22:00:12 <RRSAgent> RRSAgent has joined #webappsec
22:00:12 <RRSAgent> logging to http://www.w3.org/2011/12/06-webappsec-irc
22:00:20 <bhill2> zakim, this is 92794
22:00:20 <Zakim> ok, bhill2; that matches SEC_WASWG()5:00PM
22:00:26 <bhill2> rrsagent, begin
22:00:38 <bhill2> meeting: WebAppSec WG Call Dec 6, 2011
22:00:51 <bhill2> Chairs: bhill2, ekr
22:01:21 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0001.html
22:01:28 <bhill2> zakim, who is here
22:01:28 <Zakim> bhill2, you need to end that query with '?'
22:01:33 <bhill2> zakim, who is here?
22:01:33 <Zakim> On the phone I see [IPcaller], +1.866.317.aaaa, ekr
22:01:35 <Zakim> On IRC I see RRSAgent, Zakim, bhill2, gma1, jrossi, gopal, bsterne, anne, trackbot
22:01:45 <Zakim> +[Microsoft]
22:02:02 <bhill2> zakim, who is talking?
22:02:15 <Zakim> bhill2, listening for 12 seconds I heard sound from the following: [IPcaller] (3%), +1.866.317.aaaa (16%)
22:02:34 <jeffh> jeffh has joined #webappsec
22:03:30 <bhill2> zakim, aaaa is [PayPal]
22:03:30 <Zakim> +[PayPal]; got it
22:03:44 <Zakim> +??P5
22:04:48 <bhill2> zakim, who is talking?
22:04:50 <gma1> zakim, ??P5 is gma1
22:04:50 <Zakim> +gma1; got it
22:04:51 <Zakim> + +1.978.944.aabb
22:05:01 <Zakim> bhill2, listening for 10 seconds I could not identify any sounds
22:05:07 <bsterne> bhill2: I tried two weeks ago but couldn't figure out how to let Zakim know that [IPcaller] is me
22:05:29 <bhill2> zakim, aabb is gopal
22:05:29 <Zakim> +gopal; got it
22:06:23 <bhill2> scribe: bhill2
22:06:35 <jrossi> scribenick: bhill2
22:06:35 <bhill2> zakim, who is here?
22:06:35 <Zakim> On the phone I see [IPcaller], [PayPal], ekr, [Microsoft], gma1, gopal
22:06:36 <Zakim> On IRC I see jeffh, RRSAgent, Zakim, bhill2, gma1, jrossi, gopal, bsterne, anne, trackbot
22:06:56 <Zakim> + +1.415.832.aacc
22:07:56 <bhill2> zakim, aacc is peleus
22:07:56 <Zakim> +peleus; got it
22:08:15 <bsterne> bhill2: can you link to the agenda here? (mozilla mail servers have been down for 48 hours)
22:08:29 <bhill2> brandon: http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0001.html
22:08:32 <bsterne> thanks
22:09:24 <Zakim> +abarth
22:09:51 <bsterne> http://www.w3.org/2011/webappsec/track/actions/open
22:10:10 <bhill2> topic: open issues in tracker
22:10:16 <abarth> abarth has joined #webappsec
22:10:32 <bhill2> bhill2: I am coordinating with w3c staff to get mercurial repository mirrored to w3c-test.org
22:10:36 <bhill2> issue remains open
22:10:53 <bhill2> ekr: second open issue to abarth
22:11:08 <bhill2> action 9
22:11:08 <trackbot> Sorry, bad ACTION syntax
22:11:09 <linshunghuang> linshunghuang has joined #webappsec
22:11:30 <bhill2> abarth: failed to complete this, please postpone due date to next call
22:11:31 <jrossi> anne, are you around?
22:11:44 <jrossi> question regarding Action-11 for you
22:11:45 <EC> EC has joined #webappsec
22:12:31 <bhill2> bhill2: anne can't make this call generally, so his issues may  need to have the call moved temporarily if live discussion needed
22:12:56 <bhill2> ekr: next item, number 19, clarify policy on html loaded via object tag.  remains open, to be discussed later on this call
22:12:57 <Zakim> + +1.408.320.aadd
22:13:53 <bhill2> ekr: next item, number 20, widgets liason
22:14:04 <bhill2> bhill2: didn't get to it, please postpone due date one month
22:14:33 <bhill2> ekr: next item, number 23, draft spec language for sandbox directive
22:14:34 <anne> jrossi: what's the question?
