21:00:03 <RRSAgent> RRSAgent has joined #webappsec
21:00:03 <RRSAgent> logging to http://www.w3.org/2012/04/10-webappsec-irc
21:00:12 <bhill21> zakim this will be 92794
21:00:20 <bhill21> zakim, this is 92794
21:00:20 <Zakim> ok, bhill21; that matches SEC_WASWG()5:00PM
21:00:26 <bhill21> rrsagent begin
21:00:28 <Zakim> +Joseph_Scheuhammer
21:00:34 <bhill21> rrsagent, begin
21:00:43 <Zakim> +??P6
21:00:53 <bhill21> Meeting: WebAppSec WG Teleconference, April 10, 2012
21:00:59 <bhill21> Chair: bhill2, ekr
21:01:24 <Zakim> + +1.650.648.aaee
21:01:26 <gioma1> Zakim, ??P6 is gioma1
21:01:26 <Zakim> +gioma1; got it
21:01:43 <bhill21> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0009.html
21:01:53 <abarth> abarth has joined #webappsec
21:01:55 <Zakim> + +1.503.712.aaff
21:02:07 <bhill21> zakim, who is here?
21:02:07 <Zakim> On the phone I see +1.978.944.aaaa, +1.303.229.aabb, +1.650.678.aacc, +1.866.317.aadd, Joseph_Scheuhammer, gioma1, +1.650.648.aaee, +1.503.712.aaff
21:02:10 <Zakim> On IRC I see abarth, RRSAgent, Zakim, ekr, bhill21, jeffh, tanvi1, EC, gioma1, dveditz, bhill2, anne, trackbot
21:02:13 <bhill21> zakim, aabb is bhill2
21:02:13 <Zakim> +bhill2; got it
21:02:28 <abarth> Zakim, aaee is abarth
21:02:28 <Zakim> +abarth; got it
21:02:40 <Zakim> +[Mozilla]
21:02:51 <bhill21> zakim, aaff is rware
21:02:51 <Zakim> +rware; got it
21:02:57 <tanvi> tanvi has joined #webappsec
21:04:15 <Zakim> + +1.831.246.aagg
21:04:48 <bhill21> scribenick: ekr
21:05:21 <bhill21> zakim, who is here
21:05:21 <Zakim> bhill21, you need to end that query with '?'
21:05:26 <bhill21> zakim, who is here?
21:05:26 <Zakim> On the phone I see +1.978.944.aaaa, bhill2, +1.650.678.aacc, +1.866.317.aadd, Joseph_Scheuhammer, gioma1, abarth, rware, [Mozilla], +1.831.246.aagg
21:05:28 <Zakim> On IRC I see tanvi, abarth, RRSAgent, Zakim, ekr, bhill21, jeffh, EC, gioma1, dveditz, bhill2, anne, trackbot
21:05:28 <Zakim> + +1.425.865.aahh
21:05:53 <Zakim> +[Microsoft]
21:05:56 <dveditz> Zakim, dveditz is aagg
21:05:56 <Zakim> sorry, dveditz, I do not recognize a party named 'dveditz'
21:06:08 <ekr> zakim, aagg is dveditz
21:06:08 <Zakim> +dveditz; got it
21:06:09 <dveditz> Zakim, aagg is dveditz
21:06:09 <Zakim> sorry, dveditz, I do not recognize a party named 'aagg'
21:06:10 <jrossi> jrossi has joined #webappsec
21:06:57 <jrossi> scribenick: jrossi
21:07:46 <cory> cory has joined #webappsec
21:07:59 <jrossi> topic: last call's minutes
21:08:14 <jrossi> bhill: any objections to approval?
21:08:24 <jrossi> bhill: no objections, minutes approved
21:08:48 <jrossi> topic:  F2F at TPAC
21:09:08 <jrossi> bhill: This is year in France.  W3C wants to know if WebAppSec should meet.
21:09:21 <jrossi> bhill: provide input on whether folks will be able to attend
21:09:27 <jrossi> bhill: still having our F2F in May
21:09:45 <jrossi> topic: CORs published LCWD
21:09:54 <jrossi> bhill: This triggers a new call for exclusions.
