:32:51 <mkwst> bhill2: Ok, we'll take it to the list.
15:33:06 <mkwst> mkwst: Perhaps we could move the call down again? I can do a slightly later call.
15:33:16 <bhill2> ACTION bhill2 to reconsider call time
15:33:16 <trackbot> Created ACTION-187 - Reconsider call time [on Brad Hill - due 2014-09-17].
15:33:50 <Zakim> -BHill
15:33:50 <mkwst> bhill2: Dropping to hit the WebCrypto workshop.
15:34:01 <dveditz> TOPIC: [CSP] kill or delay child-src?
15:34:16 <mkwst> dveditz: My confusion. Widthdraw question.
15:34:47 <mkwst> davidwalk: Last item: XHR.
15:35:06 <dveditz> TOPIC: XMLHttpRequest. Support for OPTIONS* method.
15:36:13 <mkwst> mkwst: That's a thread that's probably best dealt with on the list, as the folks on that thread don't generally call into WebAppSec.
15:36:40 <mkwst> dveditz: Started in public-webapps@. Probably best to do it via mail.
15:37:37 <mkwst> dveditz: Ok. Let's call it early today.
15:38:23 <Zakim> -kevinhill
15:38:25 <Zakim> -[Microsoft]
15:38:25 <Zakim> -dveditz
15:38:29 <Zakim> -mkwst
15:38:30 <Zakim> -gmaone2
15:39:00 <bhill2> rrsagent, make minutes
15:39:00 <RRSAgent> I have made the request to generate http://www.w3.org/2014/09/10-webappsec-minutes.html bhill2
15:39:04 <bhill2> rrsagent, set logs public-visible
16:05:00 <Zakim> disconnecting the lone participant, gmaone, in SEC_WASWG()11:00AM
16:05:02 <Zakim> SEC_WASWG()11:00AM has ended
16:05:02 <Zakim> Attendees were dveditz, BHill, mkwst, gmaone, +1.360.562.aaaa, kevinhill, gmaone2, David, Walp
16:28:44 <bhill2> bhill2 has left #webappsec
17:52:03 <Zakim> Zakim has left #webappsec