[whatwg] HTML Microdata

2015-02-17 Thread Michael A. Peters
external via CSS selectors, because as far as I can tell, that is the right way to implement this type of thing. It should at least be an option. Michael A. Peters

Re: [whatwg] Obsolete Feature [hgroup]

2015-02-17 Thread Michael A. Peters
On 02/17/2015 03:15 PM, Barry Smith wrote: *snip* As far as validation, a document with the hgroup element will not pass when using the W3C Markup Validation Service. > > *snip* Thank You For Your Time, Barry Smith WHATWG is not W3C W3C dropped the ball (imho) and HTML became stagnant

Re: [whatwg] "resize" events on elements

2015-02-23 Thread Michael A. Peters
On 02/23/2015 05:40 PM, Dean Jackson wrote: At the recent Houdini meeting there was a vague agreement between the browser engines on adding a way for elements to be notified when their size changes. We've run into a number of scenarios where this is extremely useful, and is otherwise difficu

[whatwg] scrap the srcset attribute

2015-03-02 Thread Michael A. Peters
Dear WHATWG, Scrap the srcset attribute. Traditionally in HTML, and in every instance of XML I have personally worked with, an element's attribute is a key=value pair. Okay the type attribute for source node in audio and video, sometimes it has codecs specified there too - but that's the only

Re: [whatwg] scrap the srcset attribute

2015-03-02 Thread Michael A. Peters
On 03/02/2015 09:47 AM, Tab Atkins Jr. wrote: This is much easier to write and to maintain Is it really? With a simple key=value pair, I can: $src = trim($node->getAttribute('src')); Then I can check it - if it is relative, I can change it to reference the cdn. If it is not local, I can

Re: [whatwg] URI scheme whitelisting and the case of cryptocurrencies

2015-03-07 Thread Michael A. Peters
On 03/07/2015 11:50 AM, Krzysztof Jurewicz wrote: *snip* What are your thoughts about that? Are there any security considerations preventing the whitelist solution? Or maybe a more general one should be worked out? I do not allow bitcoin: on my servers, nor anything except for http, https,

Re: [whatwg] URI scheme whitelisting and the case of cryptocurrencies

2015-03-07 Thread Michael A. Peters
On 03/07/2015 03:40 PM, Michael A. Peters wrote: Especially crypto-currencies where even on Linux systems, the client is often not under a package management system control and may be out of date. QR codes pose the same problem but it is more difficult to trick a user into scanning a QR

Re: [whatwg] HTML6 proposal for single-page apps without Javascript

2015-03-20 Thread Michael A. Peters
On 03/20/2015 02:10 AM, Bobby Mozumder wrote: There’s a standard design pattern emerging via all the front-end javascript frameworks where content is loaded dynamically via JSON APIs. This is the single-page app web design pattern. Everyone’s into it because the responsiveness is so much be

Re: [whatwg] HTML6 single-page apps without Javascript proposal now on Github

2015-03-24 Thread Michael A. Peters
I see JavaScript as a useful tool that is seriously abused by many devs, I'm against this. But if you do it, make damn sure it has proper CSP support. On March 24, 2015 2:18:53 AM PDT, Bobby Mozumder wrote: >https://github.com/mozumder/HTML6 > >I’ll be updating that Github with more ideas and r

Re: [whatwg] HTML6 single-page apps without Javascript proposal now on Github

2015-03-24 Thread Michael A. Peters
On 03/24/2015 04:50 PM, Michael A. Peters wrote: I see JavaScript as a useful tool that is seriously abused by many devs, I'm against this. But if you do it, make damn sure it has proper CSP support. I would like to clarify that when I say I am against this, I am not opposed t

Re: [whatwg] HTML6 single-page apps without Javascript proposal now on Github

2015-03-25 Thread Michael A. Peters
On 03/25/2015 12:39 AM, Janusz Majnert wrote: OK. This makes no sense for me. So you propose that the server does simple translation of SQL from url to actual query, but you don't see any security issue with this? If on the other hand you're proposing that the server validates the sql sent b

