IRC log of webappsec on 2014-08-13
Timestamps are in UTC.
- 14:09:49 [RRSAgent]
- RRSAgent has joined #webappsec
- 14:09:49 [RRSAgent]
- logging to http://www.w3.org/2014/08/13-webappsec-irc
- 14:46:13 [wuwei]
- wuwei has joined #webappsec
- 14:48:47 [wseltzer]
- trackbot, prepare teleconf
- 14:48:49 [trackbot]
- RRSAgent, make logs world
- 14:48:51 [trackbot]
- Zakim, this will be WASWG
- 14:48:51 [Zakim]
- ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 12 minutes
- 14:48:52 [trackbot]
- Meeting: Web Application Security Working Group Teleconference
- 14:48:52 [trackbot]
- Date: 13 August 2014
- 14:51:56 [wseltzer]
- Chair: Dan_Veditz
- 14:52:05 [wseltzer]
- Regrets+ bhill, wseltzer
- 14:58:29 [gmaone]
- gmaone has joined #webappsec
- 14:58:52 [Zakim]
- SEC_WASWG()11:00AM has now started
- 14:58:59 [Zakim]
- +??P1
- 14:59:32 [Zakim]
- +dveditz
- 14:59:53 [Zakim]
- +mkwst
- 14:59:54 [dveditz]
- Zakim, who is here?
- 14:59:54 [Zakim]
- On the phone I see ??P1, dveditz, mkwst
- 14:59:56 [Zakim]
- On IRC I see gmaone, wuwei, RRSAgent, Zakim, dveditz, greghuc, glenn, edulix, tobie, terri, freddyb, timeless, mkwst___, wseltzer, trackbot
- 15:00:06 [Zakim]
- +??P7
- 15:00:19 [gmaone]
- zakim, ??P7 is me
- 15:00:19 [Zakim]
- +gmaone; got it
- 15:00:59 [greghuc]
- zakim, ??P1 is me
- 15:00:59 [Zakim]
- +greghuc; got it
- 15:01:54 [Zakim]
- +glenn
- 15:02:41 [Zakim]
- +terri
- 15:03:16 [dveditz]
- Zakim, who is here?
- 15:03:16 [Zakim]
- On the phone I see greghuc, dveditz, mkwst, gmaone, glenn, terri
- 15:03:18 [Zakim]
- On IRC I see gmaone, wuwei, RRSAgent, Zakim, dveditz, greghuc, glenn, edulix, tobie, terri, freddyb, timeless, mkwst___, wseltzer, trackbot
- 15:03:27 [Zakim]
- +WuWei
- 15:06:21 [dveditz]
- scribenick dveditz
- 15:06:35 [dveditz]
- scribenick: dveditz
- 15:06:43 [dveditz]
- scribe: Dan Veditz
- 15:06:57 [dveditz]
- Zakim, who is here?
- 15:06:57 [Zakim]
- On the phone I see greghuc, dveditz, mkwst, gmaone, glenn, terri, WuWei
- 15:06:59 [Zakim]
- On IRC I see gmaone, wuwei, RRSAgent, Zakim, dveditz, greghuc, glenn, edulix, tobie, terri, freddyb, timeless, mkwst___, wseltzer, trackbot
- 15:07:43 [dveditz]
- Minutes Approval
- 15:07:43 [dveditz]
- http://www.w3.org/2014/07/16-webappsec-minutes.html
- 15:08:14 [dveditz]
- dveditz: hearing no objections the minutes are approved
- 15:08:23 [dveditz]
- TOPIC: News
- 15:08:44 [dveditz]
- Welcome David Ross from Google
- 15:08:45 [dveditz]
- Call for exclusions for Mixed Content issued July 22
- 15:08:45 [dveditz]
- period ends December 19, 2014
- 15:08:45 [dveditz]
- FPWD of Referrer Policy published Aug 7
- 15:08:45 [dveditz]
- http://www.w3.org/TR/referrer-policy/
- 15:08:45 [dveditz]
- Call for exclusions for Referrer policy issued Aug 7
- 15:08:45 [dveditz]
- period ends January 4, 2015
- 15:08:46 [dveditz]
- CSP2 Last Call period ends today
- 15:08:46 [dveditz]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0017.html
- 15:11:35 [dveditz]
- dveditz: I propose extending the csp2 last call until the next call given light summer attendance and a specific request from Microsoft
- 15:11:53 [dveditz]
- mkwst: I don't want to keep extending, but a limited extension to next week would be OK
- 15:12:15 [dveditz]
- s/next week/next call/
- 15:12:32 [dveditz]
- dveditz: that would be August 27
- 15:13:49 [dveditz]
- mkwst: I'm fine to extend further if there really are things to talk about, but not so much extending just because of lack of response
- 15:14:05 [dveditz]
- glenn: Kevin Hill responded on the list that 2 wks is reasonable
- 15:14:28 [dveditz]
- greghuc: what actually happens when CfCLC is over? is it set in stone?
- 15:15:02 [dveditz]
- mkwst: no, errors can still be corrected, we just can't change the feature set
- 15:15:25 [dveditz]
- mkwst: I've been waiting for this period to end before starting on CSP3 features so I'd like to get this out the door
- 15:15:41 [dveditz]
- TOPIC: [CSP] img-src and inline svg
- 15:15:41 [dveditz]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0113.html
- 15:16:12 [dveditz]
- dveditz: I believe this was resolved in the list -- inline svg is NOT governed by img-src
- 15:17:26 [dveditz]
- TOPIC: [CSP] new directive: "not a ServiceWorker"
- 15:17:27 [dveditz]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0083.html
- 15:17:46 [dveditz]
- dveditz: inspired by the sandbox attribute perhaps?
