Re: [Element Traversal LC] access to element by index

[Jonas Sicking]

If we're not 100% compatible with SVG, why would they oppose an 
improvement like the suggested one?


Content that uses childElements[...] would not function correctly
in SVG Tiny 1.2 implementations for no particularily good reason.


I'm not following this argument at all. Neither would content that uses 
.globalStorage, .forms, .querySelector or anything else that's not in 
the SVG Tiny spec.


We're trying to make a new API here, of course content that uses that 
API isn't going to work in implementations that don't support it.


/ Jonas

Re: [XHR2] onprogress Event issue

[Jonas Sicking]

Julien Chaffraix wrote:

Hi everyone,

We are in the process of implementing XHR onprogress attribute on
WebKit and arises a compatibility issue with the Firefox
implementation.
Currently the XHR2 draft specifies that we use the ProgressEvent
interface for onprogress events whereas Firefox uses the DocumentLS
LSProgressEvent interface.
We are left wondering which way to go.
Does someone know what the prospects are: will Firefox change its
behavior in the future or should we ask for a modification of the
draft?


This is definitely a good question, one that I'd like to see addressed too.

I think that if the spec remains as is Firefox would likely fire events 
that implements both the ProgressEvent interface and the LSProgressEvent 
interface, but encourage people to use the ProgressEvent interface. 
Possibly even by putting a message in the error console when the old 
interface properties are accessed.


/ Jonas

Re: [Element Traversal LC] access to element by index

[Jonas Sicking]

Daniel Glazman wrote:


I'm actually not sure.  How often do authors want to get the third 
child without knowing anything more about it than that it's an 
element? Iterating through the kids (by means of ET or '.childNodes') 
gives you much more context information (what type of element it is, 
what it's bbox is, whether or not it has text/child content, etc.).  
Not trying to be a pain, but can you identify a concrete use case?


[admin: please Cc me, I am not following this mailing-list]

I probably has to use it in my daily code - find the n-th child element
of another given element - at least a dozen times in the last fifteen
days. Iterating through the kids is a for my point of view pure bloat
compared to myFooElement.childElements.item(3)...


I agree with Daniel, while I don't write a lot of javascript myself I've 
seen a number of cases like this in the javascript used to implement 
firefox:


bar = foo.parentNode.parentNode.childNodes.item(3).firstChild;

Basically I wonder why we wouldn't give access to items by index? 
Complexity of implementation really can't be an argument here, the 
amount of code to implement this is trivial, especially compared to all 
other things required by a browser or DOM implementation. Like Boris 
pointed out it's likely that an implementation could reuse existing 
code, but even if that isn't the case I would imagine that the code to 
implement this property is laughable compared to the code needed to draw 
an antialiased spline or implementing DOM events (part of which I use as 
a hiring interview question due to its complexity).


I remember in the initial releases of gecko we got a lot of support 
questions from people wondering why their DOM-using code didn't work in 
Netscape when it worked in IE. The reason was that IE didn't create DOM 
nodes for whitespace-only nodes and so the DOM was significantly 
different and harder to figure out where your nodes lived. 
getElementById helped to some extent here, and I think that recent 
development of javascript libraries has helped a lot too. However if we 
are arguing that people should use those solutions there really is no 
need for the ElementTraversal spec at all.


So I honestly can't understand the complexity argument at all. I think 
ElementTraversal is something that users really want and would be 
trivial to implement with or without .childElements. So there really is 
no need to cut corners and good arguments not to.


/ Jonas

Re: [Element Traversal LC] access to element by index

[Henri Sivonen]

On Apr 2, 2008, at 00:48, Boris Zbarsky wrote:
OK.  So item() would be available on Element after casting it to  
NodeList in those implementations.  I guess you're saying that the  
cast would not longer be unambiguous if there were multiple  
NodeLists that might make sense?  So childElements couldn't be  
implemented with a |return this;|?


That doesn't seem like such a terrible implementation burden to me,  
to be honest...



I'm not claiming it would be awfully hard, but it does change the  
impact of Element Traversal from adding four or five methods on an  
existing class (mere code footprint; super-simple) to adding more run- 
time object instances. And then, there are issues like should  
childElements return the same object every time. And if yes, then the  
implementor needs to add a new pointer to each element node or to add  
a hashtable on the owner document or something along those lines.  
Again, not awfully hard, but still more complex than just adding  
convenience methods on an existing class. And to what end? To use  
indexing instead of list-style iteration.


