IRC log of webappsec on 2012-02-14

Timestamps are in UTC.

21:48:17 [RRSAgent]
RRSAgent has joined #webappsec
21:48:17 [RRSAgent]
logging to http://www.w3.org/2012/02/14-webappsec-irc
21:48:20 [Zakim]
Zakim has joined #webappsec
21:51:48 [ptheriault]
ptheriault has joined #webappsec
21:56:33 [jeffh]
jeffh has joined #webappsec
21:57:21 [bhill2]
david huang sent his regrets: would anyone else be willing to scribe?
21:58:51 [bhill2]
zakim, this will be 92794
21:58:51 [Zakim]
ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 2 minutes
22:01:20 [bhill2]
zakim, who is talking?
22:01:20 [Zakim]
sorry, bhill2, I don't know what conference this is
22:01:30 [bhill2]
zakim, this is 92794
22:01:30 [Zakim]
ok, bhill2; that matches SEC_WASWG()5:00PM
22:01:33 [bhill2]
zakim who is talking?
22:01:52 [Zakim]
+[Mozilla.a]
22:02:10 [abarth]
abarth has joined #webappsec
22:02:12 [bhill2]
hey busy Mozilla typist (dveditz?), mind muting?
22:02:19 [Zakim]
+ +1.650.678.aaee
22:02:22 [jeffh]
so it seems that someone has a mic very close to keyboard or their built-in-laptop mic is open and keystrokes are very loud
22:02:25 [ekr]
ekr has joined #webappsec
22:02:31 [Zakim]
+ +1.415.832.aaff
22:02:32 [Zakim]
-??P6
22:02:34 [ptheriault]
I'm at mozilla but it's not me
22:02:48 [abarth]
probably my fault
22:02:52 [abarth]
muted
22:02:57 [Zakim]
+??P6
22:03:22 [bhill2]
calling again for a scribe volunteer, David can't attend today
22:03:57 [Zakim]
+ +1.831.246.aagg
22:04:27 [ptheriault]
Paul as in me?
22:04:36 [dveditz2]
dveditz2 has joined #webappsec
22:04:41 [jeffh]
plus this weechat instance I'm unFortunately using doesn't do a lower-case F For some weird reason
22:04:44 [puhley]
puhley has joined #webappsec
22:05:23 [jeffh]
i built irssi on another box, i thot w/o error, but the load module exits with an unFound symbol error.....
22:05:47 [ekr]
Zakim, scribe is erescorl
22:05:47 [Zakim]
sorry, ekr, I do not recognize a party named 'scribe'
22:05:50 [bhill2]
http://www.w3.org/2011/webappsec/draft-minutes/2012-01-17-webappsec-minutes.html
22:05:55 [gioma1]
Zakim, ??P6 is gioma1
22:05:55 [Zakim]
+gioma1; got it
22:06:16 [ekr]
resolved: minutes approved
22:06:18 [bhill2]
zakim, who is here?
22:06:18 [Zakim]
On the phone I see +1.650.648.aaaa, +1.866.317.aabb, +1.206.245.aacc, +1.408.234.aadd, [Mozilla] (muted), [Mozilla.a], +1.650.678.aaee, +1.415.832.aaff, gioma1, +1.831.246.aagg
22:06:21 [Zakim]
On IRC I see puhley, dveditz2, ekr, abarth, jeffh, ptheriault, Zakim, RRSAgent, bhill2, gioma1, dveditz, anne, trackbot
22:06:30 [ekr]
scribe: ekr
22:06:38 [bhill2]
zakim, aacc is bhill2
22:06:38 [Zakim]
+bhill2; got it
22:06:47 [ekr]
scribe: erescorl
22:06:51 [abarth]
Zakim: aaaa is abarth
22:07:01 [ptheriault]
[Mozilla] (muted) is me
22:07:05 [ekr]
bhill: agenda bashing?
22:07:17 [bhill2]
zakim, aaaa is abarth
22:07:17 [Zakim]
+abarth; got it
22:07:17 [abarth]
zakim: aaaa is abarth
22:07:20 [jeffh]
how Find which line # I'm on ?
