21:53:09 RRSAgent has joined #webappsec
21:53:09 logging to http://www.w3.org/2012/12/04-webappsec-irc
21:53:33 Meeting: WebAppSec Teleconference 4 Dec 2012
21:53:38 Chair: bhill2, ekr
21:53:55 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2012Dec/0006.html
21:55:50 SEC_WASWG()5:00PM has now started
21:55:57 + +1.801.701.aaaa
21:56:49 imelven has joined #webappsec
21:56:59 +[IPcaller]
21:57:12 +[Mozilla]
21:57:16 + +1.866.317.aabb
21:57:21 zakim, IPcaller is bhill
21:57:21 +bhill; got it
21:57:33 zakim, aabb is jeffh
21:57:33 +jeffh; got it
21:57:38 Zakim, Mozilla is ekr, abarth, imelven, and tanvi
21:57:38 I don't understand you, tanvi
21:57:46 yes, I figured you wouldn't Zakim
21:58:03 ekr has joined #webappsec
21:58:05 :)
21:58:08 Zakim, Mozilla is ekr | abarth | imelven | tanvi
21:58:08 I don't understand you, tanvi
21:58:18 i think it was the "and"
21:58:20 +present ekr
21:58:27 hmm... that doesn't work either
21:58:41 Zakim, Mozilla is ekr,abarth,imelven,tanvi
21:58:41 +ekr,abarth,imelven,tanvi; got it
21:58:50 there u go
21:59:05 +??P4
21:59:19 zakim, ??P4 is gioma1
21:59:19 +gioma1; got it
22:00:45 + +1.508.574.aacc
22:00:57 Trying to get in. Zakim doesn't like me. :/
22:01:25 ^^ 508.574 is me... jim o'leary from twitter
22:01:37 +??P6
22:01:37 zakim, aacc is jimio
22:01:38 +jimio; got it
22:02:06 zakim, ??P6 is mkwst.
22:02:06 +mkwst; got it
22:02:09 + +1.978.944.aadd
22:02:42 zakim, aadd is gopal
22:02:42 +gopal; got it
22:02:53 zakim, who is here?
22:02:53 On the phone I see +1.801.701.aaaa, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, mkwst, gopal
22:02:55 On IRC I see ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:03:30 zakim, aaaa is abresee
22:03:31 +abresee; got it
22:04:19 abarth has joined #webappsec
22:04:26 Hi
22:04:56 zakim, who is here?
22:04:56 On the phone I see abresee, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, mkwst, gopal
22:04:58 On IRC I see abarth, ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:05:56 I got scribe
22:07:00 bhill: hearing no objections, minutes sent to list yesterday are approved
22:07:15 bhill: agenda bash....? no updates to agenda.
22:07:22 CORS test status: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0098.html
22:07:25 bhill: CORS test status
22:08:15
22:08:20 +[IPcaller]
22:08:25 bhill steps into the breach
22:09:16 bhill: recounts test rates; search email archives for this group and find link for an oracle vbox VM that contains test environment
22:09:51 bhill: need to have test suite fully approved to go to next maturity level
22:10:08 bhill: thinks we need to go to candidate rec, then go to proposed rec
22:11:12 gopal: there's some discrepancy between tests i've run and ones on w3 test server..... concerned about not getting complete test coverage....
22:11:34 bhill: followup with Mike Smith on w3 test servers?
22:11:47 ACTION gopal to follow up with Mike Smith at w3c on test server config, re: Options headers, etc.
22:11:47 Created ACTION-101 - Follow up with Mike Smith at w3c on test server config, re: Options headers, etc. [on Gopal Raghavan - due 2012-12-11].
22:12:20 http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0072.html
22:13:02 Yay
22:13:08 bhill: wrt CfC on advancing CORS to candidate rcmd --- any objections? -- hearing none, we will advance CORS
22:13:08 no objections to CORS advancing
22:13:21 RESOLVED: Advance Cross-Origin Resource Sharing to Candidate Recommendation
22:13:27
22:13:36 http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0112.html
22:13:40 bhill: CfC on new charter
22:13:54 -gopal
22:15:04 bhill: members should be prepared to make IPR commitments wrt new deliverables in new charter, discuss with IPR counsel as approp, eg SubResource Integrity, hence keeping this CfC open until mid-Jan
22:15:53 bhill: any objections to canceling first meeting in Jan, and instead having first 2013 meeting be 15-Jan (and be deadline for charter CfC)? didn't hear any objections, so be it
22:16:50 + +1.503.712.aaee
22:16:54 -mkwst
22:17:05 ugh.
22:17:09 zakim, aaee is rware
22:17:09 +rware; got it
22:17:24 +??P6
22:17:31 http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0105.html
22:17:34 zakim, ??P6 is mkwst.
22:17:34 +mkwst; got it
22:17:53 bhill: the sub resource integrity work (SRI) will most likely invent various new HTML attrs that will need to be mapped to various HTML tags and so will need HTML WG liaison, we're missing the HTML5 train, but can likely get on the next revision train
22:18:14 next topic: DOM Event on CSP violation
22:18:25 (did we skip CfC: CSP 1.1 to FPWD ?)
22:18:35 dveditz has joined #webappsec
22:18:48 whoops - yes!
22:18:50 mkwst: < recounts basic idea >
22:19:37 mkwst: folks more or less agree it seems about having a DOM event for violations, there's various subtle issues, and whether info is included in reports
22:21:03 Not me
22:21:08 me :)
22:21:15 jimio -- see http://www.w3.org/2011/webappsec/track/issues/open
22:22:05 zakim, who is speaking?
22:22:17 jeffh: jimio.
22:22:19 jeffh, listening for 10 seconds I could not identify any sounds
22:22:25 heh
22:22:41 Zakim, who is here?
22:22:41 On the phone I see abresee, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, [IPcaller], rware, mkwst
22:22:43 On IRC I see dveditz, abarth, ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:22:44 jimio: recounts how using CSP stuff
22:23:10 Zakim, [IPcaller] is dveditz
22:23:10 +dveditz; got it
22:23:23 abarth: wrt goog's experimentation, if csp violations xlated to dom events, easier to capture to reports (? scribed correctly?)
22:23:56 ware has joined #webappsec
22:23:59 who was that?
22:24:58 mkwst: some implr's think if get info via dom event, then can send it to subsys that already understands dom evnts, rather than custom code parsing of csp policy violations themselves
22:25:56 mkwst: would be happy to impl as a "csp event" on doc object, rather than overload dom evnt
22:26:19 abarth: write it up as strawman?
22:26:28 mkwst: will take that action and work with dveditz
22:26:44 ACTION mkwst to write up strawman for event on violation of CSP, coordinate w/dveditz
22:26:44 Sorry, couldn't find mkwst. You can review and register nicknames at .
22:26:58 mwest2
22:27:07 ACTION mwest2 to write up strawman for event on violation of CSP, coordinate w/dveditz
22:27:08 Created ACTION-102 - Write up strawman for event on violation of CSP, coordinate w/dveditz [on Mike West - due 2012-12-11].
22:27:27 CfC: CSP 1.1 to FPWD
22:28:12 bhill: any objections to advancing CSP 1.1 to FPWD ? hearing none, so be it
22:28:19 RESOLVED: Advance CSP 1.1 to First Public Working Draft
22:28:19
22:28:55 http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html
22:29:05 UI Obstruction check
22:29:19 bhill: raised by one Fred Andrews
22:30:06 bhill: is this an actual concern as described?
22:30:20 < several folks>: short answer: yes
22:31:04 bhill: continues reading the mail msg
22:31:59 http://www.w3.org/TR/UISafety/#unsafe-attribute-for-the-uievent-interface
22:32:03 bhill: have tried to not have any user interactions in that spec for various reasons -- is this just a "recognized hazard" we should provide advice about in the spec?
22:32:28 echo echo
22:32:38 whoever just joined or unmuted please fix it
22:33:03 bhill: I'll take action to try to answer this;
22:33:09 someone dropped bhill into a subway tunnel
22:33:16 ACTION bhill2 to follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute
22:33:16 Created ACTION-103 - Follow up on http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0096.html and solicit new proposals, suggest unsafe attribute [on Brad Hill - due 2012-12-11].
22:33:27 dveditz: do we put the manhole cover back on now?
22:33:28 http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0100.html
22:33:34 Zakim, who is here?
22:33:34 On the phone I see abresee, bhill, ekr,abarth,imelven,tanvi, jeffh, gioma1, jimio, dveditz, rware, mkwst
22:33:35 A11y review for anti-clickjacking
22:33:36 On IRC I see ware, dveditz, abarth, ekr, imelven, RRSAgent, Zakim, tanvi, jeffh, abresee, gioma1, jimio, trackbot, bhill, mkwst, tobie, caribou, timeless, odinho, erlend
22:33:45 A11y apparently means: ?
