WebAppSec WG Teleconference, 27-August-2013

27 Aug 2013


See also: IRC log


bhill2, +1.415.832.aaaa, gioma1, ekr, puhley, gmaone, +1.978.944.aabb, mkwst_, gopal
bhill2, ekr


bhill2: thanks
... I can scribe

scribenick ekr

<bhill2> scribenick: ekr

Minutes Approval

<bhill2> http://www.w3.org/2013/07/16-webappsec-minutes.html


<bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner

<bhill2> https://www.w3.org/2011/webappsec/track/actions/pendingreview

<bhill2> trackbot close action-148

<trackbot> Closed action-148.

mwest: there has been a proposal that we add a much bigger API (#127). Don't know if we would get it done by 1.1

… we should discuss on the list

bhill2: would like to create a burndown list of outstanding issues

Closing CORS Open Isues

CORS CfC and open issues

<bhill2> https://www.w3.org/Bugs/Public/buglist.cgi?list_id=22771&query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&component=CORS&product=WebAppsSec

bhill2: do we intend to respond to any of these issues in the tracker?
... wanted to get consensus on the call.

… does anyone object to closing these out?

https://www.w3.org/Bugs/Public/show_bug.cgi?id=14663 : CORS and Caches

bhill2: I don't think there is a need for this at this point

any objections to closing this bug?

no objections

https://www.w3.org/Bugs/Public/show_bug.cgi?id=14664 : Defining CORS headers

bhill2: Not clear what the contents of this bug is. Open since 2011 with no activity

… might be about header changes in ABNF with HTTP bis

any objections to closing?

no objections

https://www.w3.org/Bugs/Public/show_bug.cgi?id=14700 : Point out that Access-Control-Allow-Origin:* is safe for servers not behind a firewall

bhill2: security considerations has been completely rewritten

any objections to closing?

no objections heard.

https://www.w3.org/Bugs/Public/show_bug.cgi?id=19920 : Don't allow space-separated origins in the syntax

Related to 21608: https://www.w3.org/Bugs/Public/show_bug.cgi?id=21608 7.2 "Resource Sharing Check" does not specify how to handle a space separated list in Access-Control-Allow-Origin

bhill2: implicitly access control sharing check forbids >1 oriign

… my opinion is behavior is already specified and implemented

… propose we don't change it

any objections to closing these without change?

no objections heard

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21012 : Add more text on Vary

bhill2: seems that this is an edge case.

… minor editorial suggestion, not worth opening spec

any objections to closing these without change?

no objections heard

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21013: Credentials and HTTP authentication

<bhill2> http://lists.w3.org/Archives/Public/public-webapps/2013JanMar/thread.html#msg366

bhill2: discussion more recently on the list.

… does anyone feel spec needs additional clarification?

… I have not seen any actual text proposed

any objections to closing this without changes?

no objections heard

bhill2: call to formally close CfC for advancement from Candidate Recommendation to Proposed Recommendation

peleus moves to advance CORS to PR

seconded by ekr

no objections to unanimous consent

decision: move CORS to proposed recommendation

bhill2: I will check with Art in WebApps

SOS proposal

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0037.html

bhill2: proposed modiification to prevent against CSRF. Header to determne whether cookies would be sent or not

… a few items of discussion on the list

… anyone interested in taking this up?

nothing heard

bhill2: continue to discuss on the list

… but we will not take it up without more show of interest

in 1.1

<bhill2> thanks for scribing, ekr


Summary of Action Items

[End of minutes]