22:07:30 [ekr]
… next agenda item: open issues
22:07:48 [puhley]
aaff is puhley
22:08:14 [ekr]
… widgets was published in the last few weeks. they have their own origin-restriction methodology. need to reconcile with them eventually, but right now they are going to proceed to CR.
22:08:17 [Tanvi]
Tanvi has joined #webappsec
22:08:35 [ekr]
… action 35: advice for server operators [abarth]
22:08:39 [ekr]
abarth: no progress yet
22:08:43 [ekr]
… will work on it some more
22:08:54 [puhley]
zakim, aaff is puhley
22:08:54 [Zakim]
+puhley; got it
22:09:07 [ekr]
bhill2: action 36 [huang]. he has a paper deadline so can't get to it
22:09:11 [ekr]
… will do soon
22:09:16 [ekr]
… moving on to actions pending review.
22:10:08 [ekr]
bhill2: action 34: ekr was to do review. he did. action 39 to respond, he did.
22:10:48 [ekr]
… action 40 [abarth]. the spec already requires this. this action arose out of a difference in behavior because of a webkit bug. I will fix.
22:11:08 [ekr]
[NOTE: need to edit that to be abarth above]
22:11:48 [ekr]
bhill2: issue 10 [abarth] can it be closed?
22:11:55 [ekr]
abarth: yes, it's in pending review.
22:12:03 [ekr]
bhill2: noticed we have a new editor's draft. good
22:12:53 [ekr]
… anyone have a problem with only having the referrer header in the reports
22:13:05 [ekr]
abarth: would just have a new field called referrer
22:13:10 [anne]
I'm gonna get some sleep, but if people find issues with http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html please file a bug as suggested in the "Participate" box rather than file ACTIONS on me; I'd like to keep the number of systems I need to track to a minimum
22:13:10 [ekr]
ACTION: abarth to add this
22:13:11 [trackbot]
Created ACTION-47 - Add this [on Adam Barth - due 2012-02-21].
22:13:33 [ekr]
ACTION: abarth to add referrer field for reporting
22:13:33 [trackbot]
Created ACTION-48 - Add referrer field for reporting [on Adam Barth - due 2012-02-21].
22:14:53 [ekr]
bhill2: action 43. This was on me. We were changing processing model on what URI is in reports to not be the direct HTTP request but rather URI as seen by user agent. The main consequence of this is that it does not include fragments.
22:15:05 [Zakim]
- +1.408.234.aadd
22:15:15 [ekr]
… needed to clarify what to do with the fragment?
22:16:05 [ekr]
… there are deployed systems today that rely on having secrets in the fragment.
22:16:12 [ekr]
… in 1.0, propose not including fragment in report
22:16:25 [ekr]
… might want to add the ability to have fragments as a new feature request, e.g., 1.1
22:16:56 [ekr]
dveditz: but there are AJAX pages which rely on the fragment and you can't tell much about what's going on without it.
22:17:10 [ekr]
… maybe this is bad, but e.g., twitter does this and wants CSP
22:17:21 [ekr]
… if we're going to exclude it, is there a way to make opt-in part of initial dragt
22:17:29 [ekr]
s/dragt/draft/
22:17:54 [ekr]
bhill2: the current status quo is not to have fragment. we're not breaking anyone's reliance on these reports
22:18:06 [ekr]
dveditz: would be easy to write down the option in 1.0
22:18:12 [ekr]
… but would we have two implementations in time?
22:19:06 [ekr]
abarth: we earlier agreed on a criterion based on whether there were existing implementations
22:19:23 [ekr]
… and this seems to clearly have no implementations at all, so it should be 1.1
22:19:44 [jeffh]
? = abarth
22:20:17 [jeffh]
or was the "?" not intended to represent the speaker ?
22:20:35 [ekr]
?
22:21:10 [ekr]
bhill2: issue 44
22:21:58 [ekr]
abarth: unfortunately, there was an inconsistency in the document between requirements and examples. my question is: is there a normative requirement to include self, or have some other way of indicating self separately.
22:22:04 [ekr]
bhill2: any commentary on this on the list?
22:22:07 [ekr]
abarth: I don't know.
