Re: [webappsec] Teleconference Agenda, 20-Apr-2016

On 04/19/2016 01:55 PM, Brad Hill wrote:
> Note that this meeting is at 9:00 am Pacific _Daylight_ Time. Please check
> your local time zone, as the commencement of daylight savings time may be
> out of sync with the USA in your locale.
> 
> TOPIC: Agenda Bashing
> 
> TOPIC: Minutes Approval
> https://www.w3.org/2016/03/23-webappsec-minutes.html
> 
> *thanks to everyone who helped out with my IRC troubles!
> 
> TOPIC: May F2F is coming...
> 
> TOPIC: References to Fetch
> 
> The TAG is grumpy about the confusingness of CORS:
> https://github.com/w3ctag/meetings/blob/gh-pages/2016/03-london/30-03-2016-minutes.md#topic-cors-fetch-credentials-etc
> 
> Our proposed non-conformance-changing update to the CORS REC that mentions
> Fetch as the current authoritative source was rejected.
> 
> And at the last AC meeting this group was volunteered in absentia to own
> producing a W3C version of Fetch.
> 
> Does anyone want to work with Anne to produce a version of Fetch under W3C
> licensing with stable references, similar to the work being done in the Web
> Platform WG for HTML?

There's a much simpler work-mode that has been effective in i18n for the
Encoding spec[1] that could work here to create stable snapshots.

--Wendy
[1] https://www.w3.org/TR/encoding/

> 
> For my part, I hope that de-confusifying CORS for developers in an official
> document might be good enough to unblock our specs on the road to REC. I
> made a start on such a document here that might become a WG note or TAG
> finding:
> https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit?usp=sharing
> 
> See also:
> https://github.com/whatwg/fetch/issues/204#issuecomment-201220147
> 
> TOPIC: CSP Level 2 - Welcome Safari Technical Preview!
> http://w3c.github.io/webappsec/implementation_reports/CSP2_implementation_report.html
> 
> Anyone want to review some CSP testsuite fixes for Firefox and Safari?
> https://critic.hoppipolla.co.uk/r/6323
> https://critic.hoppipolla.co.uk/r/6327
> https://critic.hoppipolla.co.uk/r/6334
> 
> TOPIC: 'unsafe-dynamic'
> https://github.com/w3c/webappsec-csp/issues/70#event-631031432
> 
> TOPIC: default-src definition in CSP2
> https://github.com/w3c/webappsec/issues/514#issuecomment-211587068
> 
> Here is what the current specification says:
> 
> Let the default sources be the result of parsing the default-src
> directive’s value as a source list if a default-src directive is explicitly
> specified, and otherwise the U+002A ASTERISK character (*).
> 
> Which is incorrect, as it reads that these two statements are equivalent:
> 
> Content-Security-Policy: default-src *; upgrade-insecure-requests
> Content-Security-Policy: upgrade-insecure-requests
> 
> The statement should probably read something like:
> 
> Let the default sources be the result of parsing the default-src
> directive’s value as a source list if a default-src directive is explicitly
> specified, and otherwise the list of all possible sources.
> 
> TOPIC: Block all non-SRI resources
> https://github.com/w3c/webappsec-csp/pull/64#issuecomment-211482914
> https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0001.html (in
> which Dan suggests punting on * for now...)
> 
> TOPIC: Further granularity of unsafe-inline styles
> https://github.com/w3c/webappsec-csp/issues/45
> 
> Providing safer referrer policy states
> https://lists.w3.org/Archives/Public/public-webappsec/2016Apr/0004.html
> 
> To Join:
> 
> #webappsec on irc.w3.org:6665 or http://irc.w3.org/?channels=webappsec
> 
> By phone:
> US Toll Number: +1-617-324-0000
> Meeting Number: 641 834 499
> Meeting Password: webappsec
> 
> -------------------------------------------------------
> To join the online meeting (Now from mobile devices!)
> -------------------------------------------------------
> 1. Go to
> https://mit.webex.com/mit/j.php?MTID=m12575b534e506abae4b7a9f445c0e53e
> 2. If requested, enter your name and email address.
> 3. If a password is required, enter the meeting password: webappsec
> 4. Click "Join".
> 
> To view in other time zones or languages, please click the link:
> https://mit.webex.com/mit/j.php?MTID=m3f8188061759c9d387834efb90e1335e
> 
> -------------------------------------------------------
> To join the audio conference only
> -------------------------------------------------------
> To receive a call back, provide your phone number when you join the
> meeting, or call the number below and enter the access code.
> US Toll Number: +1-617-324-0000
> 
> Access code:641 834 499
> Mobile Auto Dial:+1-617-324-0000,,,641834499#
> 
> -------------------------------------------------------
> For assistance
> -------------------------------------------------------
> 1. Go to https://mit.webex.com/mit/mc
> 2. On the left navigation bar, click "Support".
> 
> 
> DRAFT minutes for the teleconference will be available immediately
> following the minutes at the following URL: (where [YYYY] is the
> four-digit year, e.g. 2015, [MM] is the two-digit month, e.g. 02, and
> [DD] is the two-digit day, e.g. 07)
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Tuesday, 19 April 2016 18:47:24 UTC
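The default-src point in the agenda above is easy to see with a small model of how a user agent resolves the source list for a fetch directive. The following is an added example, not code from the thread or from any CSP implementation: it parses a serialized policy, applies the fallback to default-src only when default-src is actually present, and probes both policies from the agenda with the same three script loads. It assumes Node's built-in URL parser, ignores nonces and hashes, and matches host-sources on scheme, host (with a leading `*.`) and port only; the sample policies, origins and URLs are constructed for the demonstration.

```javascript
// Added example (not from the thread or any CSP implementation): a simplified
// model of how a user agent picks the source list that governs a fetch
// directive such as script-src. The fallback to default-src happens only when
// default-src is explicitly present; when it is absent the directive is not
// enforced at all. That is why
//   Content-Security-Policy: default-src *; upgrade-insecure-requests
//   Content-Security-Policy: upgrade-insecure-requests
// are not equivalent: '*' still excludes inline script and non-network schemes
// such as data:, while "no default-src" allows every source.
// Assumptions: nonces and hashes are not modelled, and host-source matching
// handles scheme, host (with a *. prefix) and port only, ignoring the path.

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const DEFAULT_PORT = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };

// Parse a serialized policy into Map<directiveName, sourceExpressions[]>.
function parsePolicy(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive name is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs `directive`, or null when the policy does not
// constrain it at all (neither the directive nor default-src is present).
function effectiveSourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// Does one source expression match a URL, relative to the protected resource `self`?
function sourceMatchesUrl(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === '*') return NETWORK_SCHEMES.has(url.protocol); // '*' never covers data:, blob:, etc.
  if (e === "'self'") return url.origin === self.origin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. https: or data:

  // host-source: [scheme://]host[:port][/path]
  let scheme = null;
  let rest = e;
  const m = e.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; rest = m[2]; }
  const [host, port] = rest.split('/')[0].split(':');

  const schemeOk = scheme
    ? url.protocol === scheme
    : url.protocol === self.protocol || url.protocol === 'https:';
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) && url.hostname.length > host.length - 1
    : url.hostname === host;
  const portOk = port === undefined || effectivePort(url) === port;
  return schemeOk && hostOk && portOk;
}

function allowsUrl(policy, directive, urlString, selfString) {
  const list = effectiveSourceList(policy, directive);
  if (list === null) return true; // unconstrained directive
  const url = new URL(urlString);
  const self = new URL(selfString);
  return list.some((expr) => sourceMatchesUrl(expr, url, self));
}

function allowsInline(policy, directive) {
  const list = effectiveSourceList(policy, directive);
  if (list === null) return true; // unconstrained directive: inline allowed
  return list.some((expr) => expr.toLowerCase() === "'unsafe-inline'");
}

// Probe both policies from the agenda with the same three script loads.
function compareDefaultSrcPolicies() {
  const withStar = parsePolicy('default-src *; upgrade-insecure-requests');
  const noDefault = parsePolicy('upgrade-insecure-requests');
  const self = 'https://app.example/'; // constructed protected resource
  const probes = {
    inlineScript: (p) => allowsInline(p, 'script-src'),
    cdnScript: (p) => allowsUrl(p, 'script-src', 'https://cdn.example/lib.js', self),
    dataScript: (p) => allowsUrl(p, 'script-src', 'data:text/javascript,alert(1)', self),
  };
  const result = {};
  for (const [name, probe] of Object.entries(probes)) {
    result[name] = { 'default-src *': probe(withStar), 'no default-src': probe(noDefault) };
  }
  return result;
}

console.table(compareDefaultSrcPolicies());
```

Run it with `node` and the table shows the asymmetry the agenda item is about: under `default-src *` the inline script and the `data:` script are blocked while the CDN script loads, whereas with no default-src at all every one of the three is allowed. A wording such as "otherwise the list of all possible sources" (or, more precisely, "otherwise the directive is not enforced") captures that; "otherwise `*`" does not.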