IRC log of webappsec on 2012-12-04

Timestamps are in UTC.

21:53:09 [RRSAgent]: RRSAgent has joined #webappsec
21:53:09 [RRSAgent]: logging to http://www.w3.org/2012/12/04-webappsec-irc
21:53:33 [bhill]: Meeting: WebAppSec Teleconference 4 Dec 2012
21:53:38 [bhill]: Chair: bhill2, ekr
21:53:55 [bhill]: Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Dec/0006.html
21:55:50 [Zakim]: SEC_WASWG()5:00PM has now started
21:55:57 [Zakim]: + +1.801.701.aaaa
21:56:49 [imelven]: imelven has joined #webappsec
21:56:59 [Zakim]: +[IPcaller]
21:57:12 [Zakim]: +[Mozilla]
21:57:16 [Zakim]: + +1.866.317.aabb
21:57:21 [bhill]: zakim, IPcaller is bhill
21:57:21 [Zakim]: +bhill; got it
21:57:33 [jeffh]: zakim, aabb is jeffh
21:57:33 [Zakim]: +jeffh; got it
21:57:38 [tanvi]: Zakim, Mozilla is ekr, abarth, imelven, and tanvi
21:57:38 [Zakim]: I don't understand you, tanvi
21:57:46 [tanvi]: yes, I figured you wouldn't Zakim
21:58:03 [ekr]: ekr has joined #webappsec
21:58:05 [bhill]: :)
21:58:08 [tanvi]: Zakim, Mozilla is ekr | abarth | imelven | tanvi
21:58:08 [Zakim]: I don't understand you, tanvi
21:58:18 [jeffh]: i think it was the "and"
21:58:20 [bhill]: +present ekr
21:58:27 [bhill]: hmm... that doesn't work either
21:58:41 [tanvi]: Zakim, Mozilla is ekr,abarth,imelven,tanvi
21:58:41 [Zakim]: +ekr,abarth,imelven,tanvi; got it
21:58:50 [jeffh]: there u go
21:59:05 [Zakim]: +??P4
21:59:19 [gioma1]: zakim, ??P4 is gioma1
21:59:19 [Zakim]: +gioma1; got it
22:00:45 [Zakim]: + +1.508.574.aacc
22:00:57 [mkwst]: Trying to get in. Zakim doesnt like me. :/
22:01:25 [jimio]: ^^ 508.574 is me... jim o'leary from twitter
22:01:37 [Zakim]: +??P6
22:01:37 [bhill]: zakim, aacc is jimio
22:01:38 [Zakim]: +jimio; got it
22:02:06 [mkwst]: zakim, ??P6 is mkwst.
22:02:06 [Zakim]: +mkwst; got it
22:02:09 [Zakim]: + +1.978.944.aadd
22:02:42 [bhill]: zakim, aadd is gopal
22:02:42 [Zakim]: +gopal; got it
22:02:53 [bhill]: zakim, who is here?
22:02:53 [Zakim]: On the phone I see +1.801.701.aaaa, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, mkwst, gopal
22:02:55 [Zakim]: On IRC I see ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:03:30 [bhill]: zakim, aaaa is abresee
22:03:31 [Zakim]: +abresee; got it
22:04:19 [abarth]: abarth has joined #webappsec
22:04:26 [abarth]: Hi
22:04:56 [ekr]: zakim, who is here?
22:04:56 [Zakim]: On the phone I see abresee, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, mkwst, gopal
22:04:58 [Zakim]: On IRC I see abarth, ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:05:56 [jeffh]: I got scribe
22:07:00 [jeffh]: bhill: hearing no objections, minutes sent to list yesterday are approved
22:07:15 [jeffh]: bhill: agenda bash....? no updates to agenda.
22:07:22 [bhill]: CORS test status: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0098.html
22:07:25 [jeffh]: bhill: CORS test status
22:08:15 [jeffh]: <not hearing Odin nor Gopal>
22:08:20 [Zakim]: +[IPcaller]
22:08:25 [jeffh]: bhill steps into breech
22:09:16 [jeffh]: bhill: recounts test rates; search email archives for this group and find link for an oracle vbox VM that contains test environment
22:09:51 [jeffh]: bhill: need to have test suite fully approved to go to next maturity level
22:10:08 [jeffh]: bhill: thinks we need to goto candidate rec, then goto proposed rec
22:11:12 [jeffh]: gopal: there's some discrepancy between tests i've run and ones on w3 test server..... concerned about not getting complete test coverage....
