Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?
On Wed, 27 Jan 2010 23:01:17 -0800 Adam Barth aba...@webkit.org wrote: Getting this right with the approach you seem to be taking is extremely difficult. The problem is not that the local script is untrustworthy. The problem is that the web page it's interacting with might be able to steal its privileges. Thank you, but can you describe this a bit more? Even if we don't pass around the object or attach it to an object such as document or window, we are still vulnerable? How can the webpage steal privileges? Isolated worlds should be implemented in webkitgtk+ thanks to some contributors from Apple. I bet all that's left to do is add an API for accessing the functionality. The PDF is just being honest when it says reasonable assurance. I'd be extremely skeptical of someone who claims more than reasonable assurance for a commercial-grade system. Adam That's good to know. I'm looking forward to it. The reasonable assurance part, does this mean a problem with the design or is this more about potential issues with the (early) implementations? ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] changelogs: a reprise
On Tue, Jan 26, 2010 at 9:55 AM, David Kilzer ddkil...@webkit.org wrote: (2) Consider phasing in support for an alternate workflow where new ChangeLog entries for the next commit are stored separately from the versioned ChangeLog files -- perhaps in individual .changelog files for Subversion users and in the commit message for Git users. I'm not a big fan of wrapper scripts, mostly because I'll probably forget about using them since I'm so used to using the basic git/svn commands. (I guess svn-create-patch is a counter-argument to that, but I rarely use svn directly anymore.) Using .changelog-bugnum files should probably be optional if it's implemented, e.g., tools should still be smart enough (or at least as smart as they are today) to operate on ChangeLog files directly if developers choose to continue doing that. I say that because once there is a git merge driver for ChangeLog files, the need for an alternative ChangeLog workflow drops to zero, at least for me. I ran into an issue today where git diff didn't generate me a patch with the ChangeLog portion in the standard format. Namely, the ChangeLog diff had non-empty leading context (which can happen since it doesn't run fixChangeLogPatch like the svn-create-patch wrapper script). Is there a way to address this issue for Git users without using wrapper scripts or a change to the ChangeLog workflow? --Chris ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?
On Thu, Jan 28, 2010 at 12:40 AM, Dieter Plaetinck die...@plaetinck.be wrote: On Wed, 27 Jan 2010 23:01:17 -0800 Adam Barth aba...@webkit.org wrote: Getting this right with the approach you seem to be taking is extremely difficult. The problem is not that the local script is untrustworthy. The problem is that the web page it's interacting with might be able to steal its privileges. Thank you, but can you describe this a bit more? Even if we don't pass around the object or attach it to an object such as document or window, we are still vulnerable? How can the webpage steal privileges? For example, the attacker could use some of the techniques described in this paper: http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf Isolated worlds should be implemented in webkitgtk+ thanks to some contributors from Apple. I bet all that's left to do is add an API for accessing the functionality. The PDF is just being honest when it says reasonable assurance. I'd be extremely skeptical of someone who claims more than reasonable assurance for a commercial-grade system. That's good to know. I'm looking forward to it. The reasonable assurance part, does this mean a problem with the design or is this more about potential issues with the (early) implementations? Assurance is a term of art in security. It refers to how confident we are the the final system meets it's security goals. In this case, we're talking about the implementation. Often the way you get better assurance is by reducing the trusted computing base or by applying some sort of analysis tools to the system. In this case, the sense is indicating that this particular step is part of the trusted computing base. Adam ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] changelogs: a reprise
On Thu, January 28, 2010 at 4:10:11 AM, Chris Jerdonek wrote: On Tue, Jan 26, 2010 at 9:55 AM, David Kilzer wrote: (2) Consider phasing in support for an alternate workflow where new ChangeLog entries for the next commit are stored separately from the versioned ChangeLog files -- perhaps in individual .changelog files for Subversion users and in the commit message for Git users. I'm not a big fan of wrapper scripts, mostly because I'll probably forget about using them since I'm so used to using the basic git/svn commands. (I guess svn-create-patch is a counter-argument to that, but I rarely use svn directly anymore.) Using .changelog-bugnum files should probably be optional if it's implemented, e.g., tools should still be smart enough (or at least as smart as they are today) to operate on ChangeLog files directly if developers choose to continue doing that. I say that because once there