20:57:56 <RRSAgent> RRSAgent has joined #webappsec
20:57:56 <RRSAgent> logging to http://www.w3.org/2012/09/11-webappsec-irc
20:58:05 <bhill21> zakim, this is 92794
20:58:05 <Zakim> ok, bhill21; that matches SEC_WASWG()5:00PM
20:58:10 <abarth> abarth has joined #webappsec
20:58:27 <bhill21> Meeting: WebAppSec WG Teleconference, 11-Sep-2012
20:58:42 <bhill21> Chair: Brad Hill, Eric Rescorla
20:58:49 <Zakim> +??P4
20:58:52 <bhill21> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0030.html
20:59:03 <Zakim> +??P5
20:59:25 <Zakim> + +1.360.793.aacc
20:59:30 <Zakim> + +1.866.317.aadd
20:59:39 <ma1> zakim, ??P5 is gioma1
20:59:39 <Zakim> +gioma1; got it
20:59:41 <bhill21> zakim, 360 is aacc
20:59:41 <Zakim> sorry, bhill21, I do not recognize a party named '360'
20:59:56 <bhill21> zakim, aacc is bhill21
20:59:56 <Zakim> +bhill21; got it
21:00:02 <jeffh> is aadd me ?
21:00:21 <bhill21> zakim, who is here?
21:00:21 <Zakim> On the phone I see +1.425.865.aaaa, +1.650.648.aabb, ??P4, gioma1, bhill21, +1.866.317.aadd
21:00:24 <Zakim> On IRC I see abarth, RRSAgent, Zakim, ccarson, bhill21, ma1, jeffh, annevk, bhill2, Velmont, odinho, erlend, timeless, mkwst, tobie, trackbot
21:00:48 <ccarson> zakim, aaaa is ccarson
21:00:48 <Zakim> +ccarson; got it
21:01:04 <abarth> Zakim: aabb is abarth
21:01:11 <ma1> zakim, ??P5 is ma1
21:01:11 <Zakim> I already had ??P5 as gioma1, ma1
21:01:13 <abarth> Zakim, aabb is abarth
21:01:13 <Zakim> +abarth; got it
21:01:30 <jeffh> Zakim, aadd is jeffh
21:01:30 <Zakim> +jeffh; got it
21:01:35 <gopal> gopal has joined #webappsec
21:02:09 <Zakim> + +1.650.678.aaee
21:02:37 <ekr> ekr has joined #webappsec
21:02:37 <bhill21> zakim, aaee is ekr
21:02:37 <Zakim> +ekr; got it
21:02:49 <ekr> scribe is ekr
21:03:29 <ekr> ScribeNick+ ekr
21:03:47 <ekr> zakim, who is here?
21:03:47 <Zakim> On the phone I see ccarson, abarth, ??P4, gioma1, bhill21, jeffh, ekr
21:03:49 <Zakim> On IRC I see ekr, gopal, abarth, RRSAgent, Zakim, ccarson, bhill21, gioma1, jeffh, annevk, bhill2, Velmont, odinho, erlend, timeless, mkwst, tobie, trackbot
21:05:00 <Zakim> + +1.781.218.aaff
21:05:06 <ekr> bhill: anhy objections to the previous minutes?
21:05:10 <ekr> none seen.
21:06:20 <ekr> bhill: friday wrapped up official call for consensus on CSP. No objections within WG to consensus. Some LC comments recorded as issues.
21:06:42 <ekr> … if you object to moving to CR for CSP 1.0, speak now
21:06:48 <ekr> no objections heard
21:06:49 <Zakim> +??P10
21:06:58 <ekr> bhill: on to issues.
21:07:04 <ekr> … Issue 11
21:07:31 <Zakim> + +1.415.832.aagg
21:08:03 <ekr> Issue 11: http://www.w3.org/2011/webappsec/track/issues/11
21:08:10 <ekr> abarth: I don't understand this issue.
21:08:13 <puhley> puhley has joined #webappsec
21:08:29 <ekr> bhill: me neither
21:09:12 <ekr> dveditz: it does reveal the CSP header, but it's the same server sending it out
21:09:44 <ekr> … I don't think this is a users' issue. At most it's an attack from one server onto another
21:10:21 <ekr> bhill: is this revealing information about the user's configuration that wouldn't have been anticipated by the CSP policy author.