--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/

Re: [Element Traversal LC] access to element by index

[Daniel Glazman]

Bjoern Hoehrmann wrote:


It would be easier to define that, if the argument starts with a non-
white space combinator, it is prefixed with a selector that selects the
element node it is called on and only that node. That would give you

  myFooElement.querySelectorAll(*)[3]


Urgh, to say the least.

First it means the argument of querySelectorAll is not always
a valid Selector. That is bad design. With both my Selectors spec's
editor and my CSS WG Co-Chair hats on, that's not desirable.

Second, querySelectorAll's implementation would need to parse the
first token of the argument to recognize it, and would then rely
on the Selectors parser one first time before calling a second time
to resolve the selector. Or, second possibility, the Selectors parser
has to be tweaked to add a context if the first token is a combinator.
From my implementor's perspective, both are NOT acceptable. Really
really ugly.


We could also standardize the popular .getChildrenByTagName() method,
that would give the similar

  myFooElement.getChildrenByTagName(*)[3]


First it's not that popular. I write complex JS code on a daily basis
and that's the first time I hear of it. Second, once again I don't see
why we have childNode.item() and not childElements.item().
Please give one *good* reason why we cannot do that. Performance ? Let
me laugh ! Complexity of implementation ? I guess Jonas answered to
that. No use cases ? I would use it immediately and the JS code of
Firefox and extensions is full of use cases.

Speaking of memory footprint and performance, I certainly prefer getting
the nth element child individually through item() rather than getting
the whole list of children and then reaching the nth index of it...


Either would be preferable over

  myFooElement.querySelector(:nth-child(3), null, myFooElement)


Well... From a design perspective, that is MUCH better than your
querySelectorAll() tweak above...

/Daniel

Re: [Element Traversal LC] access to element by index

[Jonas Sicking]

Henri Sivonen wrote:


On Apr 2, 2008, at 12:44, Jonas Sicking wrote:

And to what end? To use indexing instead of list-style iteration.


Exactly. Something that I would imagine is quite commonly done. Note 
that we're not just talking iterating over a full DOM tree, we're also 
talking about navigating around in a DOM tree from one known specific 
node to another.


It seems to me that allowing indexed access to children creates a 
similar kind of problem that allowing indexed access to strings by 
UTF-16 code unit has created. Allowing app code to index into platform 
structures that are most commonly forward-iterated seems like an 
anti-pattern in terms of what implementation constraints are placed if 
the impression that the app developer gets is that indexing has the 
performance properties of array access and that it is OK to write app 
code with that assumption.


What makes you think that most users of the DOM-tree does 
forward-iteration? This is not my experience with the code I've seen. 
Rather it has been trying to get to specific nodes within a tree.


The same argument can be made for .nextElementSibling, why give 
forward-iterating access into platform structures that are most commonly 
index-accessed?


/ Jonas

Re: [Element Traversal LC] access to element by index

[Henri Sivonen]

On Apr 2, 2008, at 12:44, Jonas Sicking wrote:

And to what end? To use indexing instead of list-style iteration.


Exactly. Something that I would imagine is quite commonly done. Note  
that we're not just talking iterating over a full DOM tree, we're  
also talking about navigating around in a DOM tree from one known  
specific node to another.



It seems to me that allowing indexed access to children creates a  
similar kind of problem that allowing indexed access to strings by  
UTF-16 code unit has created. Allowing app code to index into platform  
structures that are most commonly forward-iterated seems like an anti- 
pattern in terms of what implementation constraints are placed if the  
impression that the app developer gets is that indexing has the  
performance properties of array access and that it is OK to write app  
code with that assumption.


--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/

Re: [Element Traversal LC] access to element by index

[Daniel Glazman]

Jonas Sicking wrote:


Bjoern Hoehrmann wrote:

We could also standardize the popular .getChildrenByTagName() method,
that would give the similar

  myFooElement.getChildrenByTagName(*)[3]


This seems like an excellent idea. To do in addition to the 
ElementTraversal spec.


I understand from Jonas's answer that he also never heard before
of that popular getChildrenByTagName()...

/Daniel

Re: [Element Traversal LC] access to element by index

[Henri Sivonen]

On Apr 2, 2008, at 13:20, Jonas Sicking wrote:

Henri Sivonen wrote:

On Apr 2, 2008, at 12:44, Jonas Sicking wrote:

And to what end? To use indexing instead of list-style iteration.


