W3C

- DRAFT -

WebAppSec Teleconference, 03 Jul 2012

03 Jul 2012

Agenda

See also: IRC log

Attendees

Present
abarth, ccarson, +1.866.317.aaaa, +1.303.229.aabb, +1.781.218.aacc, bhill2, gopal, jeffh, +1.408.320.aadd, tanvi, ekr, dhuang3, gioma1, [Microsoft]
Regrets
Chair
bhill2, ekr
Scribe
David Huang

<jeffh> hm, who has all that background noise?

<bhill2> Scribe: David Huang

<bhill2> ScribeNick: dhuang3

bhill: updating scribe lists

ekr: minutes except last meeting posted

bhill: approve minutes of previous meeting

adding csp/sandbox discussion to agenda?

<jeffh> uri for actions and issues ?

<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2012Jul/0003.html

<bhill2> http://www.w3.org/2011/webappsec/track/

<jeffh> thx

abarth: action 67 not yet

bhill: action 68 closed, have draft
... action 69, not yet

abarth: actions 70-72, 58 in agenda

<jeffh> you can close action 58

bhill: any last comment issues on csp?

abarth: working on draft today, no controversial issue

bhill: next issue, how to handle granular list?

abarth: suggest discussing on mailinglist
... truncation in 1.0 is simple

bhill: next issue, csp and srcdoc

abarth: iframe srcdoc inherits characteristics of parent doc
... CSP is URL-based, doesn't notice other ways of loading docs
... might lead to XSS holes

dveditz?: similar issues in blob url?

abarth: csp can block unknown blobs, other interesting interactions here?

bhill: similar issues in digest URI schemes?
... creating new task
... next issue, obsolete xfo?

<bhill2> need to raise issue on list and cross-post with IETF WebSec

<bhill2> should UI safety override/obsolete XFO, should FO (minus X) be subsumed under CSP directives

<bhill2> should overriding XFO in CSP be a different directive vs. default behavior?

<bhill2> action to bhill2 start cross-IETF/W3C discussion on XFO/FO/UI Safety

<trackbot> Sorry, couldn't find user - to

<bhill2> action bhill2 to start cross-IETF/W3C discussion on XFO/FO/UI Safety

<trackbot> Created ACTION-73 - Start cross-IETF/W3C discussion on XFO/FO/UI Safety [on Brad Hill - due 2012-07-10].

http://dvcs.w3.org/hg/user-interface-safety/raw-file/25bb022cd7bc/user-interface-safety.html

gopal: encourage developers to contribute more test suites (dhuang: sorry I missed a lot of scribing)

<jeffh> adam is breaking up

jrossi?: need to improve security considerations

abarth: lacking editor for cors
... clarifying sandbox/meta tag

should discuss on mailinglist

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/07/03 22:00:01 $