21:10:29 <ekr> dveditz: we o know that this happens
21:11:07 <ekr> … twitter reported it, e.g., people's addons or carriers injecting content and then being blocked
21:11:40 <ekr> bhill: this seems to be related to issue #17
21:12:03 <ekr> bhill: should we expand on this more in the implementation considerations
21:12:06 <Zakim> +[Mozilla]
21:12:28 <ekr> dveditz: does anything stop the UA from injecting policies?
21:12:42 <ekr> if so, who cares.
21:13:15 <tanvi> tanvi has joined #webappsec
21:13:24 <ekr> a well-behaved add-on should take this into account
21:14:02 <ekr> bhill: is this something we should add in implementation considerations?
21:14:28 <ekr> abarth: right now just says don't interfere with operation of extensions but doesn't say how. Maybe add advice about providing some way to let add-ons modify polocy
21:14:38 <ekr> … my instinct is to wait
21:14:51 <ekr> bhill: this wouldn't need to be standardized
21:15:14 <ekr> bhill: will add notes to issues and close them out
21:15:42 <ekr> moving to issues: http://www.w3.org/2011/webappsec/track/issues/12
21:15:47 <ekr> http://www.w3.org/2011/webappsec/track/issues/15
21:16:30 <dveditz> dveditz has joined #webappsec
21:17:42 <ekr> abarth: for issue 12 decided to leave self but report document uri
21:17:56 <ekr> … maybe we can wait since there is only one src doc implementation
21:18:12 <ekr> … there was a thread with hickson but I forget what he wanted to do. let me find it
21:18:51 <ekr> … discussion on June 24-29 on public webappsec. decided to wait until 1.1
21:19:27 <ekr> bhill: will mark this as postpone and re-raise for 1.1
21:20:25 <ekr> abarth: for src doc, there's no url so it's hard to express
21:21:49 <ekr> Issue 16 is editorial: http://www.w3.org/2011/webappsec/track/issues/16
21:25:29 <ekr> bhill: resolved to issue at CR and issue a call for implementations
21:25:33 <ekr> No objections
21:25:44 <ekr> bhill: will wait wor adam to tell me he's done
21:25:56 <erlend> zakim, ??P4 is erlend
21:25:56 <Zakim> +erlend; got it
21:26:06 <ekr> bhill: next step is CORS
21:26:11 <ekr> … issue is lacking an editor
21:26:47 <ekr> … is there anyone extremely comfortable with CORS who could co-edit with cory
21:26:55 <ekr> abarth: I could help out with htis
21:27:32 <ekr> bhill: if you [abarth] could just help him get over the line. Mostly the comments from Jeff that are editorial/pedagogical
21:28:45 <ekr> bhill: probably will be ready to issue a CfC once we incorporate last set of changes
21:29:01 <ekr> bhill: last item is my proposed user safety stuff
21:30:03 <bhill21> http://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html
21:30:16 <ekr> bhill: I made a big edit pass...
21:31:08 <ekr> … how to import definitions from CSP?
21:31:24 <ekr> abarth: propose to reference the TR URL
21:31:44 <jeffh> http://www.w3.org/TR/CSP/
21:33:05 <ekr> [bunch of discussion about editorial toolchain]
21:34:07 <annevk> annevk has left #webappsec
21:34:14 <ekr> bhill: host-src is the current behavior of x-frame options
21:34:43 <ekr> … with csp we could use a source expression so have more granularit
21:35:17 <ekr> dveditz: default should respect host and port. agnostic about pathc
21:35:46 <ekr> abarth: hoping to convince them to allow >1 source
21:35:51 <ekr> dveditz: this seems more useful
21:36:27 <ekr> dveditz: the problem is that if you can only do 1 you can't construct the CSP header until you have seen the refererer.
21:37:12 <ekr> abarth: people to convince here are tobias and david ross
21:37:39 <ekr> bhill: will bring them into the discussion
21:37:40 <jeffh> agreed
21:37:46 <jeffh> yes, this is fine for fpwd
21:37:47 <ekr> … is this a good enough starting point for FPWD
21:37:54 <ekr> general consensus yes
21:38:06 <ekr> dveditz: even if ultimate consensus was only 1, still better han inventing something new
21:38:31 <ekr> bhill: other options i frame ancestors CSP directive
21:39:10 <ekr> bhill: next directive is input protection
21:39:39 <dveditz> what list are we working through now?
