14:52:18 RRSAgent has joined #webappsec
14:52:18 logging to http://www.w3.org/2014/04/09-webappsec-irc
14:52:20 RRSAgent, make logs world
14:52:20 Zakim has joined #webappsec
14:52:22 Zakim, this will be WASWG
14:52:22 ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 8 minutes
14:52:23 Meeting: Web Application Security Working Group Teleconference
14:52:23 Date: 09 April 2014
14:53:29 SEC_WASWG()11:00AM has now started
14:53:36 +??P2
14:54:06 -??P2
14:54:07 SEC_WASWG()11:00AM has ended
14:54:07 Attendees were
14:54:31 SEC_WASWG()11:00AM has now started
14:54:37 +??P2
14:54:49 I think I am ??P2 but I forgot how to tell Zakim :)
14:55:28 thanks wendy
14:57:24 gmaone has joined #webappsec
14:59:25 bhill2 has joined #webappsec
14:59:35 ekr has joined #webappsec
14:59:46 bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0005.html
15:00:09 Meeting: WebAppSec Teleconference 09-April-2014
15:00:11 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0005.html
15:00:15 Chairs: ekr, bhill2
15:00:28 zakim, this is 92794
15:00:28 bhill2, this was already SEC_WASWG()11:00AM
15:00:29 ok, bhill2; that matches SEC_WASWG()11:00AM
15:00:36 +ekr
15:00:53 zakim, who is here
15:00:53 ekr, you need to end that query with '?'
15:00:56 +Wendy
15:00:57 zakim, who is here?
15:00:59 On the phone I see freddyb, ekr, Wendy
15:00:59 On IRC I see ekr, bhill2, gmaone, Zakim, RRSAgent, richt, freddyb, tobie__, mkwst, timeless_, wseltzer, trackbot
15:01:17 +[GVoice]
15:01:25 +??P11
15:01:26 richt has left #webappsec
15:01:39 zakim, ??P11 is gmaone
15:01:41 +gmaone; got it
15:02:01 gmaone is Giorgio Maone, not Garrett Robinson :-)
15:02:19 +[Paypal]
15:02:29 garrettr has joined #webappsec
15:02:37 zakim, GVoice is garrettr
15:02:37 +garrettr; got it
15:02:40 zakim, [Paypal] has bhill2
15:02:40 +bhill2; got it
15:02:56 zakim, who is here?
15:02:56 On the phone I see freddyb, ekr, Wendy, garrettr, gmaone, [Paypal]
15:02:58 [Paypal] has bhill2
15:02:58 On IRC I see garrettr, ekr, bhill2, gmaone, Zakim, RRSAgent, freddyb, tobie__, mkwst, timeless_, wseltzer, trackbot
15:03:13 terri has joined #webappsec
15:03:13 I will have to duck out early today
15:04:19 tanvi has joined #webappsec
15:04:29 + +1.310.597.aaaa
15:04:34 +terri
15:04:47 Zakim aaaa is tanvi
15:05:06 zakim, who is talking?
15:05:17 ekr, listening for 10 seconds I heard sound from the following: ekr (49%), +1.310.597.aaaa (9%)
15:05:30 zakim, aaaa is tanvi
15:05:30 +tanvi; got it
15:05:38 zakim, who is here?
15:05:38 On the phone I see freddyb, ekr, Wendy, garrettr, gmaone, [Paypal], tanvi, terri
15:05:41 [Paypal] has bhill2
15:05:41 On IRC I see tanvi, terri, garrettr, ekr, bhill2, gmaone, Zakim, RRSAgent, freddyb, tobie__, mkwst, timeless_, wseltzer, trackbot
15:06:35 bhill2: call for minutes approval; minutes approved
15:07:08 terri: that's ekr talking today
15:07:18 s/bhill2/ekr
15:07:22 + +1.510.725.aabb
15:08:18 freddyb: thanks. I'm not so great with everyone's voices yet, and he sounds a little garbled
15:08:29 sure, np.
15:09:40 review of open issues in the tracker. Skipping those associated with those not on the call right now...
15:09:43 mkwst: have you done actions 164 and 166?
15:10:14 epoch fail!