is a git merge driver for ChangeLog files, the need for an alternative ChangeLog workflow drops to zero, at least for me. I ran into an issue today where git diff didn't generate me a patch with the ChangeLog portion in the standard format. Namely, the ChangeLog diff had non-empty leading context (which can happen since it doesn't run fixChangeLogPatch like the svn-create-patch wrapper script). Is there a way to address this issue for Git users without using wrapper scripts or a change to the ChangeLog workflow? I'm not sure if there is a way to fix up patches when they're created using git-diff, e.g., some kind of diff hook. Note that there is no loss of information if a ChangeLog patch isn't fixed up immediately after it's created, so the fix-up can always happen when the patch is applied later. It just looks a little ugly in the meantime. :) I also replied with more thoughts in Bug 32834. https://bugs.webkit.org/show_bug.cgi?id=32834 Dave ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
[webkit-dev] MathML Patch Review Request
There are a number of relatively new MathML related patches waiting to be reviewed: * https://bugs.webkit.org/show_bug.cgi?id=34228 - compile-time layout debugging support * https://bugs.webkit.org/show_bug.cgi?id=34275 - CSS update * https://bugs.webkit.org/show_bug.cgi?id=34277 - mover, munder, and munderover support * https://bugs.webkit.org/show_bug.cgi?id=34278 - msubsup (super subscripts) support The first two are quite simple. -- --Alex Milowski The excellence of grammar as a guide is proportional to the paucity of the inflexions, i.e. to the degree of analysis effected by the language considered. Bertrand Russell in a footnote of Principles of Mathematics ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?
On Thu, 28 Jan 2010 08:01:19 -0800 Adam Barth aba...@webkit.org wrote: On Thu, Jan 28, 2010 at 12:40 AM, Dieter Plaetinck die...@plaetinck.be wrote: On Wed, 27 Jan 2010 23:01:17 -0800 Adam Barth aba...@webkit.org wrote: Getting this right with the approach you seem to be taking is extremely difficult. The problem is not that the local script is untrustworthy. The problem is that the web page it's interacting with might be able to steal its privileges. Thank you, but can you describe this a bit more? Even if we don't pass around the object or attach it to an object such as document or window, we are still vulnerable? How can the webpage steal privileges? For example, the attacker could use some of the techniques described in this paper: http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf Thanks. very interesting article. I guess we can only wait for isolatedworlds to appear in the gtk+ port :) Dieter ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?
On Thu, Jan 28, 2010 at 11:57 AM, Dieter Plaetinck die...@plaetinck.be wrote: I guess we can only wait for isolatedworlds to appear in the gtk+ port :) I suspect they would welcome patches. (They should be pretty easy patches.) :) Adam ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
[webkit-dev] Signing up to help with some SVG bugs
Hi, I am experiencing a bug with the SVG module, I believe defined by the following two bug entries: https://bugs.webkit.org/show_bug.cgi?id=34301 https://bugs.webkit.org/show_bug.cgi?id=17043 The problem I'm having is that creating an animateMotion element in javascript will never get executed (works fine if defined in the body of the document though). So issue #17043 states that there is a missing idl file for animateMotion. I am guessing this is why elements created via javascript do nothing. That issue hasn't been updated since 2008, I'm wondering if I can help out with it? Is there a group already focusing on the SVG module? I'd like to help out with some of these other bugs SVG bugs too. I'm not sure how people are organizing themselves to tackle bugs with webkit, if there is another method for helping out, please let me know, Thanks, Mark ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
Re: [webkit-dev] Signing up to help with some SVG bugs
To contributed to WebKit, see: http://webkit.org/coding/contributing.html To contact other developers, see: http://webkit.org/contact.html Dave From: Mark Wyszomierski mar...@gmail.com To: webkit-dev@lists.webkit.org Sent: Thu, January 28, 2010 8:24:48 PM Subject: [webkit-dev] Signing up to help with some SVG bugs Hi, I am experiencing a bug with the SVG module, I believe defined by the following two bug entries: https://bugs.webkit.org/show_bug.cgi?id=34301 https://bugs.webkit.org/show_bug.cgi?id=17043 The problem I'm having is that creating an animateMotion element in javascript will never get executed (works fine if defined in the body of the document though). So issue #17043 states that there is a missing idl file for animateMotion. I am guessing this is why elements created via javascript do nothing. That issue hasn't been updated since 2008, I'm wondering if I can help out with it? Is there a group already focusing on the SVG module? I'd like to help out with some of these other bugs SVG bugs too. I'm not sure how people are organizing themselves to tackle bugs with webkit, if there is another method for helping out, please let me know, Thanks, Mark ___ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