21:39:49 <ekr> this is the list of directives on http://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html
21:40:02 <dveditz> thx
21:40:41 <ekr> bhill: If we block an event due to policy should we raise anothr event
21:40:55 <dveditz> Zakim, who's here?
21:40:55 <Zakim> On the phone I see ccarson, abarth, erlend, gioma1, bhill21, jeffh, ekr, +1.781.218.aaff, ??P10, +1.415.832.aagg, [Mozilla]
21:40:58 <Zakim> On IRC I see dveditz, tanvi, puhley, ekr, gopal, abarth, RRSAgent, Zakim, ccarson, bhill21, gioma1, jeffh, bhill2, Velmont, odinho, erlend, timeless, mkwst, tobie, trackbot
21:41:41 <ekr> [unknown]: maybe discuss this on the list since David isn't here
21:41:58 <tanvi> Zakim, [Mozilla] is tanvi
21:41:58 <Zakim> +tanvi; got it
21:41:59 <ekr> bhill: most issues have to do with script interfaces and reporting
21:42:15 <ekr> … how about I raise these issues on the list
21:42:47 <ekr> bhill: we have a little bit of time. Do we have odin and gopal?
21:43:51 <ekr> gopal: trying to get in touch with odin. he had good luck with opera tests.
21:44:53 <ekr> … and I have been having rpoblems with the tests
21:45:07 <ekr> … once this starts running I will need to go annotate the tests for each section
21:46:42 <ekr> … going to try t get a sense of the coverage and let peopl eknbow where to contribute
21:47:04 <erlend> Results from the tests so far: http://csptesting.herokuapp.com/home/results
21:47:22 <ekr> rrsagent, create minutes
21:47:22 <RRSAgent> I have made the request to generate http://www.w3.org/2012/09/11-webappsec-minutes.html ekr
21:47:32 <ekr> zakim, who's here?
21:47:32 <Zakim> On the phone I see ccarson, abarth, erlend, gioma1, bhill21, jeffh, ekr, +1.781.218.aaff, ??P10, +1.415.832.aagg, tanvi
21:47:34 <Zakim> On IRC I see dveditz, tanvi, puhley, ekr, gopal, abarth, RRSAgent, Zakim, ccarson, bhill21, gioma1, jeffh, bhill2, Velmont, odinho, erlend, timeless, mkwst, tobie, trackbot
21:47:38 <ekr> rrsagent, create minutes
21:47:38 <RRSAgent> I have made the request to generate http://www.w3.org/2012/09/11-webappsec-minutes.html ekr
21:47:39 <Zakim> -??P10
21:47:41 <Zakim> -abarth
21:47:42 <Zakim> -jeffh
21:47:43 <Zakim> - +1.415.832.aagg
21:47:45 <Zakim> -ekr
21:47:47 <Zakim> - +1.781.218.aaff
21:47:49 <Zakim> -gioma1
21:47:53 <Zakim> -bhill21
21:47:55 <Zakim> -erlend
21:47:56 <bhill21> rrsagent, set logs public-visible
21:48:08 <Zakim> -tanvi
21:48:22 <Zakim> -ccarson
21:48:23 <Zakim> SEC_WASWG()5:00PM has ended
21:48:23 <Zakim> Attendees were +1.425.865.aaaa, +1.650.648.aabb, +1.360.793.aacc, +1.866.317.aadd, gioma1, bhill21, ccarson, abarth, jeffh, +1.650.678.aaee, ekr, +1.781.218.aaff, +1.415.832.aagg,
21:48:24 <Zakim> ... erlend, tanvi
21:49:13 <gopal> gopal has left #webappsec
21:50:26 <jeffh> jeffh has left #webappsec
21:50:37 <ekr> ekr has left #webappsec
22:19:03 <tanvi> tanvi has joined #webappsec
22:19:12 <tanvi1> tanvi1 has joined #webappsec
22:19:51 <tanvi1> tanvi1 has joined #webappsec
22:27:08 <tanvi> tanvi has joined #webappsec