22:14:58 <bhill2> abarth: defined correctly, ready for closure, will get refined as HTML closes their changes to the spec
22:15:21 <anne> jrossi: I added a comment to http://www.w3.org/2011/webappsec/track/actions/11
22:15:28 <anne> jrossi: last week I think
22:15:44 <bhill2> anne, we will close 11
22:15:46 <anne> jrossi: the week before last week even :)
22:16:05 <bhill2> action 16 remains open, if you want to provide new milestones
22:16:05 <trackbot> Sorry, couldn't find user - 16
22:16:32 <jrossi> anne:  adam's going to look at your comment and confirm for you
22:16:40 <jrossi> anne: I'm just IRC proxying from the call :-)
22:17:06 <bhill2> ekr: back to issue-26, basic test setup
22:17:16 <anne> bhill2: so I did realize today http://lists.w3.org/Archives/Public/ietf-http-wg/2011OctDec/0341.html might be problematic, but then I've no idea when HTTP will be done so whether you want to wait for that, dunno
22:17:41 <anne> bhill2: as for milestones, we can go to Last Call as I said on the list; after that it's up in the air
22:17:42 <bhill2> gopal: we now have a repository with two tests checked in and folders setup, quite a few CORS tests already exist for webkit
22:17:57 <bhill2> gopal: figuring out how to automate tests and how to use test harness
22:18:14 <bhill2> gopal: also figuring out how to use multiple domains
22:18:23 <bhill2> ekr: so issue remains open?
22:18:58 <bhill2> gopal: this is a long running thing
22:19:06 <bhill2> gopal: in repository there a lot of tests
22:20:44 <bhill2> bhill2: testing including server-side php execution is paused pending mirroring of repo to w3c-test.org by w3c techncial staff
22:21:17 <bhill2> erk: can we close this>?
22:21:41 <bhill2> bhill2: mirroring to working server is in critical path, move to pending review once we can see if they're resovled?
22:22:00 <ekr> ekr has joined #webappsec
22:22:01 <bhill2> ekr: remaining issues are for abarth to raise some discussions on the list
22:22:08 <abarth> hi ekr 
22:22:13 <bhill2> abarth: didn't get to for Thanksgiving week, will do soon
22:24:50 <bhill2> bhill2: proxying anne to voice, ready for LC, further progression may be path dependency on HTTPbis in IETF
22:25:16 <bhill2> bhill2: proposes to issue formal CfC on LC of CORS
22:25:47 <bhill2> ACTION to ekr to send out CfC for CORS advancement to Last Call to mailing list of public-webappsec and public-webapps
22:25:47 <trackbot> Sorry, couldn't find user - to
22:26:09 <bhill2> ACTION ekr to send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps
22:26:09 <trackbot> Sorry, couldn't find user - ekr
22:26:26 <bhill2> ACTION bhill2 to send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps
22:26:26 <trackbot> Created ACTION-29 - Send out CfC for CORS advancement to Last Call to public-webappsec and public-webapps [on Brad Hill - due 2011-12-13].
22:26:47 <bhill2> bhill2: (ekr, I'm assigning that action to myself since trackbot can't find you)
22:26:51 <ekr> ACTION erescorl: test
22:26:51 <trackbot> Created ACTION-30 - Test [on Eric Rescorla - due 2011-12-13].
22:28:24 <ekr> ACTION abarth: Edit Firefox compatible CSP/Workers interaction into document
22:28:25 <trackbot> Created ACTION-31 - Edit Firefox compatible CSP/Workers interaction into document [on Adam Barth - due 2011-12-13].
22:28:47 <bsterne> consensus on CSP interaction with Worker is that new Worker inherits the CSP of the page that created it and will be subject to restrictions imposed by the inherited policy
22:29:11 <bhill2> ekr: next agenda item: what is the policy for html generated by plugins or object tag?
22:29:36 <bhill2> abarth: object tag is very flexible thing that can hold plugin or iframe, when it holds an iframe, should it be held to iframe or object src directive?
