<scribe> Scribe: Peleus Uhley
<scribe> ScribeNick: puhley
<bhill2> zakim aadd is bhill2
<abarth> it remembered my phone number! amazing
<tanvi> i'm aadd
bhill: I haven't posted day 2 minutes yet
<scribe> ACTION: bhill to add day 2 minutes [recorded in http://www.w3.org/2012/05/08-webappsec-minutes.html#action01]
<trackbot> Sorry, couldn't find user - bhill
<scribe> ACTION: bhill2 to add day 2 minutes from face to face meeting [recorded in http://www.w3.org/2012/05/08-webappsec-minutes.html#action02]
<trackbot> Created ACTION-64 - Add day 2 minutes from face to face meeting [on Brad Hill - due 2012-05-15].
<bhill2> agenda substitution: discuss more granular origin handling behavior in 1.0 in place of content type matching in 1.1
jrossi: Should sandbox directive be included in CSP 1.0?
abarth: There is an implementation in WebKit
bhill2: It was considered for 1.1 because it did not change the header or the syntax for CSP. Therefore, it could be supported in browsers without being in the 1.0 spec.
jrossi: Microsoft would like to get it into 1.0 so that they could officially validate their implementation.
... It meets the criteria for W3C requirements of two implementations.
bhill2: This may cause confusion with regards to declaring CSP support if individual sub-features are not supported. For instance, if IE supports sandbox but does not support all of the directives and Firefox supports all of the directives but not the sandbox implementation.
<scribe> ACTION: bhill2 to put question out to the list. [recorded in http://www.w3.org/2012/05/08-webappsec-minutes.html#action03]
<trackbot> Created ACTION-65 - Put question out to the list. [on Brad Hill - due 2012-05-15].
abarth: When receiving multiple policies, the browser should combine them.
... For experimental headers, the browser vendors implementing the experimental header will determine what works best for combining the header.
tanvi: Should there be same-origin restrictions for report-uri headers?
abarth: We will not allow report-uri in meta tag but we won't restrict it for headers.
bhill2: Should we allow more granular origins than just the domain?
dveditz: It would be good to define this in 1.0 so that expectations are set correctly going forward.
<scribe> ACTION: abarth to add error handling behavior in 1.0 spec [recorded in http://www.w3.org/2012/05/08-webappsec-minutes.html#action04]
<trackbot> Created ACTION-66 - Add error handling behavior in 1.0 spec [on Adam Barth - due 2012-05-15].
<jeffh> lots of noise on some line
I am on mute right now so it isn't me.
<tanvi> someone who is typing
<gioma1> neither me. Someone typing
<scribe> ACTION: abarth to add a description for how to handle content-type in CSP 1.1 - 06/30/2012 [recorded in http://www.w3.org/2012/05/08-webappsec-minutes.html#action05]
<trackbot> Created ACTION-67 - Add a description for how to handle content-type in CSP 1.1 - 06/30/2012 [on Adam Barth - due 2012-05-15].
bhill2: For clickjacking, we would pursue something similar to ClearClick. Giorgio is nominated as editor.
dhuang3 volunteers to be an additional editor.
<scribe> ACTION: dhuang3 to coordinate with Giorgi on a draft proposal - 07/2012 [recorded in http://www.w3.org/2012/05/08-webappsec-minutes.html#action06]
<trackbot> Created ACTION-68 - Coordinate with Giorgi on a draft proposal - 07/2012 [on David Huang - due 2012-05-15].
RRSAgent, make minutes
<timeless> trackbot, end meeting
Present: +1.650.678.aaaa, +1.866.317.aabb, +1.415.832.aacc, abarth, +1.650.386.aadd, +1.360.793.aaee, +1.425.865.aaff, +1.408.320.aagg, bhill2, dhuang3, puhley, gioma1, [Microsoft], dveditz
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012May/0047.html
Date: 08 May 2012
Minutes URL: http://www.w3.org/2012/05/08-webappsec-minutes.html
People with action items: abarth bhill bhill2 dhuang3