14:09:49 RRSAgent has joined #webappsec
14:09:49 logging to http://www.w3.org/2014/08/13-webappsec-irc
14:46:13 wuwei has joined #webappsec
14:48:47 trackbot, prepare teleconf
14:48:49 RRSAgent, make logs world
14:48:51 Zakim, this will be WASWG
14:48:51 ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 12 minutes
14:48:52 Meeting: Web Application Security Working Group Teleconference
14:48:52 Date: 13 August 2014
14:51:56 Chair: Dan_Veditz
14:52:05 Regrets+ bhill, wseltzer
14:58:29 gmaone has joined #webappsec
14:58:52 SEC_WASWG()11:00AM has now started
14:58:59 +??P1
14:59:32 +dveditz
14:59:53 +mkwst
14:59:54 Zakim, who is here?
14:59:54 On the phone I see ??P1, dveditz, mkwst
14:59:56 On IRC I see gmaone, wuwei, RRSAgent, Zakim, dveditz, greghuc, glenn, edulix, tobie, terri, freddyb, timeless, mkwst___, wseltzer, trackbot
15:00:06 +??P7
15:00:19 zakim, ??P7 is me
15:00:19 +gmaone; got it
15:00:59 zakim, ??P1 is me
15:00:59 +greghuc; got it
15:01:54 +glenn
15:02:41 +terri
15:03:16 Zakim, who is here?
15:03:16 On the phone I see greghuc, dveditz, mkwst, gmaone, glenn, terri
15:03:18 On IRC I see gmaone, wuwei, RRSAgent, Zakim, dveditz, greghuc, glenn, edulix, tobie, terri, freddyb, timeless, mkwst___, wseltzer, trackbot
15:03:27 +WuWei
15:06:21 scribenick dveditz
15:06:35 scribenick: dveditz
15:06:43 scribe: Dan Veditz
15:06:57 Zakim, who is here?
15:06:57 On the phone I see greghuc, dveditz, mkwst, gmaone, glenn, terri, WuWei
15:06:59 On IRC I see gmaone, wuwei, RRSAgent, Zakim, dveditz, greghuc, glenn, edulix, tobie, terri, freddyb, timeless, mkwst___, wseltzer, trackbot
15:07:43 Minutes Approval
15:07:43 http://www.w3.org/2014/07/16-webappsec-minutes.html
15:08:14 dveditz: hearing no objections the minutes are approved
15:08:23 TOPIC: News
15:08:44 Welcome David Ross from Google
15:08:45 Call for exclusions for Mixed Content issued July 22
15:08:45 period ends December 19, 2014
15:08:45 FPWD of Referrer Policy published Aug 7
15:08:45 http://www.w3.org/TR/referrer-policy/
15:08:45 Call for exclusions for Referrer policy issued Aug 7
15:08:45 period ends January 4, 2015
15:08:46 CSP2 Last Call period ends today
15:08:46 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0017.html
15:11:35 dveditz: I propose extending the csp2 last call until the next call given light summer attendance and a specific request from Microsoft
15:11:53 mkwst: I don't want to keep extending, but a limited extension to next week would be OK
15:12:15 s/next week/next call/
15:12:32 dveditz: that would be August 27
15:13:49 mkwst: I'm fine to extend further if there really are things to talk about, but not so much extending just because of lack of response
15:14:05 glenn: Kevin Hill responded on the list that 2 wks is reasonable
15:14:28 greghuc: what actually happens when CfCLC is over? is it set in stone?
15:15:02 mkwst: no, errors can still be corrected, we just can't change the feature set
15:15:25 mkwst: I've been waiting for this period to end before starting on CSP3 features so I'd like to get this out the door
15:15:41 TOPIC: [CSP] img-src and inline svg
15:15:41 http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0113.html
15:16:12 dveditz: I believe this was resolved in the list -- inline svg is NOT governed by img-src
15:17:26 TOPIC: [CSP] new directive: "not a ServiceWorker"
15:17:27 http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0083.html
15:17:46 dveditz: inspired by the sandbox attribute perhaps?
15:18:11 dveditz: is that part of this group or part of SW?
