Re: Agenda for January 29 Teleconference

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 29 Jan 2013 12:32:26 -0800
Message-ID: <CABcZeBNqEfea9AadAv-4dHEZ41bMSF8dbqhb62ovjofjb01awg@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: public-webappsec <public-webappsec@w3.org>
Revised Agenda

DATE: Jan, 29 2013
TIME: 22:00-23:00 UTC (14:00-15:00 PST)

+1.617.761.6200; PIN 92794 ('WASWG') and  #webappsec on irc.w3.org:6665
(Or VoIP via the Zakim SIP bridge:
http://www.w3.org/2006/tools/wiki/Zakim-SIP)

22:00 - 22:03    Scribe Selection (Default -> Eric Rescorla)
22:03 - 22:05    Roll Call
22:05 - 22:06    Minutes Approval
22:07 - 22:08    Agenda Bashing
22:08 - 22:09    News: CSP 1.0 to CR
22:10 - 22:15    Review of open actions in tracker
22:15 - 22:30    Review raised+open issues, assign actions
22:30 - 22:33    default-src violation types
    http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0036.html
22:33 - 22:37    CSP and HSTS
    http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0034.html
22:37 - 22:40    Line #s in CSP reports only for same-origin, CORS?
    http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0004.htm
22:40 - 22:45    Defaults for clipping and selectors
    http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0045.html
22:45 - 22:57    UI Safety ISSUE 2
    "The restriction to a single additional host source value was
    based on the request of the Websec WG as part of moving this
    feature to this document. This decision should be evaluated in the
    context of CSP. For example, while standalone implementations of
    X-Frame-Options may not have wanted to incur the complexity of
    parsing potentially large lists of origins, CSP implementations
    must already be robust in their handling of such lists. The
    inclusion of multiple origins may reveal details of the security
    model of a resource that chooses to publish such a policy and
    risks associated with this should be discussed in the Security
    Considerations section if any change is made."
22:57 - 23:00    Move of testing repos to github
    http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0044.html

Scribe Rotation. We go down the list in order. Please advise if you
cannot scribe for some reason, or if you are not listed here and
should be.

Adam Barth
Jeff Hodges
David Huang
Gopal Raghavan
Eric Rescorla <--
Jacob Rossi
Tanvi Vyas
Peleus Uhley
Dan Veditz
Ryan Ware
Jim O'Leary
Adam Bresee
Ian Melven



On Tue, Jan 29, 2013 at 10:19 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> Let's add it to today's agenda.
>
>
> On Mon, Jan 28, 2013 at 6:36 PM, Neil Matatall <neilm@twitter.com> wrote:
>
>>  Did this item drop off from last time? Or has there been some consensus?
>>
>> 22:37 - 22:39 Line #s in CSP reports only for same-origin, CORS?
>>
>> - Neil
>>
>> On Monday, January 28, 2013 at 6:01 PM, Eric Rescorla wrote:
>>
>>
>> DATE: Jan, 29 2013
>> TIME: 22:00-23:00 UTC (14:00-15:00 PST)
>>
>> +1.617.761.6200; PIN 92794 ('WASWG') and  #webappsec on irc.w3.org:6665
>> (Or VoIP via the Zakim SIP bridge:
>> http://www.w3.org/2006/tools/wiki/Zakim-SIP)
>>
>> 22:00 - 22:03    Scribe Selection (Default -> Eric Rescorla)
>> 22:03 - 22:05    Roll Call
>> 22:05 - 22:06    Minutes Approval
>> 22:07 - 22:08    Agenda Bashing
>> 22:08 - 22:09    News: CSP 1.0 to CR
>> 22:10 - 22:15    Review of open actions in tracker
>> 22:15 - 22:30    Review raised+open issues, assign actions
>> 22:30 - 22:35    default-src violation types
>>
>> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0036.html
>> 22:35 - 22:40    CSP and HSTS
>>
>> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0034.html
>> 22:40 - 22:45    Defaults for clipping and selectors
>>
>> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0045.html
>> 22:45 - 22:57    UI Safety ISSUE 2
>>     "The restriction to a single additional host source value was
>>     based on the request of the Websec WG as part of moving this
>>     feature to this document. This decision should be evaluated in the
>>     context of CSP. For example, while standalone implementations of
>>     X-Frame-Options may not have wanted to incur the complexity of
>>     parsing potentially large lists of origins, CSP implementations
>>     must already be robust in their handling of such lists. The
>>     inclusion of multiple origins may reveal details of the security
>>     model of a resource that chooses to publish such a policy and
>>     risks associated with this should be discussed in the Security
>>     Considerations section if any change is made."
>> 22:57 - 23:00    Move of testing repos to github
>>
>> http://lists.w3.org/Archives/Public/public-webappsec/2013Jan/0044.html
>>
>> Scribe Rotation. We go down the list in order. Please advise if you
>> cannot scribe for some reason, or if you are not listed here and
>> should be.
>>
>> Adam Barth
>> Jeff Hodges
>> David Huang
>> Gopal Raghavan
>> Eric Rescorla <--
>> Jacob Rossi
>> Tanvi Vyas
>> Peleus Uhley
>> Dan Veditz
>> Ryan Ware
>> Jim O'Leary
>> Adam Bresee
>> Ian Melven
>>
>>
>>
>
Received on Tuesday, 29 January 2013 20:33:34 GMT