<pimpbot> planet: How to evaluate Web Applications security designs? <http://www.w3.org/QA/2008/12/web_applications_security_requ.html>
@planet
<pimpbot> MikeSmith: How to evaluate Web Applications security designs? <http://www.w3.org/QA/2008/12/web_applications_security_requ.html> ** HTML5 Parsing in Gecko: A Build <http://hsivonen.iki.fi/html5-gecko-build/> ** HTML5 in Gecko <http://intertwingly.net/blog/2008/12/03/HTML5-in-Gecko> ** WebKit's week - #6 <http://hanblog.info/blog/post/2008/11/28/WebKit-s-week-6> ** Dev.Opera: Creating pseudo (16 more messages)
<phenny> Wed, 03 Dec 2008 23:33:37 EST
<phenny> Thu, 04 Dec 2008 06:19:54 CET
heycam: what's the timezone abbreviation for where you are?
<heycam> it's EST
<heycam> which unfortunately clashes with US EST :)
<heycam> sometimes people use AEST
<heycam> "Australia/Melbourne" works, too
<heycam> with e.g.: $ TZ=Australia/Melbourne date
<heycam> (which is how i usually determine the current time somewhere)
<heycam> tho actually it's DST here.... so make that EDT or AEDT
<phenny> Thu, 04 Dec 2008 15:48:58 AEST
<pimpbot> planet: Compatibility View Improvements to come in IE8 <http://blogs.msdn.com/ie/archive/2008/12/03/compatibility-view-improvements-to-come-in-ie8.aspx>
<phenny> MikeSmith: Sorry, I don't know about the 'DST' timezone.
<phenny> Thu, 04 Dec 2008 16:49:29 AEDT
<heycam> cool
http://dev.opera.com/articles/view/presto-2-2-and-opera-10-a-first-look/#selectorsapi
<pimpbot> Title: Presto 2.2 and Opera 10 — a first look - Opera Developer Community (at dev.opera.com)
<anne> oh right
<anne> DanC, I tried commenting on your QA blog entry btw
<DanC> ah; good. I prolly should have sent mail to the webapps comments list 1st
<anne> oh, we've got feed readers
trackbot, start meeting
<trackbot> Date: 04 December 2008
<ChrisWilson> wow, that's weird.
<ChrisWilson> Mike, are you joining on the telephone?
ChrisWilson: yeah, in one minute
<Julian> agenda: maybe the charter issue?
Julian: charter issue?
<pimpbot> Title: HTML WG telcon 2008-12-04 - headers attribute, Origin header from Michael(tm) Smith on 2008-12-03 (public-html-wg-announce@w3.org from October to December 2008) (at lists.w3.org)
<scribe> Scribenick: MikeSmith
[no additions to agenda]
Joshue: we are basically waiting until Hixie makes movement on this
... we could talk about Ben Millard's recent messages [but perhaps not necessary]
http://lists.w3.org/Archives/Public/public-html/2008Dec/0004.html
<pimpbot> Title: Comparison of Smart Headers and HTML5 (ACTION-85) from Ben Millard on 2008-12-01 (public-html@w3.org from December 2008) (at lists.w3.org)
<DanC> ACTION-84?
<trackbot> ACTION-84 -- Joshue O Connor to prepare status report on @headers discussion by next week -- due 2008-11-19 -- OPEN
<trackbot> http://www.w3.org/html/wg/tracker/actions/84
<pimpbot> Title: ACTION-84 - HTML Weekly Tracker (at www.w3.org)
<DanC> action-84: http://lists.w3.org/Archives/Public/public-html/2008Dec/0004.html
<pimpbot> Title: Comparison of Smart Headers and HTML5 (ACTION-85) from Ben Millard on 2008-12-01 (public-html@w3.org from December 2008) (at lists.w3.org)
<trackbot> ACTION-84 Prepare status report on @headers discussion by next week notes added
Joshue: that action is done and can be closed (action 84)
<Lachy> hi
<DanC> action-85?
<trackbot> ACTION-85 -- Ben Millard to compare "Smart Headers" with HTML5 algorithm -- due 2008-12-01 -- OPEN
<trackbot> http://www.w3.org/html/wg/tracker/actions/85
<pimpbot> Title: ACTION-85 - HTML Weekly Tracker (at www.w3.org)
DanC: looking at action-85, I see a forward from Laura Carlson
... saw an admin message that Laura Carlson had left the group. Do we know why?
Joshue: I think she's had some other things that are taking a lot of her time.