22:11:34 [jeffh]: bhill: followup with Mike Smith on w3 test servers?
22:11:47 [bhill]: ACTION gopal to follow up with Mike Smith at w3c on test server config, re: Options headers, etc.
22:11:47 [trackbot]: Created ACTION-101 - Follow up with Mike Smith at w3c on test server config, re: Options headers, etc. [on Gopal Raghavan - due 2012-12-11].
22:12:20 [bhill]: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0072.html
22:13:02 [abarth]: Yay
22:13:08 [jeffh]: bhill: wrt CfC on advancing CORS to candidate rcmd --- any objections? -- hearing none, we will advance CORS
22:13:08 [bhill]: no objections to CORS advancing
22:13:21 [bhill]: RESOLVED: Advance Cross-Origin Resource Sharing to Candidate Recommendation
22:13:27 [jeffh]: <applause, cheers>
22:13:36 [bhill]: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0112.html
22:13:40 [jeffh]: bhill: CfC on new charter
22:13:54 [Zakim]: -gopal
22:15:04 [jeffh]: bhill: members should do be prepared to make IPR commitments wrt new deliverables in new charter, discuss with IPR counsel as approp, eg SubResource Integrity, hence keeping this CfC open until mid-Jan
22:15:53 [jeffh]: bhill: any objections to canceling first meeting in Jan, and instead having first 2013 meeting be 15-Jan (and be deadline for charter CfC)? didn't hear any objections, so be it
22:16:50 [Zakim]: + +1.503.712.aaee
22:16:54 [Zakim]: -mkwst
22:17:05 [mkwst]: ugh.
22:17:09 [bhill]: zakim, aaee is rware
22:17:09 [Zakim]: +rware; got it
22:17:24 [Zakim]: +??P6
22:17:31 [bhill]: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0105.html
22:17:34 [mkwst]: zakim, ??P6 is mkwst.
22:17:34 [Zakim]: +mkwst; got it
22:17:53 [jeffh]: bhill: the sub resource integrity work (SRI) will most likely invent various new HTML attrs that will need to be mapped to various HTML tags and so will need HTML WG liaison, we're missing the HTML5 train, but can likely get on the next revision train
22:18:14 [jeffh]: next topic: DOM Event on CSP violation
22:18:25 [jeffh]: (did we skip CfC: CSP 1.1 to FPWD ?)
22:18:35 [dveditz]: dveditz has joined #webappsec
22:18:48 [bhill]: whoops - yes!
22:18:50 [jeffh]: mkwst: < recounts basic idea >
22:19:37 [jeffh]: mkwst: folks more or less agee it seems about having a DOM event for violations, there's various subtle issues, and whether info is included in reports
22:21:03 [abresee]: Not me
22:21:08 [jimio]: me :)
22:21:15 [jeffh]: jimio -- see http://www.w3.org/2011/webappsec/track/issues/open
22:22:05 [jeffh]: zakim, who is speaking?
22:22:17 [mkwst]: jeffh: jimio.
22:22:19 [Zakim]: jeffh, listening for 10 seconds I could not identify any sounds
22:22:25 [jeffh]: heh
22:22:41 [dveditz]: Zakim, who is here?
22:22:41 [Zakim]: On the phone I see abresee, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, [IPcaller], rware, mkwst
22:22:43 [Zakim]: On IRC I see dveditz, abarth, ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:22:44 [jeffh]: jimio: recounts how using CSP stuff
22:23:10 [dveditz]: Zakim, [IPcaller] is dveditz
22:23:10 [Zakim]: +dveditz; got it
22:23:23 [jeffh]: abarth: wrt goog's experimentation, if csp violations xlated to dom events, easier to capture to reports (? scribed correctly?)
22:23:56 [ware]: ware has joined #webappsec
22:23:59 [jeffh]: who was that?