22:33:49 Accessibility
22:33:51 accessibility
22:34:07 sunday...sunday...sunday....
22:34:18 s4y
22:34:23 bhill: < recounts concerns, in echo chamber>
22:34:26 now it's more like the PA at the stadium
22:34:31 w3c....c...c...c...
22:35:06 please everyone mute
22:35:10 zakim, who is making noise?
22:35:14 bhill:
22:35:24 bhill, listening for 10 seconds I heard sound from the following: bhill (94%), mkwst (81%)
22:35:32 -mkwst
22:35:38 yay
22:35:39 thx
22:35:49 I'm muted, but I'll reconnect. sorry.
22:35:54 bhill: if i have accessibility tech added to UI Safety directive, need way to turn that (?) off in case the accessibility stuff messes things up (?)
22:35:56 it's fine now
22:35:59 voip is hard. :/
22:36:00 mkwst
22:36:26 abarth: need to check with folks who know about this. in chrome it's done via the extension system
22:36:31 mkwst: I've found sometimes with Skype if I mute in the headset I can still get echo and instead I need to mute using skype itself
22:36:43 abarth: UI team needs to be involved in chrome world
22:36:46 the application is adding noise all on its own (feedback?)
22:37:07 bhill: would like to get info from them about this
22:37:25 +??P6
22:37:32 zakim, ??P6 is mkwst.
22:37:32 +mkwst; got it
22:37:37 abarth: suspect that accessibility tools have their own UI, but need to check on it
22:38:12 ACTION abarth to follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility
22:38:12 Created ACTION-104 - Follow up with Goog A11Y and UI teams on disabling browser features (UISafety obstruction check) for A11Y compatibility [on Adam Barth - due 2012-12-11].
22:38:29 Review of open actions / issues in tracker
22:38:45 http://www.w3.org/2011/webappsec/track/issues/open
22:39:40 bhill: haven't transcribed info from TPAC as yet, so suggest we adjourn and punt this till next time once the most esteemed chair can catch up
22:39:53 any obj to adjourn?
22:40:38 mkwst: great that implementers such as twitter here -- v. interested to hear from them wrt issues with impl'g and deploying this
22:41:00 jimio: top 10 blocked URLs have been chrome extensions it turns out
22:41:15 abarth: have noted that, it should be getting better soon
22:41:24 -rware
22:41:25 -jeffh
22:41:28 -jimio
22:41:30 -ekr,abarth,imelven,tanvi
22:41:31 Thank you
22:41:31 -bhill
22:41:32 -mkwst
22:41:35 -gioma1
22:41:35 zakim, list attendees
22:41:35 bhill: ok, call/meeting adjourned
22:41:36 As of this point the attendees have been +1.801.701.aaaa, +1.866.317.aabb, bhill, jeffh, ekr,abarth,imelven,tanvi, gioma1, +1.508.574.aacc, jimio, mkwst, +1.978.944.aadd, gopal,
22:41:36 ... abresee, +1.503.712.aaee, rware, dveditz
22:41:39 -abresee
22:41:43 rrsagent, make minutes
22:41:43 I have made the request to generate http://www.w3.org/2012/12/04-webappsec-minutes.html bhill
22:41:45 adios to all
22:41:51 rrsagent, set logs public-visible
22:41:59 -dveditz
22:42:00 SEC_WASWG()5:00PM has ended
22:42:00 Attendees were +1.801.701.aaaa, +1.866.317.aabb, bhill, jeffh, ekr,abarth,imelven,tanvi, gioma1, +1.508.574.aacc, jimio, mkwst, +1.978.944.aadd, gopal, abresee, +1.503.712.aaee,
22:42:00 ... rware, dveditz
22:42:05 ~approximately the top 10.. but it was definitely a majority. thanks all, enjoyable first meeting
22:43:24 ware has left #webappsec
22:43:37 ekr has joined #webappsec
22:43:48 SEC_WASWG()5:00PM has now started
22:43:55 +gopal
22:44:07 -gopal
22:44:08 SEC_WASWG()5:00PM has ended
22:44:08 Attendees were gopal
22:45:00 ware has joined #webappsec
22:52:25 tanvi has left #webappsec
22:56:18 ware has left #webappsec
23:20:00 ware has joined #webappsec