W3C

- DRAFT -

WebAppSec Teleconference 4 Dec 2012

04 Dec 2012

Agenda

See also: IRC log

Attendees

Present
+1.801.701.aaaa, +1.866.317.aabb, bhill, jeffh, ekr, abarth, imelven, tanvi, gioma1, +1.508.574.aacc, jimio, mkwst, +1.978.944.aadd, gopal, abresee, +1.503.712.aaee, rware, dveditz
Regrets
Chair
bhill2, ekr
Scribe
jeffh


<tanvi> yes, I figured you wouldn't Zakim

<bhill> :)

i think it was the "and"

<bhill> +present ekr

<bhill> hmm... that doesn't work either

there u go

<mkwst> Trying to get in. Zakim doesn't like me. :/

<jimio> ^^ 508.574 is me... jim o'leary from twitter

<abarth> Hi

I got scribe

bhill: hearing no objections, minutes sent to list yesterday are approved
... agenda bash....? no updates to agenda.

<bhill> CORS test status: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0098.html

bhill: CORS test status

<not hearing Odin nor Gopal>

bhill steps into breach

bhill: recounts test rates; search email archives for this group and find link for an oracle vbox VM that contains test environment
... need to have test suite fully approved to go to next maturity level
... thinks we need to go to candidate rec, then go to proposed rec

gopal: there's some discrepancy between tests i've run and ones on w3 test server..... concerned about not getting complete test coverage....

bhill: followup with Mike Smith on w3 test servers?

<bhill> ACTION gopal to follow up with Mike Smith at w3c on test server config, re: Options headers, etc.

<trackbot> Created ACTION-101 - Follow up with Mike Smith at w3c on test server config, re: Options headers, etc. [on Gopal Raghavan - due 2012-12-11].

<bhill> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0072.html

<abarth> Yay

bhill: wrt CfC on advancing CORS to candidate rcmd --- any objections? -- hearing none, we will advance CORS

<bhill> no objections to CORS advancing

<bhill> RESOLVED: Advance Cross-Origin Resource Sharing to Candidate Recommendation

<applause, cheers>

<bhill> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0112.html

bhill: CfC on new charter
... members should be prepared to make IPR commitments wrt new deliverables in new charter, discuss with IPR counsel as approp, eg SubResource Integrity, hence keeping this CfC open until mid-Jan
... any objections to canceling first meeting in Jan, and instead having first 2013 meeting be 15-Jan (and be deadline for charter CfC)? didn't hear any objections, so be it

<mkwst> ugh.

<bhill> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0105.html

bhill: the sub resource integrity work (SRI) will most likely invent various new HTML attrs that will need to be mapped to various HTML tags and so will need HTML WG liaison, we're missing the HTML5 train, but can likely get on the next revision train

next topic: DOM Event on CSP violation

(did we skip CfC: CSP 1.1 to FPWD ?)

<bhill> whoops - yes!

mkwst: <recounts basic idea>
... folks more or less agree it seems about having a DOM event for violations, there's various subtle issues, and whether info is included in reports

<abresee> Not me

<jimio> me :)

jimio -- see http://www.w3.org/2011/webappsec/track/issues/open

<mkwst> jeffh: jimio.

heh

jimio: recounts how using CSP stuff

abarth: wrt goog's experimentation, if csp violations translated to dom events, easier to capture to reports (? scribed correctly?)

who was that?

mkwst: some implementers think if get info via dom event, then can send it to subsys that already understands dom evnts, rather than custom code parsing of csp policy violations themselves
... would be happy to impl as a "csp event" on doc object, rather than overload dom evnt

abarth: write it up as strawman?

mkwst: will take that action and work with dveditz

<bhill> ACTION mkwst to write up strawman for event on violation of CSP, coordinate w/dveditz

<trackbot> Sorry, couldn't find mkwst. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.

<mkwst> mwest2

<bhill> ACTION mwest2 to write up strawman for event on violation of CSP, coordinate w/dveditz

<trackbot> Created ACTION-102 - Write up strawman for event on violation of CSP, coordinate w/dveditz [on Mike West - due 2012-12-11].

CfC: CSP 1.1 to FPWD

bhill: any objections to advancing CSP 1.1 to FPWD ? hearing none, so be it

<bhill> RESOLVED: Advance CSP 1.1 to First Public Working Draft

<applause, cheers>

<bhill> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html

UI Obstruction check

bhill: raised by one Fred Andrews
... is this an actual concern as described?

<several folks>: short answer: yes

bhill: continues reading the mail msg

<gioma1> http://www.w3.org/TR/UISafety/#unsafe-attribute-for-the-uievent-interface

bhill: have tried to not have any user interactions in that spec for various reasons -- is this just a "recognized hazard" we should provide advice about in the spec? <no answer>

<dveditz> echo echo

<dveditz> whoever just joined or unmuted please fix it

bhill: I'll take action to try to answer this;

<dveditz> someone dropped bhill into a subway tunnel

<bhill> ACTION bhill2 to follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute

<trackbot> Created ACTION-103 - Follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute [on Brad Hill - due 2012-12-11].

dveditz: do we put the manhole cover back on now?

<bhill> http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0100.html

A11y review for anti-clickjacking

A11y apparently means: ?

<ekr> Accessibility

<mkwst> accessibility

<ekr> sunday...sunday...sunday....

<mkwst> s4y

bhill: <recounts concerns, in echo chamber>

<dveditz> now it's more like the PA at the stadium

<ekr> w3c....c...c...c...

<tanvi> please everyone mute

bhill: <poses long question>

<dveditz> yay

<dveditz> thx

<mkwst> I'm muted, but I'll reconnect. sorry.

bhill: if i have accessibility tech added to UI Safety directive, need way to turn that (?) off in case the accessibility stuff messes things up (?)

<dveditz> it's fine now

<mkwst> voip is hard. :/

<dveditz> mkwst

abarth: need to check with folks who know about this. in chrome it's done via the extension system

<dveditz> mkwst: I've found sometimes with Skype if I mute in the headset I can still get echo and instead I need to mute using skype itself

abarth: UI team needs to be involved in chrome world

<dveditz> the application is adding noise all on its own (feedback?)

bhill: would like to get info from them about this

abarth: suspect that accessibility tools have their own UI, but need to check on it

<bhill> ACTION abarth to follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility

<trackbot> Created ACTION-104 - Follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility [on Adam Barth - due 2012-12-11].

Review of open actions / issues in tracker

http://www.w3.org/2011/webappsec/track/issues/open

bhill: haven't transcribed info from TPAC as yet, so suggest we adjourn and punt this till next time once the most esteemed chair can catch up

any obj to adjourn?

mkwst: great that implementers such as twitter here -- v. interested to hear from them wrt issues with impl'g and deploying this

jimio: top 10 blocked URLs have been chrome extensions it turns out

abarth: have noted that, it should be getting better soon

<abresee> Thank you

bhill: ok, call/meeting adjourned

Summary of Action Items

ACTION-101: Gopal Raghavan to follow up with Mike Smith at w3c on test server config, re: Options headers, etc. [due 2012-12-11]
ACTION-102: Mike West to write up strawman for event on violation of CSP, coordinate w/dveditz [due 2012-12-11]
ACTION-103: Brad Hill to follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute [due 2012-12-11]
ACTION-104: Adam Barth to follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility [due 2012-12-11]

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012-12-04 22:41:48 $

Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Dec/0006.html