DanC: somewhere in WCAG 2.0, there's an example of this technique
Joshue: otoh, dunno
<DanC> (photo of Ben? have I met him?)
<Lachy> DanC, photos of Ben here http://projectcerbera.com/me/
<pimpbot> Title: About Me - Project Cerbera (at projectcerbera.com)
<pimpbot> Title: Site Surgeon (at sitesurgeon.co.uk)
<DanC> found the example from wcag 2 http://www.w3.org/TR/WCAG20-TECHS/H43.html
Ben Millard ↑
<pimpbot> Title: H43: Using id and headers attributes to associate data cells with header cells in data tables | Techniques for WCAG 2.0 (at www.w3.org)
DanC: Joshue, can you take a look at that (H43)?
[Joshue takes a look]
DanC: I understand that represents something that is fairly widely practiced.
... so Ben's comparison doesn't say anything one way or the other about H43?
Joshue: yeah
<DanC> issue-20?
<trackbot> ISSUE-20 -- Improvements to the table-headers algorithm in the HTML 5 spec -- OPEN
<trackbot> http://www.w3.org/html/wg/tracker/issues/20
<pimpbot> Title: ISSUE-20 - HTML Weekly Tracker (at www.w3.org)
Joshue: but worth looking at, definitely .. relevant to what we're doing
DanC: I understand that people marking up complex financial data use that technique
<DanC> my earlier work where I got a thumbs-down from a validator: http://lists.w3.org/Archives/Public/public-html/2008Jun/0334.html
<pimpbot> Title: headers on th too or just td? from Dan Connolly on 2008-06-26 (public-html@w3.org from June 2008) (at lists.w3.org)
<Joshue> +q
MikeSmith: Hixie has the ball on this.
<DanC> action-87?
<trackbot> ACTION-87 -- Michael(tm) Smith to ensure Ian Hickson follows up on semantics-tables messages -- due 2008-12-04 -- OPEN
<trackbot> http://www.w3.org/html/wg/tracker/actions/87
(MikeSmith is supposed to have an action on this.)
<pimpbot> Title: ACTION-87 - HTML Weekly Tracker (at www.w3.org)
<DanC> action-87 due next week
<trackbot> ACTION-87 Ensure Ian Hickson follows up on semantics-tables messages due date now next week
Joshue: comparison of smart-headers algo to HTML5 is valuable, but we still have the issue of how to mark up.. two separate issues
<DanC> (two separate issues? hmm. I'm not following closely enough to see that.)
Joshue: HTML5 still does not allow chained headers, and without that, it's difficult to mark up complex tables
<Lachy> The smart headers algorithm handles that H43 without the headers attribute
Joshue: there are some different suggestions on the wiki about how to mark up chained headers
<anne> (you blogged about it)
<Lachy> what's this origin stuff about?
close action-84
<trackbot> ACTION-84 Prepare status report on @headers discussion by next week closed
<anne> Lachy, I'm guessing it's about the HTTP header defined by Access Control
<Lachy> oh
<abarth> (i'm on the call, btw)
<anne> hey abarth!
<abarth> hi anne
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017593.html
<pimpbot> Title: [whatwg] CSRFs and Origin header and s (at lists.whatwg.org)
<collinjackson> I'm on the call too
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/thread.html#17593
<pimpbot> Title: The whatwg November 2008 Archive by thread (at lists.whatwg.org)
http://crypto.stanford.edu/websec/specs/origin-header/
<pimpbot> Title: Origin Header for CSRF Mitigation (at crypto.stanford.edu)
"This document describes the use of the Origin header for mitigating cross-site request forgery (CSRF) vulnerabilities in web sites. To help sites defend against CSRF attacks, user agents send an Origin header with HTTP requests that identifies the origin that initiated the request. If the user agent cannot determine the origin, the user agent sends the value null."
scribe: "I'm not sure if the HTTP spec is the most appropriate place because the spec has a dependency on HTML 5 to compute the ASCII serialization of the origin."
<DanC> compute it from what, I wonder. sigh. struggling to keep up
<abarth> DanC compute it from a URL
<anne> well, from an origin
<DanC> ah. thanks. clearly that can be separated from HTML
Julian: HTTPbis wg is not chartered to add anything new to the protocol
... so it would not be a work item of the HTTPbis WG
<anne> and origin depends on browsing contexts and scripting contexts and such
<DanC> compute an origin from an origin?