Exactly. Something that I would imagine is quite commonly done.  
Note that we're not just talking iterating over a full DOM tree,  
we're also talking about navigating around in a DOM tree from one  
known specific node to another.
It seems to me that allowing indexed access to children creates a  
similar kind of problem that allowing indexed access to strings by  
UTF-16 code unit has created. Allowing app code to index into  
platform structures that are most commonly forward-iterated seems  
like an anti-pattern in terms of what implementation constraints  
are placed if the impression that the app developer gets is that  
indexing has the performance properties of array access and that it  
is OK to write app code with that assumption.


What makes you think that most users of the DOM-tree does forward- 
iteration? This is not my experience with the code I've seen. Rather  
it has been trying to get to specific nodes within a tree.


If one wants a specific node, why not put an id on it and use  
getElementById? Knowing that you want the fifth element child of  
another element requires a priori knowledge of the document tree shape  
anyway. That said, I don't think there's a problem with having a  
getChildElementByIndexThisIsNotGuaranteedToBeArrayAccess() if you  
really want to get the nth element child only instead of iterating  
with an index.


The same argument can be made for .nextElementSibling, why give  
forward-iterating access into platform structures that are most  
commonly index-accessed?



Indeed the argument I made should lead to iterator objects instead of  
either item(n) or nextSibling.


I think one of the major design flaws of the DOM is that it gives two  
views to the tree without specifying the performance characteristics  
of those views. App developers who like linked lists may reasonable  
assume that nextSibling is a mere pointer dereference. App developers  
who like arrays may reasonably assume that item(n) is a mere array  
access. Now DOM implementations are damned either way and have to do  
tricks to make the non-native view fast as well.


(From what I've said so far, it can be guessed that I prefer the  
linked list view. :-)


--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/

Re: [XHR2] onprogress Event issue

[Jonas Sicking]

Anne van Kesteren wrote:

On Wed, 02 Apr 2008 08:54:17 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:
This is definitely a good question, one that I'd like to see addressed 
too.


I think that if the spec remains as is Firefox would likely fire 
events that implements both the ProgressEvent interface and the 
LSProgressEvent interface, but encourage people to use the 
ProgressEvent interface. Possibly even by putting a message in the 
error console when the old interface properties are accessed.


If we want a different interface I think the progress events 
specification should be changed. XMLHttpRequest Level 2 simply uses 
whatever Progress Events 1.0 defines at this point and I'd like to keep 
it that way.


FWIW i'm fine with keeping things the way they are. Though there is 
definitely a risk that other vendors will have to implement the 
LSProgressEvent interface as well in order to support content out there 
that is written for firefox. But we're talking about two extra 
properties whose implementation will basically just be to forward to 
another property so I doubt that it's a big burden.


/ Jonas

Re: [Element Traversal LC] access to element by index

[Jonas Sicking]

Daniel Glazman wrote:

Jonas Sicking wrote:


Bjoern Hoehrmann wrote:

We could also standardize the popular .getChildrenByTagName() method,
that would give the similar

  myFooElement.getChildrenByTagName(*)[3]


This seems like an excellent idea. To do in addition to the 
ElementTraversal spec.


I understand from Jonas's answer that he also never heard before
of that popular getChildrenByTagName()...


I hadn't, but I wouldn't expect to either since I'm not looking at 
toolkits that often.


But I was serious about thinking that adding the function seems like a 
good idea. It's currently much too painful to navigate around in the DOM 
so it's something we should try to fix.


/ Jonas

Re: [Element Traversal LC] access to element by index

[Daniel Glazman]

Jonas Sicking wrote:

But I was serious about thinking that adding the function seems like a 
good idea. It's currently much too painful to navigate around in the DOM 
so it's something we should try to fix.


Agreed.

/Daniel

Re: [Element Traversal LC] access to element by index

[Henri Sivonen]

On Apr 2, 2008, at 15:09, Jonas Sicking wrote:
It can be a pain to add IDs to *all* the nodes you ever access. A  
pattern i've seen a lot is to have small repeating sections in a  
page, and then navigating within that repeated section.


That makes sense.

That said, I don't think there's a problem with having a  
getChildElementByIndexThisIsNotGuaranteedToBeArrayAccess() if you  
really want to get the nth element child only instead of iterating  
with an index.


Sure, as long as we also  
add .firstElementChildThisIsNotGuaranteedToBePropertyAccess ;)


Hmm. Somehow I thought it would be a given that nextElementSibling/ 
firstElementChild wouldn't be direct pointers but convenience getters  
built on top of nextSibling and firstChild. But I guess an app  
developer might as well expect the DOM to maintain lots and lots of  
direct pointers...


Anyway, myFooElement.getChildrenByTagName(*)[3] looks like it does  
something more expensive than myFooElement.childElements[3] even if  
the implementation were the same, so they give app developers  
different expectations of performance characteristics.


