19:01:44 <RRSAgent> RRSAgent has joined #webappsec
19:01:44 <RRSAgent> logging to http://www.w3.org/2015/10/05-webappsec-irc
19:01:46 <bblfish> bblfish has joined #webappsec
19:01:46 <trackbot> RRSAgent, make logs world
19:01:46 <Zakim> Zakim has joined #webappsec
19:01:48 <trackbot> Zakim, this will be WASWG
19:01:48 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
19:01:49 <trackbot> Meeting: Web Application Security Working Group Teleconference
19:01:49 <trackbot> Date: 05 October 2015
19:02:02 <bhill2> present+ bhill2
19:02:12 <mkwst> present+ mkwst
19:02:19 <bhill2> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0005.html
19:02:48 <jww> jww has joined #webappsec
19:03:32 <francois> present+ francois
19:03:54 <dveditz> present+ dveditz
19:04:17 <bhill2> zakim, who is here?
19:04:17 <Zakim> Present: bhill2, mkwst, francois, dveditz
19:04:19 <Zakim> On IRC I see jww, Zakim, bblfish, RRSAgent, estark, deian, mikeoneill, JonathanKingston, bhill2, francois, jmajnert, schuki, timeless, Josh_Soref, dveditz, freddyb, tobie,
19:04:19 <Zakim> ... slightlyoff, mkwst, terri, mounir, trackbot, wseltzer
19:04:20 <wseltzer> present+ wseltzer
19:04:34 <estark> present+ estark
19:04:34 <jww> present+
19:04:38 <jww> present+ jww
19:04:40 <terri> present+ terri
19:04:45 <dveditz> present+ ckerschb
19:04:46 <JonathanKingston> present+ JonathanKingston
19:04:50 <mikeoneill> present+ mikeoneill
19:04:50 <wseltzer> present+ moneill2
19:05:05 <mounir> present+ mounir
19:05:39 <wseltzer> present+ crispin
19:05:43 <wseltzer> present+ rob_trace
19:06:45 <ckerschb> ckerschb has joined #webappsec
19:06:46 <crispin_microsoft> crispin_microsoft has joined #webappsec
19:07:04 <bhill2> Rob Trace is replacing David Walp from MSFT on this group and browser team
19:07:14 <crispin_microsoft> +present
19:07:19 <bhill2> Mike O'Neill is from the TPWG and interested in Permissions API.
19:07:54 <bblfish> Do you want me to introduce myself
19:07:58 <bblfish> ?
19:08:33 <bhill2> Henry, are you on the phone?
19:08:41 <bblfish> yes
19:09:02 <deian> present+ deian
19:10:01 <bhill2> TOPIC: Minutes Approval
19:10:06 <bhill2> http://www.w3.org/2011/webappsec/draft-minutes/2015-09-21-webappsec-minutes.html
19:10:21 <bhill2> hearing no objections, minutes approved
19:10:29 <bhill2> TOPIC: News
19:10:46 <mkwst> bhill2: TPAC is coming. Brace yourselves.
19:10:57 <mkwst> bhill2: Dan will run the next call, I'm out.
19:11:05 <mkwst> ... Think about agenda items.
19:11:25 <mkwst> ... Good chance to brainstorm, collaborate with other groups, etc.
19:11:29 <mkwst> ... Remote participation?
19:11:38 <mkwst> ... If you're interested, let me know.
19:12:03 <mkwst> ... One More Thing:
19:12:10 <deian> I think I can make it in person, but should know for sure in the next few days. (If I can't remote join would be great.)
19:12:26 <RobTrace> RobTrace has joined #webappsec
19:12:30 <mkwst> ... Time slot for the meeting. Perhaps we should alternate again after TPAC?
19:12:42 <terri> Alas, my regrets for TPAC.  It's looking highly unlikely that I'll get travel budget approval at this point
19:12:42 <mkwst> ... Next call, same time. Perhaps change the call after that.
