See also: IRC log
<dveditz> https://www.w3.org/2017/08/16-webappsec-minutes.html
dveditz: minutes approved
... TPAC is coming; register before Oct. 7 for early-bird rates
ArturJanc: I will most likely be there
mkwst: I'll be there too
dveditz: Mozilla will send me, Tanvi, and Christoph
https://www.w3.org/2002/09/wbs/101147/cors-obs-2017-09/results
wseltzer: Currently AC review of Obsoleting Fetch
dveditz: there was also a request on the chairs' list to publish a snapshot of Fetch
... my sense is that this group would support doing that
mkwst: I'm surprised; let's find a venue in which to discuss response
dveditz: even a supporter prefers the term "Superseded"
wseltzer: I'll ping some AC reps too
dveditz: and I'll encourage Mozilla
... what specs should we push at TPAC?
mkwst: Mixed Content and Upgrade Insecure Requests
... we have test suites
... and a couple of others
... Some specs with lesser implementation status
... Credential Management, webauthn dependence
... Clear Site Data is shipping in Chrome
... Embedded Enforcement too
... so we could move those toward CR
... For me, the elephant is CSP3
... plodding along; a colleague will be giving more attention to it
... probably not ready for CR by TPAC, but we should be thinking about it
... Some new things, including some from Artur, that I hope we can discuss F2F
ArturJanc: A couple things
... Origin Policy and Isolation proposal Tanvi and Emily have been talking about
... also Suborigins and Origin Attributes
dveditz: Some of those things are in WICG.
mkwst: I think WebAppSec has the right group of people; it's a reasonable target destination for many of these specs when they're ready
... I'd like them to be on WebAppSec's radar
dveditz: want to work nicely with WICG
mkwst: I don't think they'll mind if we talk about their work
... for the things I'm working on, I'd love to talk about them here
wseltzer: I believe these are in general scope of WebAppSec charter;
... doesn't hurt to communicate with WICG
dveditz: anything else on TPAC?
... First day (Monday) will focus on specs that are nearly done, moving those forward
... and second day, continue that if necessary, then move on to potential new work, WICG
dveditz: one thing challenging Moz
... if opener is insecure page, then it's not secure context
... that doesn't appear to be the way Chrome works,
... and it's not what we'd want
mkwst: sounds like a bug; I messed up the implementation
... unfortunate, because some people have started to rely on it
... especially around notifications
... folks have been popping up push notifications from insecure page
... that's unfriendly
dveditz: it's asymmetric
mkwst: suggestion of rolling back this requirement would make developers happy
dveditz: maybe instead there's a way to break the opener relationship
mkwst: service workers @@
... Please file a bug
... and we can discuss there
dveditz: If Boris hasn't already filed an issue, I'll check and file one
... AOB?
ArturJanc: A possible topic
... features that possibly subvert CSP
... Safe Types proposal
... can we discuss interactions between browsers and JS frameworks and what they're providing to developers?
scribe: Is there interest?
<mkwst> Trusted Types: https://github.com/mikewest/trusted-types
mkwst: research on gadgets is intriguing
... Trusted Types might eventually lead to better patterns
... so it would be useful to talk about those things
dveditz: Artur, what name should we give that topic?
ArturJanc: Script Gadgets will be understandable to security folks
dveditz: risks raised by script gadgets?
ArturJanc: sounds good
mkwst: Let's also reach out again to Apple
... they had raised a few topics a few months ago
... something like single-origin app, and domain binding
... If they were interested in presenting in more detail, would be good
[no one from Apple on the call today]
dveditz: some fits with Origin Attributes discussion
mkwst: there's currently a call for adoption in DNSOP WG at IETF
... re let Localhost be bound to loopback addresses only
... relevant to secure contexts
... namely, question whether localhost can be secure context
... please think about whether you support, and say so on-list
<mkwst> https://www.ietf.org/mail-archive/web/dnsop/current/msg20963.html
mkwst: call closes today, so add if you support
jeffh: you support it?
<mkwst> https://datatracker.ietf.org/doc/draft-west-let-localhost-be-localhost/
mkwst: I wrote it, so yes
dveditz: I personally support it
... not sure the concerns of our networking folks
mkwst: would be good to hear more
dveditz: see you next month and at TPAC
Present: ArturJanc dveditz jeffh mkwst weiler wseltzer
Scribe: wseltzer
Date: 20 Sep 2017
Minutes URL: http://www.w3.org/2017/09/20-webappsec-minutes.html