Re: [whatwg] HTML6 proposal for single-page apps without Javascript

2015-03-27 Thread Michael A. Peters
On 03/27/2015 06:51 PM, Miles Fidelman wrote: I've been reading through the discussion thread, all of which seems to jump immediately into the weeds of specific details of the proposal. I'm amazed that nobody has yet commented on the implicit premise, which I read as: - JavaScript is a proces

Re: [whatwg] HTML6 proposal for single-page apps without Javascript

2015-04-02 Thread Michael A. Peters
On 04/02/2015 04:08 AM, Andrea Rendine wrote: Well, this means that we must also simplify CSS, don't you think so? all that stuff about media queries, about animation and transitions, pseudo-elements, pseudo-classes, how can poor Tumblr users learn that? Oh god yes, I like CSS selectors but

[whatwg] JavaScript Hovers and Back Button

2016-04-13 Thread Michael A. Peters
It needs to be made very clear as a web standard that no JavaScript action can disable UI functions such as the back button. A very common abuse is that when pulling the mouse to hit the back button because you are not interested in a page, a hover comes up and when the hover comes up, the bac

Re: [whatwg] JavaScript Hovers and Back Button

2016-04-13 Thread Michael A. Peters
they feel like they have no control. It's effing stupid that anyone ever thought it was a good idea to let JavaScript disable the standard browser controls. As browsers have done that, it needs to be specified that JavaScript can't do that. On 04/13/2016 12:44 PM, Michael A. Peters wrot

Re: [whatwg] JavaScript Hovers and Back Button

2016-04-13 Thread Michael A. Peters
the tab or quitting the browser. On 04/13/2016 12:54 PM, Jonathan Zuckerman wrote: I have heard of a lot of abuses but never actually come across this particular one, can you point us to a site that demonstrates it? On Wed, Apr 13, 2016 at 3:53 PM, Michael A. Peters wrote: This btw is a

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Michael A. Peters
On 11/01/2016 02:42 AM, Roger Hågensen wrote: I was wondering how can a server or script identify if a request is from page, iframe or xhr? Doing this would not prevent any XSS attacks, but it would allow a server/server-side script to detect a potential XSS attack. I could not find any mention

Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

2016-11-01 Thread Michael A. Peters
On 11/01/2016 03:32 AM, Roger Hågensen wrote: On 2016-11-01 10:42, Roger Hågensen wrote: I was wondering how can a server or script identify if a request is from page, iframe or xhr? I really hate answering myself (and so soon after making a post) but it seems I have found the answer at https

Re: [whatwg] possible new parameters to video.play() ?

2016-11-01 Thread Michael A. Peters
On 09/19/2016 07:41 AM, Simon Pieters wrote: There is always room for adding convenience APIs, it's a matter of demonstrating that it's a common enough need to make it worth the cost of adding it. https://wiki.whatwg.org/wiki/FAQ#Where.27s_the_harm_in_adding.E2.80.94 HTH, * OFF TOPIC * Goi

[whatwg] Push API and Endpoints

2016-11-15 Thread Michael A. Peters
I'm starting to play with Push API and it dawned on me - The client retrieves the endpoint from the browser and sends it to the web application server. The web application server then sends data to the endpoint, using the data provided by the client. Is there any mechanism by which the appli

[whatwg] WhatWG is broken

2016-11-30 Thread Michael A. Peters
https://www.w3.org/TR/html-design-principles/#priority-of-constituencies 3.2. Priority of Constituencies In case of conflict, consider users over authors over implementors over specifiers over theoretical purity. In other words costs or difficulties to the user should be given more weight than

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-11-30 Thread Michael A. Peters
On 11/30/2016 05:23 PM, Ian Hickson wrote: On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters wrote: Right now the specification for window.opener() is seriously insecure, allowing for cross-domain script access by default. I believe that's a bit of an overstatement. There are cert

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-11-30 Thread Michael A. Peters
On 11/30/2016 06:21 PM, Michael A. Peters wrote: On 11/30/2016 05:23 PM, Ian Hickson wrote: On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters wrote: Right now the specification for window.opener() is seriously insecure, allowing for cross-domain script access by default. I believe that