21:11:43 <Zakim> - +1.978.944.aaaa
21:13:32 <jrossi> topics: Report on IETF 83 in Paris
21:13:42 <jrossi> topic: Report on IETF 83 in Paris
21:14:12 <jrossi> jeffh: Sent mail to list with updates from IETF 83
21:14:31 <keeler> keeler has joined #webappsec
21:15:19 <Zakim> + +1.781.218.aaii
21:15:30 <jrossi> jeffh: review presentations for your information (links in mail)
21:16:23 <gopal> gopal has joined #webappsec
21:16:31 <jrossi> http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0011.html
21:17:24 <jrossi> jeffh: WebSec WG's HSTS spec is in WG Last Call, comments received, no showstoppers
21:17:35 <gopal> present+ gopal
21:17:54 <jrossi> jeffh: IAB Tech Plenary presentations (slides and PDFs included here: http://lists.w3.org/Archives/Public/public-webappsec/2012Apr/0011.html)
21:18:30 <jrossi> jeffh:  work on a new DNS API, one that accomodates async operations
21:19:08 <Zakim> -Joseph_Scheuhammer
21:19:14 <jrossi> jeffh: PKIX  revocation and SSL Replacements/Enhancements
21:20:45 <jrossi> jeffh:  HTTPbis,  provide comments on HTTP/1.1,  parts 4-7 in WG LC, parts 1-3 entering WG LC soon
21:21:36 <jrossi> jeffh:  entertaining proposals for an HTTP 2.0, firm rechartering this summer where the proposal has been nailed down
21:21:52 <jrossi> jeffh:  process/requirements gathering at  http://bit.ly/http2reqs
21:22:19 <jrossi> jeffh:  Mark Nottingham's overview of process & reqs is worth reviewing (  https://www.ietf.org/proceedings/83/slides/slides-83-httpbis-6.pdf  )
21:22:37 <jrossi> jeffh: 3 proposals were presented, SPDY, HTTP Speed+Mobility, and WAKA
21:25:31 <Zakim> + +1.614.465.aajj
21:25:38 <Zakim> + +1.415.596.aakk
21:25:51 <gopal> gopal has joined #webappsec
21:26:28 <bhill21> http://tools.ietf.org/html/draft-pettersen-subtld-structure-09
21:26:46 <puhley> puhley has joined #webappsec
21:28:53 <bhill21> various rumblings about fixing the "publicsuffix.org" problem at IETF.. possibly in a new list or discussion area
21:29:23 <bhill21> https://www.w3.org/2011/webappsec/track/actions/open
21:29:23 <jrossi> topic:  Reviewing open tracker actions
21:29:34 <jrossi> Action-20?
21:29:34 <trackbot> ACTION-20 -- Brad Hill to liason with widgets activity on policy placeholder for widgets -- due 2012-05-15 -- OPEN
21:29:34 <trackbot> http://www.w3.org/2011/webappsec/track/actions/20
21:29:44 <jrossi> Action-35?
21:29:45 <trackbot> ACTION-35 -- Adam Barth to add advice for server operators about combining policies -- due 2012-03-13 -- OPEN
21:29:45 <trackbot> http://www.w3.org/2011/webappsec/track/actions/35
21:29:57 <jeffh> see also: dra-sullivan-zone-policy-assertions-01
21:30:01 <jrossi> bhill: hasn't been touched lately, need to find a new owner?
21:30:16 <jrossi> abarth: if this is the last thing to do, i can do this
21:30:24 <jrossi> bhill: will evaluate after the call
21:30:28 <jrossi> action-36?
21:30:28 <trackbot> ACTION-36 -- David Huang to copy clicking jacking info to wiki and email list -- due 2012-03-13 -- OPEN
21:30:28 <trackbot> http://www.w3.org/2011/webappsec/track/actions/36
21:30:37 <jrossi> bhill: will close this
21:31:02 <jrossi> action-51?