The same argument can be made for .nextElementSibling, why give  
forward-iterating access into platform structures that are most  
commonly index-accessed?
Indeed the argument I made should lead to iterator objects instead  
of either item(n) or nextSibling.
I think one of the major design flaws of the DOM is that it gives  
two views to the tree without specifying the performance  
characteristics of those views. App developers who like linked  
lists may reasonable assume that nextSibling is a mere pointer  
dereference. App developers who like arrays may reasonably assume  
that item(n) is a mere array access. Now DOM implementations are  
damned either way and have to do tricks to make the non-native view  
fast as well.


Honestly, is this really a big problem? It used to be that iterating  
a child list using .nextSibling was O(N^2).


It was a problem for me when I tried to walk the HTML5 spec in Firefox  
1.5 using iterative traversal with firstChild/nextSibling/parentNode.  
Firefox 1.5 performed a *lot* worse than the then-current versions of  
Opera and Safari. And the spec was a lot smaller back then, too. :-)


--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/

Re: [Element Traversal LC] access to element by index

[Henri Sivonen]

On Apr 2, 2008, at 16:21, Henri Sivonen wrote:
It was a problem for me when I tried to walk the HTML5 spec in  
Firefox 1.5 using iterative traversal with firstChild/nextSibling/ 
parentNode. Firefox 1.5 performed a *lot* worse than the then- 
current versions of Opera and Safari. And the spec was a lot smaller  
back then, too. :-)



It turns out that I still have the test case around:
http://hsivonen.iki.fi/test/dom-walk-perf.html

I think it is perfectly reasonable to expect this algorithm to be the  
fast way to walk when you see a tree with first child, sibling and  
parent references:


function walk(node) {
  var current = node;
  var next = null;
  for (;;) {
if (next = current.firstChild) {
   current = next;
   continue;
}
break;
for (;;) {
  if (next = current.nextSibling) {
current = next;
break;
  }
  current = current.parentNode;
  if (current == node) {
return;
  }
}
  }
}

With Element Traversal, I think it would be reasonable to expect the  
above algorithm to be the fast way to walk the elements when s/ 
firstChild/firstElementChild/ and s/nextSibling/nextElementSibling/.


--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/

Re: [Element Traversal LC] access to element by index

[Henri Sivonen]

On Apr 2, 2008, at 16:50, Henri Sivonen wrote:

   if (next = current.firstChild) {
  current = next;
  continue;
   }
   break;



Please disregard that break;. (Left-over from a switch that was  
obscuring the main point of the algorithm.)


--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/

Re: DOM3 Events Keyflow

[Olli Pettay]

Hi all,

I did some key event testing, mainly on Windows.
Tested FF3, Safari3.1, Opera9.5 (not IE, because of its non-DOM-events).
When just pressing one character key all the browsers dispatch
'keydown', 'keypress', 'input', 'keyup', but Safari dispaches also
'textInput' right before 'input'.

So the key event dispatching in non-IME cases is quite similar in all
those browsers - at least when the testcase is simple enough :)

But when enabling IME things change quite a bit.
The testcase was simply to press 'k' and 'a' and enter
to get one Hiragana symbol. MS IME Standard 2002 ver 8.1 was
used for the testing.

Opera seems to dispatch only the first 'keydown' and when
the composition is ready one 'input'. Subsequent IME compositions
don't trigger keydown, only 'input' events.

Safari does something like:
'keydown', 'input', 'keyup', 'keydown', 'input', 'input', 'keyup',
'keydown', 'input', 'textInput', 'input', 'keyup'.
That is quite many 'input' events.

Gecko has for a long time had few events for
IME, so the event flow in the testcase goes like this:
'keydown', 'keypress', 'compositionstart', 'text', 'text', 'text', 
'input', 'compositionend', 'keyup'

I don't like the event name 'text' (which is dispatched for each
component in the composition, or how to say) but it has been there
since 1999. The names 'compositionstart' and 'compositionend' are ok.
If those gecko-only-events are removed from the flow, it looks just like
the normal key event handling: 'keydown', 'keypress', 'input', 'keyup'
Pretty nice, IMHO.

My testing may miss some events, especially if non-gecko-engines
have some their own events.

I attached also one quick version of gecko-key-event-flow.
It may contain bugs and doesn't cover all the cases.