19:13:20 <bhill2> mkwst: We have one repo per-spec now, except CSP which has a couple
19:13:29 <bhill2> ... should be more clear as we go forward with that spec
19:14:04 <bhill2> ... github.com/w3c/webappsec has a nice table linking to current editor's drafts, history is preserved, but issues haven't been migrated
19:14:12 <bhill2> ... hoping editors can migrate their own spec's issues
19:14:35 <bhill2> ... not clear there's a lot of value in doing so
19:14:58 <bhill2> ... probably best to put new issues in new repos and let old ones die out as they are resolved
19:15:58 <bhill2> (jww and mkwst note that the way to indicate to do this is to reply to issues opened in wrong repo)
19:16:29 <bhill2> TOPIC: Permissions API
19:17:13 <wseltzer> https://w3c.github.io/permissions/
19:17:19 <bhill2> mounir: last time we discussed being able to revoke
19:17:26 <bblfish> https://w3c.github.io/permissions/
19:17:27 <bhill2> ... extended request is added, is behind a flag
19:17:31 <jww> mkwst: no worries, I got it :-)
19:17:40 <bhill2> ... a few things need to be handled after that, new things for the API
19:17:53 <bhill2> ... some related to WebRTC we need to take care of
19:18:00 <bhill2> ... and for NFC
19:18:19 <bhill2> ... and whether to have those new permissions live in this spec or delegate to the other APIs and specs
19:19:06 <bhill2> ... at moment spec has a big TODO to finish, then we can heartbeat the draft
19:19:32 <mkwst> dveditz: Would prefer to not extend this spec. Modifying spec involves overhead.
19:19:44 <mkwst> ... Perhaps makes sense to add pieces elsewhere and reference them.
19:19:57 <mkwst> ... Would be nice to have a section in this spec to explain how to extend the spec.
19:20:06 <mkwst> mounir: I tend to agree with that.
19:20:17 <mkwst> ... Opened a bug against WebIDL to have partial enums.
19:20:24 <mkwst> ... Some folks very against that idea.
19:20:33 <mkwst> ... That's why I'm doing things on the side.
19:20:41 <mkwst> ... Need to see if folks will change their minds.
19:20:48 <mkwst> ... Will try to make that happen.
19:21:26 <mkwst> mikeoneill: Posted to the list, asking about extensions.
19:21:43 <mkwst> ... https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0207.html
19:21:54 <mkwst> ... Will there be a procedure for extending? Registry, etc?
19:22:06 <mkwst> mounir: Don't know how much extensions should be part of the code of the API.
19:22:16 <mkwst> ... FirefoxOS has their own way of doing extensions.
19:22:27 <mkwst> ... Not clear to me that we need to specify that part in the document.
19:22:33 <mkwst> ... If someone has an opinion, I'd love to hear it.
19:22:41 <mounir> s/own way of doing extensions./own way of doing permissions./
19:22:46 <mkwst> mikeoneill: At the moment, there are just the four permissions.
19:22:55 <mkwst> ... WebRTC, for instance.
19:23:14 <mkwst> ... When they come up, is there going to be a procedure for allocating a name for them, publishing a dictionary?
19:23:27 <mkwst> bhill2: Seems like the simplest way to do that is with an IANA registry.
19:23:35 <mkwst> ... They exist for exactly this purpose.
19:23:45 <mkwst> mikeoneill: Any discussion about that?
19:23:55 <mkwst> mounir: Same as the first question from dveditz.
19:24:06 <mkwst> ... Having a registry, having something in the spec, seem like reasonable solutions.
19:24:12 <mkwst> dveditz: Other thing not in the spec is a section on security.
19:24:22 <mkwst> ... I know some things like push need to be on a secure site.
19:24:28 <bhill2> (I would tend to lean towards going with an IANA registry as the default idea unless there is good reason to do otherwise.)
19:24:28 <mkwst> ... Geolocation headed that way.
19:24:45 <mkwst> ... Should at least note that some permissions will require a secure context.
19:25:07 <mkwst> mounir: Already say that permissions are linked to origins.
19:25:15 <mkwst> ... I think "secure or not" is already mentioned.
