Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-23 Thread Aaron Whyte
That sounds perfect, thanks.

On Mon, Jul 20, 2009 at 3:20 PM, Ian Hickson  wrote:

> 
> I've made it so that you can specify "*" in the online whitelist section
> to basically open it up to anything.
>
> --
> Ian Hickson
> http://ln.hixie.ch/
> Things that are impossible just take longer.
>


[whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-20 Thread Ian Hickson
On Mon, 6 Jul 2009, Aaron Whyte wrote:
>
> When a page is loaded from an AppCache, even when online, external 
> resources such as images will not be loaded at all. If foo.com has an 
> image <img src="http://bar.com/img.png" />, then according to the steps in 
> http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
> it will fail the load for the resource.

Right; an app is intended to be self-contained, such that if it uses a 
manifest, and has been tested and shown to work (even while online), it is 
more or less guaranteed that it will work offline.


> For example, someone with an Offline Gmail client would never be able to 
> see cross-domain images in emails, even when completely online.

Good point, an app that shows uncached externally-sourced content is going 
to have trouble with the closed-sandbox model.


On Mon, 6 Jul 2009, Aaron Boodman wrote:
> 
> I think we could fix this issue by simply changing the rules to default 
> to allowing requests, and having the author mark the url prefixes he 
> wants to blacklist from being loaded from the network.

On Mon, 6 Jul 2009, Michael Nordman wrote:
>
> That would work too. We'd have to introduce a new kind of 'namespace' in 
> the manifest file.

I've made it so that you can specify "*" in the online whitelist section 
to basically open it up to anything.

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
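
Added example (not part of the original post, and not the spec's own algorithm): a simplified JavaScript model of the load decision discussed in this thread, showing how the foo.com / bar.com image request is failed by a closed manifest and sent to the network once "*" is listed under NETWORK. The manifest contents, the manifest URL and the function names are constructed for illustration.

```javascript
// Simplified model of an AppCache manifest and its load decision (added example).
function parseManifest(text, manifestUrl) {
  const m = { cache: new Set(), network: [], wildcard: false, fallback: [] };
  const abs = (u) => new URL(u, manifestUrl).href; // resolve against the manifest
  const origin = new URL(manifestUrl).origin;
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines.shift() !== "CACHE MANIFEST") throw new Error("not a manifest");
  let section = "CACHE";
  for (const line of lines) {
    if (line === "" || line.startsWith("#")) continue;
    const header = /^(CACHE|NETWORK|FALLBACK):$/.exec(line);
    if (header) { section = header[1]; continue; }
    if (section === "CACHE") m.cache.add(abs(line));
    else if (section === "NETWORK") {
      if (line === "*") m.wildcard = true; // the change announced in this thread
      else m.network.push(abs(line));      // otherwise a known URL prefix
    } else {
      const [ns, target] = line.split(/\s+/);
      // Fallback namespaces must share the manifest's origin; others are dropped.
      if (new URL(abs(ns)).origin === origin) m.fallback.push([abs(ns), abs(target)]);
    }
  }
  return m;
}

// Returns "cache", "network", "fallback" or "fail" for a request made by the app.
function decideLoad(m, url) {
  const href = new URL(url).href;
  if (m.cache.has(href)) return "cache";
  if (m.network.some((p) => href.startsWith(p))) return "network";
  if (m.fallback.some(([ns]) => href.startsWith(ns))) return "fallback";
  if (m.wildcard) return "network";
  return "fail"; // the "fail the resource load" step
}

// Constructed manifests for the foo.com / bar.com case described in the thread.
const MANIFEST_URL = "http://foo.com/app.manifest";
const closedManifest = parseManifest(
  "CACHE MANIFEST\n/index.html\nNETWORK:\n/api/\nFALLBACK:\n/photos/ /offline.png\n",
  MANIFEST_URL);
const openManifest = parseManifest(
  "CACHE MANIFEST\n/index.html\nNETWORK:\n/api/\n*\n", MANIFEST_URL);

console.log(decideLoad(closedManifest, "http://bar.com/img.png"));
console.log(decideLoad(openManifest, "http://bar.com/img.png"));
```

With "*" present, any uncached URL, including remote images in user-supplied HTML, goes to the network, which is the privacy trade-off raised elsewhere in the thread.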


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Michael Nordman
On Mon, Jul 6, 2009 at 2:40 PM, Aaron Boodman  wrote:

> On Mon, Jul 6, 2009 at 1:28 PM, Jonas Sicking wrote:
> > On Mon, Jul 6, 2009 at 11:46 AM, Aaron Whyte wrote:
> >> When a page is loaded from an AppCache, even when online, external
> >> resources such as images will not be loaded at all.
> >> If foo.com has an image <img src="http://bar.com/img.png" />, then
> >> according to the steps in
> >> http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
> >> it will fail the load for the resource.
> >> For example, someone with an Offline Gmail client would never be able to
> >> see cross-domain images in emails, even when completely online.
> >> There's no workaround in the current spec.
> >
> > The workaround is for the gmail to download the images to gmail's
> > servers and then serve them from a google domain. Not as simple as
> > simply being able to cache urls from other servers I agree, but doing
> > multi domain application caches is very complicated from a security
> > point of view so I think we wanted to stay clear of it for the first
> > iteration of the spec.
>
> The spec already provides for loading resources not in the app cache
> from the network (across origins or not). It simply defaults to not
> allowing it. You have to opt-into the url prefixes you want to load
> from the network.
>
> I think we could fix this issue by simply changing the rules to
> default to allowing requests, and having the author mark the url
> prefixes he wants to blacklist from being loaded from the network.


That would work too. We'd have to introduce a new kind of 'namespace' in the
manifest file.


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Aaron Boodman
On Mon, Jul 6, 2009 at 1:28 PM, Jonas Sicking wrote:
> On Mon, Jul 6, 2009 at 11:46 AM, Aaron Whyte wrote:
>> When a page is loaded from an AppCache, even when online, external resources
>> such as images will not be loaded at all.
>> If foo.com has an image <img src="http://bar.com/img.png" />, then according
>> to the steps in
>> http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
>> it will fail the load for the resource.
>> For example, someone with an Offline Gmail client would never be able to see
>> cross-domain images in emails, even when completely online.
>> There's no workaround in the current spec.
>
> The workaround is for the gmail to download the images to gmail's
> servers and then serve them from a google domain. Not as simple as
> simply being able to cache urls from other servers I agree, but doing
> multi domain application caches is very complicated from a security
> point of view so I think we wanted to stay clear of it for the first
> iteration of the spec.

The spec already provides for loading resources not in the app cache
from the network (across origins or not). It simply defaults to not
allowing it. You have to opt-into the url prefixes you want to load
from the network.

I think we could fix this issue by simply changing the rules to
default to allowing requests, and having the author mark the url
prefixes he wants to blacklist from being loaded from the network.

- a


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Aaron Whyte
On Mon, Jul 6, 2009 at 1:28 PM, Jonas Sicking  wrote:

>
> The workaround is for the gmail to download the images to gmail's
> servers and then serve them from a google domain.


This isn't just an email problem.  It'll also affect RSS readers, document
editors, blogging tools, and other tools where user-defined HTML appears.


> Not as simple as
> simply being able to cache urls from other servers I agree, but doing
> multi domain application caches is very complicated from a security
> point of view so I think we wanted to stay clear of it for the first
> iteration of the spec.


I'd like to stay clear of it too.  I'm not saying that all these external
images should be AppCache-able or otherwise available offline.  I simply
want the option to have them work the way they do in normal, non-AppCached
pages.


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Michael Nordman
Couple of comments...

1) Aaron's comment was not about caching them at all, it was about referring
to them from a cached application and having them load via the network as
usual. "Step 5" gets in the way of that.

2) The spec already allows for cross-origin caching, they can be explicitly
listed in a manifest file.


On Mon, Jul 6, 2009 at 1:28 PM, Jonas Sicking  wrote:

> On Mon, Jul 6, 2009 at 11:46 AM, Aaron Whyte wrote:
> > When a page is loaded from an AppCache, even when online, external
> > resources such as images will not be loaded at all.
> > If foo.com has an image <img src="http://bar.com/img.png" />, then
> > according to the steps in
> > http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
> > it will fail the load for the resource.
> > For example, someone with an Offline Gmail client would never be able to
> > see cross-domain images in emails, even when completely online.
> > There's no workaround in the current spec.
>
> The workaround is for the gmail to download the images to gmail's
> servers and then serve them from a google domain. Not as simple as
> simply being able to cache urls from other servers I agree, but doing
> multi domain application caches is very complicated from a security
> point of view so I think we wanted to stay clear of it for the first
> iteration of the spec.
>
> / Jonas
>


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Jonas Sicking
On Mon, Jul 6, 2009 at 11:46 AM, Aaron Whyte wrote:
> When a page is loaded from an AppCache, even when online, external resources
> such as images will not be loaded at all.
> If foo.com has an image <img src="http://bar.com/img.png" />, then according
> to the steps in
> http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
> it will fail the load for the resource.
> For example, someone with an Offline Gmail client would never be able to see
> cross-domain images in emails, even when completely online.
> There's no workaround in the current spec.

The workaround is for the gmail to download the images to gmail's
servers and then serve them from a google domain. Not as simple as
simply being able to cache urls from other servers I agree, but doing
multi domain application caches is very complicated from a security
point of view so I think we wanted to stay clear of it for the first
iteration of the spec.

/ Jonas


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Michael Nordman
Yup... the source of grief is...

6.9.7 Changes to the networking model
5: Fail the resource load.

The intent behind this was "making the testing of offline application
easier". Given the unintended consequence Aaron brought up, we should
probably revisit this.

Maybe only fail to load the resource if it's from the same origin as the
manifest, otherwise load as usual.



On Mon, Jul 6, 2009 at 11:46 AM, Aaron Whyte  wrote:

> When a page is loaded from an AppCache, even when online, external
> resources such as images will not be loaded at all.
> If foo.com has an image <img src="http://bar.com/img.png" />, then
> according to the steps in
>
> http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
> it will fail the load for the resource.
> For example, someone with an Offline Gmail client would never be able to
> see cross-domain images in emails, even when completely online.
>
> There's no workaround in the current spec.  For user-defined img tags, like
> those in webmail apps, the set of external domains is practically infinite.
>  The NETWORK namespace, which requires a known domain for the
> domain-matching check, won't help.  The FALLBACK namespace has to have a
> known domain, that has to be the same as the manifest's domain, so it also
> can't help.
>
>


Re: [whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Kristof Zelechovski
Not loading cross-domain images in e-mail messages is a standard privacy
feature e.g. in Microsoft Outlook.  (Indeed, that means that Microsoft
Outlook does not allow any external images, only attachments).

The workaround, to save as an HTML document and view in browser, should work.
If the images are important and viewing them stand-alone makes sense, the
user can also use the URL from image properties.

Therefore I do not think this particular problem is worth fighting with for
off-line Web applications.

IMHO,

Chris



[whatwg] In AppCache web apps, images from unpredictable domains won't load

2009-07-06 Thread Aaron Whyte
When a page is loaded from an AppCache, even when online, external resources
such as images will not be loaded at all.
If foo.com has an image <img src="http://bar.com/img.png" />, then according
to the steps in
http://www.whatwg.org/specs/web-apps/current-work/multipage/offline.html#changesToNetworkingModel
it will fail the load for the resource.
For example, someone with an Offline Gmail client would never be able to see
cross-domain images in emails, even when completely online.

There's no workaround in the current spec.  For user-defined img tags, like
those in webmail apps, the set of external domains is practically infinite.
 The NETWORK namespace, which requires a known domain for the
domain-matching check, won't help.  The FALLBACK namespace has to have a
known domain, that has to be the same as the manifest's domain, so it also
can't help.