19:55:23 <RRSAgent> RRSAgent has joined #webappsec
19:55:23 <RRSAgent> logging to http://www.w3.org/2014/11/17-webappsec-irc
19:55:25 <trackbot> RRSAgent, make logs world
19:55:25 <Zakim> Zakim has joined #webappsec
19:55:27 <trackbot> Zakim, this will be WASWG
19:55:27 <Zakim> ok, trackbot, I see SEC_WASWG()3:00PM already started
19:55:28 <trackbot> Meeting: Web Application Security Working Group Teleconference
19:55:28 <trackbot> Date: 17 November 2014
19:55:34 <bhill2_> bhill2_ has joined #webappsec
19:55:39 <wseltzer> Chair: bhill, dveditz
19:56:10 <wseltzer> zakim, who is here?
19:56:10 <Zakim> On the phone I see ??P0
19:56:12 <Zakim> On IRC I see bhill2_, Zakim, RRSAgent, moneill2, gmaone, bhill2, piochu, schuki, renoirb, terri, freddyb, mkwst___, tobie, Josh_Soref, timeless, wseltzer, trackbot
19:56:28 <moneill2> thats me on the phone i think
19:56:29 <deian> deian has joined #webappsec
19:56:41 <wseltzer> zakim, ??p0 is moneill2
19:56:41 <Zakim> +moneill2; got it
19:58:51 <bhill2_> bhill2_ has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0261.html
19:59:10 <bhill2_> Meeting: WebAppSec WG Teleconference, 17 November 2014
19:59:16 <bhill2_> Chairs: bhill2, dveditz
19:59:23 <bhill2_> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0261.html
19:59:56 <bhill2_> I may be a few minutes late joining the call - meeting room I booked is still occupied, sorry.
20:00:25 <Zakim> +Wendy
20:00:32 <Zakim> + +1.646.821.aaaa
20:00:49 <ckerschb> ckerschb has joined #webappsec
20:00:56 <wseltzer> zakim, aaaa is Dan
20:00:56 <Zakim> +Dan; got it
20:01:01 <Zakim> +??P3
20:01:10 <freddyb> Zakim, I am ??p3
20:01:10 <Zakim> +freddyb; got it
20:01:46 <deian> zakim, I am +1.646.821
20:01:46 <Zakim> sorry, deian, I do not see a party named '+1.646.821'
20:01:54 <deian> zakim, I am +1.646.821.aaaa
20:01:54 <Zakim> sorry, deian, I do not see a party named '+1.646.821.aaaa'
20:01:56 <wseltzer> zakim, Dan is really deian
20:01:56 <Zakim> +deian; got it
20:02:31 <Zakim> + +1.206.753.aabb
20:02:37 <bhill2_> zakim, aabb is bhill2
20:02:37 <Zakim> +bhill2; got it
20:02:40 <Zakim> +[Mozilla]
20:03:09 <dveditz> dveditz has joined #webappsec
20:03:28 <Zakim> +mkwst
20:03:57 <wseltzer> zakim, Mozilla has dveditz, ckerschb
20:03:57 <Zakim> +dveditz, ckerschb; got it
20:04:41 <bhill2_> scribenick: dveditz
20:04:43 <bhill2_> Scribe: Dan Veditz
20:04:50 <bhill2_> zakim, who is here?
20:04:50 <Zakim> On the phone I see moneill2, Wendy, deian, freddyb, bhill2, [Mozilla], mkwst
20:04:52 <Zakim> [Mozilla] has dveditz, ckerschb
20:04:52 <Zakim> On IRC I see dveditz, ckerschb, deian, bhill2_, Zakim, RRSAgent, moneill2, gmaone, piochu, schuki, renoirb, terri, freddyb, mkwst___, tobie, Josh_Soref, timeless, wseltzer,
20:04:52 <Zakim> ... trackbot
20:05:07 <bhill2_> TOPIC: Minutes Approval
20:05:10 <dveditz> bhill2_: 1st topic, minutes approval
20:05:12 <bhill2_> http://www.w3.org/2014/11/03-webappsec-minutes.html
20:05:20 <Zakim> +[IPcaller]
20:05:24 <Zakim> -moneill2
20:05:38 <moneill2> zakim, [IPCaller] is me
20:05:38 <Zakim> +moneill2; got it
20:05:43 <dveditz> ... any objections?