-Olli


Doug Schepers wrote:

Hi, WebAPI fans-

This past week in the DOM3 Events telcon, we discussed the order of key
events for the DOM3 Events specification, with attention paid to IME. We
are hoping to model the most platform-independent event order, and are
seeking active feedback from Apple, Microsoft, Mozilla, Opera, and
anyone else with experience in implementing keyboard events (especially
with regards to internationalization).

I've made a trial schematic to get us started [1]. I've also modeled it
in Graphviz, and I've included the Dot format file here (attached).
Graphviz is free open source software [2], and the Dot format is really
simple to edit.

We are hoping to discuss this again at next week's teleconference.

[1]
http://dev.w3.org/2006/webapi/DOM-Level-3-Events/proposals/d3e-keyflow.svg
[2] http://www.graphviz.org/

Regards-
-Doug Schepers
W3C Team Contact, SVG, CDF, and WebAPI


inline: gecko-keyflow.svg

Re: [Element Traversal LC] access to element by index

[Maciej Stachowiak]

On Apr 2, 2008, at 2:44 AM, Jonas Sicking wrote:



Henri Sivonen wrote:

On Apr 2, 2008, at 00:48, Boris Zbarsky wrote:
OK.  So item() would be available on Element after casting it to  
NodeList in those implementations.  I guess you're saying that the  
cast would not longer be unambiguous if there were multiple  
NodeLists that might make sense?  So childElements couldn't be  
implemented with a |return this;|?


That doesn't seem like such a terrible implementation burden to  
me, to be honest...
I'm not claiming it would be awfully hard, but it does change the  
impact of Element Traversal from adding four or five methods on an  
existing class (mere code footprint; super-simple) to adding more  
run-time object instances. And then, there are issues like should  
childElements return the same object every time. And if yes, then  
the implementor needs to add a new pointer to each element node or  
to add a hashtable on the owner document or something along those  
lines. Again, not awfully hard, but still more complex than just  
adding convenience methods on an existing class.


Sure it's more complex, but it's still trivial.


In WebKit, it would be more than one line of code to add a new kind of  
NodeList. Not a ridiculous amount of code though.


However, I think live NodeLists are an anti-pattern. They tend to be  
horrible for performance in the face of mutation (and even when there  
isn't mutation, extra objects are allocated). This is part of why I  
strongly argued for querySelectorAll to return a non-live list. And  
using indexing is not really any more convenient than using next/ 
previous methods.


I can live with the editor's decision either way on this one.

Cheers,
Maciej

Re: [Element Traversal LC] access to element by index

[Boris Zbarsky]

Henri Sivonen wrote:
I'm not claiming it would be awfully hard, but it does change the impact 
of Element Traversal from adding four or five methods on an existing 
class (mere code footprint; super-simple)


That depends on what performance characteristics callers expect or UAs want to 
provide.  More on that below.


And then, there are issues like should childElements return 
the same object every time.


True.

And if yes, then the implementor needs to 
add a new pointer to each element node or to add a hashtable on the 
owner document or something along those lines.


Assuming there is nothing like that in place already, yes.  I guess I'm a little 
biased since in Gecko there is somethign like that in place already (if nothing 
else to support setUserData() from DOM3 Core).  One could also allow UAs to 
choose, of course, but that might give them different performance 
characteristics.  But you can't prevent that anyway; see below.



And to what end? To use indexing instead of list-style iteration.


This is the really good question.  The other major use-case of an actual object 
that represents the list of child elements is that the script can cache the 
object if it intends to iterate the list multiple times.  That, of course, 
raises questions about whether the list should be live or not, because for 
different use cases one might want to cache one or the other.


If the common envisioned use case for this will involve multiple iterations of 
the list, possibly separated in time, then the right performance tradeoff might 
be creating an object which caches the list of child elements so as to avoid 
having to walk all the non-element kids and check their types all the time.  The 
caching could happen in the user script, or it could happen in the UA itself. 
The latter is what I'm guessing would end up being implemented in Gecko given 
the spec as it stands.  I say that because I strongly suspect that, in practice, 
child elements of the same node are walked multiple times.


Note that any use case that involves getting the childElementCount immediately 
means that two walks are required on the UA side, by the way.


-Boris

Re: [Element Traversal LC] access to element by index

[Boris Zbarsky]

Henri Sivonen wrote:
Allowing app code to index into platform 
structures that are most commonly forward-iterated seems like an 
anti-pattern in terms of what implementation constraints are placed if 
the impression that the app developer gets is that indexing has the 
performance properties of array access and that it is OK to write app 
code with that assumption.


AS you noted in another post, in practice app developers assume that anything 
they do will be fast and when it's not they blame the UA.  And therefore, no 
matter which access pattern you expose it has to be fast.