22:22:13 [Zakim]
- +1.831.246.aagg
22:22:46 [Zakim]
+ +1.831.246.aahh
22:23:13 [ekr]
bhill2: last remaining issue was ACTION-45. I think this is done. Any objections?
22:24:40 [ekr]
… I think that makes a pretty serious dent on what we have
22:24:53 [bhill2]
next agenda item:
22:24:53 [bhill2]
http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0014.html
22:25:48 [ekr]
abarth: probably useful to a small audience. might be useful in 1.1 or future version
22:25:53 [ekr]
… I don't have strong feeling
22:26:02 [ekr]
abarth: why don't we put it on the list of things to consider for 1.1
22:27:33 [ekr]
bhill2: this seems like something you could accomplish with sandbox
22:28:58 [ekr]
ACTION: bhill2 to followup on list to http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0014.html
22:28:58 [trackbot]
Created ACTION-49 - Followup on list to http://lists.w3.org/Archives/Public/public-webappsec/2012Feb/0014.html [on Brad Hill - due 2012-02-21].
22:29:16 [ekr]
bhill2: next item is to look at all open raised issues. I think we're pretty much there.
22:29:40 [ekr]
… new editors draft. outstanding items on policy-uri and sandbox.
22:29:51 [ekr]
… to resolve by vote of implementations
22:30:08 [ekr]
… todo section on server advice.
22:30:14 [ekr]
abarth: just need a solid day to write this
22:30:31 [ekr]
bhill2: any objections once these are fixed to do a CfC for LC on 1.0 on next call
22:30:55 [ekr]
abarth: last issue is issue #7--the policy-uri issue
22:31:13 [ekr]
bhill2: was this one of the ones where we going to let implementations vote, or is the debate about if we want it at all
22:31:20 [ekr]
abarth: I think it's not a good feature. I know Dan disagrees
22:31:33 [ekr]
… was hoping some other WG members could contribute
22:31:40 [ekr]
jeffh: is there a thread on the list
22:31:49 [ekr]
abarth: not yet, but I think this may be a good time
22:31:58 [ekr]
ACTION: abarth to start discussion on ISSUE 7
22:31:58 [trackbot]
Created ACTION-50 - Start discussion on ISSUE 7 [on Adam Barth - due 2012-02-21].
22:32:50 [ekr]
bhill2: any other issues anyone wants to raise on CSP 1.0?
22:32:59 [ekr]
… moving on to next item: moving CORS to LC
22:33:21 [ekr]
… we issued a CfC over a month ago. Issues were raised privately. Some parties were not interested in engaging publicly?
22:33:42 [ekr]
… chairs and editors engaged with them and then came back with some suggested language.
22:33:57 [ekr]
… intent wasn't to keep anyone in the dark, just to preemptively cut off some of the political problems.
22:34:10 [ekr]
… I proposed some security considerations text.
22:34:17 [bhill2]
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html
22:34:19 [ekr]
… Anne incorporated it into latest draft.
22:35:00 [ekr]
… deals mostly with how to avoid confused deputy attacks.
22:35:15 [ekr]
… also ACTION-46 was added to clarify setting of origin header when following redirect.
22:35:55 [ekr]
… appears that web origin and CORS evolved independently to point at each other for how to handle this. ACTION-46 is to take the previous origin RFC text and put it in CORS
22:36:07 [ekr]
… Anne has also done that. I
22:36:16 [ekr]
… I believe this addresses all the outstanding consensus objections
22:36:55 [ekr]
jeffh: were these written down?
22:37:08 [ekr]
bhill2: they were private comments. people didn't want to engage publicly.
22:37:28 [ekr]
… was an unfortunate situation, but I tried to keep the group looped in
22:37:47 [ekr]
… idea was to get ahead of public objections.
22:37:59 [ekr]
… does anyone have any objections to the proposed text in the latest editor's draft
22:38:04 [ekr]
jeffh: I haven't had time to read it
22:38:36 [ekr]
abarth: can I ask a process question. To what extent can private objections prevent the spec from moving forward? Do these folks need to eventually come into public to make these points.
22:38:48 [ekr]
bhill2: you can't prevent the spec from advancing purely by private objections
22:39:07 [ekr]
… but in this case the objectors would have raised it through influencing members of the TAG.