20:05:43 <bhill2_> minutes approved by unanimous consent
20:05:44 <Zakim> +??P7
20:05:49 <bhill2_> TOPIC: Agenda Bashing
20:05:53 <gmaone> Zakim, ??P7 is me
20:05:53 <Zakim> +gmaone; got it
20:06:14 <dveditz> ... mkwst suggested we move the bug tracking subject earlier in the mtg
20:06:33 <dveditz> ... any other topics? we've had an active list and I didn't get to put everything into the agenda
20:07:17 <dveditz> deian: <wanted to bring up something that wasn't mentioned first on the list>
20:07:31 <dveditz> bhill2_: we try to make the list our first mention for people who can't make the calls
20:07:42 <bhill2_> TOPIC: which bug tracker to use?
20:07:49 <bhill2_> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0097.html
20:08:04 <dveditz> bhill2_: Anne had a comment that he was losing track of issues and what's been resolved
20:08:27 <dveditz> ... wanted to have a link in each spec for instant bug reporting like some whatwg specs
20:08:42 <dveditz> ... we have bugzilla, w3 issue tracker, and github now
20:09:37 <dveditz> mkwst___: not interested in the w3 issue tracker. agnostic between github and bugzilla
20:09:55 <dveditz> ... github is nice because the spec is there, bugzilla seems to be where other things are
20:10:33 <dveditz> bhill2_: the benefits of the w3 tracker is that it's integrated with the rest of our tooling, group members are already added, etc
20:11:17 <dveditz> ... I have a negative preference for bugzilla because it's #3. we have a history of not using it so far so seems odd to suddenly start using it
20:11:35 <dveditz> freddyb: I haven't used them for this group, but I like using github
20:11:59 <dveditz> bhill2_: postive to neutral sentiment for github, some negatives for the other two
20:12:23 <freddyb> I used github as a co-editor of SRI - but the others not.
20:12:35 <dveditz> ... it does have a good REST api, could collaborate with other WGs to make better tooling
20:12:46 <bhill2_> ACTION bhill2 to investigate git issue tooling with other w3c groups
20:12:46 <trackbot> Created ACTION-200 - Investigate git issue tooling with other w3c groups [on Brad Hill - due 2014-11-24].
20:12:56 <bhill2_> TOPIC: Mixed Content enters Last Call
20:13:03 <dveditz> yay
20:13:50 <wseltzer> thanks Mike and contributors!
20:13:50 <dveditz> ... mixed content entered LC on Thursday. this triggers the exclusions period. if your group has IP exclusions to raise the clock is ticking
20:14:15 <dveditz> ... things are moving fast, if you have friends and colleagues that might have opinions on it please invite their review
20:14:23 <bhill2_> TOPIC: Informally extend comment period for CSP Level 2?
20:15:03 <dveditz> ... we've officially completed the comment period for CSP2 and close to moving to candidate recommendation
20:15:31 <dveditz> ... but we've gotten a bunch of late feedback (from Brian Smith) and Mike mentioned he'd like some time to incorporate that
20:15:47 <bhill2_> I'm going to have to rejoin from my desk.
20:15:50 <Zakim> -bhill2
20:15:58 <Zakim> + +1.503.712.aacc
20:16:03 <dveditz> mkwst___: the question is whether we want to extend the comment period so we can incorporate that feedback
20:16:03 <Zakim> + +1.415.857.aadd
20:16:08 <dveditz> ... any other thoughts on that
20:16:19 <terri> Zakim, aacc is me
20:16:19 <Zakim> +terri; got it
20:16:29 <dev> dev has joined #webappsec
20:16:30 <dveditz> dveditz: I agree, especially since he mentioned having more feedback to come
20:17:02 <dveditz> dveditz: is there anyone in favor of NOT extending LC?
20:17:08 <wseltzer> PROPOSED: Extend LC comment period
20:17:25 <Zakim> + +1.206.753.aaee
20:17:30 <bhill2_> zakim, aaee is bhill2
20:17:30 <Zakim> +bhill2; got it
20:18:39 <dveditz> wseltzer: there are two things you could be doing -- just extend the time without doing anything, or formally reopen the comment period (and respond to comments)
20:19:14 <dveditz> mkwst___: I don't have an opinion on the formal status but I do want to take a week or two to work through brian's feedback
20:19:44 <dveditz> bhill2_: do you think you could be done before the holiday period or do you want to build in some slack and say wait until Jan 15?