- 15:18:11 [dveditz]
- dveditz: is that part of this group or part of SW?
- 15:18:44 [dveditz]
- dveditz: alternate proposals, e.g. content-type
- 15:19:47 [dveditz]
- mkwst: they should design this in the service worker spec and we can then evaluate their solution
- 15:20:12 [dveditz]
- mkwst: don't think we will end up with a SW directive, I prefer the content-type solution or something along those lines
- 15:20:51 [dveditz]
- dveditz: another concept was the browser sending hints
- 15:21:51 [dveditz]
- dveditz: that is, send whether a request is an IMG, or script, or XHR, or service worker, etc.
- 15:22:14 [dveditz]
- mkwst: would be worthwhile to discuss further on the list
- 15:22:37 [dveditz]
- mkwst: we would probably want to add this kind of thing to the Fetch spec
- 15:24:09 [dveditz]
- mkwst: should be relatively easy to specify as part of fetch if we want to do this. there are certainly benefits but we need to think carefully about whether there are drawbacks
- 15:24:21 [dveditz]
- mkwst: certainly not part of CSP
- 15:24:52 [dveditz]
- TOPIC: [CSP] Request to amend bookmarklet/extensions sentence
- 15:24:52 [dveditz]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0003.html
- 15:26:14 [dveditz]
- greg: having read through the responses to the Evernote concern it does look like everyone is on the same page in terms of not wanting UAs to interfere with addons and bookmarklets
- 15:27:02 [dveditz]
- greg: would like to have future versions of the spec be clearer about these desires, perhaps even specifying the behavior of bookmarks
- 15:27:21 [dveditz]
- mkwst: as a browser vendor I do want extensions to work
- 15:27:50 [dveditz]
- mkwst: it's possible in chrome by modifying the header as the response comes in. unfortunately most people doing that now simply remove the header
- 15:28:43 [dveditz]
- mkwst: we need a more specific extension API so they can simply add (whitelist) origins without conflicting with other extensions trying to do the same thing
- 15:29:06 [dveditz]
- mkwst: I don't think this belongs in the spec because by nature it's a proprietary API
- 15:29:20 [dveditz]
- mkwst: although a note suggesting the approach might be appropriate
- 15:30:45 [dveditz]
- glenn: we need to recognize that UAs need to have the freedom to disable all extensions if they wish to do so, such as if users ask them to
- 15:31:39 [dveditz]
- glenn: since there's no new information and we have general agreement I don't think we need to take any action
- 15:31:58 [dveditz]
- greg: mike and dan -- do you see a bigger statement in future versions of the spec?
- 15:32:48 [dveditz]
- mkwst: I don't think the spec will say much more about proprietary extension things. But we consider the current behavior a bug and I don't expect chrome's behavior to change for the worse regardless of the spec
- 15:33:40 [dveditz]
- dveditz: Mozilla also considers the current behavior a bug and is trying to figure out ways to fix it
- 15:35:03 [dveditz]
- greg: as long as browser vendors recognize that there are valid reasons, not an attack, for extensions to be injecting resources and scripts into a page
- 15:37:19 [dveditz]
- TOPIC: [REFERRER] Where does "Determine request’s Referrer" get its URL from?
- 15:37:19 [dveditz]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0101.html
- 15:38:39 [dveditz]
- mkwst: Ian's concern was the spec was very javascript specific. we did make changes to the spec in response to the thread
- 15:40:27 [dveditz]
- mkwst: I don't think there's anything wrong with the concept in the spec, it's how we've stated it. we may need to find a new wording but we have time to do so
- 15:40:48 [dveditz]
- mkwst: without Ian and Joachin on the call I don't think we can resolve this here. should do this on the list
- 15:41:15 [dveditz]
- TOPIC: Entry Point Regulation (EPR) for web apps
- 15:41:15 [dveditz]
- http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0009.html
- 15:41:37 [dveditz]
- dveditz: David Ross proposed EPR, but he's not on the call
- 15:43:24 [mkwst___]
- (zakim hung up on me, and now isn't letting me back into the meeting. :( )
- 15:43:26 [dveditz]
- dveditz: might be interesting to take on in WASWG (we need to re-charter in September) but we should discuss more on the list
- 15:45:08 [dveditz]
- dveditz: any other topics?
- 15:46:03 [Zakim]
- -greghuc
- 15:46:07 [dveditz]
- meeting adjourned
- 15:46:13 [Zakim]
- -glenn
- 15:46:16 [Zakim]
- -dveditz
- 15:46:18 [Zakim]
- -WuWei
- 15:46:25 [Zakim]
- -terri
- 15:46:29 [dveditz]
- Zakim, who was here?
- 15:46:29 [Zakim]
- I don't understand your question, dveditz.
- 15:46:32 [Zakim]
- -gmaone
- 15:47:09 [dveditz]
- zakim, bye
- 15:47:09 [Zakim]
- leaving. As of this point the attendees were dveditz, mkwst, gmaone, greghuc, glenn, terri, WuWei
- 15:47:09 [Zakim]
- Zakim has left #webappsec
- 15:47:31 [dveditz]
- rrsagent, make logs public
- 15:47:38 [dveditz]
- rrsagent, draft minutes
- 15:47:38 [RRSAgent]
- I have made the request to generate http://www.w3.org/2014/08/13-webappsec-minutes.html dveditz
- 15:48:17 [dveditz]
- rrsagent, bye
- 15:48:17 [RRSAgent]
- I see no action items