
[webappsec] Teleconference Agenda, 20-Apr-2016

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 19 Apr 2016 17:55:22 +0000
Message-ID: <CAEeYn8gCZJNwap0F9-4fxHmyc842V1jUxTuGmTqfcNhLqSp1uQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Note that this meeting is at 9:00 am Pacific _Daylight_ Time. Please check
your local time zone, as the commencement of daylight savings time may be
out of sync between the USA and your locale.

TOPIC: Agenda Bashing

TOPIC: Minutes Approval

*thanks to everyone who helped out with my IRC troubles!

TOPIC: May F2F is coming...

TOPIC: References to Fetch

The TAG is grumpy about the confusingness of CORS:

Our proposed non-conformance-changing update to the CORS REC that mentions
Fetch as the current authoritative source was rejected.

And at the last AC meeting this group was volunteered in absentia to own
producing a W3C version of Fetch.

Does anyone want to work with Anne to produce a version of Fetch under W3C
licensing with stable references, similar to the work being done in the Web
Platform WG for HTML?

For my part, I hope that de-confusifying CORS for developers in an official
document might be good enough to unblock our specs on the road to REC. I
made a start on such a document here that might become a WG note or TAG

See also:

TOPIC: CSP Level 2 - Welcome Safari Technical Preview!

Anyone want to review some CSP testsuite fixes for Firefox and Safari?

TOPIC: 'unsafe-dynamic'

TOPIC: default-src definition in CSP2

Here is what the current specification says:

Let the default sources be the result of parsing the default-src
directive’s value as a source list if a default-src directive is explicitly
specified, and otherwise the U+002A ASTERISK character (*).

Which is incorrect, as it reads that these two statements are equivalent:

Content-Security-Policy: default-src *; upgrade-insecure-requests
Content-Security-Policy: upgrade-insecure-requests

The statement should probably read something like:

Let the default sources be the result of parsing the default-src
directive’s value as a source list if a default-src directive is explicitly
specified, and otherwise the list of all possible sources.
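As an added illustration (not part of this email), a small Python model of CSP2 source matching that makes the difference concrete: with `default-src *` the fallback list is `*`, which in CSP2 never matches data:, blob: or filesystem: URLs and never permits inline content, whereas with no `default-src` at all nothing restricts the directive. The two policies, the sample data: image and the `differences` helper are constructed for the example.

```python
from urllib.parse import urlparse

NON_NETWORK_SCHEMES = {"data", "blob", "filesystem"}  # '*' never matches these in CSP2

def parse_policy(header):
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    return policy

def effective_sources(policy, directive):
    """Source list governing a fetch directive, or None when nothing restricts it.
    None is the 'all possible sources' outcome the agenda proposes; it is not ['*']."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def url_allowed(policy, directive, url):
    """Would a fetch of `url` under `directive` be permitted by `policy`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # no directive applies: data:, blob:, anything goes
    parsed = urlparse(url)
    for expr in sources:
        if expr == "*" and parsed.scheme not in NON_NETWORK_SCHEMES:
            return True
        if expr.endswith(":") and parsed.scheme == expr[:-1]:
            return True  # scheme source such as data:
        if not expr.startswith("'") and not expr.endswith(":") and expr != "*":
            host = expr.split("://")[-1].split("/")[0]  # host source, optional *. prefix
            if parsed.netloc == host or (host.startswith("*.") and parsed.netloc.endswith(host[1:])):
                return True
    return False

def inline_allowed(policy, directive):
    """Inline script/style is blocked as soon as any source list applies without 'unsafe-inline'."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources

# Constructed policies from the agenda item: the spec text would make these equivalent.
WITH_STAR = parse_policy("default-src *; upgrade-insecure-requests")
WITHOUT_DEFAULT = parse_policy("upgrade-insecure-requests")
DATA_IMAGE = "data:image/png;base64,iVBORw0KGgo="  # constructed sample resource

def differences():
    """Return (data: image allowed, inline style allowed) per policy; they differ."""
    return {name: (url_allowed(pol, "img-src", DATA_IMAGE), inline_allowed(pol, "style-src"))
            for name, pol in (("default-src *", WITH_STAR), ("no default-src", WITHOUT_DEFAULT))}
```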

TOPIC: Block all non-SRI resources
https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0001.html (in
which Dan suggests punting on * for now...)

TOPIC: Further granularity of unsafe-inline styles

Providing safer referrer policy states

To Join:

#webappsec on irc.w3.org:6665 or http://irc.w3.org/?channels=webappsec

By phone:
US Toll Number: +1-617-324-0000
Meeting Number: 641 834 499
Meeting Password: webappsec

To join the online meeting (Now from mobile devices!)
1. Go to
2. If requested, enter your name and email address.
3. If a password is required, enter the meeting password: webappsec
4. Click "Join".

To view in other time zones or languages, please click the link:

To join the audio conference only
To receive a call back, provide your phone number when you join the
meeting, or call the number below and enter the access code.
US Toll Number: +1-617-324-0000

Access code: 641 834 499
Mobile Auto Dial: +1-617-324-0000,,,641834499#

For assistance
1. Go to https://mit.webex.com/mit/mc
2. On the left navigation bar, click "Support".

DRAFT minutes for the teleconference will be available immediately
following the meeting at the following URL: (where [YYYY] is the
four-digit year, e.g. 2015, [MM] is the two-digit month, e.g. 02, and
[DD] is the two-digit day, e.g. 07)
Received on Tuesday, 19 April 2016 17:56:00 UTC