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
On 12/01/2016 05:39 PM, Domenic Denicola wrote: From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian Hickson I believe that's a bit of an overstatement. There are certainly risks involved in window.opener (they're briefly discussed in the spec itself), but it doesn't remove

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
Well if it was done as a header, I suppose it could be added as a http-equiv meta tag for those who want to. Header is the easiest solution to make sure it is applied everywhere without question. It could even be added at the front-end proxy to cover numerous web applications on many domains a

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
On 12/01/2016 06:14 PM, Elliott Sprehn wrote: On Wed, Nov 30, 2016 at 10:53 PM, Boris Zbarsky wrote: On 12/1/16 1:41 AM, Chris Holland wrote: I think the devil would be in implementation detail. Slapping a "rel/noopener" attribute on a specific link is very deterministic and straightforward

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-01 Thread Michael A. Peters
dow.opener cross-domain? Is the UA not a logical and uniform place for this? BTW I've also experienced the GitHub topic-closure nazis many times :-( On Fri, Dec 2, 2016 at 10:42 AM, Michael A. Peters wrote: Well if it was done as a header, I suppose it could be added as a http-equiv met

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters
ntial-management/ rely on this flaw? On Fri, Dec 2, 2016 at 11:44 AM, Michael A. Peters wrote: If window.opener() did not work cross-domain then as far as I can tell that would be secure. On 12/01/2016 07:23 PM, Richard Maher wrote: I see what you're saying Michael and also agree it's

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters
On 12/02/2016 08:23 AM, Boris Zbarsky wrote: On 12/2/16 11:01 AM, Michael A. Peters wrote: Personally I love CSP but it does not allow inline scripts or inline CSS Only if you say to not allow them. The default behavior allows them. For example, this disallows inline scripts, because script

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters
On 12/02/2016 08:47 AM, Boris Zbarsky wrote: On 12/2/16 11:34 AM, Michael A. Peters wrote: It seems that CSP behavior has radically changed since the last time I looked at it I can't speak to when you last looked at it, but the current state shipping in browsers is, as far as I kno

[whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
This was inspired by inspection of a style-sheet in the wild that uses screen-width to try and reduce bandwidth needs of mobile devices. I like the concept, but very often I use my mobile devices where bandwidth doesn't matter and my laptop via a mifi where bandwidth does matter. I would lik

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
perience, so you can build the feature you're asking for using existing parts. It's not baked into the platform, but because of the nature of the web and vagueness of the requirements, I'm not sure it's possible to do any better. On Fri, Dec 9, 2016 at 9:07 AM Michael A. Peters

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
because of the nature of the web and vagueness of the requirements, I'm not sure it's possible to do any better. On Fri, Dec 9, 2016 at 9:07 AM Michael A. Peters wrote: This was inspired by inspection of a style-sheet in the wild that uses screen-width to try and reduce bandwidth nee

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
nt to trigger the css rules for that experience, so you can build the feature you're asking for using existing parts. It's not baked into the platform, but because of the nature of the web and vagueness of the requirements, I'm not sure it's possible to do any better. On Fri,

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
On 12/09/2016 09:03 AM, Boris Zbarsky wrote: On 12/9/16 5:57 AM, Michael A. Peters wrote: max-height and max-width and orientation change, but device-width does not change. Just as a point of fact, device-width can absolutely change. The simplest case is a two-monitor setup with the window

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
ted. [1] https://dvcs.w3.org/hg/dap/raw-file/tip/network-api/Overview.html On Fri, Dec 9, 2016 at 12:43 PM Michael A. Peters wrote: On 12/09/2016 09:03 AM, Boris Zbarsky wrote: On 12/9/16 5:57 AM, Michael A. Peters wrote: max-height and max-width and orientation change, but device-width does not

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
y it can be more easily vetted and tested. [1] https://dvcs.w3.org/hg/dap/raw-file/tip/network-api/Overview.html On Fri, Dec 9, 2016 at 12:43 PM Michael A. Peters wrote: On 12/09/2016 09:03 AM, Boris Zbarsky wrote: On 12/9/16 5:57 AM, Michael A. Peters wrote: max-height and max-width and orient

Re: [whatwg] Media query for bandwidth ??

2016-12-09 Thread Michael A. Peters
On 12/09/2016 06:14 PM, Florian Rivoal wrote: On Dec 9, 2016, at 23:07, Michael A. Peters wrote: This was inspired by inspection of a style-sheet in the wild that uses screen-width to try and reduce bandwidth needs of mobile devices. I like the concept, but very often I use my mobile devices

[whatwg] header for JSON-LD ???

2017-07-21 Thread Michael A. Peters
I am (finally) starting to implement JSON-LD on a site, it generates a lot of data that is useless to the non-bot typical user. I'd prefer to only stick it in the head when the client is a crawler that wants it. Wouldn't it be prudent if agents that want JSON-LD can send a standardized heade

Re: [whatwg] header for JSON-LD ???

2017-07-23 Thread Michael A. Peters
you should probably first run your proposal by a group that likes JSON-LD. Maybe public-rdf-comme...@w3.org referenced from https://www.w3.org/TR/json-ld/? Or an issue against https://github.com/json-ld/json-ld.org? Jeffrey On Fri, Jul 21, 2017 at 2:21 PM, Michael A. Peters wrote: I am (finally) s

Re: [whatwg] header for JSON-LD ???

2017-07-23 Thread Michael A. Peters
On 07/23/2017 02:42 PM, Qebui Nehebkau wrote: On 23 July 2017 at 14:12, Michael A. Peters wrote: It's a beautiful way to create structured data separate from the content, just like layout (CSS) is best kept separate from the content. [...] I wonder why people on this list don'

Re: [whatwg] header for JSON-LD ???

2017-07-23 Thread Michael A. Peters
On 07/23/2017 03:33 PM, Michael A. Peters wrote: On 07/23/2017 02:42 PM, Qebui Nehebkau wrote: *snip* I can't speak for anyone else - I can barely speak for myself - but I think I'd argue that, intuitively, if your structured data isn't logically part of your content, there

Re: [whatwg] header for JSON-LD ???

2017-07-24 Thread Michael A. Peters
's your objection to displaying this information to humans? How can you justify displaying different content to different classes of user? On Sun, Jul 23, 2017 at 8:13 PM Michael A. Peters wrote: On 07/23/2017 03:33 PM, Michael A. Peters wrote: On 07/23/2017 02:42 PM, Qebui Nehebkau wrote: *snip*

Re: [whatwg] header for JSON-LD ???

2017-07-24 Thread Michael A. Peters
On 07/24/2017 04:43 PM, Qebui Nehebkau wrote: On 24 July 2017 at 19:21, Michael A. Peters wrote: But if you define your structured data as attributes then information about the other 11 is not available to machines that fetch the page and want to know what the page offers. It sounds like

Re: [whatwg] header for JSON-LD ???

2017-07-25 Thread Michael A. Peters
On 07/25/2017 10:45 AM, Jonathan Zuckerman wrote: This suggestion might have more success with the W3C? I'm not completely clear on the politics and history of the two orgs, but it seems like the W3C has supported JSON-LD in the past, so they might have some interest in expanding it. On a person

Re: [whatwg] header for JSON-LD ???

2017-07-25 Thread Michael A. Peters
On 07/25/2017 02:29 PM, Qebui Nehebkau wrote: Wow, that was unnecessary. "Working with the web since the late 90s" doesn't intrinsically make you any more right or any better a web designer than some 12-year-old from Geocities. If maintaining your worldview depends on assuming that anyone who dis

Re: [whatwg] header for JSON-LD ???

