20:59:39 <RRSAgent> RRSAgent has joined #webappsec
20:59:39 <RRSAgent> logging to http://www.w3.org/2012/07/03-webappsec-irc
20:59:49 <bhill2> zakim, this is 92794
20:59:49 <Zakim> ok, bhill2; that matches SEC_WASWG()5:00PM
20:59:56 <bhill2> rrsagent, begin
21:00:18 <bhill2> Meeting: WebAppSec Teleconference, 7 Jul 2012
21:00:23 <bhill2> Chair: bhill2, ekr
21:00:38 <jeffh> jeffh has joined #webappsec
21:00:40 <bhill2> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0003.html
21:00:52 <bhill2> zakim, who is here?
21:00:52 <Zakim> On the phone I see abarth, ccarson, +1.866.317.aaaa, +1.303.229.aabb
21:00:54 <Zakim> On IRC I see jeffh, RRSAgent, Zakim, ccarson, gopal, abarth, gioma1, bhill2, timeless, annevk, trackbot, caribou, odinho
21:00:56 <Zakim> + +1.781.218.aacc
21:00:57 <bhill2> zakim, aabb is bhill2
21:00:58 <Zakim> +bhill2; got it
21:01:27 <bhill2> zakim, aacc is gopal
21:01:27 <Zakim> +gopal; got it
21:01:50 <bhill2> zakim, aaaa is jeffh
21:01:50 <Zakim> +jeffh; got it
21:02:01 <Zakim> +??P11
21:02:57 <Zakim> + +1.408.320.aadd
21:03:03 <dhuang3> dhuang3 has joined #webappsec
21:03:17 <Zakim> +tanvi
21:03:36 <jeffh> hm, who has all that bkground noise ?
21:03:51 <bhill2> Scribe: David Huang
21:03:59 <bhill2> ScribeNick: dhuang3
21:04:32 <timeless> Zakim, who is making noise?
21:04:47 <Zakim> timeless, listening for 14 seconds I could not identify any sounds
21:05:04 <Zakim> +ekr
21:05:10 <bhill2> zakim, aadd is dhuang3
21:05:10 <Zakim> +dhuang3; got it
21:06:39 <dhuang3> bhill: updating scribe lists
21:08:05 <gioma1> zakim, ??P11 is gioma1
21:08:05 <Zakim> +gioma1; got it
21:08:24 <dhuang3> ekr: minutes except last meeting posted
21:08:49 <Zakim> +[Microsoft]
21:08:50 <dhuang3> bhill: approve minutes of previous meeting
21:08:57 <jrossi> jrossi has joined #webappsec
21:09:50 <Zakim> +??P19
21:10:05 <dhuang3> adding csp/sandbox discussion to agenda?
21:10:26 <jeffh> uri for actions and issues ?
21:10:28 <bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0003.html
21:10:47 <bhill2> http://www.w3.org/2011/webappsec/track/
21:10:52 <jeffh> thx
21:11:19 <dveditz> dveditz has joined #webappsec
21:11:49 <dhuang3> abarth: action 67 not yet
21:12:15 <dhuang3> bhill: action 68 closed, have draft
21:12:40 <dhuang3> bhill: action 69, not yet
21:13:49 <dhuang3> abarth: action 70-72,58 in agenda
21:14:04 <jeffh> you can close action 58
21:17:14 <dhuang3> bhill: any last comment issues on csp?
21:17:14 <dhuang3> abarth: working on draft today, no controversial issue
21:19:21 <dhuang3> bhill: next issue, how to handle granular list..?
21:19:55 <dhuang3> abarth: suggest discussing on mailinglist
21:20:57 <dhuang3> abarth: truncation in 1.0 is simple
21:21:39 <dhuang3> bhill: next issue, csp and srcdoc
21:22:24 <dhuang3> abarth: iframe srcdoc inherits characteristics of parent doc
21:22:52 <dhuang3> abarth: CSP is url-based, doesn't notice other ways of loading docs
21:23:09 <dhuang3> abarth: might lead to xss holes..