22:24:58 [jeffh]: mkwst: some implr's think if get info via dom event, then can send it to subsys that already understands dom evnts, rather than custom code parsing of csp policy violations themselves
22:25:56 [jeffh]: mkwst: would be happy to impl as a "csp event" on doc object, rather than overload dom evnt
22:26:19 [jeffh]: abarth: write it up as strawman?
22:26:28 [jeffh]: mkwst: will take that action and work with dveditz
22:26:44 [bhill]: ACTION mkwst to write up strawman for event on violation of CSP, coordinate w/dveditz
22:26:44 [trackbot]: Sorry, couldn't find mkwst. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
22:26:58 [mkwst]: mwest2
22:27:07 [bhill]: ACTION mwest2 to write up strawman for event on violation of CSP, coordinate w/dveditz
22:27:08 [trackbot]: Created ACTION-102 - Write up strawman for event on violation of CSP, coordinate w/dveditz [on Mike West - due 2012-12-11].
22:27:27 [jeffh]: CfC: CSP 1.1 to FPWD
22:28:12 [jeffh]: bhill: any objections to advancing CSP 1.1 to FPWD ? hearing none, so be it
22:28:19 [bhill]: RESOLVED: Advance CSP 1.1 to First Public Working Draft
22:28:19 [jeffh]: <applause, cheers>
22:28:55 [bhill]: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html
22:29:05 [jeffh]: UI Obstruction check
22:29:19 [jeffh]: bhill: raised by one Fred Andrews
22:30:06 [jeffh]: bhill: is this an actual concern as described?
22:30:20 [jeffh]: < several folks>: short answer: yes
22:31:04 [jeffh]: bhill: continues reading the mail msg
22:31:59 [gioma1]: http://www.w3.org/TR/UISafety/#unsafe-attribute-for-the-uievent-interface
22:32:03 [jeffh]: bhill: have tried to not have any user interactions in that spec for various reasons -- is this just a "recognized hazard" we should provide advice about in the spec? <no answer>
22:32:28 [dveditz]: echo echo
22:32:38 [dveditz]: whoever just joined or unmuted please fix it
22:33:03 [jeffh]: bhill: I'll take action to try to answer this;
22:33:09 [dveditz]: someone dropped bhill into a subway tunnel
22:33:16 [bhill]: ACTION bhill2 to follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute
22:33:16 [trackbot]: Created ACTION-103 - Follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute [on Brad Hill - due 2012-12-11].
22:33:27 [jeffh]: dveditz: do we put the manhole cover back on now?
22:33:28 [bhill]: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0100.html
22:33:34 [dveditz]: Zakim, who is here?
22:33:34 [Zakim]: On the phone I see abresee, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, dveditz, rware, mkwst
22:33:35 [jeffh]: A11y review for anti-clickjacking
22:33:36 [Zakim]: On IRC I see ware, dveditz, abarth, ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:33:45 [jeffh]: A11y apparently means: ?
22:33:49 [ekr]: Accessibility
22:33:51 [mkwst]: accessibility
22:34:07 [ekr]: sunday...sunday...sunday....
22:34:18 [mkwst]: s4y
22:34:23 [jeffh]: bhill: < recounts concerns, in echo chamber>
22:34:26 [dveditz]: now it's more like the PA at the stadium
22:34:31 [ekr]: w3c....c...c...c...
22:35:06 [tanvi]: please everyone mute
22:35:10 [bhill]: zakim, who is making noise?
22:35:14 [jeffh]: bhill: <poses long question>
22:35:24 [Zakim]: bhill, listening for 10 seconds I heard sound from the following: bhill (94%), mkwst (81%)
22:35:32 [Zakim]: -mkwst
22:35:38 [dveditz]: yay
22:35:39 [dveditz]: thx
22:35:49 [mkwst]: I'm muted, but I'll reconnect. sorry.
22:35:54 [jeffh]: bhill: if i have accessiblity tech added to UI Safety directive, need way to turn that (?) off in case the accessbility stuff messes things up (?)