Julian: we would need to talk to one of the App Area directors
<anne> you compute a serialization
<DanC> ok
Julian: isn't Lisa D. in the loop on this already?
MikeSmith: yeah, I think so.
abarth: basic idea is to help sites defend themselves against CSRF attacks
... there are some issues on trying to do this with the Referer header
<DanC> (how does/would Referer mitigate CSRF attacks? I'm short a few clues.)
abarth: there's an experimental implementation in WebKit
<anne> (Referer is often filtered out or simply not included as it includes privacy-sensitive path information)
abarth: the Referer header implicates who sent the request
<DanC> (attacker.com sends a request to victim.net via browser... referer shows victim.net that request comes from attacker.com)
<collinjackson> Julian: null is not a valid URL, so it's not really ambiguous
abarth: Origin in that case would point to attacker.com
<anne> collinjackson, in theory it could be a valid origin, no?
<Julian> collinjackson: I'd prefer something like: "none" | "<" URL ">"
<anne> collinjackson, sorry, nm me
abarth: when you include a script, it becomes part of the current document
... just as if you embedded it in the document
... there are some situations where the UA gets confused about what the origin is
... attacker can cause a Referer header to be omitted from a request
... Origin solves that problem by adding two states
<anne> Julian, either way is unambiguous
<DanC> "If the user agent issues an HTTP request to one origin in response to an HTTP redirect from another origin, that HTTP request MUST NOT include a non-null Origin header. If the redirected request had an Origin header, the user agent SHOULD include a null Origin header in the request to the new origin."
<DanC> -- http://crypto.stanford.edu/websec/specs/origin-header/
<pimpbot> Title: Origin Header for CSRF Mitigation (at crypto.stanford.edu)
<Lachy> http://www.w3.org/TR/access-control/
<pimpbot> Title: Access Control for Cross-Site Requests (at www.w3.org)
<Lachy> DanC, http://www.w3.org/TR/access-control/#origin0
<pimpbot> Title: Access Control for Cross-Site Requests (at www.w3.org)
<anne> (The header is defined in the Access Control for Cross-Site Requests specification, see link above. Depends on origin definition in HTML5 though.)
http://html5.org/tools/web-apps-tracker?from=2524&to=2525
<pimpbot> Title: (X)HTML5 Tracking (at html5.org)
<DanC> (did the Origin: header appear in drafts previous to 12 September 2008 ? )
<DanC> (I'm getting a better understanding of why hixie's spec was called "Web Applications")
<DanC> I don't see "origin" in the draft of 17 May 2006 http://www.w3.org/TR/2006/WD-access-control-20060517/
<pimpbot> Title: Authorizing Read Access to XML Content Using the Processing Instruction 1.0 (at www.w3.org)
collinjackson: it was called Access-Control-Origin
<Julian> http://www.w3.org/TR/2008/WD-access-control-20080214/#access-control-origin0
collinjackson: before
<pimpbot> Title: Access Control for Cross-site Requests (at www.w3.org)
<anne> Access-Control-Allow-Origin is the "new" response header
<anne> fwiw
<DanC> (I don't see anything like origin: in any WD-access-control drafts previous to 20080912 )
Julian: it doesn't seem like a very HTML-related feature to me
... seems generic to HTTP
... if it's standardized, it should be outside the HTML5 spec
abarth: it relates closely to HTML5 because it depends on HTML5 for the definition of "origin"
<Lachy> http://www.whatwg.org/specs/web-apps/current-work/multipage/#origin
<pimpbot> Title: HTML 5 (at www.whatwg.org)
<DanC> (what does SVG do about this stuff?)
<anne> DanC, currently not much
<DanC> anybody know the rules for the HTTP header registry?
<anne> meh, it seems I can't speak
<abarth> DanC, my understanding is that the header is already registered
<anne> afaict the SVG situation is like HTML4
<anne> details are not defined and browser vendors are inventing some kind of security model on top of it, using same origin and such for some features
Julian: has Thomas Roessler been involved in this discussion?
MikeSmith: he's aware of it, I've talked with him a bit
tlr: can you join the call briefly?
<DanC> well, abarth , origin: is not registered in http://www.iana.org/assignments/message-headers/perm-headers.html
<pimpbot> Title: IANA | Permanent Message Header Field Registry (at www.iana.org)
<DanC> I do see http://www.iana.org/assignments/message-headers/prov/access-control-allow-origin
<anne> DanC, that was because IANA messed up
<anne> DanC, and they didn't reply to my follow-up e-mail so I guess I should try again at some point
<DanC> is your follow-up email archived? I could perhaps escalate
<anne> is iana@iana.org archived?
