Re: Custom-elements: document.registerPolyfillElement ?

2014-06-10 Thread Dominic Cooney 
On Mon, Jun 9, 2014 at 4:00 PM, Brett Zamir bret...@gmail.com wrote:

  I was looking to make a genuine polyfill for dialog (not just a shim),
 and I found Polymer's CustomElements helpful, but realized too late that
 the spec required x- prefixes.

 I still feel like it would be useful to have a means for polyfills to be
 built according to well-recognized semantics via a standard extension
 mechanism.


It is possible to do this using a type extension. For example:

document.register('x-polyfill-dialog', {prototype: ..., extends: 'dialog'})

This produces a type extension of the HTMLUnknownElement with the tag name
dialog in browsers that don't support dialog, and a type extension of the
HTMLDialogElement of ones that do.

The only wrinkle is that markup must use dialog is=x-polyfill-dialog.

Your polyfill can degrade gracefully in whichever way you decide. For
example, you could detect HTMLDialogElement and not register the Custom
Element, in which case the markup will create unresolved type extensions of
HTMLDialogElement that get the browser's native dialog. Or you could go
ahead and register your polyfill anyway, in which case your prototype
object would hide the browser's HTMLDialogElement prototype. Or you could
do something dynamic inbetween.

HTH,

Dominic

Re: Blob URL Origin

2014-06-10 Thread Anne van Kesteren 
On Tue, Jun 10, 2014 at 12:16 AM, Arun Ranganathan a...@mozilla.com wrote:
 Right now, the Blob URL Store is defined in terms of units of similar-origin 
 browsing contexts; each unit is required to have a Blob URL Store. As you 
 point out, that allows all origins within document.domain access to a given 
 Blob URL Store.

Yeah, so unlike what the discussion claimed thus far, we did not in
fact allow that much cross-origin blob URL usage. Only origins within
the document.domain reach.


 1. Require that entries in the Blob URL Store also store origin

I thought this was the idea. The identifier would be
http://someorigin:70/uuid;.


 2. Define it strictly as a same-origin store. I’m a bit fuzzy on how exactly 
 to define this; for instance, strictly the origin and not the effective 
 script origin of a Document?

We could say that the store is bound to a global object. And then both
URL.createObjectURL() and places that parse URLs hook into the entry
setting object's global object's blob URL store.

At that point the only benefit of putting the origin into the URL is
so that new URL(blob).origin works.


Something that is still unclear to me is what happens when you
navigate to a blob URL. I guess that still technically works as the
URL parsing would happen within the correct global.


-- 
http://annevankesteren.nl/

Re: HTML imports: new XSS hole?

2014-06-10 Thread Frederik Braun 
On 04.06.2014 11:00, Anne van Kesteren wrote:
 On Tue, Jun 3, 2014 at 7:20 PM, Oda, Terri terri@intel.com wrote:
 Perhaps it would make sense to also require explicit allowing of imports via
 CSP?  Scripts are allowed when no CSP is provided for historical
 compatibility so you'd need to make sure that imports fell under a separate
 directive, but there's no need for backwards compatibility so it probably
 makes sense to choose a more conservative default behaviour for HTML
 Imports.
 
 Using script import seems like a solution that would be better in
 that case, as it does not provide opt-in through HTTP. Whenever we
 require HTTP for a feature, we get a ton of complaints. And script
 import is not that bad authoring-wise either:
 
 script import/script
 link rel=import href
 
 (Okay, you win two code points if you omit the quotes with link.)
 
 

Were you saying script import=url/script or script src=url
import/script?

I, by the way, wholeheartedly agree that link tags become more
dangerous through HTML imports and that they are somehow breaking the
dogma of security by no surprises :)

Re: HTML imports: new XSS hole?

2014-06-10 Thread Anne van Kesteren 
On Tue, Jun 10, 2014 at 10:36 AM, Frederik Braun fbr...@mozilla.com wrote:
 Were you saying script import=url/script or script src=url
 import/script?

The former. The latter is reserved for loading and executing scripts.


 I, by the way, wholeheartedly agree that link tags become more
 dangerous through HTML imports and that they are somehow breaking the
 dogma of security by no surprises :)


-- 
http://annevankesteren.nl/

Re: IE - Security error with new Worker(URL.createObjectURL(new Blob([workerjs],{type:'text/javascript'})))

2014-06-10 Thread Aymeric Vitte 

Thanks, any way to track/be notified when this will be available?

Regards

Aymeric

Le 06/06/2014 19:42, Travis Leithead a écrit :

Well, in IE's defense, this is not specifically allowed by: 
http://www.w3.org/TR/workers/#dom-worker. Regardless, the product team is 
working to fix this so that it works in IE as well. Stay tuned. I updated the 
Connect bug below.

-Original Message-
From: Aymeric Vitte [mailto:vitteayme...@gmail.com]
Sent: Friday, June 6, 2014 6:25 AM
To: Web Applications Working Group WG (public-webapps@w3.org)
Cc: Travis Leithead
Subject: IE - Security error with new Worker(URL.createObjectURL(new 
Blob([workerjs],{type:'text/javascript'})))

Why IE(11) does not allow this while this is working on FF and Chrome?
[1] seems to suggest that it is by design.

Regards

Aymeric

[1]
https://connect.microsoft.com/IE/feedback/details/779379/unable-to-spawn-worker-from-blob-url



--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

Re: [webcomponents]: Telcon on as-needed basis from now on

2014-06-10 Thread Arthur Barstow 

On 6/9/14 12:09 PM, Dimitri Glazkov wrote:

I think it might be best to flip the regular bit to off for now,
and only use this time slot when we have other participants. Thus,
consider the weekly call cancelled unless there's an announcement
otherwise.