20:20:03 <dveditz> mkwst___: I would very much like it to be done THIS year, and not drag out to January
20:20:27 <dveditz> bhill2_: I have no problem taking this two weeks at a time and checking status on the call
20:21:02 <dveditz> wseltzer: the obligation is to respond to comments that came in deuring the comment period. there's no prohibition on responding to comments that come in after
20:21:16 <bhill2_> TOPIC: Proposed new Charter
20:21:22 <bhill2_> https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html
20:21:25 <dveditz> bhill2_: ok, let's respond to brian and try to move this along as fast as we can
20:21:36 <dveditz> ... new charter based on discussions at TPAC
20:22:11 <dveditz> ... of the ones proposed, making the cut are continuing CSP, retire CPS1,
20:22:28 <wseltzer> https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html#deliverables
20:22:31 <Zakim> -deian
20:22:53 <Zakim> +deian
20:23:01 <dveditz> ... the last one proposed was the permissions API. Dan and I are OK with it as long as there's an editor associated with it
20:23:08 <wseltzer> +1, I've heard interest
20:23:50 <dveditz> ... it's a relatively simple spec and shouldn't cause anyone to withdraw on IPR grounds. hearing no objetions I'll add that to the charter
20:24:17 <dveditz> ... we need to have a voting period where the charter is sent to members to be reapproved.
20:24:28 <dveditz> ... I'll start that on the mailing list. any objections?
20:24:31 <bhill2_> ACTION bhill2 to add permissions API to draft charter
20:24:31 <trackbot> Created ACTION-201 - Add permissions api to draft charter [on Brad Hill - due 2014-11-24].
20:24:39 <bhill2_> ACTION bhill2 to issue CfC on new draft charter
20:24:39 <trackbot> Created ACTION-202 - Issue cfc on new draft charter [on Brad Hill - due 2014-11-24].
20:24:48 <bhill2_> TOPIC:  CSP] PING-- CSP vs. Fetch
20:24:53 <bhill2_> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0259.html
20:25:11 <wseltzer> action; wseltzer to work with bhill2 on w3c-side activities for rechartering
20:25:42 <dveditz> mkwst___: we've gone back and forth at least once. the current model is that ping is form action because it can only do things forms can do. sendBeacon is connect-src because it does things that XHR can do
20:26:24 <dveditz> mkwst___: CSP matches this, but the fetch spec does not. I don't feel strongly either way
20:28:25 <dveditz> dveditz: I don't either
20:28:31 <dveditz> mkwst___: let's take it back to the list
20:28:44 <bhill2_> TOPIC: [SRI] Escaping mixed-content blocking for video
20:29:14 <dveditz> bhill2_: Mark watson from Netflix asked us to consider this
20:29:59 <dveditz> devd: should we discuss this as part of SRI or as part of the Mixed content spec?
20:31:04 <dveditz> mkwst___: regardless of what we do with mixed content there is a desire of people  to get large files with integrity
20:31:52 <bhill2_> raise ISSUE SRI for very large files / streaming
20:32:01 <dveditz> devd: I would feel better if the subject of this topic were changed to @@. I agree this could be pushed to SRI v2 and not done in v1
20:32:14 <dveditz> bhill2_: let's shoot for that
20:32:25 <bhill2_> ACTION: bhill2 to raise issue for SRI large object /streaming integrity
20:32:26 <trackbot> Created ACTION-203 - Raise issue for sri large object /streaming integrity [on Brad Hill - due 2014-11-24].
20:32:53 <dveditz> bhill2_: should we reply to Mark that he should split this into two issues?
20:33:34 <dveditz> mkwst___: Mixed content is in last call. If there's a comment we'll have to address it
20:34:29 <dveditz> mkwst___: they want to serve video over http on a site that's https, and we need to decide whether we want to allow that in the browser and what kind of UI.
20:34:51 <bhill2_> ACTION bhill2 reply to Mark Watson that 1/2 of his issue is a Last Call comment to MIX
20:34:51 <trackbot> Created ACTION-204 - Reply to mark watson that 1/2 of his issue is a last call comment to mix [on Brad Hill - due 2014-11-24].
20:36:33 <bhill2_> dev: SRI gives tools for integrity, MIX yields a state, UI treatment of that state is left to browsers
20:36:52 <bhill2_> dveditz: one concern with mixed content is possible leaking of cookies, could add an attribute to suppress cookies
20:37:11 <bhill2_> mkwst: not out of the question, it's not a good idea, but it's better than status quo
20:37:43 <bhill2_> ... not clear how to get there, exceptions for XHR leave holes, maybe need a variant that only allows video
20:39:33 <dveditz> mkwst___: there was some stuff in SRI about XHR but it's out for v1
20:39:34 <bhill2_> TOPIC:  Re: [CSP] Clarifications regarding the HTTP LINK Header
20:39:40 <bhill2_> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0251.html
20:41:38 <Zakim> -mkwst
20:41:43 <bhill2_> deian: doesn't hurt to have a few extra lines of text to clarify the interactions
20:42:20 <bhill2_> ACTION bhill2 does LINK really violate CSP guarantees?
20:42:20 <trackbot> Created ACTION-205 - Does link really violate csp guarantees? [on Brad Hill - due 2014-11-24].
