Re: [webkit-dev] Signing up to help with some SVG bugs

2010-01-28 Thread David Kilzer 
To contributed to WebKit, see:  

To contact other developers, see:  

Dave


From: Mark Wyszomierski 
>To: webkit-dev@lists.webkit.org
>Sent: Thu, January 28, 2010 8:24:48 PM
>Subject: [webkit-dev] Signing up to help with some SVG bugs
>
>>Hi,
>
>
>I am experiencing a bug with the SVG module, I believe defined by the 
>following two bug entries:
>
>
>  https://bugs.webkit.org/show_bug.cgi?id=34301
>  https://bugs.webkit.org/show_bug.cgi?id=17043
>
>
>The problem I'm having is that creating an  element in 
>javascript will never get executed (works fine if defined in the body of the 
>document though). So issue #17043 states that there is a missing idl file for 
>. I am guessing this is why elements created via javascript do 
>nothing.
>
>
>That issue hasn't been updated since 2008, I'm wondering if I can help out 
>with it? Is there a group already focusing on the SVG module? I'd like to help 
>out with some of these other bugs SVG bugs too. I'm not sure how people are 
>organizing themselves to tackle bugs with webkit, if there is another method 
>for helping out, please let me know,
>
>
>Thanks,
>Mark
>
>
>
>___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

[webkit-dev] Signing up to help with some SVG bugs

2010-01-28 Thread Mark Wyszomierski 
Hi,

I am experiencing a bug with the SVG module, I believe defined by the
following two bug entries:

  https://bugs.webkit.org/show_bug.cgi?id=34301
  https://bugs.webkit.org/show_bug.cgi?id=17043

The problem I'm having is that creating an  element in
javascript will never get executed (works fine if defined in the body of the
document though). So issue #17043 states that there is a missing idl file
for . I am guessing this is why elements created via
javascript do nothing.

That issue hasn't been updated since 2008, I'm wondering if I can help out
with it? Is there a group already focusing on the SVG module? I'd like to
help out with some of these other bugs SVG bugs too. I'm not sure how people
are organizing themselves to tackle bugs with webkit, if there is another
method for helping out, please let me know,

Thanks,
Mark
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?

2010-01-28 Thread Adam Barth 
On Thu, Jan 28, 2010 at 11:57 AM, Dieter Plaetinck  wrote:
> I guess we can only wait for isolatedworlds to appear in the gtk+
> port :)

I suspect they would welcome patches.  (They should be pretty easy patches.)  :)

Adam
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?

2010-01-28 Thread Dieter Plaetinck 
On Thu, 28 Jan 2010 08:01:19 -0800
Adam Barth  wrote:

> On Thu, Jan 28, 2010 at 12:40 AM, Dieter Plaetinck
>  wrote:
> > On Wed, 27 Jan 2010 23:01:17 -0800
> > Adam Barth  wrote:
> >
> >> Getting this right with the approach you seem to be taking is
> >> extremely difficult.  The problem is not that the local script is
> >> untrustworthy.  The problem is that the web page it's interacting
> >> with might be able to steal its privileges.
> >
> > Thank you, but can you describe this a bit more?
> > Even if we don't pass around the object or attach it to an object
> > such as document or window, we are still vulnerable?  How can the
> > webpage "steal privileges"?
> 
> For example, the attacker could use some of the techniques described
> in this paper:
> 
> http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf

Thanks.
very interesting article.

I guess we can only wait for isolatedworlds to appear in the gtk+
port :)

Dieter
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

[webkit-dev] MathML Patch Review Request

2010-01-28 Thread Alex Milowski 
There are a number of relatively new MathML related patches waiting
to be reviewed:

   * https://bugs.webkit.org/show_bug.cgi?id=34228  - compile-time
layout debugging support
   * https://bugs.webkit.org/show_bug.cgi?id=34275  - CSS update
   * https://bugs.webkit.org/show_bug.cgi?id=34277  - mover, munder,
and munderover support
   * https://bugs.webkit.org/show_bug.cgi?id=34278  - msubsup (super &
subscripts) support

The first two are quite simple.

-- 
--Alex Milowski
"The excellence of grammar as a guide is proportional to the paucity of the
inflexions, i.e. to the degree of analysis effected by the language
considered."

Bertrand Russell in a footnote of Principles of Mathematics
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

Re: [webkit-dev] changelogs: a reprise

2010-01-28 Thread David Kilzer 
On Thu, January 28, 2010 at 4:10:11 AM, Chris Jerdonek wrote:


> On Tue, Jan 26, 2010 at 9:55 AM, David Kilzer wrote:
> >> (2) Consider phasing in support for an alternate workflow where new
> >> ChangeLog entries for the next commit are stored separately from the
> >> versioned ChangeLog files -- perhaps in individual .changelog files
> >> for Subversion users and in the commit message for Git users.
> 
> > I'm not a big fan of wrapper scripts, mostly because I'll probably
> > forget about using them since I'm so used to using the basic
> > git/svn commands.  (I guess svn-create-patch is a counter-argument
> > to that, but I rarely use svn directly anymore.)
> >
> > Using .changelog-bugnum files should probably be optional if it's
> > implemented, e.g., tools should still be smart enough (or at least
> > as smart as they are today) to operate on ChangeLog files directly
> > if developers choose to continue doing that.  I say that because
> > once there is a git merge driver for ChangeLog files, the need for
> > an alternative ChangeLog workflow drops to zero, at least for me.
> 
> I ran into an issue today where "git diff" didn't generate me a patch
> with the ChangeLog portion in the standard format.  Namely, the
> ChangeLog diff had non-empty leading context (which can happen since
> it doesn't run fixChangeLogPatch like the svn-create-patch wrapper
> script).  Is there a way to address this issue for Git users without
> using wrapper scripts or a change to the ChangeLog workflow?


