20:56:07 <RRSAgent> RRSAgent has joined #webappsec
20:56:07 <RRSAgent> logging to http://www.w3.org/2012/05/08-webappsec-irc
20:56:22 <puhley> puhley has joined #webappsec
20:56:28 <jeffh> jeffh has joined #webappsec
20:58:04 <bhill2> zakim, this will be 92794
20:58:04 <Zakim> ok, bhill2; I see SEC_WASWG()5:00PM scheduled to start in 2 minutes
20:58:28 <bhill2> Meeting: WebAppSec Teleconference, May 8, 2012
20:58:34 <bhill2> Chair: bhill2, ekr
20:59:10 <puhley> Scribe: Peleus Uhley
20:59:14 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012May/0047.html
20:59:22 <puhley> ScribeNick: puhley
20:59:55 <puhley> rrsagent, begin
21:00:17 <abarth> abarth has joined #webappsec
21:00:48 <abarth> Zakim, who is on the phone
21:00:48 <Zakim> I don't understand 'who is on the phone', abarth
21:01:15 <bhill2> zakim, who is here
21:01:15 <Zakim> bhill2, you need to end that query with '?'
21:01:20 <bhill2> zakim, who is here?
21:01:20 <Zakim> SEC_WASWG()5:00PM has not yet started, bhill2
21:01:21 <Zakim> On IRC I see abarth, jeffh, puhley, RRSAgent, Zakim, bhill2, dhuang3, tanvi, gioma1, dveditz, odinho, anne, timeless, mkwst, trackbot, bhill22, caribou
21:01:34 <abarth> Zakim, who is on the phone?
21:01:34 <Zakim> SEC_WASWG()5:00PM has not yet started, abarth
21:01:36 <Zakim> On IRC I see abarth, jeffh, puhley, RRSAgent, Zakim, bhill2, dhuang3, tanvi, gioma1, dveditz, odinho, anne, timeless, mkwst, trackbot, bhill22, caribou
21:02:07 <cory> cory has joined #webappsec
21:02:12 <bhill2> zakim, who is speaking?
21:02:12 <Zakim> sorry, bhill2, I don't know what conference this is
21:02:18 <bhill2> zakim, this is 92794
21:02:18 <Zakim> ok, bhill2; that matches SEC_WASWG()5:00PM
21:02:24 <bhill2> zakim, who is on the phone?
21:02:24 <Zakim> On the phone I see +1.650.678.aaaa, +1.866.317.aabb, +1.415.832.aacc, abarth, ??P5, +1.650.386.aadd, +1.360.793.aaee, +1.425.865.aaff, +1.408.320.aagg
21:02:34 <Zakim> -??P5
21:02:34 <bhill2> zakim aadd is bhill2
21:02:40 <bhill2> zakim, aadd is bhill2
21:02:40 <Zakim> +bhill2; got it
21:02:48 <bhill2> zakim, who is speaking?
21:02:53 <abarth> it remembered my phone number!  amazing
21:02:59 <Zakim> bhill2, listening for 10 seconds I heard sound from the following: +1.650.678.aaaa (15%), +1.415.832.aacc (26%), bhill2 (4%)
21:02:59 <dhuang3> zakim, aagg is dhuang3
21:03:01 <Zakim> +dhuang3; got it
21:03:04 <tanvi> i'm aadd
21:03:06 <Zakim> +??P5
21:03:09 <puhley> zakim aacc is puhley
21:03:29 <puhley> zakim, aacc is puhley
21:03:29 <Zakim> +puhley; got it
21:03:32 <gioma1> zakim, ??P5 is gioma1
21:03:32 <Zakim> +gioma1; got it
21:04:04 <timeless> s/zakim aacc is puhley//
21:04:06 <bhill2> zakim, aaee is bhill2
21:04:06 <Zakim> +bhill2; got it
21:04:10 <timeless> RRSAgent, draft minutes
21:04:10 <RRSAgent> I have made the request to generate http://www.w3.org/2012/05/08-webappsec-minutes.html timeless
21:04:13 <tanvi> zakim, aadd is tanvi
21:04:13 <Zakim> sorry, tanvi, I do not recognize a party named 'aadd'
21:04:26 <timeless> Zakim, who is on the call?