21:24:45 <dhuang3> dveditz?: similar issues in blob url?
21:27:31 <dhuang3> abarth: csp can block unknown blobs, other interesting interactions here?
21:28:33 <dhuang3> bhill: similar issues in digest uri schemes?
21:29:59 <dhuang3> bhill: creating new task
21:30:14 <dhuang3> bhill: next issue, obsolete xfo?
21:39:40 <bhill2> need to raise issue on list and cross-post with IETF WebSec
21:39:46 <tanvi> tanvi has joined #webappsec
21:40:09 <bhill2> should UI safety overrride/obsolete XFO, should FO (minus X) be subsumed under CSP directives
21:40:33 <bhill2> should overriding XFO in CSP be a different directive vs. default behavior?
21:42:15 <bhill2> action to bhill2 start cross-IETF/W3C discussion on XFO/FO/UI Safety
21:42:15 <trackbot> Sorry, couldn't find user - to
21:42:34 <bhill2> action bhill2 to start cross-IETF/W3C discussion on XFO/FO/UI Safety
21:42:34 <trackbot> Created ACTION-73 - Start cross-IETF/W3C discussion on XFO/FO/UI Safety [on Brad Hill - due 2012-07-10].
21:46:06 <dhuang3> http://dvcs.w3.org/hg/user-interface-safety/raw-file/25bb022cd7bc/user-interface-safety.html
21:54:30 <dhuang3> gopal: encourage developers to contribute more tests suites..    (dhuang: sorry I missed a lot of scribing)
21:54:37 <jeffh> adam is breaking up
21:54:43 <dhuang3> jrossi?: need to improve securrity considerations..
21:56:04 <dhuang3> abarth: lacking editor for cors
21:58:19 <dhuang3> ...clarifying sandbox/meta tag
21:59:16 <dhuang3> should discuss on mailinglist
21:59:26 <Zakim> -jeffh
21:59:27 <Zakim> -ekr
21:59:28 <Zakim> -[Microsoft]
21:59:28 <bhill2> zakim, list attendees
21:59:29 <Zakim> As of this point the attendees have been abarth, ccarson, +1.866.317.aaaa, +1.303.229.aabb, +1.781.218.aacc, bhill2, gopal, jeffh, +1.408.320.aadd, tanvi, ekr, dhuang3, gioma1,
21:59:29 <Zakim> ... [Microsoft]
21:59:29 <Zakim> -abarth
21:59:31 <Zakim> -dhuang3
21:59:32 <Zakim> -gopal
21:59:34 <Zakim> -??P19
21:59:36 <Zakim> -ccarson
21:59:38 <Zakim> -tanvi
21:59:41 <Zakim> -gioma1
21:59:51 <bhill2> rrsagent, set logs public-visible
21:59:56 <bhill2> rrsagent, make minutes
21:59:56 <RRSAgent> I have made the request to generate http://www.w3.org/2012/07/03-webappsec-minutes.html bhill2
22:00:04 <bhill2> thanks for scribing, david!
22:00:13 <Zakim> -bhill2
22:00:14 <Zakim> SEC_WASWG()5:00PM has ended
22:00:14 <Zakim> Attendees were abarth, ccarson, +1.866.317.aaaa, +1.303.229.aabb, +1.781.218.aacc, bhill2, gopal, jeffh, +1.408.320.aadd, tanvi, ekr, dhuang3, gioma1, [Microsoft]
22:01:29 <jeffh> jeffh has left #webappsec
22:02:37 <jeffh> jeffh has joined #webappsec
22:02:56 <jeffh> jeffh has left #webappsec
22:05:26 <equalsJeffH> equalsJeffH has joined #webappsec
22:06:23 <equalsJeffH> equalsJeffH has joined #webappsec
22:10:10 <equalsJeffH> equalsJeffH has left #webappsec
22:40:10 <abarth> abarth has joined #webappsec