W3C

- DRAFT -

Web Application Security Working Group Teleconference

19 Sep 2018

Agenda

Attendees

Present
weiler, pranjal, jeffh, iclelland, wseltzer, johnwilander, mkwst, ckerschb__, bhill, dveditz, tanvi
Regrets
Chair
Scribe
wseltzer

<mkwst> https://docs.google.com/document/d/1iMMGTxF40TnRwtL9L_pElgYx3mffIuJOj4t7Dhxo40c/edit#

mkwst: TPAC is coming!
... I've listed some topics of potential interest
... Agenda-bashing?

johnwilander: cookie proposal?

mkwst: added to the TPAC doc

TPAC draft agenda doc

mkwst: lots remains from last year, with new problems!
... please add comments and thoughts to the doc
... Categories: things that are basically done
... Mixed content, aiming for PR around TPAC
... CfC got basically no response
... if no objections, we'll push forward
... Referrer Policy
... think we were waiting on a second implementation of CSS aspect
... relating to stylesheets
... Secure Contexts

<dveditz> (sorry, heard 'csf' and couldn't grok the 'f')

mkwst: fairly robust interop

<dveditz> ('csRf'? stuck in my head)

mkwst: Upgrade Insecure Requests
... think we need update re localhost, 127.0.0.1
... hope to get through that by TPAC
... Next, mostly-complete
... CSP3
... can we call it feature-complete at TPAC
... then do debugging?
... CSP Embedded Enforcement
... one implementation in chrome; spec needs work
... Clear Site Data, 2 implementations
... chrome and FF.
... make sure spec reflects feedback from implementers
... also talk with WHATWG re Storage
... Credential Management. stable implementation in chrome
... starting to get framework implementations in other browsers
... supporting webauthn
... todo: split document in 2 pieces: framework, and password/federated credential types
... split would let us move forward where agreement
... Next: work currently laying fallow
... SRI. recent interest but not much movement
... signature-based, other types
... Suborigins.
... is there actually interest?
... or explicitly punt?
... Next: new work we might want to adopt
... Origin Policy, Feature Policy, both starting to get implementations
... chrome; think I saw intent to implement from Moz
... Spectre mitigation
... CO(R/W)P, Sec-Metadata
... Trusted Types
... dveditz adds DOMPurify-type HTML sanitizer

dveditz: CORB?

mkwst: cross-origin read blocking is in Fetch
... think they deserve more explanation than in algorithms in Fetch
... and CORS
... worthwhile to spell out rationale
... while pointing to Fetch
... Things we might want to kill
... ckerschb__ adds require-sri-for
... chrome and FF have implementations
... Other interesting topics

johnwilander: Storage API has shipped in Safari
... and Moz has intent to implement

mkwst: added to interesting topics

johnwilander: I won't be there in person

mkwst: we've made a speakerphone request
... we'll work on putting things into an agenda, trying to accommodate remote folks

dveditz: if you want to participate remotely, please let us know your interests

mkwst: dveditz and I will work on agenda

wseltzer: Dagstuhl seminar recap?

mkwst: maybe add that to TPAC agenda

johnwilander: the co-organizers seem to be super busy, so I don't know when we'll have write-up
... I can share notes from breakouts I attended
... cookie discussion (also have mkwst's proposal)
... and JS capability model + policy

mkwst: we'll look to put that on end of day
... expect Mario and Freddy to have explainer for sanitizer
... Are there any objections to moving Mixed Content Level 1 to PR

RESOLUTION: move Mixed Content Level 1 to PR

mkwst: hearing no objections here or on the list

Summary of Action Items

Summary of Resolutions

  1. move Mixed Content Level 1 to PR
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.153 (CVS log)
$Date: 2018/09/19 16:31:33 $

Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2018Sep/0017.html