22:00:01 <RRSAgent> RRSAgent has joined #webappsec
22:00:02 <RRSAgent> logging to http://www.w3.org/2013/01/29-webappsec-irc
22:00:04 <ekr> ekr has joined #webappsec
22:00:17 <ekr> zakim, who is here?
22:00:17 <Zakim> sorry, ekr, I don't know what conference this is
22:00:19 <Zakim> On IRC I see ekr, RRSAgent, Zakim, nilemato_, gopal, jeffh, erlend, gmaone, rrware, abresee, bhill2, bhill, mkwst_, tobie, timeless, yoav, trackbot, caribou
22:00:28 <bhill> zakim, this is 92794
22:00:28 <Zakim> ok, bhill; that matches SEC_WASWG()5:00PM
22:00:33 <bhill> zakim, who is here?
22:00:33 <Zakim> On the phone I see abresee, +1.650.488.aaaa, ekr_, bhill2
22:00:34 <Zakim> On IRC I see ekr, RRSAgent, Zakim, neil, gopal, jeffh, erlend, gmaone, rrware, abresee, bhill2, bhill, mkwst_, tobie, timeless, yoav, trackbot, caribou
22:01:05 <Zakim> + +358.718.00aabb
22:01:14 <Zakim> +??P10
22:01:32 <mkwst_> zakim, aaaa is mkwst
22:01:32 <Zakim> +mkwst; got it
22:01:35 <Zakim> +??P8
22:01:42 <gmaone> Zakim, ??P10 is gmaone
22:01:42 <Zakim> +gmaone; got it
22:01:45 <Zakim> + +1.866.317.aacc
22:01:54 <jimio> jimio has joined #webappsec
22:01:57 <jeffh> zakim, aacc is jeffh
22:01:57 <Zakim> +jeffh; got it
22:02:02 <bhill> Meeting: WebAppSec Teleconference, January 29, 2013
22:02:04 <Zakim> -??P8
22:02:07 <bhill> Chair: ekr, bhill2
22:02:09 <Zakim> + +1.260.226.aadd
22:02:11 <bhill> Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0053.html
22:02:17 <bhill> Scribe: Brad Hill
22:02:22 <bhill> Scribenick: bhill2
22:02:36 <neil> zakim, aadd is neil
22:02:36 <ekr> zakim, who is here?
22:02:37 <Zakim> +neil; got it
22:02:37 <Zakim> On the phone I see abresee, mkwst, ekr_, bhill2, +358.718.00aabb, gmaone, jeffh, neil
22:02:37 <Zakim> On IRC I see jimio, ekr, RRSAgent, Zakim, neil, gopal, jeffh, erlend, gmaone, rrware, abresee, bhill2, bhill, mkwst_, tobie, timeless, yoav, trackbot, caribou
22:02:42 <Zakim> + +1.503.712.aaee
22:02:48 <Zakim> +??P8
22:02:51 <rrware> zakim, aaee is rrware
22:02:51 <Zakim> +rrware; got it
22:02:58 <erlend> zakim, ??P8 is erlend
22:02:58 <Zakim> +erlend; got it
22:03:33 <Zakim> + +1.415.426.aaff
22:03:48 <jimio> zakim, aaff is jimio
22:03:48 <Zakim> +jimio; got it
22:05:19 <bhill> bhill2: Minutes up since yesterday
22:05:25 <bhill> Objections to approving minutes?
22:05:51 <gopal> gopal has joined #webappsec
22:06:04 <erlend> anyone else having poor audio reception?
22:06:30 <bhill> ekr: actually link to Dec 18 minutes is broken
22:06:31 <Zakim> +[IPcaller]
22:06:44 <bhill> ekr: any additions to agenda? http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0053.html
22:07:19 <jeffh> CORS is now at CR <applause>
22:08:18 <bhill> bhill2: need to add test cases for 308 status code, currently only implemented in FF
22:08:23 <bhill> bhill2: before we go to PR
22:08:27 <bhill> ekr: next: tracker
22:08:35 <bhill> http://www.w3.org/2011/webappsec/track/
22:09:11 <bhill> ISSUE-15 : http://www.w3.org/2011/webappsec/track/issues/15
22:09:11 <trackbot> Notes added to ISSUE-15 How to handle srcdoc, blob:, di: and ways of directly creating content.
22:09:25 <Zakim> +[Mozilla]
22:10:12 <jeffh> http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-18-Dec-2012.html    404's for me  (?)
22:11:04 <bhill> ACTION abarth to raise ISSUE-15 on the mailing list
22:11:04 <trackbot> Created ACTION-115 - Raise ISSUE-15 on the mailing list [on Adam Barth - due 2013-02-05].
22:11:19 <bhill> Associate ACTION-115 with ISSUE-15
22:11:19 <trackbot> ACTION-115 (Raise ISSUE-15 on the mailing list) associated with ISSUE-15.
22:12:07 <dveditz> dveditz has joined #webappsec
22:12:20 <dveditz> Zakim, who is here
22:12:20 <Zakim> dveditz, you need to end that query with '?'
22:12:25 <dveditz> Zakim, who is here?
22:12:25 <Zakim> On the phone I see abresee, mkwst, ekr_, bhill2, +358.718.00aabb, gmaone, jeffh, neil, rrware, erlend, jimio, [IPcaller], [Mozilla]
22:12:28 <Zakim> On IRC I see dveditz, gopal, jimio, ekr, RRSAgent, Zakim, neil, jeffh, erlend, gmaone, rrware, abresee, bhill2, bhill, mkwst_, tobie, timeless, yoav, trackbot, caribou
22:12:37 <tanvi> tanvi has joined #webappsec
22:12:40 <dveditz> Zakim, IPcaller is dveditz
22:12:40 <Zakim> +dveditz; got it
22:12:48 <tanvi> Zakim, who is here?
22:12:48 <Zakim> On the phone I see abresee, mkwst, ekr_, bhill2, +358.718.00aabb, gmaone, jeffh, neil, rrware, erlend, jimio, dveditz, [Mozilla]
22:12:51 <Zakim> On IRC I see tanvi, dveditz, gopal, jimio, ekr, RRSAgent, Zakim, neil, jeffh, erlend, gmaone, rrware, abresee, bhill2, bhill, mkwst_, tobie, timeless, yoav, trackbot, caribou
22:13:19 <tanvi> Zakim, [Mozilla] is tanvi_and_imelven
22:13:19 <Zakim> +tanvi_and_imelven; got it
22:13:28 <imelven> imelven has joined #webappsec
22:14:01 <bhill> bhill2: action 91 proposed as part of joint F2F at PayPal week of April 24-27, will resolve with email to list
22:15:06 <bhill> action 94 - mkwest just proposed something to the list, will keep open until replies there
22:15:06 <trackbot> Error finding '94'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:16:07 <bhill> dveditz: is anyone actually still interested in policy-uri?
22:16:14 <bhill> mkwest: should probably ask on the list
22:17:13 <bhill> re: 101, part of blob of updates to do to test environment
22:17:29 <bhill> mkwest: 102 not done yet, hope to have done soon
22:18:35 <bhill> re: 105, bhill to move due-date out, not needed until new WD of UI Security
22:18:46 <bhill> mkwst: re 106, text just sent out to the list
22:19:47 <bhill> re: 107, relevant to testing of UI Security, not done yet by bhill
22:20:47 <bhill> re: 109, may need to be raised to list
22:20:53 <bhill> mkwst: yes, META in general needs work
22:21:28 <gmaone> Sent http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0045.html to the list
22:23:57 <Zakim> + +1.415.832.aagg
22:24:18 <puhley> puhley has joined #webappsec
22:26:43 <bhill> mkwest: issue 33, vaguely remember doing something like that
22:27:44 <bhill> remaining issues are depenent on bhill to assign appropriate actions to abarth to raise on list
22:27:54 <bhill> Topic: violation types for default-src
22:28:00 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0036.html
22:28:39 <bhill> neil: in violation reports, we could not tell what the violation was because it was triggered under default-src
22:29:07 <bhill> mkwest: that makes sense, we should give you the granularity, default-src is same as creating multiple directives, I will update the spec if nobody objects
22:29:28 <bhill> ACTION mkwst to update CSP 1.1 spec to indicate violation type for default-src violations
22:29:28 <trackbot> Error finding 'mkwst'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:29:31 <ekr> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0034.html
22:29:36 <mkwst_> mwest2
22:29:53 <bhill> ACTION mwest2 to update CSP 1.1 spec to indicate violation type for default-src violations
22:29:53 <trackbot> Created ACTION-116 - Update CSP 1.1 spec to indicate violation type for default-src violations [on Mike West - due 2013-02-05].
22:30:19 <bhill> Topic: CSP and HSTS breaking http src URIs
22:30:21 <bhill> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0034.html
22:30:46 <bhill> imelvin: just an issue to be aware of, HSTS creates implicit redirects
22:31:01 <bhill> imelvin: proposal at Mozilla that http sources implicitly also include same source as https
22:31:45 <bhill> imelvin: if a site turns on HSTS, your resource using http sources in CSP will stop working
22:33:11 <bhill> bhill: previously leaving out the scheme implied automatic upgrades possible
22:33:39 <bhill> bhill: but now that we support paths, we may want to re-visit auto-upgrade policy since src URIs now require a scheme to be well-formed
22:34:29 <bhill> dveditz: if there are redirects, you want the failure,  HSTS is an implicit redirect without the initial request
22:34:59 <bhill> (was that Jim?)
22:35:01 <imelven> yes
22:35:12 <imelven> (i think)
22:35:20 <jimio> yeah, 'twas me
22:35:25 <bhill> jimio: we use both CSP and HSTS at Twitter, we never want to allow overrides of HSTS, we want CSP to break
22:35:32 <bhill> jeffh: yes, that is my concern as well
22:35:41 <bhill> jeffh: probably worth mentioning this scenario in the CSP spec
22:36:09 <bhill> ACTION mwest2 to mention HSTS in implementation note as a reason things might stop working
22:36:09 <trackbot> Created ACTION-117 - Mention HSTS in implementation note as a reason things might stop working [on Mike West - due 2013-02-05].