21:31:02 <trackbot> ACTION-51 -- Jeff Hodges to review CORS new sec cons language and provide editorial fixes -- due 2012-03-25 -- OPEN
21:31:02 <trackbot> http://www.w3.org/2011/webappsec/track/actions/51
21:31:17 <jrossi> bhill: generally in the phase of providing last call comments for CORs
21:31:40 <jrossi> bhill: think we should pay special attention to this one
21:31:58 <jrossi> bhill: CORS has a security model for the developer that's easy to misunderstand
21:32:19 <jrossi> bhill: good idea to make sure we make the right comments and the spec is clear to browser authors and the other audiences who will use this
21:32:45 <jrossi> bhill: this action is on Jeff, but everyone should review
21:33:33 <jrossi> action-56?
21:33:33 <trackbot> ACTION-56 -- Adam Barth to remove policy-uri directive -- due 2012-04-10 -- OPEN
21:33:33 <trackbot> http://www.w3.org/2011/webappsec/track/actions/56
21:33:39 <jrossi> bhill: is that complete?
21:33:42 <jrossi> abarth: yes
21:34:15 <jrossi> action-54 will follow up with adam,  item later to talk about action-55
21:34:30 <jrossi> topic: META tag support
21:34:38 <jrossi> bhill: discussion on list about keeping/removing
21:34:43 <jrossi> bhill: resolved to remove from spec
21:35:04 <jrossi> bhill: any particular opinions or data points we didn't hear on the mailing list?
21:35:43 <jrossi> tanvi: at Mozilla we feel we don't want to muddle the policy that determines what's in the HTML document to also be in the HTML document
21:35:52 <jrossi> tanvi: this is why we don't like the idea of the META tag
21:36:20 <jrossi> tanvi: at the same time, understand that pages may wish to dynamically apply the policy after loading content
21:36:29 <jrossi> abarth:  sounds like a good thing to consider in the 1.1 version of the spec
21:36:32 <jrossi> tanvi: I agree
21:36:43 <jrossi> bhill: probably should put on agenda for F2F to talk about use cases
21:37:07 <jrossi> topic: Header definitions have cross-responsibility between IETF/W3C
21:37:26 <jrossi> bhill: fine to keep working on here since it's relevant to other topics related to W3C work
21:37:39 <jrossi> bhill: abarth has volunteered to take that up and provide a draft
21:37:47 <bhill21> http://dvcs.w3.org/hg/content-security-policy/rev/91163bbd2daf
21:38:17 <jrossi> action: abarth to cross-post proposal to HTTP and WebSec WG at IETF
21:38:17 <trackbot> Created ACTION-57 - Cross-post proposal to HTTP and WebSec WG at IETF [on Adam Barth - due 2012-04-17].
21:39:42 <jrossi> topic: Sandbox directive
21:40:06 <jrossi> bhill: IE has implementation, WebKit has the HTML implementation
21:40:20 <jrossi> abarth: sandbox directive is implemented in CSP implementation in WebKit
21:40:28 <jrossi> bhill: tanvi, is Mozilla working on it?
21:40:45 <jrossi> tanvi: working on iframe sandbox, not complete yet, hopefully will land in a month or so (won't be out for a few more months)
21:40:55 <jrossi> bhill: would mozilla be agreeable to including it in CSP?
21:41:57 <jeffh> who's speaking ?
21:42:56 <jrossi> I am
21:43:50 <jeffh> so jrossi querying dveditz wrt support For iFame sandbox, yes?
21:44:07 <jrossi> yes
21:45:08 <jeffh> dveditz: moz wanting to push iFrame sandbox to CSP 1.1
21:45:58 <jeffh> jrossi: arguing For including it in CSP 1.0, other browsers support it already, so need it documented/spec'd to avoid interop issues in Future
21:47:48 <jeffh> bhill: (summarizing) keep iFrame sandbox in spec For now, have more detailed discussion on list
21:48:30 <jeffh> jrossi: "sandbox" is more general than just on an iFrame, can be top-level page -- so let's keep it in spec For now, have more discussion on list
21:48:42 <jeffh> scribe back to u jrossi ?
