IRC log of webappsec on 2014-09-10

Timestamps are in UTC.

14:23:58 [RRSAgent]
RRSAgent has joined #webappsec
14:23:58 [RRSAgent]
logging to http://www.w3.org/2014/09/10-webappsec-irc
14:59:19 [gmaone]
gmaone has joined #webappsec
15:02:20 [mkwst]
Zakim. :(
15:03:20 [bhill2]
bhill2 has joined #webappsec
15:04:06 [bhill2]
bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Sep/0047.html
15:04:15 [bhill2]
zakim, who is here?
15:04:15 [Zakim]
sorry, bhill2, I don't know what conference this is
15:04:17 [Zakim]
On IRC I see bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:04:20 [bhill2]
zakim, this is 92794
15:04:20 [Zakim]
ok, bhill2; that matches SEC_WASWG()11:00AM
15:04:24 [bhill2]
zakim, who is here?
15:04:24 [Zakim]
On the phone I see dveditz, BHill, mkwst
15:04:26 [Zakim]
On IRC I see bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:04:40 [bhill2]
Meeting: WebAppSec WG Teleconference 10-September-2014
15:04:42 [bhill2]
Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Sep/0047.html
15:04:58 [bhill2]
Chairs: dveditz, bhill
15:04:59 [Zakim]
+??P13
15:05:25 [gmaone]
zakim, ??P13 is me
15:05:25 [Zakim]
+gmaone; got it
15:06:15 [Zakim]
+ +1.360.562.aaaa
15:06:58 [bhill2]
zakim, aaaa is kevinhill
15:06:58 [Zakim]
+kevinhill; got it
15:08:07 [ShijunS]
ShijunS has joined #webappsec
15:08:31 [dveditz]
zakim, who is here?
15:08:31 [Zakim]
On the phone I see dveditz, BHill, mkwst, gmaone, kevinhill
15:08:33 [Zakim]
On IRC I see ShijunS, bhill2, gmaone, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:09:04 [dveditz]
topic: minutes approval
15:09:06 [dveditz]
http://www.w3.org/2011/webappsec/draft-minutes/2014-08-27-webappsec-minutes.html
15:09:51 [mkwst]
dveditz: Any objections to publishing minutes?
15:09:52 [dveditz]
scribenick: mkwst
15:09:54 [mkwst]
<crickets>
15:10:05 [mkwst]
dveditz: No objections, approved.
15:10:24 [dveditz]
TOPIC: Review of Open Actions in the Tracker
15:11:14 [dveditz]
TOPIC: agenda bashing
15:11:17 [mkwst]
bhill2: Perhaps we can skip around a bit, due to low attendance.
15:11:27 [mkwst]
bhill2: Are there particular topics of interest?
15:11:38 [mkwst]
kevinhill: child-src looks interesting.
15:11:48 [mkwst]
dveditz: I drop my objection.
15:12:15 [mkwst]
kevinhill: Working on 1.0 implementation.
15:12:30 [mkwst]
kevinhill: Level 2 looks interesting. We think it's a good spec.
15:12:37 [mkwst]
kevinhill: Adoption is a topic I'd like to cover.
15:12:55 [mkwst]
kevinhill: CSP is struggling with adoption. Working in MS to get services to adopt CSP.
15:13:12 [mkwst]
kevinhill: Worthwhile to band together to help websites adopt?
15:13:28 [mkwst]
kevinhill: Yelp, for instance, is doing interesting work.
15:14:14 [mkwst]
mkwst: I agree that it's important to get adoption.
15:14:36 [mkwst]
mkwst: internal google properties are adopting: Gmail, Plus, YouTube, etc.
15:14:43 [mkwst]
kevinhill: thinking of sites outside MS and Google.
15:14:52 [mkwst]
kevinhill: nice to see Yelp, for instance.
15:15:19 [mkwst]
kevinhill: important to highlight folks in the community, help the wider net understand the value.
15:15:31 [mkwst]
dveditz: people come up with super-complex policies that break all the time.
15:15:50 [mkwst]
dveditz: suggesting that folks come up with simpler policies, focusing on script-src.
15:16:05 [mkwst]
dveditz: not a first-line of defense.
15:16:26 [mkwst]
dveditz: other complaint is reporting: discover how terrible the web is, lots of unexpected errors.
15:16:33 [mkwst]
dveditz: add-ons, ISPs, etc.
15:16:45 [mkwst]
dveditz: separating real attacks from noise is difficult.
15:17:48 [mkwst]
kevinhill: This is more or less what the Yelp article addresses.
15:18:10 [mkwst]
bhill2: setting up some sort of CSP-support mailing list would be helpful.
15:18:45 [mkwst]
bhill2: shared report-processing mechanisms, code would be excellent
15:19:00 [mkwst]
kevinhill: want to go to tooling folks at MS to see what could be done.
15:19:13 [mkwst]
kevinhill: perhaps VS could help developers construct policies.
15:19:20 [mkwst]
kevinhill: tooling around IIS for analysis.
15:19:34 [mkwst]
kevinhill: the more public we can be in the community, the more helpful for folks.