That sounds like a good plan Dimitri.


Another idea Hayato-san and I discussed is moving it to Tokyo-friendly
timezone, so that him and I could just use as a weekly spec
coordination call, rather than office hours-style arrangement.


I think that would be fine too (D3E's call is 17:00 PM SFO time for that 
reason), provided  has a chance to voice a contrary opinion (and I need 
a day or two to change the voice conf reservation.


-Thanks, AB

Re: Custom-elements: document.registerPolyfillElement ?

2014-06-10 Thread Brett Zamir 
Thanks, this is helpful to know, though I'd still prefer a solution at 
some point which didn't require one to use extra code and once the 
polyfill was no longer needed, requiring alteration of code to be 
semantically correct (e.g., if it no longer is a x-polyfill-dialog 
because the registration for it was removed) and non-redundant.


Best wishes,
Brett

On 6/10/2014 2:00 PM, Dominic Cooney wrote:
On Mon, Jun 9, 2014 at 4:00 PM, Brett Zamir bret...@gmail.com 
mailto:bret...@gmail.com wrote:


I was looking to make a genuine polyfill for dialog (not just a
shim), and I found Polymer's CustomElements helpful, but realized
too late that the spec required x- prefixes.

I still feel like it would be useful to have a means for polyfills
to be built according to well-recognized semantics via a standard
extension mechanism.


It is possible to do this using a type extension. For example:

document.register('x-polyfill-dialog', {prototype: ..., extends: 
'dialog'})


This produces a type extension of the HTMLUnknownElement with the tag 
name dialog in browsers that don't support dialog, and a type 
extension of the HTMLDialogElement of ones that do.


The only wrinkle is that markup must use dialog is=x-polyfill-dialog.

Your polyfill can degrade gracefully in whichever way you decide. For 
example, you could detect HTMLDialogElement and not register the 
Custom Element, in which case the markup will create unresolved type 
extensions of HTMLDialogElement that get the browser's native dialog. 
Or you could go ahead and register your polyfill anyway, in which case 
your prototype object would hide the browser's HTMLDialogElement 
prototype. Or you could do something dynamic inbetween.


HTH,

Dominic

RE: IE - Security error with new Worker(URL.createObjectURL(new Blob([workerjs],{type:'text/javascript'})))

2014-06-10 Thread Travis Leithead 
Unfortunately, there is not presently a way for you to track it externally. :-(

MS Connect is the best we have so far, and I know that it is not great. We 
recognize this is a problem and hope to be able to improve the situation soon.
 
-Original Message-
From: Aymeric Vitte [mailto:vitteayme...@gmail.com] 
Sent: Tuesday, June 10, 2014 3:00 AM
To: Travis Leithead; Web Applications Working Group WG (public-webapps@w3.org)
Subject: Re: IE - Security error with new Worker(URL.createObjectURL(new 
Blob([workerjs],{type:'text/javascript'})))

Thanks, any way to track/be notified when this will be available?

Regards

Aymeric

Le 06/06/2014 19:42, Travis Leithead a écrit :
 Well, in IE's defense, this is not specifically allowed by: 
 http://www.w3.org/TR/workers/#dom-worker. Regardless, the product team is 
 working to fix this so that it works in IE as well. Stay tuned. I updated the 
 Connect bug below.

 -Original Message-
 From: Aymeric Vitte [mailto:vitteayme...@gmail.com]
 Sent: Friday, June 6, 2014 6:25 AM
 To: Web Applications Working Group WG (public-webapps@w3.org)
 Cc: Travis Leithead
 Subject: IE - Security error with new Worker(URL.createObjectURL(new 
 Blob([workerjs],{type:'text/javascript'})))

 Why IE(11) does not allow this while this is working on FF and Chrome?
 [1] seems to suggest that it is by design.

 Regards

 Aymeric

 [1]
 https://connect.microsoft.com/IE/feedback/details/779379/unable-to-spawn-worker-from-blob-url


-- 
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

[Bug 26033] New: Make distribution algorithm forward compatible with shadow as function call.

2014-06-10 Thread bugzilla 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26033

Bug ID: 26033
   Summary: Make distribution algorithm forward compatible with
shadow as function call.
   Product: WebAppsWG
   Version: unspecified
  Hardware: PC
OS: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Component Model
  Assignee: dglaz...@chromium.org
  Reporter: wc...@mozilla.com
QA Contact: public-webapps-bugzi...@w3.org
CC: m...@w3.org, public-webapps@w3.org

Opening this bug to continue
https://www.w3.org/Bugs/Public/show_bug.cgi?id=24288#c2

Bug 24288 reverted shadow as a function call behavior due to an
implementation difficulty in blink and it looks like the intent was to remove
the behavior until a reasonable implementation is found.

The spec change in bug 24288 neuters children of the shadow element to
preserve its use for the future, but it should also prevent distribution of
nodes into content insertion points of older shadow trees if we want to be able
to reintroduce shadow as a function call. Right now, the behavior is to
distribute 'left over' nodes in the distribution pool.

This can be done by bringing back Let POOL be an empty ordered list.

in
https://github.com/w3c/webcomponents/commit/61745e0b40c8d609ad1070e7babc7915fca637ea

I bring this up because it seems like the intent was to eventually reintroduce
shadow as a function call and it looks like people are interested in this
feature.

-- 
You are receiving this mail because:
You are on the CC list for the bug.