16:54:16 RRSAgent has joined #webappsec 16:54:16 logging to http://www.w3.org/2016/12/21-webappsec-irc 16:54:19 Zakim has joined #webappsec 16:54:22 present= 16:54:26 present+ 16:57:33 estark has joined #webappsec 16:57:50 bhill2_ has joined #webappsec 16:57:59 present+ 16:59:25 present+ gmaone 16:59:29 present+ 17:00:39 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Dec/0012.html 17:00:47 present+ bhill2 17:00:52 Chairs: bhill2, dveditz 17:01:04 zakim, who is here? 17:01:06 Present: wseltzer, mkwst, gmaone, estark, bhill2 17:01:06 On IRC I see bhill2_, estark, Zakim, RRSAgent, bhill2, Agent_Smith_BR, yoav, Mek, jyasskin, sangwhan, ojan, timeless, Josh_Soref, rrware, Domenic, hadleybeeman, tobie, adrianba, 17:01:06 ... dbaron, jkt, dveditz, schuki, mkwst, slightlyoff, jww, jochen___, MattN, mounir, Jb, freddyb, terri, jcj_moz, wseltzer, trackbot 17:01:08 ckerschb__ has joined #webappsec 17:03:02 present+ ckerschb__ 17:03:03 Meeting: WebAppSec Teleconference 21-Dec-2016 17:03:10 Chairs:bhill2, dveditz 17:03:18 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Dec/0012.html 17:03:28 regrets+ Terri 17:04:21 -> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html Draft Charter for review 17:04:34 bhill2_: agenda-bashing 17:04:46 ... short agenda, approve recharter request 17:05:02 ... issue on redacting origins in referrer policy 17:05:20 mkwst: I can give an update on clear site data and embedded enforcement 17:05:21 mkwst: can update on Clear Site Data and Embedded Enforcement 17:05:33 Topic: Charter 17:05:35 q+ 17:05:36 https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html 17:05:47 gmaone has joined #webappsec 17:06:01 present+ dveditz 17:06:11 gmaone has joined #webappsec 17:06:22 did we change the access #? the one I memorized didn't work 17:06:37 wseltzer: Director approved a 3-month extension while review 17:06:44 bhill2_: a few comments on list 17:06:46 present maone 17:06:56 present+ maone 17:07:21 ... scope: note vulnerability mitigation, security model 17:07:32 ... I need to make PR to update meeting schedule to monthly 17:07:50 mkwst: mostly seems reasonable 17:07:59 ... should we mention github, since most of our discussion is there? 17:08:03 bhill2_: I'll make that update 17:08:16 ... should update the workmode document on public webpage too 17:08:18 q+ 17:08:47 mkwst: webperf is sending weekly summary of changes via github. should we look into that? 17:09:07 ... mailing list is helpful in reaching more people; maybe a github summary could help reach them 17:09:22 bhill2_: digest would be extraordinarily useful 17:10:04 mkwst: look at what other groups are doing 17:10:14 ... webperf is using a mechanical gathering 17:10:21 ... that's a reasonable place to start, no extra work 17:10:33 ... agree that a human-generated summary would be even more useful 17:11:18 wseltzer: W3C has mechanical digest tooling 17:11:19 q- 17:11:59 @@: permissions API, authors aren't in WG 17:12:10 s/@@/tanvi/ 17:12:10 bhill2_: we talked about at TPAC 17:12:19 ... we should make sure they join the group 17:12:43 dveditz: did web perf take permissions in scope? 17:12:48 s/web perf/web platform/ 17:13:24 bhill2_: looks as though no 17:13:33 dveditz: better for us to take it than not be owned 17:14:05 bhill2_: updates to meeting frequency; github preferred workmode for spec issues 17:14:16 ... with that, any objections to sendig that for AC review? 17:14:24 [no objections] 17:14:35 RESOLVED: Update draft charter and send for AC Review 17:14:40 Topic: Referrer Policy 17:14:57 bhill2_: current state, moving to CR 17:15:00 https://github.com/w3c/webappsec-referrer-policy/pull/77#issuecomment-255429675 17:15:08 ... last issue open PR 77 17:15:24 ... proposal to redact ancestor origins property according to whether referrer 17:15:55 ... Boris proposed @@ 17:17:02 ... I'm happy with that solution 17:17:07 +1, I think boris's proposal makes sense 17:17:12 s/@@/[as described in issue] 17:17:38 bhill2_: any objections to closing CfC to move Referrer Policy to CR? 17:17:56 mkwst: I think Jochen has something on clarifying style sheets referrers 17:18:09 ... it would be good for that to land 17:18:16 ... he sent for review yesterday 17:18:28 ... would be nice to get that patch in 17:18:31 present+ 17:18:32 PR 83 17:18:32 https://github.com/w3c/webappsec-referrer-policy/pull/83 