15:19:48 [mkwst]
kevinhill: publish stats about what's being prevented, etc.
15:20:37 [mkwst]
kevinhill: smartscreen filter in the browser. publish statistics.
15:21:25 [mkwst]
dveditz: telemetry reporting to the browser? could report what is being blocked for users.
15:21:34 [mkwst]
dveditz: might be interesting. will talk to folks about that.
15:22:20 [mkwst]
kevinhill: comcast example.
15:22:53 [mkwst]
mkwst: https is necessary.
15:23:05 [mkwst]
bhill2: CSP is a discovery mechanism to understand why HTTPS is critical.
15:24:08 [mkwst]
dveditz: browser helper objects that inject content?
15:24:14 [mkwst]
kevinhill: Haven't thought about it much.
15:24:21 [gmaone2]
gmaone2 has joined #webappsec
15:24:38 [mkwst]
dveditz: it's a problem everyone has. chrome tries to allow extensions to work.
15:24:57 [Zakim]
+??P0
15:24:59 [mkwst]
kevinhill: progress is being made there. i agree that it's important.
15:25:37 [gmaone2]
zakim, ??P0 is me
15:25:37 [Zakim]
+gmaone2; got it
15:26:18 [dveditz]
thx
15:26:50 [mkwst]
mkwst: 1. CSP2 to CR? 2. What does "widely review" mean in the context of the WG?
15:27:09 [mkwst]
bhill: 1. Take the doc we're working on and bring it to Director for publication.
15:27:52 [mkwst]
bhill: Notify other groups, invite them to take a look at CSP2. Point to blog posts, and presentations, etc.
15:29:02 [dveditz]
<mkwst: less concerned about CSP2 than MIX and Referrer which are less visible. I understand the new process doesn't include a last call period>
15:30:39 [Zakim]
+[Microsoft]
15:30:49 [dveditz]
<mkwst: we don't seem to get much feedback /until/ last call, worried about what happens if we don't have that>
15:31:06 [dveditz]
<bhill2: we can always have an informal Last Call ourselves>
15:31:34 [bhill2]
zakim, Microsoft has David Walp
15:31:34 [Zakim]
+David, Walp; got it
15:31:38 [mkwst]
mkwst: MIX? Do we wait until the next call? I'd like to get a draft out.
15:31:41 [bhill2]
zakim, who is here?
15:31:41 [Zakim]
On the phone I see dveditz, BHill, mkwst, gmaone, kevinhill, gmaone2, [Microsoft]
15:31:44 [Zakim]
[Microsoft] has David, Walp
15:31:44 [Zakim]
On IRC I see gmaone2, ShijunS, bhill2, RRSAgent, Zakim, dveditz, terri, freddyb, mkwst, timeless, tobie, wseltzer, trackbot
15:32:07 [mkwst]
bhill2: Any objections to publishing a new WD of MIX?
15:32:21 [mkwst]
<various>: No objections.
15:32:51 [mkwst]
bhill2: Ok, we'll take it to the list.
15:33:06 [mkwst]
mkwst: Perhaps we could move the call down again? I can do a slightly later call.
15:33:16 [bhill2]
ACTION bhill2 to reconsider call time
15:33:16 [trackbot]
Created ACTION-187 - Reconsider call time [on Brad Hill - due 2014-09-17].
15:33:50 [Zakim]
-BHill
15:33:50 [mkwst]
bhill2: Dropping to hit the WebCrypto workshop.
15:34:01 [dveditz]
TOPIC: [CSP] kill or delay child-src?
15:34:16 [mkwst]
dveditz: My confusion. Withdraw question.
15:34:47 [mkwst]
davidwalk: Last item: XHR.
15:35:06 [dveditz]
TOPIC: XMLHttpRequest. Support for OPTIONS* method.
15:36:13 [mkwst]
mkwst: That's a thread that's probably best dealt with on the list, as the folks on that thread don't generally call into WebAppSec.
15:36:40 [mkwst]
dveditz: Started in public-webapps@. Probably best to do it via mail.
15:37:37 [mkwst]
dveditz: Ok. Let's call it early today.
15:38:23 [Zakim]
-kevinhill
15:38:25 [Zakim]
-[Microsoft]
15:38:25 [Zakim]
-dveditz
15:38:29 [Zakim]
-mkwst
15:38:30 [Zakim]
-gmaone2
15:39:00 [bhill2]
rrsagent, make minutes
15:39:00 [RRSAgent]
I have made the request to generate http://www.w3.org/2014/09/10-webappsec-minutes.html bhill2
15:39:04 [bhill2]
rrsagent, set logs public-visible
16:05:00 [Zakim]
disconnecting the lone participant, gmaone, in SEC_WASWG()11:00AM
16:05:02 [Zakim]
SEC_WASWG()11:00AM has ended
16:05:02 [Zakim]
Attendees were dveditz, BHill, mkwst, gmaone, +1.360.562.aaaa, kevinhill, gmaone2, David, Walp
16:28:44 [bhill2]
bhill2 has left #webappsec
17:52:03 [Zakim]
Zakim has left #webappsec