I'm not sure if there is a way to "fix up" patches when they're created using 
git-diff, e.g., some kind of diff hook.  Note that there is no "loss of 
information" if a ChangeLog patch isn't fixed up immediately after it's 
created, so the fix-up can always happen when the patch is applied later.  It 
just looks a little ugly in the meantime.  :)

I also replied with more thoughts in Bug 32834.



Dave

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?

2010-01-28 Thread Adam Barth 
On Thu, Jan 28, 2010 at 12:40 AM, Dieter Plaetinck  wrote:
> On Wed, 27 Jan 2010 23:01:17 -0800
> Adam Barth  wrote:
>
>> Getting this right with the approach you seem to be taking is
>> extremely difficult.  The problem is not that the local script is
>> untrustworthy.  The problem is that the web page it's interacting with
>> might be able to steal its privileges.
>
> Thank you, but can you describe this a bit more?
> Even if we don't pass around the object or attach it to an object such
> as document or window, we are still vulnerable?  How can the webpage
> "steal privileges"?

For example, the attacker could use some of the techniques described
in this paper:

http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf

>> Isolated worlds should be implemented in webkitgtk+ thanks to some
>> contributors from Apple.  I bet all that's left to do is add an API
>> for accessing the functionality.  The PDF is just being honest when it
>> says "reasonable assurance."  I'd be extremely skeptical of someone
>> who claims more than reasonable assurance for a commercial-grade
>> system.
>
> That's good to know. I'm looking forward to it.  The "reasonable
> assurance" part, does this mean a problem with the design or is this
> more about potential issues with the (early) implementations?

Assurance is a term of art in security.  It refers to how confident we
are the the final system meets it's security goals.  In this case,
we're talking about the implementation.  Often the way you get better
assurance is by reducing the trusted computing base or by applying
some sort of analysis tools to the system.  In this case, the sense is
indicating that this particular step is part of the trusted computing
base.

Adam
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

Re: [webkit-dev] changelogs: a reprise

2010-01-28 Thread Chris Jerdonek 
On Tue, Jan 26, 2010 at 9:55 AM, David Kilzer  wrote:
>> (2) Consider phasing in support for an alternate workflow where new
>> ChangeLog entries for the next commit are stored separately from the
>> versioned ChangeLog files -- perhaps in individual .changelog files
>> for Subversion users and in the commit message for Git users.

> I'm not a big fan of wrapper scripts, mostly because I'll probably forget 
> about using them since I'm so used to using the basic git/svn commands.  (I 
> guess svn-create-patch is a counter-argument to that, but I rarely use svn 
> directly anymore.)
>
> Using .changelog-bugnum files should probably be optional if it's 
> implemented, e.g., tools should still be smart enough (or at least as smart 
> as they are today) to operate on ChangeLog files directly if developers 
> choose to continue doing that.  I say that because once there is a git merge 
> driver for ChangeLog files, the need for an alternative ChangeLog workflow 
> drops to zero, at least for me.

I ran into an issue today where "git diff" didn't generate me a patch
with the ChangeLog portion in the standard format.  Namely, the
ChangeLog diff had non-empty leading context (which can happen since
it doesn't run fixChangeLogPatch like the svn-create-patch wrapper
script).  Is there a way to address this issue for Git users without
using wrapper scripts or a change to the ChangeLog workflow?

--Chris
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

Re: [webkit-dev] a simple isolatedworlds alternative for uzbl?

2010-01-28 Thread Dieter Plaetinck 
On Wed, 27 Jan 2010 23:01:17 -0800
Adam Barth  wrote:

> Getting this right with the approach you seem to be taking is
> extremely difficult.  The problem is not that the local script is
> untrustworthy.  The problem is that the web page it's interacting with
> might be able to steal its privileges.

Thank you, but can you describe this a bit more?
Even if we don't pass around the object or attach it to an object such
as document or window, we are still vulnerable?  How can the webpage
"steal privileges"?

> 
> Isolated worlds should be implemented in webkitgtk+ thanks to some
> contributors from Apple.  I bet all that's left to do is add an API
> for accessing the functionality.  The PDF is just being honest when it
> says "reasonable assurance."  I'd be extremely skeptical of someone
> who claims more than reasonable assurance for a commercial-grade
> system.
> 
> Adam

That's good to know. I'm looking forward to it.  The "reasonable
assurance" part, does this mean a problem with the design or is this
more about potential issues with the (early) implementations?


___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev