<jeffh> zakim aaff is JeffH
<bhill2> irc.w3.org is a pretty good web client if you're somewhere that blocks irc
<jeffh> mibbit is also an option
<ekr> Test
<bhill2> howdy
<bhill2> Scribe: Neil Matatall
<bhill2> Scribenick: neil
<abresee> testing
<bhill2> resolved: minutes approved
bhill2: no objections, minutes approved
... sent publication request to w3c to publish UI-sec directives draft, going up later this week
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0032.html
bhill2: checked in example code + framework for testing CSP
... moving from mercurial -> github
<bhill2> ACTION: abarth to issue CfC to list on new WD publication of CSP 1.1 [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action01]
<trackbot> Created ACTION-136 - Issue CfC to list on new WD publication of CSP 1.1 [on Adam Barth - due 2013-05-14].
<bhill2> one update: http://lists.w3.org/Archives/Public/public-webappsec/2013May/0038.html
bhill2: discussing rechartering - good group - continue progress
... handle upcoming issues in other groups
... sub resource hashing
... no mixed content
... http[s]? vs http[s]? handling
... custom elements
... any objections to broadening of scope?
abarth: chrome interested in converging w/ mozilla on this
jeffh: sounds good to me
bhill2: add scope to charter - annotations to shadow DOM sub trees and web components model
... imposing strict behaviors for (inner|out)HTML, standardizing toStaticHTML
... sandboxing components, like iframes + postMessage but easier to use
ccarson: boeing +1
<jeffh> seems fine
<jeffh> I suggest wordsmithing on the list
<bhill2> https://www.w3.org/2011/webappsec/track/actions/open?sort=owner
<bhill2> ekr, can you man the tracker?
<ekr> brad, working on it
<ekr> my network is sucking
<ekr> OK, I now have it
<ekr> adam: what was the resolution of 115?
<abarth> ekr: move to pending review
bhill2: skipping raised issues, pending cleanup
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0034.html
bhill2: discussing http auth, handling 401s for CORS + credentials
... no proposed spec text
... should we re-open CORS or will it become part of fetch?
abarth: not worth re-opening, more like on-going refinements
bhill2: to raise on the list
<bhill2> ACTION: bhill2 to query list whether CORS HTTP auth should re-open spec [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action02]
<trackbot> Created ACTION-137 - Query list whether CORS HTTP auth should re-open spec [on Brad Hill - due 2013-05-14].
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0033.html
bhill2: mkwst_ brought up iframe scoped to origin, loading a resource could cause a redirect, leaking identity information
abarth: came up before when full URLs were part of violation reports
... providing only host name helps address this info
bhill2: issues with leaking secrets in URL, also what can be inferred from the presence of a redirect
... e.g. redirect implies an authenticated session
abarth: another example, logged in pages much slower than logged out so there's a timing attack too
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0025.html
<bhill2> was actual list thread
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0033.html
abarth: best thing to do might be use a new content type
... would people care about the content type?
bhill2: content of request body is constrained, not "arbitrarily horrible" ^TM
<bhill2> ACTION: abarth to update csp report content-type to application/csp-report or similar [recorded in http://www.w3.org/2013/05/07-webappsec-minutes.html#action03]
<trackbot> Created ACTION-138 - Update csp report content-type to application/csp-report or similar [on Adam Barth - due 2013-05-14].
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0009.html
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0010.html
abarth: solicit use cases as well as proposals
bhill2: yeah, we might want to wait until the new charter is out
... finding a common solution is ideal, we don't want to further complicate things
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0097.html
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0005.html
<ekr> doh, lost call
abarth: spec language is next step, some discussions w/ imelvin
<bhill2> http://lists.w3.org/Archives/Public/public-webappsec/2013May/0004.html
bhill2: pushback on the list to limiting, feelings that we shouldn't be restricting interfaces
... adding hooks for specific use cases, need to solicit use cases
abarth: to clarify, make the proposed change and let people raise objections as needed?
bhill2: it's reasonable and consistent
<bhill2> trackbot, end meeting
Present: +1.303.229.aaaa, bhill2, +1.425.865.aabb, +1.949.273.aacc, neil, ccarson, gmaone, +1.650.648.aadd, abarth, +1.650.678.aaee, +1.866.317.aaff, ekr, JeffH, +1.801.701.aagg, adam(digicert), +1.978.944.aahh, gopal
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2013May/0035.html
Date: 07 May 2013
Minutes: http://www.w3.org/2013/05/07-webappsec-minutes.html
People with action items: abarth, bhill2