IRC log of webappsec on 2014-09-10
Timestamps are in UTC.
- 14:23:58 [RRSAgent]
- RRSAgent has joined #webappsec
- 14:23:58 [RRSAgent]
- logging to http://www.w3.org/2014/09/10-webappsec-irc
- 14:59:19 [gmaone]
- gmaone has joined #webappsec
- 15:02:20 [mkwst]
- Zakim. :(
- 15:03:20 [bhill2]
- bhill2 has joined #webappsec
- 15:04:06 [bhill2]
- bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Sep/0047.html
- 15:04:15 [bhill2]
- zakim, who is here?
- 15:04:15 [Zakim]
- sorry, bhill2, I don't know what conference this is
- 15:04:17 [Zakim]
- On IRC I see bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
- 15:04:20 [bhill2]
- zakim, this is 92794
- 15:04:20 [Zakim]
- ok, bhill2; that matches SEC_WASWG()11:00AM
- 15:04:24 [bhill2]
- zakim, who is here?
- 15:04:24 [Zakim]
- On the phone I see dveditz, BHill, mkwst
- 15:04:26 [Zakim]
- On IRC I see bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
- 15:04:40 [bhill2]
- Meeting: WebAppSec WG Teleconference 10-September-2014
- 15:04:42 [bhill2]
- Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Sep/0047.html
- 15:04:58 [bhill2]
- Chairs: dveditz, bhill
- 15:04:59 [Zakim]
- +??P13
- 15:05:25 [gmaone]
- zakim, ??P13 is me
- 15:05:25 [Zakim]
- +gmaone; got it
- 15:06:15 [Zakim]
- + +1.360.562.aaaa
- 15:06:58 [bhill2]
- zakim, aaaa is kevinhill
- 15:06:58 [Zakim]
- +kevinhill; got it
- 15:08:07 [ShijunS]
- ShijunS has joined #webappsec
- 15:08:31 [dveditz]
- zakim, who is here?
- 15:08:31 [Zakim]
- On the phone I see dveditz, BHill, mkwst, gmaone, kevinhill
- 15:08:33 [Zakim]
- On IRC I see ShijunS, bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
- 15:09:04 [dveditz]
- topic: minutes approval
- 15:09:06 [dveditz]
- http://www.w3.org/2011/webappsec/draft-minutes/2014-08-27-webappsec-minutes.html
- 15:09:51 [mkwst]
- dveditz: Any objections to publishing minutes?
- 15:09:52 [dveditz]
- scribenick: mkwst
- 15:09:54 [mkwst]
- <crickets>
- 15:10:05 [mkwst]
- dveditz: No objections, approved.
- 15:10:24 [dveditz]
- TOPIC: Review of Open Actions in the Tracker
- 15:11:14 [dveditz]
- TOPIC: agenda bashing
- 15:11:17 [mkwst]
- bhill2: Perhaps we can skip around a bit, due to low attendance.
- 15:11:27 [mkwst]
- bhill2: Are there particular topics of interest?
- 15:11:38 [mkwst]
- kevinhill: child-src looks interesting.
- 15:11:48 [mkwst]
- dveditz: I drop my objection.
- 15:12:15 [mkwst]
- kevinhill: Working on 1.0 implementation.
- 15:12:30 [mkwst]
- kevinhill: Level 2 looks interesting. We think it's a good spec.
- 15:12:37 [mkwst]
- kevinhill: Adoption is a topic I'd like to cover.
- 15:12:55 [mkwst]
- kevinhill: CSP is struggling with adoption. Working in MS to get services to adopt CSP.
- 15:13:12 [mkwst]
- kevinhill: Worthwhile to band together to help websites adopt?
- 15:13:28 [mkwst]
- kevinhill: Yelp, for instance, is doing interesting work.
- 15:14:14 [mkwst]
- mkwst: I agree that it's important to get adoption.
- 15:14:36 [mkwst]
- mkwst: internal google properties are adopting: Gmail, Plus, YouTube, etc.
- 15:14:43 [mkwst]
- kevinhill: thinking of sites outside MS and Google.
- 15:14:52 [mkwst]
- kevinhill: nice to see Yelp, for instance.
- 15:15:19 [mkwst]
- kevinhill: important to highlight folks in the community, help the wider net understand the value.
- 15:15:31 [mkwst]
- dveditz: people come up with super-complex policies that break all the time.
- 15:15:50 [mkwst]
- dveditz: suggesting that folks come up with simpler policies, focusing on script-src.
- 15:16:05 [mkwst]
- dveditz: not a first-line of defense.
- 15:16:26 [mkwst]
- dveditz: other complaint is reporting: discover how terrible the web is, lots of unexpected errors.
- 15:16:33 [mkwst]
- dveditz: add-ons, ISPs, etc.
- 15:16:45 [mkwst]
- dveditz: separating real attacks from noise is difficult.
- 15:17:48 [mkwst]
- kevinhill: This is more or less what the Yelp article addresses.
- 15:18:10 [mkwst]
- bhill2: setting up some sort of CSP-support mailing list would be helpful.
- 15:18:45 [mkwst]
- bhill2: shared report-processing mechanisms, code would be excellent
- 15:19:00 [mkwst]
- kevinhill: want to go to tooling folks at MS to see what could be done.
- 15:19:13 [mkwst]
- kevinhill: perhaps VS could help developers construct policies.
- 15:19:20 [mkwst]
- kevinhill: tooling around IIS for analysis.
