
Re: Agenda for January 29 Teleconference

From: Ian Melven <imelven@mozilla.com>
Date: Tue, 29 Jan 2013 09:16:51 -0800 (PST)
To: Neil Matatall <neilm@twitter.com>
Cc: public-webappsec <public-webappsec@w3.org>, Eric Rescorla <ekr@rtfm.com>
Message-ID: <1999943611.1376133.1359479811912.JavaMail.root@mozilla.com>


Hi,

That's the item I was waiting to comment on last teleconference :)

Within Mozilla, we recently discussed something along the same lines for report-uri to replace
our current same eTLD+1 restriction on sending reports. The suggestion was that reports could be
sent to any host a la the spec, but then potentially privacy or security sensitive information
would only be included if the report was going to a same eTLD+1 host.

Would this be useful to site implementers? Or would this essentially be the same
as the current restriction because all the available info is desired?

I've been meaning to bring this up on the list before today's call, but flu :(

cheers,
ian

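An added illustration of the report-uri idea in the mail above (not Mozilla's or the spec's code): the report is delivered to whatever host the policy names, but fields the mail calls privacy or security sensitive are stripped unless the collector shares the document's eTLD+1. The small suffix table and the set of sensitive field names are assumptions standing in for the real Public Suffix List and for whatever a browser would actually classify.

```javascript
// Constructed stand-in for the Public Suffix List: multi-label public suffixes
// only; every other hostname is assumed to end in a single-label TLD.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'github.io']);

// Fields assumed to be the sensitive ones (line/column numbers, source file,
// script sample); the mail does not enumerate them, so this set is an assumption.
const SENSITIVE_FIELDS = ['line-number', 'column-number', 'source-file', 'script-sample'];

// Registrable domain (eTLD+1) of a hostname, e.g.
// 'reports.example.co.uk' -> 'example.co.uk', 'a.b.example.com' -> 'example.com'.
function etldPlusOne(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const suffixLen = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 2 : 1;
  if (labels.length <= suffixLen) return hostname.toLowerCase();
  return labels.slice(-(suffixLen + 1)).join('.');
}

// The "same eTLD+1" test from the mail, applied to the document and the report-uri.
function sameSite(documentUrl, reportUri) {
  return etldPlusOne(new URL(documentUrl).hostname) ===
         etldPlusOne(new URL(reportUri).hostname);
}

// Build the body that would be POSTed to the report-uri: the full violation for a
// same-eTLD+1 collector, the sensitive fields removed for any other host.
function buildReport(documentUrl, reportUri, violation) {
  const report = { ...violation };
  if (!sameSite(documentUrl, reportUri)) {
    for (const field of SENSITIVE_FIELDS) delete report[field];
  }
  return { 'csp-report': report };
}

// Constructed sample violation, shaped like a CSP 1.0 report body.
const SAMPLE_VIOLATION = {
  'document-uri': 'https://app.example.co.uk/page',
  'violated-directive': 'script-src',
  'blocked-uri': 'inline',
  'source-file': 'https://app.example.co.uk/page',
  'line-number': 42,
  'column-number': 7,
  'script-sample': 'alert(1)',
};
```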

----- Original Message -----
From: "Neil Matatall" <neilm@twitter.com>
To: "Eric Rescorla" <ekr@rtfm.com>
Cc: "public-webappsec" <public-webappsec@w3.org>
Sent: Monday, January 28, 2013 6:36:17 PM
Subject: Re: Agenda for January 29 Teleconference


Did this item drop off from last time? Or has there been some consensus? 

22:37 - 22:39 Line #s in CSP reports only for same-origin, CORS?

- Neil 

On Monday, January 28, 2013 at 6:01 PM, Eric Rescorla wrote: 
DATE: Jan, 29 2013 
TIME: 22:00-23:00 UTC (14:00-15:00 PST) 

+1.617.761.6200 ; PIN 92794 ('WASWG') and #webappsec on irc.w3.org:6665 
(Or VoIP via the Zakim SIP bridge: http://www.w3.org/2006/tools/wiki/Zakim-SIP ) 


22:00 - 22:03 Scribe Selection (Default -> Eric Rescorla) 
22:03 - 22:05 Roll Call 
22:05 - 22:06 Minutes Approval 
22:07 - 22:08 Agenda Bashing 
22:08 - 22:09 News: CSP 1.0 to CR 
22:10 - 22:15 Review of open actions in tracker 
22:15 - 22:30 Review raised+open issues, assign actions 
22:30 - 22:35 default-src violation types 
http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0036.html 
22:35 - 22:40 CSP and HSTS 
http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0034.html 
22:40 - 22:45 Defaults for clipping and selectors 
http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0045.html 
22:45 - 22:57 UI Safety ISSUE 2 
"The restriction to a single additional host source value was 
based on the request of the Websec WG as part of moving this 
feature to this document. This decision should be evaluated in the 
context of CSP. For example, while standalone implementations of 
X-Frame-Options may not have wanted to incur the complexity of 
parsing potentially large lists of origins, CSP implementaions 
must already be robust in their handling of such lists. The 
inclusion of multiple origins may reveal details of the security 
model of a resource that chooses to publish such a policy and 
risks associated with this should be discussed in the Security 
Considerations section if any change is made." 
22:57 - 23:00 Move of testing repos to github 
http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0044.html 


Scribe Rotation. We go down the list in order. Please advise if you 
cannot scribe for some reason, or if you are not listed here and 
should be. 


Adam Barth 
Jeff Hodges 
David Huang 
Gopal Raghavan 
Eric Rescorla <-- 
Jacob Rossi 
Tanvi Vyas 
Peleus Uhley 
Dan Veditz 
Ryan Ware 
Jim O'Leary 
Adam Bresee 
Ian Melven 
Received on Tuesday, 29 January 2013 17:17:19 GMT