22:29:53 <bhill2> abarth: thought is that we should test behavior, go with agreed behavior or discuss further if implementations differe
22:30:20 <bhill2> jrossi: for IE's implementation, iframes are treated like a plugin, for purposes of sandbox not just a frame
22:30:58 <bhill2> correction: jrossi: object tag should have object-src, when used through object tag
22:31:15 <bhill2> abarth: agreed, should be syntax-oriented, not semantics-oriented
22:31:25 <bhill2> bsterne: agreed, FF is also syntax-oriented
22:31:44 <bhill2> abarth: will test webkit behavior in this regard
22:32:18 <ekr> ACTION bsterne: Document object tag/HTML interaction (issue 8) as "should be syntax-oriented, not semantics-oriented"
22:32:19 <trackbot> Created ACTION-32 - Document object tag/HTML interaction (issue 8) as "should be syntax-oriented, not semantics-oriented" [on Brandon Sterne - due 2011-12-13].
22:33:21 <bhill2> topic: including HTML sandbox in CSP v 1.0 or not?
22:33:37 <bhill2> bsterne: still my position that sandbox should be a CSP 1.1 feature
22:33:55 <bhill2> ... status is that FF is actively working on it, full time person, but got a late start
22:34:35 <bhill2> ... would prefer that spec reflect current reality of implementation, would be a shame if mozilla were penalized with the perception of an incomplete implementation when there were months to years of time for interested parties to express desire to have this in the spec
22:34:59 <bhill2> ... as MSFT will have an incomplete implementation only, would prefer 1.0 to not have sandbox so Mozilla can "get full credit" as it were
22:35:28 <bhill2> jrossi: Don't think this is right time to decide what should be in the spec, CR is the right time to mark features as at risk by virtue of not being implemented
22:35:44 <bhill2> jrossi: especially as FF is already starting to implement, prefer to keep in the spec, encourage other implementors
22:35:56 <bhill2> ... when CR time comes, if at risk from lack of implementations, strike it then
22:36:23 <bhill2> ... flipside is that there is no 1.1. spec for now, credit wise, MSFT wants credit for shipping something that was in spec as a proposed directive for some time
22:37:29 <bhill2> ekr: brandon, if time comes to go to last call and Mozilla is done, do you object to having sandbox in 1.0? or only if you don't have it done?
22:38:01 <bhill2> bsterne: I would be happy to have it in if we are done, hesitant to say yes though to extra work of having to back it out later
22:38:27 <bhill2> ekr: if decided now, somebody will be unhappy, postponed, only maybe somebody's happy
22:38:42 <bhill2> jrossi: yes, postpone the decision until it will impede progress
22:38:58 <bhill2> q+
22:39:24 <bhill2> bsterne: want to reserve right to back it out if Mozilla can't get it in
22:41:07 <bhill2> bhill2: rules of spec advancement don't allow preferencing a particular implementor
22:41:52 <bhill2> bhill2: current charter requires 2 complete implementations, so we can add it and be in the spirit of Brandon's request
22:42:17 <bhill2> bhill2: but we can't specifically privilege Mozilla to prevent advancement, if, e.g. Opera implements everything in time for CR
22:42:35 <bhill2> ack bhill2
22:42:38 <bhill2> q=
22:42:39 <bhill2> q-
22:44:22 <Zakim> -ekr
22:44:23 <Zakim> - +1.408.320.aadd
22:44:24 <Zakim> -[IPcaller]
22:44:24 <Zakim> -[PayPal]
22:44:26 <Zakim> -[Microsoft]
22:44:28 <Zakim> -gopal
22:44:30 <Zakim> -gma1
22:44:32 <Zakim> -peleus
22:44:33 <Zakim> -abarth
22:44:34 <Zakim> SEC_WASWG()5:00PM has ended
22:44:36 <Zakim> Attendees were [IPcaller], +1.866.317.aaaa, ekr, [Microsoft], [PayPal], gma1, +1.978.944.aabb, gopal, +1.415.832.aacc, peleus, abarth, +1.408.320.aadd
22:45:03 <bhill2> rrsagent, set logs public-visible
22:45:08 <bhill2> rrsagent, make minutes
22:45:08 <RRSAgent> I have made the request to generate http://www.w3.org/2011/12/06-webappsec-minutes.html bhill2
22:46:55 <jeffh> jeffh has joined #webappsec
22:47:15 <jeffh> test
22:56:26 <jeffh> jeffh has joined #webappsec
23:04:08 <bhill2> bhill2 has joined #webappsec
23:04:28 <jeffh> jeffh has joined #webappsec
23:04:57 <jeffh> jeffh has left #webappsec
23:07:32 <jrossi> jrossi has left #webappsec
23:34:14 <bhill2> bhill2 has left #webappsec