-Boris

Minutes, DOM3 Events Telcon, 02 April 2008

[Doug Schepers]

Hi, WebAPI fans-

The minutes for the 02 April 2008 DOM3 Events telcon can be found here:

 http://www.w3.org/2008/04/02-webapi-minutes.html

Or as text, below:

   [1]W3C

  [1] http://www.w3.org/

   - DRAFT -

   Web API WG Teleconference
  02 Apr 2008

   [2]Agenda

  [2] http://www.w3.org/2008/webapps/wiki/2_Apr_2008

   See also: [3]IRC log

  [3] http://www.w3.org/2008/04/02-webapi-irc

Attendees

   Present
  Doug, Carmelo, smaug, ap, Travis

   Regrets
   Chair
  Doug

   Scribe
  Carmelo, Travis

Contents

 * [4]Topics
 1. [5]Key Event Model
 2. [6]keyCode and charCode
 3. [7]mobile-specific events
 * [8]Summary of Action Items
 _



   trackbot Date: 02 April 2008

   smaug Zakim: ??P4 is smaug

   shepazu
   [9]http://lists.w3.org/Archives/Public/www-archive/2006Nov/att-0047/
   keyCode-ie.htm

  [9] 
http://lists.w3.org/Archives/Public/www-archive/2006Nov/att-0047/keyCode-ie.htm


   shepazu scribe: Carmelo

   shepazu scribeNick: Carmelo

   ap_ Alexey Proskuryakov, Apple

   scribe ACTION: Item to To Carmelo to cross tests keyup keydown and
   keypress as described on [recorded in
   [10]http://www.w3.org/2008/04/02-webapi-minutes.html#action01]

   [11]http://lists.w3.org/Archives/Public/www-archive/2006Nov/att-0047
   /keyCode-ie.htm

 [11] 
http://lists.w3.org/Archives/Public/www-archive/2006Nov/att-0047/keyCode-ie.htm


   ap_ close enough :)

   Daug went over new introductions

Key Event Model

   shepazu Ollie sent in this:
   [12]http://lists.w3.org/Archives/Public/public-webapi/2008Apr/att-00
   34/gecko-keyflow.svg

 [12] 
http://lists.w3.org/Archives/Public/public-webapi/2008Apr/att-0034/gecko-keyflow.svg


   shepazu
   [13]http://lists.w3.org/Archives/Public/public-webapi/2008Apr/0034.h
   tml

 [13] 
http://lists.w3.org/Archives/Public/public-webapi/2008Apr/0034.html


   ap_ correct, 10:40 PM :)

   smaug 9:40 pm here

   ap_ that's an OK time for me, no problem!

   shepazu Alexey,s email:
   [14]http://lists.w3.org/Archives/Public/public-webapi/2008Mar/0220.h
   tml

 [14] 
http://lists.w3.org/Archives/Public/public-webapi/2008Mar/0220.html


   Travis (a little late, sorry)

   Travis I'll be calling in just a minute...

   Ap: Explained his model view

   Doug: Although browsers can not gurantee event orders's users can
   ... to Alexey, Do u thing that will be useful?

   Ollie: Quite a number of issues with that.

   shepazu Dead keys, etc.

   smaug it's very noisy right now

   smaug and echo too

   ap_ yes, that's correct

   Doug to Alexey: When your first started you had a model similar to
   Firefox?

   shepazu and now they no longer provide an emulation layer

   ap_ yes, I can describe it like that

   ap_ that's both for matching IE, and for better supporting
   advanced text input on windows

   Alexey: We do not have that many problems with our model.

   ap_ not to say that Firefox is significantly broken

   Alexey: A few minor issues with Windows

   ap_ but there were some issues

   Alexey: Possible to define some kind of state diagram

   Travis: What about performance issues after removing the emulation
   layer?

   Alexey - None

   shepazu TL: did you drop the emulation layer for benchmarking
   reasons?

   shepazu AP: no, to better match IE...

   shepazu ...

   ap_ and resolve some issues with advanced text input that we had

   ap_ ok

   Doug: Will it be possible to write down (email) the issues?

   ap_ in fact, we are trying to make OS X and Windows versions work
   the same

   ap_ as much as possible

   shepazu scribeNick: Travis

   shepazu scribe: Travis

   It would be nice to standarize on one model or another...

   (TL: said that)

   Doug: It would mean that all other browers might have to change
   their behavior--at the risk of breaking pages.