15:18:44 dveditz: alternate proposals, e.g. content-type
15:19:47 mkwst: they should design this in the service worker spec and we can then evaluate their solution
15:20:12 mkwst: don't think we will end up with a SW directive, I prefer the content-type solution or something along those lines
15:20:51 dveditz: another concept was the browser sending hints
15:21:51 dveditz: that is, send whether a request is an IMG, or script, or XHR, or service worker, etc
15:22:14 mkwst: would be worthwhile to discuss further on the list
15:22:37 mkwst: we would probably want to add this kind of thing to the Fetch spec
15:24:09 mkwst: should be relatively easy to specify as part of fetch if we want to do this. there are certainly benefits but we need to think carefully about whether there are drawbacks
15:24:21 mkwst: certainly not part of CSP
15:24:52 TOPIC: [CSP] Request to amend bookmarklet/extensions sentence
15:24:52 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0003.html
15:26:14 greg: having read through the responses to the Evernote concern it does look like everyone is on the same page in terms of not wanting UAs to interfere with addons and bookmarklets
15:27:02 greg: would like to have future versions of the spec be clearer about these desires, perhaps even specifying the behavior of bookmarks
15:27:21 mkwst: as a browser vendor I do want extensions to work
15:27:50 mkwst: it's possible in chrome by modifying the header as the response comes in. unfortunately most people doing that now simply remove the header
15:28:43 mkwst: we need a more specific extension API so they can simply add (whitelist) origins without conflicting with other extensions trying to do the same thing
15:29:06 mkwst: I don't think this belongs in the spec because by nature it's a proprietary API
15:29:20 mkwst: although a note suggesting the approach might be appropriate
15:30:45 glenn: we need to recognize that UAs need to have the freedom to disable all extensions if they wish to do so, such as if users ask them to
15:31:39 glenn: since there's no new information and we have general agreement I don't think we need to take any action
15:31:58 greg: mike and dan -- do you see a bigger statement in future versions of the spec?
15:32:48 mkwst: I don't think the spec will say much more about proprietary extension things. But we consider the current behavior a bug and I don't expect chrome's behavior to change for the worse regardless of the spec
15:33:40 dveditz: Mozilla also considers the current behavior a bug and is trying to figure out ways to fix it
15:35:03 greg: as long as browser vendors recognize that there are valid reasons, not an attack, for extensions to be injecting resources and scripts into a page
15:37:19 TOPIC: [REFERRER] Where does "Determine request’s Referrer" get its URL from?
15:37:19 http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0101.html
15:38:39 mkwst: Ian's concern was the spec was very javascript specific. we did make changes to the spec in response to the thread
15:40:27 mkwst: I don't think there's anything wrong with the concept in the spec, it's how we've stated it. we may need to find a new wording but we have time to do so
15:40:48 mkwst: without Ian and Joachin on the call I don't think we can resolve this here. should do this on the list
15:41:15 TOPIC: Entry Point Regulation (EPR) for web apps
15:41:15 http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0009.html
15:41:37 dveditz: David Ross proposed EPR, but he's not on the call
15:43:24 (zakim hung up on me, and now isn't letting me back into the meeting. :( )
15:43:26 dveditz: might be interesting to take on in WASWG (we need to re-charter in September) but we should discuss more on the list
15:45:08 dveditz: any other topics?
15:46:03 -greghuc
15:46:07 meeting adjourned
15:46:13 -glenn
15:46:16 -dveditz
15:46:18 -WuWei
15:46:25 -terri
15:46:29 Zakim, who was here?
15:46:29 I don't understand your question, dveditz.
15:46:32 -gmaone
15:47:09 zakim, bye
15:47:09 leaving. As of this point the attendees were dveditz, mkwst, gmaone, greghuc, glenn, terri, WuWei
15:47:09 Zakim has left #webappsec
15:47:31 rrsagent, make logs public
15:47:38 rrsagent, draft minutes
15:47:38 I have made the request to generate http://www.w3.org/2014/08/13-webappsec-minutes.html dveditz
15:48:17 rrsagent, bye
15:48:17 I see no action items