19:26:08 <mkwst> bhill2: I don't see "secure" or "https" in the body of the spec.
19:26:22 <mkwst> dveditz: In any case, most recent specs have a "security considerations" section.
19:26:28 <mkwst> ... Should at least say "There aren't any."
19:26:43 <mkwst> ... These things were considered, these discussions were had, etc.
19:26:49 <bblfish> there should probably even be privacy considerations, ( realaying from the Privcay WG )
19:26:59 <wseltzer> +1 to Security Considerations. There is already a Privacy Considerations
19:27:14 <mkwst> dveditz: Will be easier to get through approvals if you have such a section.
19:27:23 <mkwst> ... Otherwise, kneejerk rejections.
19:27:38 <mkwst> wseltzer: Good work already having a "privacy considerations" section.
19:27:46 <mkwst> dveditz: Yup, I noticed that. Thank you.
19:27:50 <mkwst> bhill2: Anything else?
19:27:52 <bblfish> :-)
19:27:56 <bhill2> TOPIC: Upgrade Insecure Requests
19:28:19 <bhill2> mkwst: implemented in Chrome & FF and on W3C website for about a day
19:28:21 <wseltzer> https://w3c.github.io/webappsec/specs/upgrade/
19:28:32 <bhill2> ... implementation in browsers seems to work the way it is supposed to
19:28:49 <wseltzer> now at https://w3c.github.io/webappsec-upgrade-insecure-requests/
19:29:25 <bhill2> ... transition request submitted, first attempt blocked to resolve reference issues with Workers and review from WebApps
19:29:35 <wseltzer> q+
19:29:56 <bhill2> ... hoping transition request will resolve in the near future.  Secure Contexts is next and has many of the same transition request issues.
19:30:00 <bhill2> ack wseltzer
19:30:18 <bhill2> wseltzer: will be speaking with Ralph acting as Director's designate re: this transition request
19:31:44 <bhill2> dveditz: done in Firefox but signaling header not implemented yet
19:31:47 <bhill2> ... in FF43
19:32:02 <bhill2> mkwst: next steps are create a test suite
19:32:14 <bhill2> dveditz: actually in 42, so released 1st week of November
19:33:11 <bhill2> http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
19:33:23 <mkwst> bhill2: I wrote an explainer doc after our Berlin meeting.
19:33:32 <mkwst> ... Interest in exploring that document.
19:33:40 <mkwst> ... Probably a breakout session at TPAC.
19:34:03 <mkwst> ... If you're interested in helping, I'd be very interested in comments and participation.
19:34:11 <bhill2> TOPIC: Clear Site Data
19:34:14 <deian> +1 I gave it a read last night, I really like the idea
19:34:27 <bhill2> mkwst: not much since FPWD
19:34:40 <wseltzer> https://w3c.github.io/webappsec-clear-site-data/
19:34:56 <bhill2> ... some interest from Google in using this feature, may have someone lined up to implement in Q4 so we can see if it solves the problems we think
19:35:09 <bhill2> ... includesSubdomains is less important to google than I thought, and we probably won't use it
19:35:18 <bhill2> ... so I would like to remove it if there are no other use cases
19:35:33 <bhill2> dveditz: can be used destructively, so needs extra considerations if we leave it in
19:35:55 <bhill2> ... this assumes that superdomain owns subdomains in many specs, but can cause problems when not strictly true
19:36:08 <bhill2> mkwst: can remove a lot of complexity if we remove the feature
19:37:24 <bhill2> ... feedback appreciated, esp from other implementers and users!
19:37:54 <bhill2> mikeoneill: has anyone discussed having a time-delay on this?