   (someone:sorry) Whenever we change eventing, we break something. (It
   always happens)

   Whenever a webpage wants to handle IME, it's a mess

   Doug: With a single model, there will be pages that break, but I
   think that most pages don't use it 'cause that can't depend on it.
   ... If people are relying on a model, it's probably IE's model.

   In Safari, we saw significant breakage on many pages, but not
   significant enough to cause a huge problem. (many pages were
   special-casing for safari, but they were quite ready to adapt)

   Doug: Do you think that if we specified a set behavior, that those
   pages would change to match?

   Yes, big sites would adapt.

   Doug: that reduces the risk of us proposing a specific model.
   ... until we hear otherwise, we will continue to try to specify a
   model.
   ... If we do have a cleaner (or specified) model, we would adopt it.
   ... We have two options:
   ... 1) Figure out IE's behavior and specify that

RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

[Close, Tyler J.]

I think the XDR proposal is pretty good and is the best of the current 
proposals to push forward to standardization. I hope Microsoft finds a way to 
make that happen.

Some responses to Jonas' comments are inline below...

Jonas Sicking wrote:
 Eric Lawrence wrote:
  Ian--
 
  Thanks for sharing your opinions.  I'd like to take the
 opportunity to clarify a few points of confusion.
 
  This is blatently untrue, a number of serious security
 problems with XDR
  have already been raised (such as the fact that it
 encourages content-type
  sniffing
 
  It's possible that you overlooked some mails on the thread?
 
  Vis-à-vis content-type sniffing, it was plainly stated that
 Content-Type sniffing is neither recommended, nor necessary.

 I think you are misunderstanding the issues Ian has raised.

 Since XDR does not let you set the Content-Type header, the
 server is in
 fact required to sniff the content type. How else would the server
 figure out the content type of the request body?

I think Eric's point is that the client specified Content-Type header cannot be 
trusted to accurately describe the content, so the server must parse the 
content under the assumption that the header is misleading. Given that 
status-quo, and assuming the resource only accepts one Content-Type, omitting 
the header doesn't seem to change the server's responsibilities.

There could be a danger when the resource accepts more than one media type and 
the server determines that the client sent a different media type than the 
client thought it was sending. In this case, the server sees the client as 
saying something that the client didn't mean to say. To avoid this scenario, 
there would have to be some mechanism agreed to between the client and the 
server for specifying the intended media type. This role is precisely what the 
Content-Type header was created for, but it has unfortunately been overloaded 
with security implications. Having client and server coordinate the media type 
based on a URL query string argument seems like the best alternative.

  XDR is a truly anonymous request and does not send
 credentials to ANY site (1st party, 3rd party), trustworthy
 or not.  In this way, we have high confidence that there is
 no possibility of executing a CSRF attack against an
 unsuspecting legacy server which uses cookies or HTTP authentication.

 Again, this is not the concern. The concern is sites that do want to
 transport private data. They are going to try to do this weather the
 browser provides the API meant for this or not.

Sending the user's cookies, as AC4CSR does, is just not a viable design, since 
the target resource cannot determine whether or not the user consented to the 
request. I've posted several explanations of the attacks enabled by this use of 
ambient authority, and, in my opinion, the issues are still outstanding. The 
use of ambient authority in AC4CSR is a show-stopper, as reflected in the 
decision Mozilla announced on this mailing list.

 In fact, I would argue that XDR does encourage sending private data.
 Most use cases for POST that I can think of involves knowing who the
 data is coming from. Or have you had other use cases in mind?

There are many other ways to authorize a request, other than sending the user's 
credentials, which is among the worst ways.

 Additionally, it is not true that no authorization
 credentials is being
 sent. Intranet sites might authorize simply based on the fact that you
 can connect to the intranet server. I have still not seen anything in
 the XDR spec to prevent internet-interanet POSTs so this
 still seems to
 be the case.

Currently, an HTML form can POST internet-intranet with Content-Type of 
application/x-www-form-urlencoded or text/plain. The XDR proposal adds a 
third case of no specified Content-Type (but with no cookies or custom 
headers). It seems highly unlikely that an intranet resource correctly defends 
against the first two cases, but is vulnerable to the third. I would rather bet 
on this than work through all the things that might go wrong with AC4CSR's 
pre-flight request, caching, ACLs and use of ambient authority.

 I definitely appreciate all the work that Microsoft has put into the
 spec, but am saddened that there was no mention about XDR in
 any of the
 numerous posts from anyone at microsoft.

I think the AC4CSR spec is a goner, and so appreciate Microsoft stepping up 
with a proposal that seems more likely to survive study and deployment. Given 
the Mozilla announcement, now seems like the right time to move on from the 
AC4CSR proposal.

