public-webappsec@w3.org from November 2012 by thread

[webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter Hill, Brad (Tuesday, 27 November)

• Re: [webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter Arthur Barstow (Thursday, 29 November)
  • RE: [webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter Hill, Brad (Thursday, 29 November)

[webappsec] Call for Consensus: CSP 1.1 to FPWD Hill, Brad (Tuesday, 27 November)

• RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD Fred Andrews (Tuesday, 27 November)
  • Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD Adam Barth (Wednesday, 28 November)
    • RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD Jacob Rossi (Wednesday, 28 November)
      • Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD Eric Chen (Wednesday, 28 November)
        • RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD Jacob Rossi (Wednesday, 28 November)
          • Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD Adam Barth (Wednesday, 28 November)
            • Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD Mike West (Thursday, 29 November)
            • RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD Jacob Rossi (Thursday, 29 November)
• Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD Adam Barth (Tuesday, 27 November)

Re: Trigger a DOM event/error when a CSP violation happens. Mike West (Thursday, 22 November)

• Re: Trigger a DOM event/error when a CSP violation happens. Eduardo' Vela (Thursday, 22 November)
  • Re: Trigger a DOM event/error when a CSP violation happens. Mike West (Thursday, 22 November)
    • Re: Trigger a DOM event/error when a CSP violation happens. Devdatta Akhawe (Tuesday, 27 November)
      • Re: Trigger a DOM event/error when a CSP violation happens. Mike West (Tuesday, 27 November)
        • Re: Trigger a DOM event/error when a CSP violation happens. Devdatta Akhawe (Tuesday, 27 November)
          • Re: Trigger a DOM event/error when a CSP violation happens. Dan Veditz (Wednesday, 28 November)
• Re: Trigger a DOM event/error when a CSP violation happens. Dan Veditz (Wednesday, 28 November)
  • Re: Trigger a DOM event/error when a CSP violation happens. Mike West (Thursday, 29 November)

[webappsec] Teleconference Poll: time unchanged Hill, Brad (Wednesday, 21 November)

RfR: CORS tests - deadline 6 December Odin Hørthe Omdal (Wednesday, 21 November)

• Re: RfR: CORS tests - deadline 6 December Boris Zbarsky (Wednesday, 21 November)
• Re: RfR: CORS tests - deadline 6 December Karl Dubost (Thursday, 22 November)

Re: CORS test status Odin Hørthe Omdal (Wednesday, 21 November)

• RE: CORS test status Hill, Brad (Wednesday, 21 November)

UI Safety Obstruction check and transforms Fred Andrews (Wednesday, 21 November)

• Re: UI Safety Obstruction check and transforms David Lin-Shung Huang (Wednesday, 28 November)
  • Re: UI Safety Obstruction check and transforms Mountie Lee (Wednesday, 28 November)
  • RE: UI Safety Obstruction check and transforms Fred Andrews (Wednesday, 28 November)
    • Re: UI Safety Obstruction check and transforms David Lin-Shung Huang (Wednesday, 28 November)

Call for Exclusions: User Interface Safety Directives for Content Security Policy Ian Jacobs (Tuesday, 20 November)

[webappsec] New draft charter for discussion Hill, Brad (Tuesday, 20 November)

[webappsec] Agenda for Teleconference of Nov 20, 2012 Hill, Brad (Tuesday, 20 November)

RE: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Hill, Brad (Tuesday, 20 November)

• Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Carine Bournez (Tuesday, 20 November)
  • Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Robin Berjon (Tuesday, 20 November)
    • Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Carine Bournez (Tuesday, 20 November)

[webappsec] TPAC chatlog cleanup Hill, Brad (Monday, 19 November)

A11y for Web App Sec Anti clickjacking spec Léonie Watson (Sunday, 18 November)

• RE: A11y for Web App Sec Anti clickjacking spec Hill, Brad (Wednesday, 21 November)

how to protect javascript codes Mountie Lee (Saturday, 17 November)