21:04:26 <Zakim> On the phone I see +1.650.678.aaaa, +1.866.317.aabb, puhley, abarth, bhill2, bhill2.a, +1.425.865.aaff, dhuang3, gioma1
21:04:30 <jeffh> zakim, aagg is jeFFh
21:04:30 <Zakim> sorry, jeffh, I do not recognize a party named 'aagg'
21:04:40 <bhill2> zakim, mute puhley
21:04:40 <Zakim> puhley should now be muted
21:05:11 <bhill2> zakim, unmute puhley
21:05:11 <Zakim> puhley should no longer be muted
21:06:13 <Zakim> +[Microsoft]
21:06:37 <puhley> bhill: I haven't posted day 2 minutes yet
21:07:03 <puhley> ACTION: bhill to add day 2 minutes
21:07:03 <trackbot> Sorry, couldn't find user - bhill
21:07:37 <jrossi> jrossi has joined #webappsec
21:07:41 <puhley> ACTION: bhill2 to add day 2 minutes from face to face meeting
21:07:42 <trackbot> Created ACTION-64 - Add day 2 minutes from face to face meeting [on Brad Hill - due 2012-05-15].
21:09:01 <bhill2> agenda substitution: discuss more granular origin handling behavior in 1.0 in place of content type matching in 1.1
21:11:04 <Zakim> +dveditz
21:15:33 <puhley> jrossi: Should sandbox directive be included in CSP 1.0?
21:15:47 <puhley> abarth: There is an implementation in WebKit
21:16:39 <puhley> bhill2: It was considered for 1.1 because it did not change the header or the syntax for CSP. Therefore, it could be supported in browsers without being in the 1.0 spec.
21:18:16 <puhley> jrossi: Microsoft would like to get it into 1.0 so that they could officially validate their implementation.
21:19:15 <puhley> jrossi: It meets the criteria for W3C requirements of two implementations.
21:23:06 <timeless> issue-35?
21:23:06 <trackbot> ISSUE-35 does not exist
21:23:15 <timeless> s/issue-35?//
21:23:18 <timeless> s/ISSUE-35 does not exist//
21:27:46 <timeless> issue-8?
21:27:46 <trackbot> ISSUE-8 -- Identify proper behavior for html added via plubins / object tag -- closed
21:27:46 <trackbot> http://www.w3.org/2011/webappsec/track/issues/8
21:27:53 <timeless> s/issue-8?//
21:27:59 <timeless> s|ISSUE-8 -- Identify proper behavior for html added via plubins / object tag -- closed||
21:28:04 <timeless> s|http://www.w3.org/2011/webappsec/track/issues/8||
21:28:13 <timeless> RRSAgent, draft minutes
21:28:13 <RRSAgent> I have made the request to generate http://www.w3.org/2012/05/08-webappsec-minutes.html timeless
21:28:39 <puhley> bhill2: This may cause confusion with regards to declaring CSP support if individual sub-features are not supported. For instance, if IE supports sandbox but does not support all of the directives and Firefox supports all of the directives but not the sandbox implementation.
21:29:16 <puhley> ACTION: bhill2 to put question out to the list.
21:29:17 <trackbot> Created ACTION-65 - Put question out to the list. [on Brad Hill - due 2012-05-15].
21:29:23 <bhill2> rrsagent set logs public-visible
21:29:33 <bhill2> rrsagent, set logs public-visible
21:29:42 <timeless> s|rrsagent set logs public-visible||
21:29:45 <timeless> RRSAgent, draft minutes
21:29:45 <RRSAgent> I have made the request to generate http://www.w3.org/2012/05/08-webappsec-minutes.html timeless
21:31:10 <puhley> abarth: When receiving multiple policies, the browser should combine them.
21:34:05 <puhley> abarth: For experimental headers, the browser vendors implementing the experimental header will determine what works best for combining the header.
21:34:52 <puhley> tanvi: Should there be same-origin restrictions for report-uri headers?
21:35:32 <puhley> abarth: We will not allow report-uri in meta tag but we won't restrict it for headers.
21:38:28 <puhley> bhill2: Should we allow more granular origins than just the domain?
21:39:54 <puhley> dveditz: It would be good to define this in 1.0 so that expectations are set correctly going forward.
21:43:53 <puhley> ACTION: abarth to add error handling behavior in 1.0 spec
21:43:53 <trackbot> Created ACTION-66 - Add error handling behavior in 1.0 spec [on Adam Barth - due 2012-05-15].
21:46:54 <jeffh> lots oF noise on some line
21:47:24 <puhley> I am on mute right now so it isn't me.