21:48:51 <jrossi> topic:  agenda for May F2F topics
21:49:01 <jrossi> bhill: very close to LC for CSP 1.0
21:49:20 <jrossi> bhill: hopefully be ready to finish discussion on sandbox and have a LC draft shortly following
21:49:27 <jrossi> bhill: then move directly into 1.1
21:49:42 <jrossi> bhill: objections of discussion CSP 1.1 and next objectives at F2F?
21:49:50 <jrossi> bhill: no objections
21:50:32 <jrossi> bhilll:  more info on click jacking threats, propose taking time to discuss further on whether we can turn this into a spec, etc...  objections/suggestions on anti-click-jacking agenda items?
21:51:01 <jrossi> bhill: big challenge left in group is getting good test cases
21:51:54 <jrossi> bhill: people interested in taking a significant chunk of time to do a "live hackathon" to work together on some test case momentum?
21:52:06 <jrossi> gopal: think this is a great idea
21:53:20 <jrossi> bhill: encourage everyone to bring laptops and come ready to code then
21:53:56 <jrossi> bhill: any additional agenda items for next F2F?
21:54:01 <jrossi> bhill: no suggestions
21:56:43 <Zakim> -rware
21:58:05 <Zakim> - +1.415.596.aakk
21:58:07 <Zakim> - +1.866.317.aadd
21:58:09 <Zakim> - +1.781.218.aaii
21:58:11 <Zakim> - +1.425.865.aahh
21:58:12 <Zakim> - +1.614.465.aajj
21:58:12 <Zakim> - +1.650.678.aacc
21:58:13 <Zakim> -dveditz
21:58:15 <Zakim> -gioma1
21:58:22 <Zakim> -[Microsoft]
21:58:25 <Zakim> -[Mozilla]
21:58:31 <Zakim> -abarth
21:58:38 <bhill21> zakim, list attendees
21:58:38 <Zakim> As of this point the attendees have been +1.978.944.aaaa, +1.303.229.aabb, Joseph_Scheuhammer, +1.650.678.aacc, +1.866.317.aadd, +1.650.648.aaee, gioma1, +1.503.712.aaff, bhill2,
21:58:41 <Zakim> ... abarth, [Mozilla], rware, +1.831.246.aagg, +1.425.865.aahh, [Microsoft], dveditz, +1.781.218.aaii, +1.614.465.aajj, +1.415.596.aakk
21:58:44 <bhill21> rrsagent, set logs public-visible
21:58:50 <bhill21> rrsagent, make minutes
21:58:50 <RRSAgent> I have made the request to generate http://www.w3.org/2012/04/10-webappsec-minutes.html bhill21
21:58:56 <bhill21> rrsagent, set logs public-visible
21:59:05 <bhill21> thanks, all
21:59:11 <Zakim> -bhill2
21:59:12 <Zakim> SEC_WASWG()5:00PM has ended
21:59:12 <Zakim> Attendees were +1.978.944.aaaa, +1.303.229.aabb, Joseph_Scheuhammer, +1.650.678.aacc, +1.866.317.aadd, +1.650.648.aaee, gioma1, +1.503.712.aaff, bhill2, abarth, [Mozilla], rware,
21:59:12 <Zakim> ... +1.831.246.aagg, +1.425.865.aahh, [Microsoft], dveditz, +1.781.218.aaii, +1.614.465.aajj, +1.415.596.aakk
22:00:53 <puhley> puhley has left #webappsec
22:09:49 <tanvi1> tanvi1 has joined #webappsec
22:30:02 <gopal> gopal has joined #webappsec
22:49:16 <tanvi> tanvi has joined #webappsec
23:17:40 <gopal> gopal has joined #webappsec
23:18:45 <bhill2> bhill2 has left #webappsec
23:26:53 <bhill21> bhill21 has left #webappsec
23:48:55 <bhill2> bhill2 has joined #webappsec