• Re: how to protect javascript codes Dan Veditz (Saturday, 17 November)
  • Re: how to protect javascript codes Mountie Lee (Saturday, 17 November)
    • Re: how to protect javascript codes Dan Veditz (Saturday, 17 November)
      • Re: how to protect javascript codes Mountie Lee (Monday, 19 November)
        • Re: how to protect javascript codes Dan Veditz (Monday, 19 November)
• RE: how to protect javascript codes Hill, Brad (Saturday, 17 November)
  • Re: how to protect javascript codes Mountie Lee (Saturday, 17 November)

Call for Consensus: CORS to Candidate Recommendation Hill, Brad (Thursday, 15 November)

• Re: Call for Consensus: CORS to Candidate Recommendation Odin Hørthe Omdal (Friday, 16 November)
• Re: Call for Consensus: CORS to Candidate Recommendation Arthur Barstow (Friday, 16 November)
• Re: [websec] Call for Consensus: CORS to Candidate Recommendation Adam Barth (Wednesday, 21 November)

[webappsec] PLEASE RESPOND: poll for new teleconference time Hill, Brad (Thursday, 15 November)

[Bug 19920] New: Don't allow space-separated origins in the syntax bugzilla@jessica.w3.org (Friday, 9 November)

webappsec-ISSUE-40 (X-XSS-Protection): Look at incorporating X-XSS-Protection functionality into CSP 1.1 Web Application Security Working Group Issue Tracker (Thursday, 8 November)

[webappsec] subsume X-XSS-Protection into CSP 1.1? Hill, Brad (Thursday, 8 November)

• Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Adam Barth (Thursday, 8 November)
  • Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? neil matatall (Thursday, 8 November)
    • RE: [webappsec] subsume X-XSS-Protection into CSP 1.1? Hill, Brad (Thursday, 8 November)
      • Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Adam Barth (Friday, 9 November)
        • Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Mike West (Monday, 12 November)
          • Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Adam Barth (Tuesday, 13 November)
• Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Mike West (Saturday, 17 November)
  • Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Adam Barth (Saturday, 17 November)
    • Re: [webappsec] subsume X-XSS-Protection into CSP 1.1? Mike West (Saturday, 17 November)

Re: [webappsec] updated draft SVG: simple CORS request Arthur Barstow (Wednesday, 7 November)

• RE: [webappsec] updated draft SVG: simple CORS request Hill, Brad (Wednesday, 7 November)
  • Re: [webappsec] updated draft SVG: simple CORS request Mike West (Wednesday, 7 November)

Security model review CSS Masking Dirk Schulze (Tuesday, 6 November)

[webappsec] Reminder, today's call is CANCELLED Hill, Brad (Tuesday, 6 November)

Batching CSP violation reports. Mike West (Monday, 5 November)

• Re: Batching CSP violation reports. Ian Melven (Monday, 5 November)
  • Re: Batching CSP violation reports. Mike West (Monday, 5 November)
    • RE: Batching CSP violation reports. Hill, Brad (Monday, 5 November)
• Re: Batching CSP violation reports. Alex Russell (Monday, 5 November)
  • RE: Batching CSP violation reports. Jacob Rossi (Monday, 5 November)

[webappsec] call for reportURIs DOM API use cases Hill, Brad (Monday, 5 November)

[webappsec] Remote participation in IETF websec meeting Hill, Brad (Monday, 5 November)

Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Carine Bournez (Monday, 5 November)

• RE: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Hill, Brad (Monday, 5 November)
  • Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Thomas Roessler (Monday, 5 November)
    • Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP] Hill, Brad (Monday, 5 November)

Re: Script-nonce policies Adam Barth (Friday, 2 November)

• Re: Script-nonce policies Joel Howard Willis Weinberger (Friday, 2 November)
  • Re: Script-nonce policies Adam Barth (Friday, 2 November)
    • RE: Script-nonce policies Hill, Brad (Sunday, 4 November)

TPAC meeting adjourned Hill, Brad (Friday, 2 November)

Restricting APIs in CSP Eric Rescorla (Friday, 2 November)