21:47:50 <tanvi> someone who is typing
21:47:59 <gioma1> neither me. Someone typing
21:50:14 <puhley> ACTION: abarth to add a description for how to handle content-type in CSP 1.1 - 06/30/2012
21:50:14 <trackbot> Created ACTION-67 - Add a description for how to handle content-type in CSP 1.1 - 06/30/2012 [on Adam Barth - due 2012-05-15].
21:52:33 <puhley> bhill2: For clickjacking, we would pursue something similar to ClearClick. Giorgio is nominated as editor.
21:52:43 <puhley> dhuang3 volunteers to be an additional editor.
21:57:25 <puhley> ACTION: dhuang3 to coordinate with Giorgi on a draft proposal - 07/2012
21:57:25 <trackbot> Created ACTION-68 - Coordinate with Giorgi on a draft proposal - 07/2012 [on David Huang - due 2012-05-15].
21:57:42 <Zakim> - +1.866.317.aabb
21:57:47 <Zakim> -[Microsoft]
21:57:48 <Zakim> - +1.650.678.aaaa
21:57:48 <Zakim> -dveditz
21:57:50 <Zakim> - +1.425.865.aaff
21:57:50 <Zakim> -abarth
21:57:51 <Zakim> -dhuang3
21:57:51 <Zakim> -gioma1
21:57:52 <Zakim> -bhill2.a
21:57:54 <Zakim> -puhley
21:57:56 <Zakim> -bhill2
21:57:57 <Zakim> SEC_WASWG()5:00PM has ended
21:57:59 <Zakim> Attendees were +1.650.678.aaaa, +1.866.317.aabb, +1.415.832.aacc, abarth, +1.650.386.aadd, +1.360.793.aaee, +1.425.865.aaff, +1.408.320.aagg, bhill2, dhuang3, puhley, gioma1,
21:58:03 <Zakim> ... [Microsoft], dveditz
21:58:22 <puhley> RRSAgenet, make minutes
21:58:31 <puhley> RRSAgent, make minutes
21:58:31 <RRSAgent> I have made the request to generate http://www.w3.org/2012/05/08-webappsec-minutes.html puhley
21:59:49 <bhill2> thank you, Josh
22:00:38 <timeless> s/thank you, Josh//
22:01:00 <timeless> trackbot, end meeting
22:01:00 <trackbot> Zakim, list attendees
22:01:00 <Zakim> sorry, trackbot, I don't know what conference this is
22:01:00 <jeffh> quit
22:01:08 <trackbot> RRSAgent, please draft minutes
22:01:08 <RRSAgent> I have made the request to generate http://www.w3.org/2012/05/08-webappsec-minutes.html trackbot
22:01:09 <timeless> s/quit//
22:01:09 <trackbot> RRSAgent, bye
22:01:09 <RRSAgent> I see 6 open action items saved in http://www.w3.org/2012/05/08-webappsec-actions.rdf :
22:01:09 <RRSAgent> ACTION: bhill to add day 2 minutes [1]
22:01:09 <RRSAgent>   recorded in http://www.w3.org/2012/05/08-webappsec-irc#T21-07-03
22:01:09 <RRSAgent> ACTION: bhill2 to add day 2 minutes from face to face meeting [2]
22:01:09 <RRSAgent>   recorded in http://www.w3.org/2012/05/08-webappsec-irc#T21-07-41
22:01:09 <RRSAgent> ACTION: bhill2 to put question out to the list. [3]
22:01:09 <RRSAgent>   recorded in http://www.w3.org/2012/05/08-webappsec-irc#T21-29-16
22:01:09 <RRSAgent> ACTION: abarth to add error handling behavior in 1.0 spec [4]
22:01:09 <RRSAgent>   recorded in http://www.w3.org/2012/05/08-webappsec-irc#T21-43-53
22:01:09 <RRSAgent> ACTION: abarth to add a description for how to handle content-type in CSP 1.1 - 06/30/2012 [5]
22:01:09 <RRSAgent>   recorded in http://www.w3.org/2012/05/08-webappsec-irc#T21-50-14
22:01:09 <RRSAgent> ACTION: dhuang3 to coordinate with Giorgi on a draft proposal - 07/2012 [6]
22:01:09 <RRSAgent>   recorded in http://www.w3.org/2012/05/08-webappsec-irc#T21-57-25
22:01:16 <timeless> RRSAgent, draft minutes
22:01:16 <RRSAgent> I have made the request to generate http://www.w3.org/2012/05/08-webappsec-minutes.html timeless