- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 19 Apr 2016 17:55:22 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8gCZJNwap0F9-4fxHmyc842V1jUxTuGmTqfcNhLqSp1uQ@mail.gmail.com>
Note that this meeting is at 9:00 am Pacific _Daylight_ Time. Please check your local time zone, as the commencement of daylight saving time may be out of sync between the USA and your locale.

TOPIC: Agenda Bashing

TOPIC: Minutes Approval
https://www.w3.org/2016/03/23-webappsec-minutes.html
*thanks to everyone who helped out with my IRC troubles!

TOPIC: May F2F is coming...

TOPIC: References to Fetch
The TAG is grumpy about the confusingness of CORS:
https://github.com/w3ctag/meetings/blob/gh-pages/2016/03-london/30-03-2016-minutes.md#topic-cors-fetch-credentials-etc

Our proposed non-conformance-changing update to the CORS REC that mentions Fetch as the current authoritative source was rejected. And at the last AC meeting this group was volunteered in absentia to own producing a W3C version of Fetch. Does anyone want to work with Anne to produce a version of Fetch under W3C licensing with stable references, similar to the work being done in the Web Platform WG for HTML?

For my part, I hope that de-confusifying CORS for developers in an official document might be good enough to unblock our specs on the road to REC. I made a start on such a document here that might become a WG note or TAG finding:
https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit?usp=sharing

See also: https://github.com/whatwg/fetch/issues/204#issuecomment-201220147

TOPIC: CSP Level 2 - Welcome Safari Technical Preview!
http://w3c.github.io/webappsec/implementation_reports/CSP2_implementation_report.html

Anyone want to review some CSP testsuite fixes for Firefox and Safari?
https://critic.hoppipolla.co.uk/r/6323
https://critic.hoppipolla.co.uk/r/6327
https://critic.hoppipolla.co.uk/r/6334

TOPIC: 'unsafe-dynamic'
https://github.com/w3c/webappsec-csp/issues/70#event-631031432

TOPIC: default-src definition in CSP2
https://github.com/w3c/webappsec/issues/514#issuecomment-211587068

Here is what the current specification says:

    Let the default sources be the result of parsing the default-src directive’s value as a source list if a default-src directive is explicitly specified, and otherwise the U+002A ASTERISK character (*).

Which is incorrect, as it reads that these two statements are equivalent:

    Content-Security-Policy: default-src *; upgrade-insecure-requests
    Content-Security-Policy: upgrade-insecure-requests

The statement should probably read something like:

    Let the default sources be the result of parsing the default-src directive’s value as a source list if a default-src directive is explicitly specified, and otherwise the list of all possible sources.

TOPIC: Block all non-SRI resources
https://github.com/w3c/webappsec-csp/pull/64#issuecomment-211482914
https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0001.html
(in which Dan suggests punting on * for now...)

TOPIC: Further granularity of unsafe-inline styles
https://github.com/w3c/webappsec-csp/issues/45

Providing safer referrer policy states
https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0004.html

To Join:
#webappsec on irc.w3.org:6665 or http://irc.w3.org/?channels=webappsec

By phone:
US Toll Number: +1-617-324-0000
Meeting Number: 641 834 499
Meeting Password: webappsec

-------------------------------------------------------
To join the online meeting (Now from mobile devices!)
-------------------------------------------------------
1. Go to https://mit.webex.com/mit/j.php?MTID=m12575b534e506abae4b7a9f445c0e53e
2. If requested, enter your name and email address.
3. If a password is required, enter the meeting password: webappsec
4. Click "Join".

To view in other time zones or languages, please click the link:
https://mit.webex.com/mit/j.php?MTID=m3f8188061759c9d387834efb90e1335e

-------------------------------------------------------
To join the audio conference only
-------------------------------------------------------
To receive a call back, provide your phone number when you join the meeting, or call the number below and enter the access code.
US Toll Number: +1-617-324-0000
Access code: 641 834 499
Mobile Auto Dial: +1-617-324-0000,,,641834499#

-------------------------------------------------------
For assistance
-------------------------------------------------------
1. Go to https://mit.webex.com/mit/mc
2. On the left navigation bar, click "Support".

DRAFT minutes for the teleconference will be available immediately following the meeting at the following URL:
(where [YYYY] is the four-digit year, e.g. 2015, [MM] is the two-digit month, e.g. 02, and [DD] is the two-digit day, e.g. 07)
Received on Tuesday, 19 April 2016 17:56:00 UTC
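The default-src agenda item in the message above argues that an absent default-src must not be read as `default-src *`. The JavaScript below is an added example, not part of Brad Hill's message and not code from the CSP specification or any browser: it models CSP2 directive fallback just far enough to show the difference. With `default-src *`, inline script and `data:` URLs are refused because `*` matches only network-scheme URLs and never permits inline code; with no default-src at all, a directive that is not listed is ungoverned and refuses nothing. The function names, the constructed policies and URLs, and the omission of port and path matching are assumptions of this example.

```javascript
// Added example (not from the original message): a minimal model of CSP2
// fetch-directive fallback, written to show why an absent default-src is not
// equivalent to "default-src *". Names, policies and URLs are constructed.

// Parse "name value; name value" into a Map. Per CSP2, a repeated directive
// name is ignored: the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Source list governing a fetch directive. Returns null when nothing governs
// it, i.e. the "list of all possible sources" the agenda proposes. That is
// deliberately NOT ['*'], which is a real, restrictive source expression.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

const NETWORK_SCHEMES = ['http:', 'https:', 'ws:', 'wss:'];

// Does one source expression match a URL? Covers '*', 'self', scheme-source
// ("data:") and host-source with optional scheme and a leading "*." wildcard.
// Simplification (assumption of this example): port and path are not matched.
function sourceMatches(expr, url, self) {
  if (expr === '*') {
    // CSP2: '*' matches network schemes and the page's own scheme, so
    // data:, blob: and filesystem: URLs are refused.
    return NETWORK_SCHEMES.includes(url.protocol) || url.protocol === self.protocol;
  }
  if (expr === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false; // 'none', 'unsafe-inline', nonces and hashes match no URL
  const [, scheme, wildcard, host] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false; // schemeless host-source: page's scheme, or https for an http page
  }
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}

// May a resource at urlString be fetched under this directive?
// selfOrigin is the origin of the protected document.
function allowsUrl(policy, directive, urlString, selfOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true; // ungoverned: every source permitted
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// May inline script or style run under this directive? '*' never allows it.
function allowsInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// The two headers the agenda says the current spec text wrongly equates:
const withStar = parsePolicy('default-src *; upgrade-insecure-requests');
const noDefault = parsePolicy('upgrade-insecure-requests');
const page = 'https://example.com'; // constructed protected-document origin

// A CDN script is permitted under both ...
console.log(allowsUrl(withStar, 'script-src', 'https://cdn.example/app.js', page));
console.log(allowsUrl(noDefault, 'script-src', 'https://cdn.example/app.js', page));
// ... but inline script and data: URLs separate them: '*' refuses both,
// an absent default-src refuses neither.
console.log(allowsInline(withStar, 'script-src'), allowsInline(noDefault, 'script-src'));
console.log(allowsUrl(withStar, 'script-src', 'data:text/javascript,1', page));
console.log(allowsUrl(noDefault, 'script-src', 'data:text/javascript,1', page));
```

The practical reading for deployers is the same one the agenda item implies: a policy that names only non-fetch directives such as `upgrade-insecure-requests` places no restriction on script, style or image loads, whereas `default-src *` is a real policy that blocks inline code and non-network schemes. Anything that claims to evaluate CSP (a linter, a test suite, a reporting pipeline) has to keep "no governing directive" distinct from `*`.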