Social Web Working Group Teleconference
29 Mar 2016
See also: IRC log
- tantek, annbass, ben_thatmustbeme, Arnaud, aaronpk, eprodrom, tsyesika, KevinMarks
- Ben Roberts
- Summary of Action Items
- Summary of Resolutions
we only have 5 people on the phone right now
<eprodrom> sorry, just joining
<annbass> whoops .. I said I would, but guess I'm muted
<scribe> scribenick: ben_thatmustbeme
<scribe> Scribe: Ben Roberts
Chair Evan Prodrom
eprodrom: lets get started, we have a few minutes to review
<annbass> I really appreciate Amy's summary notes: http://rhiaro.co.uk/2016/03/socialwg5-summary
approval of minutes
eprodrom: this is a little bit of catch up, but from 3 weeks ago. +1's
eprodrom: without any objections
RESOLUTION: approve https://www.w3.org/wiki/Socialwg/2016-03-08-minutes
<tantek> (btw it's ok to ask for more time to review)
eprodrom: as annbass mentioned in IRC, rhiaro did a very nice summary of minutes from f2f
<tantek> (I admit I was at the f2f and have not reviewed the minutes, but if everyone else is ok, I'm not objecting)
eprodrom: i have only given a slight look but they look ok to me. Would anyone like to defer to next week?
... if not we'll just call this resolved
RESOLUTION: approve the minutes for 3/16 and 3/17
<Loqi> Cwebber2 made 1 edit to Socialwg/2016-03-29 https://www.w3.org/wiki/index.php?diff=97979&oldid=97977
eprodrom: i think this covers all our administrative issues, but its worth noting that we set up a schedule for face to faces for the next 9 months
... our plan is to have them in June, Sept, and i think November
<tantek> see https://www.w3.org/wiki/Socialwg#Future_Meetings for next f2fs
eprodrom: if you were not at the F2F you should check that to see that they fit your schedule
... see link in IRC, thank you tantek
<tantek> in particular please RSVP ASAP to https://www.w3.org/wiki/Socialwg/2016-06-07
eprodrom: we have Portland in June, Lisbon in September
<tantek> (only 7 RSVPs so far https://www.w3.org/wiki/Socialwg/2016-06-07#Participation everyone should say if they can go or not)
eprodrom: maybe i can, as unfortunately both chair and editor today, you'll hear me a lot
<tantek> ack eprodrom :)
eprodrom: where we got at the F2F is that a couple of the big items for AS2 we got worked out
... conformance clause and ?
... test suite
... unfortunately by the time we got to Boston, we had a number of issues that arose
... our current list is 13 issues, we addressed a number of these at f2f
... a majority of the ones tha required input from the group we resolved
... unfortunately some of them, the main editor who was not participating in boston, -1'd them and so we may have to resolve some of those again
eprodrom: it comes down to an issue of an editor is opposed to a group resolution so i suggest we re-open some of these issues and try to resolve them again
... i think james is not on the call
<Zakim> tantek, you wanted to discuss procedural clarification
eprodrom: I think that we pushed these forward while james wasn't there, he pushed back on them, and I'd like to come to a resolution with him on these, if we can't we'll have to figure out the proceedure
tantek: for w3c, we do try to get consensus, we try to get the dissenter to explain their position. Its possible that person has found a flaw that no one else sees
... when they present that, often others see the issue and change their vote
... if after the explanation, no one else is still opposed, after that it becomes an issue for the chairs and a chair can declare consensus and just note the official objection
... but to do that we need james to call in
... the next step would be to get james to commit to a specific telcon where he can call in and give his explanation, we really need him to explain it himself, since there is usually back and forth
... if he is not on the call, that falls to the chair, to decide how long to wait and if it runs too long we have to make a judgement call on that
... maybe we could action you evan to contact james
<Loqi> Tantekelik made 1 edit to Socialwg/2016-03-29 https://www.w3.org/wiki/index.php?diff=97980&oldid=97979
eprodrom: that sounds good, i'll take it as an action on myself to get in contact with james and try to resolve these
... if we can get these resolutions done the rest is just editorial issues
tantek: and remind james that these are blocking CR for us, so the sooner he can get them done, the better
eprodrom: hopefully we can get james in for next weeks telcon
... hopefully we can get some resolutions online
status of as2 test suite
i think this is a left-over from before, as we haven't had much movement in the past two weeks
eprodrom: i gave a demo at f2f, there is still quite a bit of work to be done as far as making it look better and such, but it is at a usable point for people to test their as2 documents
eprodrom: at the f2f we felt this met our needs for our test suite. I think there is some additional work that is going to go on there. There are a few open issues that i will link in IRC, but thats going to be an ongoing developement effort
... any questions about validator or test suite?
... hearing none, lets move on
document status for our various documents
eprodrom: we've already discussed as2 lets start discussing other documents
... i'm not sure it makes sense to just highlight changes in the last week
... i note that aaronpk has added a seperate discussion item around webmention
... for any of the OTHER documents, have we had any significant developements since 2 weeks ago
aaronpk: with micropub i don't have a new draft published, but i do have an editors draft with the combined micropub and activitypub syntax. I'd say it is very much in progress right now
eprodrom: excellent and you are coordinating with amy chris and jessica about that?