20:43:00 <dveditz> bhill2_: let's skip on to referrer policy issues while Mike is trying to reconnect
20:43:05 <bhill2_> TOPIC: Further Referrer policy stuff
20:43:07 <Zakim> +mkwst
20:43:18 <bhill2_> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0160.html
20:44:11 <dveditz> dev: would prefer if i could specify which referrer is used, this is used for all kinds of analytics
20:44:11 <bhill2_> dev: getting more control over referrer string is important for widely deployed analytics tools
20:44:33 <bhill2_> devditz: arbitrary referrer?
20:44:49 <bhill2_> dev: same origin only.  can already do this with history.pushState(), but it is fragile
20:45:06 <dveditz> dev: same origin! but yes. in theory can already do this with pushstate but it's fragile
20:48:03 <dveditz> mkwst___: not clear this would be used and it makes things more complex, but no strong objection if it's necessary and might replace some redirects
20:48:30 <dveditz> dev: suppressing referer completely isn't that useful
20:50:22 <dveditz> bhill2_: facebook does a lot of redirects to make the referer the same on clicked links.
20:51:17 <dveditz> ... is itbetter to use a predefined set of buckets or allow a more expressive syntax that lets them specify exactly what the site wants
20:52:02 <dveditz> mkwst___: I like dev's suggestion because it's simple, "this is the referrer for everything on this page".
20:53:34 <dveditz> bhill2_: it's good to provide the widely used options in a declarative fashion, and complex stuff needs to be punted to an imperative spec (like ServiceWorker?)
20:53:42 <bhill2_> ACTION bhill2 reply on referrer suggest imperative policy controls in ServiceWorker
20:53:42 <trackbot> Created ACTION-206 - Reply on referrer suggest imperative policy controls in serviceworker [on Brad Hill - due 2014-11-24].
20:54:06 <dveditz> mkwst___: webkit, chrome and opera are already shipping a declarative meta header, we should at least specify that
20:54:17 <bhill2_> TOPIC: Clarification of CSP sandbox and workers
20:54:23 <bhill2_> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0211.html
20:54:33 <dveditz> bhill2_: skipping back to earlier in the agenda...
20:55:44 <dveditz> deian(?): what happens to a worker created from a sandboxed iframe?
20:55:52 <bhill2_> deian: what if we include sandbox header when returning a worker
20:56:02 <bhill2_> mkwst: that is a good use case, but we should delegate behavior to HTML
20:56:09 <dveditz> mkwst___: I do see value in sandboxing (unique origin) a worker, controlling access to localStorage and so on
20:56:29 <dveditz> ... seems like it should be specified by HTML though, not CSP
20:57:29 <bhill2_> ACTION bhill2 to raise definition of sandboxed worker in HTML spec
20:57:29 <trackbot> Created ACTION-207 - Raise definition of sandboxed worker in html spec [on Brad Hill - due 2014-11-24].
20:58:01 <dveditz> bhill2_: if no objections consider the call adjourned
20:58:06 <Zakim> -moneill2
20:58:09 <Zakim> -deian
20:58:10 <Zakim> - +1.415.857.aadd
20:58:10 <dveditz> ... we'll be back in 2 weeks
20:58:12 <Zakim> -Wendy
20:58:13 <Zakim> -terri
20:58:14 <Zakim> -mkwst
20:58:14 <bhill2_> zakim, list attendees
20:58:15 <Zakim> -gmaone
20:58:15 <Zakim> As of this point the attendees have been moneill2, Wendy, +1.646.821.aaaa, freddyb, deian, +1.206.753.aabb, bhill2, mkwst, dveditz, ckerschb, gmaone, +1.503.712.aacc,
20:58:15 <Zakim> ... +1.415.857.aadd, terri, +1.206.753.aaee
20:58:21 <bhill2_> rrsagent, make minutes
20:58:21 <RRSAgent> I have made the request to generate http://www.w3.org/2014/11/17-webappsec-minutes.html bhill2_
20:58:39 <bhill2_> rrsagent, set logs public-visible
20:58:44 <Zakim> -bhill2
20:58:46 <Zakim> -[Mozilla]
21:00:17 <bhill2> bhill2 has joined #webappsec
21:05:00 <Zakim> disconnecting the lone participant, freddyb, in SEC_WASWG()3:00PM
21:05:02 <Zakim> SEC_WASWG()3:00PM has ended
21:05:02 <Zakim> Attendees were moneill2, Wendy, +1.646.821.aaaa, freddyb, deian, +1.206.753.aabb, bhill2, mkwst, dveditz, ckerschb, gmaone, +1.503.712.aacc, +1.415.857.aadd, terri, +1.206.753.aaee