<Julian> anne: what did they mess up? Are you complaining about the inability to unregister the old header name?
tlr: the change to the HTML5 draft states what the Origin header should be set to under certain circumstances ...
<anne> Julian, I'm complaining about them not registering a header that was in the registration template that's even archived on their site
tlr: does not seem useful for those needing to deploy support on the server side
<anne> (I'm also annoyed by the not being able to unregister, but that's separate.)
tlr: more needs to be done for this, and it would be better not to put it all in the HTML5 spec
<DanC> I don't know of an archive for iana@iana.org, but there's some "datatracker" thingy that the IETF seems to be pretty good about w.r.t. accountability
<anne> I can probably dig up the message number IANA gives back
<DanC> my experience with iana@iana.org is that it's sort of notoriously unreliable.
tlr: I think there are a number of critical parties to this discussion, many of them are on this call
<anne> (ticket number for my latest e-mail is 206755)
tlr: we need to give the HTTP WG an opportunity to review this
... my conclusion is that it needs to be a document of its own
<DanC> ACTION: DanC to look into anne's ticket 206755 from iana@iana.org somewhat related to http://www.iana.org/assignments/message-headers/prov/access-control-allow-origin [recorded in http://www.w3.org/2008/12/04-html-wg-minutes.html#action01]
<trackbot> Created ACTION-88 - Look into anne's ticket 206755 from iana@iana.org somewhat related to http://www.iana.org/assignments/message-headers/prov/access-control-allow-origin [on Dan Connolly - due 2008-12-11].
<collinjackson> tlr: would it be useful to write this up as an RFC?
<anne> isn't there buy in already?
<tlr> collin, don't know whether it's more useful to do this as an RFC than a Rec
<DanC> (that's a slight abuse of the HTML WG tracker, but if we just leave it to my memory, I'm not confident I'll remember)
<tlr> anne, mostly, but it makes sense to run it through a process to make sure we're not mistaken about that point.
<DanC> . http://www.w3.org/html/wg/tracker/products/2
<pimpbot> Title: Details on Product HTML Principles/Requirements - HTML Weekly Tracker (at www.w3.org)
MikeSmith: Adam, would you be willing to act as editor for a spec for this if we made it a work item in the WebApps WG?
<DanC> issue-63?
<trackbot> ISSUE-63 -- Origin header: in scope? required for this release? -- RAISED
<trackbot> http://www.w3.org/html/wg/tracker/issues/63
<pimpbot> Title: ISSUE-63 - HTML Weekly Tracker (at www.w3.org)
abarth: Yes
<DanC> ah. spif. thanks, adam
<DanC> mike, wanna make that an action re issue-63? that might help my tiny brain
<scribe> ACTION: MikeSmith to make a proposal to the WebApps WG that we take this on as a work item there, with Adam Barth as the editor [recorded in http://www.w3.org/2008/12/04-html-wg-minutes.html#action02]
<trackbot> Created ACTION-89 - Make a proposal to the WebApps WG that we take this on as a work item there, with Adam Barth as the editor [on Michael(tm) Smith - due 2008-12-11].
[none]
next week's call will be at the regular time, with MikeSmith chairing
[adjourned]
<dsinger> bah
abarth, collinjackson : thanks for being on. will follow up with you early next week
<anne> maybe people didn't understand that this was a problem specific with form submission for which HTML is a pretty good place to solve the problem given that only HTML has this problem?
<abarth> MikeSmith: sounds good
<anne> I don't really see why a separate document for this is needed
<abarth> anne: yeah, it seems very HTML-related to me
<anne> vendors want this, authors want this, bureaucrats may or may not, but that shouldn't really matter :p
heh
I think taking it to WebApps for discussion, if the WebApps WG thinks it should just be done in HTML5, we come back
<tlr> anne, you forgot "bureaucrats" want this, too. ;-)
<phenny> Fri, 05 Dec 2008 03:06:10 JST
<Julian> Anne: I'd like to understand the expectation about server implementations a bit better...
<Julian> Is this some kind of opt-in? That is, if my server doesn
Scribe: MikeSmith
Regrets: ShawnMedero DaveSinger
Agenda: http://lists.w3.org/Archives/Public/public-html-wg-announce/2008OctDec/0011.html
Date: 04 Dec 2008
Minutes: http://www.w3.org/2008/12/04-html-wg-minutes.html
People with action items: DanC MikeSmith