- 15:19:34 [mkwst]
- kevinhill: the more public we can be in the community, the more helpful for folks.
- 15:19:48 [mkwst]
- kevinhill: publish stats about what's being prevented, etc.
- 15:20:37 [mkwst]
- kevinhill: smartscreen filter in the browser. publish statistics.
- 15:21:25 [mkwst]
- dveditz: telemetry reporting to the browser? could report what is being blocked for users.
- 15:21:34 [mkwst]
- dveditz: might be interesting. will talk to folks about that.
- 15:22:20 [mkwst]
- kevinhill: comcast example.
- 15:22:53 [mkwst]
- mkwst: https is necessary.
- 15:23:05 [mkwst]
- bhill2: CSP is a discovery mechanism to understand why HTTPS is critical.
- 15:24:08 [mkwst]
- dveditz: browser helper objects that inject content?
- 15:24:14 [mkwst]
- kevinhill: Haven't thought about it much.
- 15:24:21 [gmaone2]
- gmaone2 has joined #webappsec
- 15:24:38 [mkwst]
- dveditz: it's a problem everyone has. chrome tries to allow extensions to work.
- 15:24:57 [Zakim]
- +??P0
- 15:24:59 [mkwst]
- kevinhill: progress is being made there. i agree that it's important.
- 15:25:37 [gmaone2]
- zakim, ??P0 is me
- 15:25:37 [Zakim]
- +gmaone2; got it
- 15:26:18 [dveditz]
- thx
- 15:26:50 [mkwst]
- mkwst: 1. CSP2 to CR? 2. What does "widely review" mean in the context of the WG?
- 15:27:09 [mkwst]
- bhill: 1. Take the doc we're working on and bring it to Director for publication.
- 15:27:52 [mkwst]
- bhill: Notify other groups, invite them to take a look at CSP2. Point to blog posts, and presentations, etc.
- 15:29:02 [dveditz]
- <mkwst: less concerned about CSP2 than MIX and Referrer which are less visible. I understand the new process doesn't include a last call period>
- 15:30:39 [Zakim]
- +[Microsoft]
- 15:30:49 [dveditz]
- <mkwst: we don't seem to get much feedback /until/ last call, worried about what happens if we don't have that>
- 15:31:06 [dveditz]
- <bhill2: we can always have an informal Last Call ourselves>
- 15:31:34 [bhill2]
- zakim, Microsoft has David Walp
- 15:31:34 [Zakim]
- +David, Walp; got it
- 15:31:38 [mkwst]
- mkwst: MIX? Do we wait until the next call? I'd like to get a draft out.
- 15:31:41 [bhill2]
- zakim, who is here?
- 15:31:41 [Zakim]
- On the phone I see dveditz, BHill, mkwst, gmaone, kevinhill, gmaone2, [Microsoft]
- 15:31:44 [Zakim]
- [Microsoft] has David, Walp
- 15:31:44 [Zakim]
- On IRC I see gmaone2, ShijunS, bhill2, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
- 15:32:07 [mkwst]
- bhill2: Any objections to publishing a new WD of MIX?
- 15:32:21 [mkwst]
- <various>: No objections.
- 15:32:51 [mkwst]
- bhill2: Ok, we'll take it to the list.
- 15:33:06 [mkwst]
- mkwst: Perhaps we could move the call down again? I can do a slightly later call.
- 15:33:16 [bhill2]
- ACTION bhill2 to reconsider call time
- 15:33:16 [trackbot]
- Created ACTION-187 - Reconsider call time [on Brad Hill - due 2014-09-17].
- 15:33:50 [Zakim]
- -BHill
- 15:33:50 [mkwst]
- bhill2: Dropping to hit the WebCrypto workshop.
- 15:34:01 [dveditz]
- TOPIC: [CSP] kill or delay child-src?
- 15:34:16 [mkwst]
- dveditz: My confusion. Withdraw question.
- 15:34:47 [mkwst]
- davidwalp: Last item: XHR.
- 15:35:06 [dveditz]
- TOPIC: XMLHttpRequest. Support for OPTIONS* method.
- 15:36:13 [mkwst]
- mkwst: That's a thread that's probably best dealt with on the list, as the folks on that thread don't generally call into WebAppSec.
- 15:36:40 [mkwst]
- dveditz: Started in public-webapps@. Probably best to do it via mail.
- 15:37:37 [mkwst]
- dveditz: Ok. Let's call it early today.
- 15:38:23 [Zakim]
- -kevinhill
- 15:38:25 [Zakim]
- -[Microsoft]
- 15:38:25 [Zakim]
- -dveditz
- 15:38:29 [Zakim]
- -mkwst
- 15:38:30 [Zakim]
- -gmaone2
- 15:39:00 [bhill2]
- rrsagent, make minutes
- 15:39:00 [RRSAgent]
- I have made the request to generate http://www.w3.org/2014/09/10-webappsec-minutes.html bhill2
- 15:39:04 [bhill2]
- rrsagent, set logs public-visible
- 16:05:00 [Zakim]
- disconnecting the lone participant, gmaone, in SEC_WASWG()11:00AM
- 16:05:02 [Zakim]
- SEC_WASWG()11:00AM has ended
- 16:05:02 [Zakim]
- Attendees were dveditz, BHill, mkwst, gmaone, +1.360.562.aaaa, kevinhill, gmaone2, David, Walp
- 16:28:44 [bhill2]
- bhill2 has left #webappsec
- 17:52:03 [Zakim]
- Zakim has left #webappsec