... do you need anything else from us?
eprodrom: anything for activitypub?
<annbass> aaronpk -- I'll be happy to edit your new draft (for 'English'), when it's ready
tsyesika: we have done some work, but we have been busy and have not had a chance to close all the issues YET
<aaronpk> thanks ann!
eprodrom: lets move on to webmentions
aaronpk: i published a new draft of webmention with things we disucssed (links new version)
... its not a huge change but there is a bunch of language and phrasing clarification, some of that thanks to annbass.
... there is a new section about sending webmentions when you edit posts
... there is a new section on conformance criteria
... and the note about not sending to localhost
... and the note about turning field names in to URIs
... those are the summary of changes in this draft
eprodrom: and this is a live WD, FANTASTIC
... thats a good step forward for us
... are there other issue around WM we need to discuss
aaronpk: yes, i used our new labels and went through all old issues and added appropriate labels to them
aaronpk: in doing that there were a couple that were marked for review by the group
... i wanted to get some group feedback on this
<Loqi> Tantekelik made 1 edit to Socialwg/2016-03-29 https://www.w3.org/wiki/index.php?diff=97981&oldid=97980
aaronpk: issue 20 is a challenging one, we talked about this at F2F, said its similar to how HTML loads external resources, and its actually slightly different in that is does POST not just perform GET
... i am not sure how to word the security warning
... its really an issue about systems outside of webmention
... anyone have any suggestions?
tantek: i just read the updates on the issue, and in terms of the post vs get. There is one more place in HTML you can get similar data. That is Forms. its possible to POST cross site that way
... and presumably HTML has to say something about that
... we could just reference HTML and say that it follows HTMLs security concerns
aaronpk: okay, i can take a look at that and hope i find something there
<KevinMarks> is xmlhttprequest relevant too?
eprodrom: yeah, i'm just wondering if we can make this more general as tantek suggests. I don't think describing each and every possibility is worth it. but noting that a sender can get anyone to post to
... something like "this is an URL that someone is giving to you, and you can't fully trust that"
tantek: its acting just like a browser would when doing a cross-site form POST
... and maybe we just say we should follow the same method browsers use
... at least implementers can look at that as a starting point
eprodrom: it would be nice to find some common language and point to that rather than having to rewrite it all in webmention
tantek: exactly, thats why i say point to HTML unless someone can come up with some way that its actually different
eprodrom: aaronpk, with webmention, are there other issues?
aaronpk: one more
aaronpk: #14, the thread is long but the end of it describes it, basically webmention only requires that source and target exist and doesn't use anything else. Right now there is no access token or cookies or anything
... there is a concern that if a webmention request accidently does have credentials in it, someone might be committed to something they might not be aware of
... however i don't want to disallow tokens, as it will be important for private webmentions
tantek: this happens in CSS a lot, there is some potentially advanced feature that we are not ready for, but we want to allow for, but its to put in a note saying this spec does not define any handling for webmentions that may have additional headers such as authentication headers such as ... etc
... by specifically saying that the spec doesn't specify any special handling, you are basically saying If you implement with them, thats fine
... that leave the possibility open
... just say "this specification does not define ....."
aaronpk: will that handle the origianl issue? is sandro on the call since he commented on it before.
eprodrom: i'm not sure i understand, leaving authentication open, or unspecified, i'm not sure i understand henry's point here, can you break that down?
aaronpk: i can try. He is saying that there is a risk of (as source and target are not uris) the target page could use query parameters in the webmention url you could send any specific values you want
eprodrom: so he wants to disallow authentication why?
aaronpk: no its that it could generate a generic post to some endpoint that could do some action
eprodrom: ahh, i see, if you are logged in, you browser could send your cookies etc
... so if i provide the webmention URL that could be set to "friend someone on facebook" etc
... i've always thought of webmention for server to server only
<Zakim> tantek, you wanted to also note webmention forms people are using on their blogs
aaronpk: me too, but its possible that the server could include cookies
tantek: there is also a growing practice by many to include a form on their site that says "paste your URL here to send me a webmention"
... to allow people who don't support webmention yet to still send a webmention. thats the one existing scenario i know of where there is a browser sending a webmention
... so maybe thats worth mentioning that its only to the site its on
... thats again something that seems HTML level, and not specific for webmention
aaronpk: thats exactly html, this is a standard XSS issue. so maybe the solution is the same as issue 20 which is about preventing these cross site posts
eprodrom: i think thats probably best, saying there is a possibility of XSS here and take necerssary precautions to avoid that
... i realize the issues tend to be pretty esoteric, but thats probably a good sign that we covered the low hanging fruit
... thats the end of the agenda for today, any other discussion items for today?
scribe: i can get into tracker but i don't think there is anything new there
hearing nothing, we can... oh, tantek?
<eprodrom> Arnaud: ?
<Arnaud> I am
tantek: i thought i saw arnaud on the call maybe we can get it resolved now who is chairing next week?
Arnaud: yes, i can do it next week
<annbass> thanks Evan and Ben!
<eprodrom> Thanks for scribing, ben_thatmustbeme
trackbot, end meeting
<Loqi> ben_thatmustbeme has 137 karma