22:35:56 [dveditz]: it's fine now
22:35:59 [mkwst]: voip is hard. :/
22:36:00 [dveditz]: mkwst
22:36:26 [jeffh]: abarth: need to check with folks who know about this. in chrome it's done via the extension system
22:36:31 [dveditz]: mkwst: I've found sometimes with Skype if I mute in the headset I can still get echo and instead I need to mute using skype itself
22:36:43 [jeffh]: abarth: UI team needs to be invoved in chrome world
22:36:46 [dveditz]: the application is adding noise all on its own (feedback?)
22:37:07 [jeffh]: bhill: would like to get info from them about this
22:37:25 [Zakim]: +??P6
22:37:32 [mkwst]: zakim, ??P6 is mkwst.
22:37:32 [Zakim]: +mkwst; got it
22:37:37 [jeffh]: abarth: suspect that accsbility tools have their own UI, but need to check on it
22:38:12 [bhill]: ACTION abarth to follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility
22:38:12 [trackbot]: Created ACTION-104 - Follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility [on Adam Barth - due 2012-12-11].
22:38:29 [jeffh]: Review of open actions / issues in tracker
22:38:45 [jeffh]: http://www.w3.org/2011/webappsec/track/issues/open
22:39:40 [jeffh]: bhill: haven't transcribed info from TPAC as yet, so suggest we adjourn and punt this till next time once the most esteemed chair can catch up
22:39:53 [jeffh]: any obj to adjourn?
22:40:38 [jeffh]: mkwst: great that implmentrs such as twitter here -- v. interested to hear from them wrt issues with impl'g and deploying this
22:41:00 [jeffh]: jimio: top 10 blocked url's have been chrome extensions it turns out
22:41:15 [jeffh]: abarth: have noted that, it should be getting better soon
22:41:24 [Zakim]: -rware
22:41:25 [Zakim]: -jeffh
22:41:28 [Zakim]: -jimio
22:41:30 [Zakim]: -ekr,abarth,imelven,tanvi
22:41:31 [abresee]: Thank you
22:41:31 [Zakim]: -bhill
22:41:32 [Zakim]: -mkwst
22:41:35 [Zakim]: -gioma1
22:41:35 [bhill]: zakim, list attendees
22:41:35 [jeffh]: bhill: ok, call/meeting adjourned
22:41:36 [Zakim]: As of this point the attendees have been +1.801.701.aaaa, +1.866.317.aabb, bhill, jeffh, ekr,abarth,imelven,tanvi, gioma1, +1.508.574.aacc, jimio, mkwst, +1.978.944.aadd, gopal,
22:41:36 [Zakim]: ... abresee, +1.503.712.aaee, rware, dveditz
22:41:39 [Zakim]: -abresee
22:41:43 [bhill]: rrsagent, make minutes
22:41:43 [RRSAgent]: I have made the request to generate http://www.w3.org/2012/12/04-webappsec-minutes.html bhill
22:41:45 [jeffh]: adios to all
22:41:51 [bhill]: rrsagent, set logs public-visible
22:41:59 [Zakim]: -dveditz
22:42:00 [Zakim]: SEC_WASWG()5:00PM has ended
22:42:00 [Zakim]: Attendees were +1.801.701.aaaa, +1.866.317.aabb, bhill, jeffh, ekr,abarth,imelven,tanvi, gioma1, +1.508.574.aacc, jimio, mkwst, +1.978.944.aadd, gopal, abresee, +1.503.712.aaee,
22:42:00 [Zakim]: ... rware, dveditz
22:42:05 [jimio]: ~approximately the top 10.. but it was definitely a majority. thanks all, enjoyable first meeting
22:43:24 [ware]: ware has left #webappsec
22:43:37 [ekr]: ekr has joined #webappsec
22:43:48 [Zakim]: SEC_WASWG()5:00PM has now started
22:43:55 [Zakim]: +gopal
22:44:07 [Zakim]: -gopal
22:44:08 [Zakim]: SEC_WASWG()5:00PM has ended
22:44:08 [Zakim]: Attendees were gopal
22:45:00 [ware]: ware has joined #webappsec
22:52:25 [tanvi]: tanvi has left #webappsec
22:56:18 [ware]: ware has left #webappsec
23:20:00 [ware]: ware has joined #webappsec