15:10:31 no response from mwest so we're assuming those have not been completed
15:10:52 resolution to Action 149 is in https://github.com/w3c/webappsec/pull/10
15:11:28 wseltzer: reminder of call for exclusions on UISecurity and SRI, details on mailing list
15:11:49 http://manifest.sysapps.org/#csp-member
15:11:54 [UISecurity call for exclusions ends 17 May; SRI ends 15 August. Details were mailed to AC reps on the member-cfe list]
15:12:23 bhill2: meeting on sysapps is discussing CSP for packaged webapps and there is concern about when and how to enforce the policy in the manifest
15:14:14 bhill2: there may be no issue given appropriate recommendations for loading of manifest
15:14:28 zakim, who is talking?
15:14:41 garrett robinson, I believe
15:14:42 tanvi, listening for 10 seconds I could not identify any sounds
15:14:50 mozilla thinks that manifest is loaded first, so perhaps not an issue
15:15:06 may be worth considering a default policy
15:15:18 (that was grobinson talking)
15:15:29 err, garrettr
15:15:38 richt has joined #webappsec
15:16:51 garrettr: not sure if a note belongs in app manifest spec or
15:17:02 [sorry, missed the other option; everyone's sounding a little garbled to me today]
15:17:41 ekr: next topic, using hashes to locate the resource
15:17:47 ACTION grobinson to raise handling of CSP policies associated with installed apps (like firefox apps) to the list
15:17:47 Error finding 'grobinson'. You can review and register nicknames at .
15:18:28 ACTION garrettr to raise to the list handling of CSP associated with installed apps as possible spec note
15:18:28 Error finding 'garrettr'. You can review and register nicknames at .
15:18:28 ekr: the major objection is that the privacy policies may not be optimal
15:19:31 zakim, who is here?
15:19:31 On the phone I see freddyb, ekr, Wendy, garrettr, gmaone, [Paypal], tanvi, terri, +1.510.725.aabb
15:19:33 [Paypal] has bhill2
15:19:33 On IRC I see richt, tanvi, terri, garrettr, ekr, bhill2, gmaone, Zakim, RRSAgent, freddyb, tobie__, mkwst, timeless_, wseltzer, trackbot
15:21:39 action, devdatta to read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html
15:21:52 http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0047.html
15:22:00 klee has joined #webappsec
15:22:45 ACTION bhill2 to respond to list queries about hints for content-addressable storage
15:22:45 Created ACTION-167 - Respond to list queries about hints for content-addressable storage [on Brad Hill - due 2014-04-16].
15:23:17 @@: what content should we hash to compare values? issue is that browsers silently deal with unzipping files, so we may need to strip content encodings
15:23:37 ACTION bhill2 to raise to the list handling of CSP associated with installed apps as possible spec note
15:23:37 Created ACTION-168 - Raise to the list handling of csp associated with installed apps as possible spec note [on Brad Hill - due 2014-04-16].
15:24:06 ACTION devdatta to read and respond to use of SRI hashes for caching/alternate locations: http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/0103.html
15:24:06 Created ACTION-169 - Read and respond to use of sri hashes for caching/alternate locations: http://lists.w3.org/archives/public/public-webappsec/2014mar/0103.html [on Devdatta Akhawe - due 2014-04-16].
15:24:43 terri: @@ was devdatta
15:24:56 s/@@/devdatta/
15:25:33 rrsagent make minutes
15:25:35 thanks everyone
15:25:36 -ekr
15:25:37 - +1.510.725.aabb
15:25:38 -garrettr
15:25:39 -Wendy
15:25:40 -freddyb
15:25:43 rrsagent, make minutes
15:25:43 I have made the request to generate http://www.w3.org/2014/04/09-webappsec-minutes.html bhill2
15:25:50 -terri
15:25:51 rrsagent, set logs public-visible
15:25:51 -tanvi
15:26:27 -gmaone
15:26:48 present+ devdatta
15:26:55 trackbot, end teleconf
15:26:55 Zakim, list attendees
15:26:55 As of this point the attendees have been freddyb, ekr, Wendy, gmaone, garrettr, bhill2, +1.310.597.aaaa, terri, tanvi, +1.510.725.aabb
15:27:03 RRSAgent, please draft minutes
15:27:03 I have made the request to generate http://www.w3.org/2014/04/09-webappsec-minutes.html trackbot
15:27:04 RRSAgent, bye
15:27:04 I see no action items