2017-07-25 Thread Michael A. Peters
On 07/25/2017 02:42 PM, Qebui Nehebkau wrote: On 25 July 2017 at 17:32, Michael A. Peters wrote: Nor does his assumption that I am "new" to the web somehow disqualify me from making suggestions with current use cases that could reduce the bloat of traffic. Oh, then I

[whatwg] Allow alt attribute with the span element

2017-10-06 Thread Michael A. Peters
With images, the alt attribute can and should be used to give a description of an image for users who can not see the image. With text, some glyphs are pictographs that have a meaning. For example, U+1F502 is a pictograph indicating single loop, but it is meaningless if you can not see it. E

Re: [whatwg] Allow alt attribute with the span element

2017-10-06 Thread Michael A. Peters
uld do exactly what you're asking for in the given scenario. On Fri, Oct 6, 2017 at 11:15 AM, Michael A. Peters wrote: With images, the alt attribute can and should be used to give a description of an image for users who can not see the image. With

Re: [whatwg] Allow alt attribute with the span element

2017-10-06 Thread Michael A. Peters
On 10/06/2017 08:44 AM, Léonie Watson wrote: On 06/10/2017 11:26, Michael A. Peters wrote: Nope, no problem at all. That looks like a simple solution I did not find. Thank you. Note that you need to provide an explicit role on the span if you use aria-label to provide its accessible name

[whatwg] JavaScript function for closing tags

2017-10-13 Thread Michael A. Peters
There does not seem to be a JavaScript API for closing open tags. This is problematic when dealing with WebVTT which does not require tags be closed. Where it is the biggest problem is when the document is being served as XML+XHTML I tried the following hack which seemed to be working: cle

Re: [whatwg] JavaScript function for closing tags

2017-10-14 Thread Michael A. Peters
io or video players. On 10/14/2017 12:46 AM, Silvia Pfeiffer wrote: Hi Michael, It seems to me that the TextTrack API is made for this use case. Why does it not work for you? Cheers, Silvia. On Sat, Oct 14, 2017 at 4:36 PM, Michael A. Peters wrote: There does not seem to be a JavaScript

Re: [whatwg] JavaScript function for closing tags

2017-10-17 Thread Michael A. Peters
On 10/16/2017 10:08 AM, Roger Hågensen wrote: On 2017-10-14 10:13, Michael A. Peters wrote: I use TextTrack API but its documentation does not specify that it closes open tags within a cue, in fact I'm fairly certain it doesn't because some people use it for json and other r

[whatwg] new tag and possible new aria role

2017-11-12 Thread Michael A. Peters
On websites that either are age restricted and/or have content that may be offensive to some people, often (but not as often as I'd like) there is a warning splashscreen that the server puts in the page if the user has not already agreed to see such content. One way to do this is with a div tha

Re: [whatwg] new tag and possible new aria role

2017-11-12 Thread Michael A. Peters
Thank you! That does seem like it is exactly what I need. On 11/12/2017 12:11 AM, Yay295 wrote: I think the alertdialog role fits here. https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA/ARIA_Techniques/Using_the_alertdialog_role On Sun, Nov 12, 2017 at 1:03 AM, Michael A. Peters

Re: [whatwg] new tag and possible new aria role

2017-11-12 Thread Michael A. Peters
: There is another problem with Modals on webpages. When there is a modal created through HTML and CSS, the user can still select items in the background by pressing tab. It seems that there is no good solution to prevent it. Am 12.11.2017 um 09:59 schrieb Michael A. Peters: Thank you! That does

Re: [whatwg] new tag and possible new aria role

2017-11-12 Thread Michael A. Peters
nberg wrote: There is another problem with Modals on webpages. When there is a modal created through HTML and CSS, the user can still select items in the background by pressing tab. It seems that there is no good solution to prevent it. Am 12.11.2017 um 09:59 schrieb Michael A. Peters: Thank you!

Re: [whatwg] HTML tags for POEM and MUSIC LYRICS

2017-12-11 Thread Michael A. Peters
On 12/11/2017 04:30 AM, Jirka Kosek wrote: On 11.12.2017 11:39, Christoph Päper wrote: As with and , HTML could also add or something similar to embed MusicXML. Lyrics are a subset of musical notation and poems are, arguably, a special kind of lyrics (or the other way around). This would r