--Tyler

IHTMLXDomainRequest Interface ()
http://msdn2.microsoft.com/en-us/library/cc288108(VS.85).aspx

Access Control for Cross-site Requests
http://www.w3.org/TR/access-control/

Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

[Boris Zbarsky]

Close, Tyler J. wrote:

I think Eric's point is that the client specified Content-Type header cannot
be trusted to accurately describe the content, so the server must parse the
content under the assumption that the header is misleading.


I don't think anyone is arguing about that.


There could be a danger when the resource accepts more than one media type
and the server determines that the client sent a different media type than
the client thought it was sending.


Actually, the danger is when the resource accepts more that one media type, 
there is a proxy or firewall that filters which types are allowed (possibly 
depending on the origin), and the sniffing on the server and firewall is not 
exactly identical.


This is the most common security issue with content-type sniffing: one program 
trying to protect another from certain types of content, and failing because the 
type-identification algorithms are not precisely identical.


The proposal of communicating the type via some mechanism other than 
Content-Type would work to address this issue if the firewall is aware of that 
mechanism and has exactly the same implementation for type detection as the 
resource.  It seems to me that this is barely less fragile as relying on content 
sniffing...


-Boris

Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

[Maciej Stachowiak]

On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:



Sending the user's cookies, as AC4CSR does, is just not a viable  
design, since the target resource cannot determine whether or not  
the user consented to the request. I've posted several explanations  
of the attacks enabled by this use of ambient authority, and, in my  
opinion, the issues are still outstanding. The use of ambient  
authority in AC4CSR is a show-stopper, as reflected in the decision  
Mozilla announced on this mailing list.


Can you please post these examples again, or pointers to where you  
posted them? I believe they have not been previously seen on the Web  
API list. A number of people have mentioned that the AC approach to  
cross-site XHR is insecure (or that XDR is somehow more secure), but I  
have not yet seen any examples of specific attacks. I would love to  
see this information. If I do not see a description of a specific  
attack soon I will assume these claims are just FUD.


Note also that sending of cookies is not an essential feature of  
AC4CSR; certainly it could be a viable spec with that feature removed.  
Do you believe there are any other showstopper issues?


Regards,
Maciej

RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

[Close, Tyler J.]

Maciej Stachowiak wrote:
 On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:

 
  Sending the user's cookies, as AC4CSR does, is just not a viable
  design, since the target resource cannot determine whether or not
  the user consented to the request. I've posted several explanations
  of the attacks enabled by this use of ambient authority, and, in my
  opinion, the issues are still outstanding. The use of ambient
  authority in AC4CSR is a show-stopper, as reflected in the decision
  Mozilla announced on this mailing list.

 Can you please post these examples again, or pointers to where you
 posted them? I believe they have not been previously seen on the Web
 API list.

I've written several messages to the appformats mailing list. I suggest reading 
all of them. The most detailed description of the attacks are in the message at:

http://www.w3.org/mid/[EMAIL PROTECTED]

with a correction at:

http://www.w3.org/mid/[EMAIL PROTECTED]


 A number of people have mentioned that the AC approach to
 cross-site XHR is insecure (or that XDR is somehow more secure), but I
 have not yet seen any examples of specific attacks. I would love to
 see this information. If I do not see a description of a specific
 attack soon I will assume these claims are just FUD.

I think we've met before at a SHDH event. That was a more pleasant 
conversation. Hopefully, we'll be able to regain that tone.

 Note also that sending of cookies is not an essential feature of
 AC4CSR; certainly it could be a viable spec with that feature removed.
 Do you believe there are any other showstopper issues?

Possibly. There is a lot of complexity in the AC4CSR proposal. I've been 
writing about the most severe things as I find them.

--Tyler

RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

[Ian Hickson]

On Thu, 3 Apr 2008, Close, Tyler J. wrote:
 Maciej Stachowiak wrote:
 
  Can you please post these examples again, or pointers to where you 
  posted them? I believe they have not been previously seen on the Web 
  API list.
 
 I've written several messages to the appformats mailing list. I suggest 
 reading all of them. The most detailed description of the attacks are in 
 the message at:
 
 http://www.w3.org/mid/[EMAIL PROTECTED]
 
 with a correction at:
 
 http://www.w3.org/mid/[EMAIL PROTECTED]

As noted here:

   http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0138.html

...these are not problems with the Access Control and XXX specs. XDR is 
just as susceptible to these problems.

The above e-mail also describes ways to mitigate these problems.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'