17:19:04 mkwst: fairly confident we can get that in this week 17:19:10 ... would be useful before move to CR 17:19:57 tanvi has joined #webappsec 17:20:04 Zakim, who is here? 17:20:04 Present: wseltzer, mkwst, gmaone, estark, bhill2, ckerschb__, dveditz, maone 17:20:07 On IRC I see tanvi, gmaone, ckerschb__, bhill2_, estark, Zakim, RRSAgent, Agent_Smith_BR, yoav, Mek, jyasskin, sangwhan, ojan, timeless, Josh_Soref, rrware, Domenic, hadleybeeman, 17:20:07 ... tobie, adrianba, dbaron, jkt, dveditz, schuki, mkwst, slightlyoff, jww, jochen___, MattN, mounir, Jb, freddyb, terri, jcj_moz, wseltzer, trackbot 17:20:14 present+ tanvi 17:20:33 mkwest: given publication moratorium, I suggest we can resolve to move to CR 17:20:41 ... and update with this patch before CR publication 17:20:51 bhill2_: sound good. Emily? 17:20:57 estark: sounds good to me 17:21:11 Topic: Embedded Enforcement, Clear Site Data 17:21:22 mkwst: I had a great intern working on Embedded Enforcement 17:21:48 ... Malika did very complicated work of figuring out a reasonable algorithm 17:21:55 ... I'm now working to clean up the text 17:22:11 ... made lots of progress, ahve an implementation in Chrome Canary I'd like folks to play with 17:22:19 ... Clear Site Data, also lots of work last quarter 17:22:33 ... Chrome Beta has an implementation 17:22:42 ... mechanism for clearing origin-related data 17:22:49 ... we have it working for navigational requqests 17:22:57 ... close to working on subresource requests too 17:23:09 ... e.g.. photos team wants to clear personal photos when you log out 17:23:16 ... we'd like to get feedback on current spec 17:23:31 ... would be great if folks can review 17:23:46 ... a few syntax changes to come 17:23:52 ... comments would be very useful. 17:24:08 bhill2_: I've been looking for consumers of Embedded Enforcement 17:24:33 ... e.g. measurement tools, pixels or iframes 17:24:58 mkwst: on the one hand, I'd love EE not to be useful because you never embed untrusted stuff 17:25:08 ... but, folks still embed 3d party stuff 17:25:20 ... EE requires some work from 3d parties too 17:26:14 ... look forward to feedback to make more rapid progress in new year 17:26:27 bhill2_: AOB? 17:26:39 ... next call Jan 18 17:26:46 q+ 17:27:07 ... thanks for a great year, lots of accomplishments 17:28:26 ckerschb__ has left #webappsec 17:28:29 zakim, list attendees 17:28:29 As of this point the attendees have been wseltzer, mkwst, gmaone, estark, bhill2, ckerschb__, dveditz, maone, tanvi 17:28:33 q- 17:28:43 rrsagent, make minutes 17:28:43 I have made the request to generate http://www.w3.org/2016/12/21-webappsec-minutes.html bhill2_ 17:28:47 rrsagent, set logs world 17:29:10 wseltzer: you'll see first an "advance notice of work in progress" and then a call for AC Review (after W3C management reviews) 17:29:24 ... on recharter 17:29:37 ... Thanks for all the good work! 17:29:45 ... including CSP2 to Rec 17:29:49 rrsagent, make minutes 17:29:49 I have made the request to generate http://www.w3.org/2016/12/21-webappsec-minutes.html wseltzer 17:30:36 rrsagent, when will you start giving HTTPS links? 17:30:36 I'm logging. Sorry, nothing found for 'when will you start giving HTTPS links' 17:32:26 i/Topic: Embedded/RESOLVED: Referrer Policy to CR after Jochen's patch goes in 17:32:31 rrsagent, make minutes 17:32:31 I have made the request to generate http://www.w3.org/2016/12/21-webappsec-minutes.html wseltzer 17:38:58 bhill2 has joined #webappsec 17:49:43 yoav has joined #webappsec 17:56:57 gmaone2 has joined #webappsec 17:58:14 gmaone3 has joined #webappsec 18:18:03 yoav has joined #webappsec 18:23:14 gmaone has joined #webappsec 18:29:05 gmaone2 has joined #webappsec 18:31:34 timbl has joined #webappsec 18:36:18 gmaone has joined #webappsec 18:50:28 yoav has joined #webappsec 18:54:46 bhill2_ has joined #webappsec 19:23:25 bhill2 has joined #webappsec 19:30:45 yoav has joined #webappsec 19:32:15 tanvi has joined #webappsec 21:21:00 timbl has joined #webappsec 21:43:35 gmaone2 has joined #webappsec 21:56:02 gmaone has joined #webappsec 22:00:46 bhill2_ has joined #webappsec 22:30:49 bhill2 has joined #webappsec 22:37:36 gmaone has joined #webappsec 22:56:04 gmaone2 has joined #webappsec 23:08:17 yoav has joined #webappsec 23:55:17 gmaone has joined #webappsec