19:38:04 <bhill2> mkwst: makes sense to me as a browser feature that a user could opt themselves into
19:38:16 <bhill2> ... less clear to me that an origin having a self destruct would be useful
19:38:42 <bhill2> mikeoneill: site might want to extend control to the user, like with cookies to time out storage
19:39:09 <bhill2> mkwst: sounds more like an expiration for things like local storage, but that's a bit of a distinct use case from this app
19:39:17 <bhill2> ... this is more for a logout case
19:39:34 <bhill2> ... e.g. google+, docs, to make sure that offline cached stuff is removed when you log out
19:40:46 <wseltzer> q+
19:40:55 <bhill2> ack wseltzer
19:40:59 <wseltzer> https://www.w3.org/wiki/TPAC/2015/SessionIdeas
19:41:11 <bhill2> wseltzer: if you are thinking of TPAC, Wednesday is the plenary day, submit ideas
19:41:13 <mkwst> q+ CSP3 update: https://w3c.github.io/webappsec-csp/
19:41:26 <dveditz> heh
19:41:26 <francois> q+
19:41:59 <bhill2> ack
19:42:03 <bhill2> ack CSP3...
19:42:16 <wseltzer> q-
19:42:36 <dveditz> Zakim: ack CSP3
19:42:47 <wseltzer> q- https
19:42:51 <bhill2> mkwst: CSP3 is starting to shape up, good time for folks interested in integration with Fetch and HTML to take a look and comment
19:43:05 <bhill2> ack CSP3
19:43:09 <bhill2> ack update:
19:43:11 <wseltzer> q=francois
19:43:16 <wseltzer> queue=francois
19:43:21 <bhill2> ack francois
19:43:31 <mkwst> francois: SRI is basically ready for the next step.
19:43:37 <mkwst> ... merged all the outstanding PRs.
19:43:45 <mkwst> ... resolved all issues before LC/RC.
19:43:49 <mkwst> ... What's the next step?
19:43:55 <mkwst> ... Ask the chair to take it for wide review?
19:44:09 <mkwst> bhill2: Next step is to document the review and implementation experience we have.
19:44:22 <mkwst> ... Send it for comments to places that might be interested (IETF?)
19:44:38 <mkwst> ... Two implementations + test suite mean that we can probably rapidly advance to CR.
19:44:54 <mkwst> francois: Next step is to write to the list? Ask for people who might be interested?
19:45:03 <mkwst> bhill2: Yup. That'd be great.
19:45:14 <mkwst> ... Can point to blog posts (GitHub, etc) as well.
19:45:22 <mkwst> ... Qualifies as part of "wide review".
19:45:41 <mkwst> ... Excited to take that to CR. Awesome.
19:45:49 <bblfish> which one is going to CR?
19:45:50 <mkwst> wseltzer: Good work group in getting so many specs moving forward.
19:45:55 <mkwst> bblfish: SRI.
19:46:03 <mkwst> (and Upgrade.)
19:46:08 <mkwst> (and Secure Contexts.)
19:46:16 <bblfish> ah this one: https://w3c.github.io/webappsec-subresource-integrity/
19:46:17 <mkwst> bhill2: Bye!
19:46:17 <bhill2> rrsagent, make minutes
19:46:17 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/05-webappsec-minutes.html bhill2
19:46:17 <bblfish> thanks
19:46:27 <bhill2> rrsagent, set logs world
19:46:33 <bhill2> zakim, list attendees
19:46:34 <Zakim> As of this point the attendees have been bhill2, mkwst, francois, dveditz, wseltzer, estark, jww, terri, ckerschb, JonathanKingston, mikeoneill, moneill2, mounir, crispin,
19:46:36 <Zakim> ... rob_trace, present, deian
19:46:39 <bhill2> rrsagent, make minutes
19:46:39 <RRSAgent> I have made the request to generate http://www.w3.org/2015/10/05-webappsec-minutes.html bhill2
19:46:46 <bhill2> rrsagent, set logs world
19:50:33 <bhill2> bhill2 has joined #webappsec
19:52:34 <bhill2> bhill2 has joined #webappsec
19:55:37 <bblfish> bblfish has joined #webappsec
20:17:01 <ckerschb> ckerschb has left #webappsec
20:56:28 <bblfish> bblfish has joined #webappsec
23:26:12 <bblfish> bblfish has joined #webappsec