FW: WebAppSec TPAC Day 1 Recap

WebAppSec WG members, the IRC logs of today's session at TPAC are available at:


We covered a lot of ground, but a very few highlights relevant to tomorrow's meeting include:

* The group resolved to not adopt any new features or changes to v1.0 of CSP from the current unofficial editor's draft that are not currently implemented by at least one WG member.  We will revisit this decision if there are objections from members not present today, tomorrow from 10:00-11:00 am.  Microsoft and others, this is your chance to advocate for sandboxed (isolated) origins in CSP as an alternative to the abandoned text/html-sandboxed MIME-type.  Sandboxed origins are currently slated to be CUT from v1.0.

* While FPWD of CSP 1.0 has slipped, we moved up the remaining recommendations track schedule for v1.0 and plan to add a v1.1 CSP deliverable timeline, with near immediate creation of a wiki to cover proposals for 1.1 features.

* We worked ahead of the agenda and covered all CSP items originally on tomorrow's agenda.  The editors are going to incorporate the minor changes agreed to and we will move to open a call for comments period and target advancing CSP 1.0 from unofficial draft to FPWD in short order.

* There are few open issues with CORS.  The WG will work to create a test suite to advance it towards recommendation status.

* Tomorrow's agenda will begin covering the Secure Cross-Frame Mashups charter item at 1:00 PDT through the end of the session.

Members of the WG mailing list should have seen a number of ISSUES from the tracker, and a number more ACTIONS were created.  View the tracker at:  http://www.w3.org/2011/webappsec/track/ 


Brad Hill

Received on Tuesday, 1 November 2011 05:25:41 UTC