22:39:37 [ekr]
… figured the best course of action was to address it privately before it became a formal objection
22:40:28 [ekr]
bhill2: this has been out for comment for a long time and most of the changes seem to have been dealt with
22:40:36 [ekr]
… objections to requesting advancement to LC at this point?
22:40:43 [ekr]
… Jeff, do you want time to read this before giving assent.
22:41:16 [ekr]
jeffh: will need a little while to look through it. I also have some editorial comments.
22:42:36 [ekr]
… now that this security considerations thing has bubbled up, I now think it's time to address these editorial issues, including precise security considerations.
22:42:55 [ekr]
bhill2: I don't think there is harm in waiting for another two weeks to get your comments
22:43:08 [ekr]
ACTION: jeffh to review new sec cons language and provide editorial fixes
22:43:08 [trackbot]
Sorry, couldn't find user - jeffh
22:43:26 [ekr]
Jeff, what is your W3C name?
22:43:46 [jeffh]
pls stand by
22:44:05 [ekr]
bhill2: last item is proposed F2F in bay area.
22:44:48 [jeffh]
jhodges3
22:45:05 [ekr]
… topics would include hashing out ideas for new CSP directives and dig down deeper into anti-clickjacking
22:45:25 [ekr]
ACTION: jhodges3 to review CORS new sec cons language and provide editorial fixes
22:45:25 [trackbot]
Created ACTION-51 - Review CORS new sec cons language and provide editorial fixes [on Jeff Hodges - due 2012-02-21].
22:45:45 [ekr]
bhill2: would mostly be April 10-11
22:45:52 [jeffh]
have we Found a location For the F2F ?
22:46:03 [ptheriault]
Australia ;)
22:46:09 [jeffh]
:)
22:46:16 [ekr]
jeffh: it's going to be california
22:46:36 [jeffh]
i realize that -- we checked into hosting here @paypal, but the rooms are already booked :(
22:46:40 [ekr]
bhill2: I will create another google poll.
22:46:59 [ekr]
s/google/doodle/
22:47:21 [Zakim]
- +1.866.317.aabb
22:47:22 [Zakim]
- +1.650.678.aaee
22:47:23 [Zakim]
- +1.831.246.aahh
22:47:24 [Zakim]
-abarth
22:47:24 [Zakim]
-puhley
22:47:25 [Zakim]
-[Mozilla]
22:47:27 [Zakim]
-gioma1
22:47:33 [ekr]
rrsagent, stop log
22:47:33 [RRSAgent]
I'm logging. I don't understand 'stop log', ekr. Try /msg RRSAgent help
22:47:38 [bhill2]
zakim, list attendees
22:47:38 [Zakim]
As of this point the attendees have been +1.650.648.aaaa, +1.866.317.aabb, +1.206.245.aacc, +1.408.234.aadd, [Mozilla], +1.650.678.aaee, +1.415.832.aaff, +1.831.246.aagg, gioma1,
22:47:41 [Zakim]
... bhill2, abarth, puhley, +1.831.246.aahh
22:47:47 [ekr]
rrsagent, create minutes
22:47:47 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/02/14-webappsec-minutes.html ekr
22:47:52 [puhley]
puhley has left #webappsec
22:47:55 [Zakim]
-bhill2
22:48:08 [ptheriault]
ptheriault has left #webappsec
22:48:16 [Zakim]
-[Mozilla.a]
22:48:17 [Zakim]
SEC_WASWG()5:00PM has ended
22:48:17 [Zakim]
Attendees were +1.650.648.aaaa, +1.866.317.aabb, +1.206.245.aacc, +1.408.234.aadd, [Mozilla], +1.650.678.aaee, +1.415.832.aaff, +1.831.246.aagg, gioma1, bhill2, abarth, puhley,
22:48:17 [Zakim]
... +1.831.246.aahh
22:56:22 [bhill2]
rrsagent, set logs public-visible
22:56:40 [bhill2]
rrsagent, create minutes
22:56:40 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/02/14-webappsec-minutes.html bhill2
23:18:41 [abarth]
abarth has joined #webappsec
23:23:52 [bhill21]
bhill21 has joined #webappsec