• Re: Restricting APIs in CSP Dan Veditz (Friday, 2 November)
  • Re: Restricting APIs in CSP Ian Melven (Tuesday, 20 November)

ISSUE-39: Discuss CSP relevant use cases for possibly including Meta Referrer as a CSP directive Web Application Security Working Group Issue Tracker (Friday, 2 November)

Re: CSP and inline styles L. David Baron (Friday, 2 November)

• Re: CSP and inline styles Dan Veditz (Friday, 2 November)

ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive Web Application Security Working Group Issue Tracker (Friday, 2 November)

• Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive Ian Melven (Friday, 2 November)
  • Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive Adam Barth (Friday, 2 November)
    • Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive Dan Veditz (Saturday, 3 November)
  • Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive Dan Veditz (Saturday, 3 November)

ISSUE-37: How to apply plugin-types in CSP 1.1 to iframes Web Application Security Working Group Issue Tracker (Friday, 2 November)

ISSUE-36: Are we interested in considering script-hash as a CSP 1.1 directive? Web Application Security Working Group Issue Tracker (Friday, 2 November)

CSP, style-src, and what it means to ignore style attributes L. David Baron (Friday, 2 November)

• Re: CSP, style-src, and what it means to ignore style attributes Adam Barth (Friday, 2 November)

ISSUE-35: Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs? Web Application Security Working Group Issue Tracker (Friday, 2 November)

ISSUE-34: Discuss use cases / risks of script access to CSP information, solicit specific public comment on this feature with FPWD Web Application Security Working Group Issue Tracker (Friday, 2 November)

ISSUE-33: Need to address blob, data, filesystem URL types with greater specificity in CSP 1.1 spec Web Application Security Working Group Issue Tracker (Friday, 2 November)

ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes? Web Application Security Working Group Issue Tracker (Friday, 2 November)

ISSUE-31: What specification's definition of URL/URI are we using for path parsing in CSP 1.1? Web Application Security Working Group Issue Tracker (Friday, 2 November)

ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface Web Application Security Working Group Issue Tracker (Friday, 2 November)

• RE: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface Fred Andrews (Monday, 5 November)

ISSUE-29: What are sane defaults for clipping with clipping or selectors? Web Application Security Working Group Issue Tracker (Thursday, 1 November)

ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally? Web Application Security Working Group Issue Tracker (Thursday, 1 November)

• RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally? Fred Andrews (Monday, 5 November)
  • RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally? Hill, Brad (Monday, 5 November)
    • RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally? Hill, Brad (Monday, 5 November)

ISSUE-27: Implementation concern on how to enforce display-time : should we provide more advice on how to do this efficiently? Web Application Security Working Group Issue Tracker (Thursday, 1 November)

ISSUE-26: Does the sandbox directive make sense in a meta tag context? Web Application Security Working Group Issue Tracker (Thursday, 1 November)

• RE: ISSUE-26: Does the sandbox directive make sense in a meta tag context? Fred Andrews (Monday, 5 November)

ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context? Web Application Security Working Group Issue Tracker (Thursday, 1 November)

• RE: ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context? Fred Andrews (Sunday, 4 November)
  • RE: ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context? Fred Andrews (Sunday, 11 November)

ISSUE-24: (); Web Application Security Working Group Issue Tracker (Thursday, 1 November)

ISSUE-23: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so event is not delivered Web Application Security Working Group Issue Tracker (Thursday, 1 November)

ISSUE-22: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered) Web Application Security Working Group Issue Tracker (Thursday, 1 November)

ISSUE-21: Do assistive technologies send real events or synthetic events? Web Application Security Working Group Issue Tracker (Thursday, 1 November)

ISSUE-20: If browsers apply this heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property Web Application Security Working Group Issue Tracker (Thursday, 1 November)

updated test VM link Hill, Brad (Thursday, 1 November)

Running a few min late Hill, Brad (Thursday, 1 November)

TPAC schedule clarification Hill, Brad (Thursday, 1 November)

Last message date: Thursday, 29 November 2012 20:17:59 UTC