22:36:20 <bhill> dveditz: there are other reasons for the same
22:36:22 <ekr> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0045.html
22:37:38 <bhill> dveditz: cannot comment before trying to implement, will take Giorgio's experience since he has
22:38:33 <bhill> bhill: defaults seem sane for what we (PayPal) would want to set, can refine as we have more impls and test cases
22:39:26 <bhill> ekr: any objections to this?  does it seem reasonable?
22:39:27 <puhley> puhley has joined #webappsec
22:39:35 <bhill> dveditz: seems reasonable, can't commit until we try it
22:39:45 <bhill> ekr: any schedule for implementations?
22:39:57 <bhill> dveditz: no idea when we will get to this, will require arguing with lots of people
22:39:58 <ekr> http://www.w3.org/TR/UISafety/
22:40:43 <bhill> ekr: issue 2 asks whether we should be allowed to have multiple values in Frame-Options directive?
22:41:03 <bhill> dveditz: when we had original frame-ancestors, we allowed multiple values from the beginning
22:42:40 <bhill> bhill: concern was about large lists of sites (from Tobias and David Ross)
22:42:53 <bhill> bhill: but CSP already has parsers to handle multiple values
22:43:13 <bhill> dveditz: multiple values also allows nested iframes in a more comprehensive value
22:43:35 <bhill> dveditz: not enough list discussion, this call should be to ratify discussions that take place in a less time-constrained fashion
22:44:05 <ekr> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0044.html
22:44:06 <bhill> ACTION bhill2 to email list on UISecurity issue 2 - multiple values for Frame-Options ALLOW FROM
22:44:06 <trackbot> Created ACTION-118 - Email list on UISecurity issue 2 - multiple values for Frame-Options ALLOW FROM [on Brad Hill - due 2013-02-05].
22:45:08 <neil> I stepped out for a second, did I miss 22:37 - 22:40    Line #s in CSP reports only for same-origin, CORS?
22:45:22 <bhill> any other topics?
22:45:39 <bhill> imelvin: what about line numbers in CSP violations?
22:45:48 <ekr> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0004.html
22:46:26 <Zakim> -erlend
22:46:42 <imelven> that wasn't me actually :)
22:47:04 <puhley> puhley has joined #webappsec
22:47:05 <bhill> mkwst: in WebKit we are currently stripping out GET parameters
22:47:29 <bhill> dveditz: concerned about sending content/context, that's a cross-origin data leak
22:47:38 <bhill> dveditz: but line numbers should be ok
22:47:48 <bhill> who was just speaking?
22:47:55 <jimio> that's neil
22:48:13 <bhill> neil: original concern was line numbers for in-line scripts to get some context where it is happening
22:48:23 <Zakim> -jeffh
22:48:25 <Zakim> -ekr_
22:48:27 <Zakim> -jimio
22:48:27 <Zakim> -mkwst
22:48:28 <Zakim> -neil
22:48:32 <Zakim> -dveditz
22:48:34 <bhill> ACTION mwest2 to update CSP 1.1 to indicate line number reports for in-line scripts
22:48:34 <trackbot> Created ACTION-119 - Update CSP 1.1 to indicate line number reports for in-line scripts [on Mike West - due 2013-02-05].
22:48:35 <Zakim> -tanvi_and_imelven
22:48:39 <bhill> zakim, list attendees
22:48:39 <Zakim> As of this point the attendees have been abresee, +1.650.488.aaaa, ekr_, bhill2, +358.718.00aabb, mkwst, gmaone, +1.866.317.aacc, jeffh, +1.260.226.aadd, neil, +1.503.712.aaee,
22:48:43 <Zakim> ... rrware, erlend, +1.415.426.aaff, jimio, dveditz, tanvi_and_imelven, +1.415.832.aagg
22:48:43 <Zakim> - +1.415.832.aagg
22:48:44 <Zakim> -abresee
22:48:46 <bhill> rrsagent, make minutes
22:48:46 <RRSAgent> I have made the request to generate http://www.w3.org/2013/01/29-webappsec-minutes.html bhill
22:48:54 <Zakim> -gmaone
22:48:54 <bhill> rrsagent, set logs public-visible
22:49:01 <Zakim> - +358.718.00aabb
22:49:14 <Zakim> -bhill2
22:50:34 <Zakim> -rrware
22:50:36 <Zakim> SEC_WASWG()5:00PM has ended
22:50:36 <Zakim> Attendees were abresee, +1.650.488.aaaa, ekr_, bhill2, +358.718.00aabb, mkwst, gmaone, +1.866.317.aacc, jeffh, +1.260.226.aadd, neil, +1.503.712.aaee, rrware, erlend,
22:50:36 <Zakim> ... +1.415.426.aaff, jimio, dveditz, tanvi_and_imelven, +1.415.832.aagg
23:50:22 <dveditz> dveditz has joined #webappsec