WebAppSec Teleconference 21-Dec-2016

21 Dec 2016


See also: IRC log


wseltzer, mkwst, gmaone, estark, bhill2, ckerschb__, dveditz, maone, tanvi
bhill2, dveditz



<bhill2_> Chairs:bhill2, dveditz

<bhill2_> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Dec/0012.html

-> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html Draft Charter for review

bhill2_: agenda-bashing
... short agenda, approve recharter request
... issue on redacting origins in referrer policy

mkwst: I can give an update on clear site data and embedded enforcement

<bhill2_> mkwst: can update on Clear Site Data and Embedded Enforcement


<bhill2_> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html

<dveditz> did we change the access #? the one I memorized didn't work

wseltzer: Director approved a 3-month extension while review

bhill2_: a few comments on list

<gmaone> present maone

bhill2_: scope: note vulnerability mitigation, security model
... I need to make PR to update meeting schedule to monthly

mkwst: mostly seems reasonable
... should we mention github, since most of our discussion is there?

bhill2_: I'll make that update
... should update the workmode document on public webpage too

mkwst: webperf is sending weekly summary of changes via github. should we look into that?
... mailing list is helpful in reaching more people; maybe a github summary could help reach them

bhill2_: digest would be extraordinarily useful

mkwst: look at what other groups are doing
... webperf is using a mechanical gathering
... that's a reasonable place to start, no extra work
... agree that a human-generated summary would be even more useful

wseltzer: W3C has mechanical digest tooling

tanvi: permissions API, authors aren't in WG

bhill2_: we talked about at TPAC
... we should make sure they join the group

dveditz: did web platform take permissions in scope?

bhill2_: looks as though no

dveditz: better for us to take it than not be owned

bhill2_: updates to meeting frequency; github preferred workmode for spec issues
... with that, any objections to sendig that for AC review?

[no objections]

RESOLUTION: Update draft charter and send for AC Review

Referrer Policy

bhill2_: current state, moving to CR

<bhill2_> https://github.com/w3c/webappsec-referrer-policy/pull/77#issuecomment-255429675

bhill2_: last issue open PR 77
... proposal to redact ancestor origins property according to whether referrer
... Boris proposed [as described in issue]
... I'm happy with that solution

<estark> +1, I think boris's proposal makes sense

bhill2_: any objections to closing CfC to move Referrer Policy to CR?

mkwst: I think Jochen has something on clarifying style sheets referrers
... it would be good for that to land
... he sent for review yesterday
... would be nice to get that patch in

PR 83

<bhill2_> https://github.com/w3c/webappsec-referrer-policy/pull/83

mkwst: fairly confident we can get that in this week
... would be useful before move to CR

mkwest: given publication moratorium, I suggest we can resolve to move to CR
... and update with this patch before CR publication

bhill2_: sound good. Emily?

estark: sounds good to me

RESOLUTION: Referrer Policy to CR after Jochen's patch goes in

Embedded Enforcement, Clear Site Data

mkwst: I had a great intern working on Embedded Enforcement
... Malika did very complicated work of figuring out a reasonable algorithm
... I'm now working to clean up the text
... made lots of progress, ahve an implementation in Chrome Canary I'd like folks to play with
... Clear Site Data, also lots of work last quarter
... Chrome Beta has an implementation
... mechanism for clearing origin-related data
... we have it working for navigational requqests
... close to working on subresource requests too
... e.g.. photos team wants to clear personal photos when you log out
... we'd like to get feedback on current spec
... would be great if folks can review
... a few syntax changes to come
... comments would be very useful.

bhill2_: I've been looking for consumers of Embedded Enforcement
... e.g. measurement tools, pixels or iframes

mkwst: on the one hand, I'd love EE not to be useful because you never embed untrusted stuff
... but, folks still embed 3d party stuff
... EE requires some work from 3d parties too
... look forward to feedback to make more rapid progress in new year

bhill2_: AOB?
... next call Jan 18
... thanks for a great year, lots of accomplishments

wseltzer: you'll see first an "advance notice of work in progress" and then a call for AC Review (after W3C management reviews)
... on recharter
... Thanks for all the good work!
... including CSP2 to Rec

Summary of Action Items

Summary of Resolutions

  1. Update draft charter and send for AC Review
  2. Referrer Policy to CR after Jochen's patch goes in
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.148 (CVS log)
$Date: 2017/02/15 22:32:51 $