Re: [webkit-dev] Should SATURATED_ARITHMETIC_LAYOUT be forced when enabling SUBPIXEL_LAYOUT ?
Hi, On 07/31/2013 10:40 PM, Ryosuke Niwa wrote: Can't we encounter the same bug if we you multiplied the same height by 64 even if the sub pixel layout is not turned off? Or is there some parser and other component that prevents such an overflow to happen? I've been debugging and analyzing this issue a bit more and I concluded that the scenario described in bug 119273 is already protected if SUBPIXEL_LAYOUT is not enabled. The CSS max-height property value is clamped to max float during the parsing phase. Further arithmetic operations are already protected, so only the case of using the 64 factor defined for the SUBPIXEL_LAYOUT is still causing problems. So, this issue affects only the ports enabling SUBPIXEL_LAYOUT by default and not using the SATURATED_ARITHMETIC_LAYOUT. As far as I know, gtk+, Qt and EFL are the ports affected by this issue. Regarding the gtk+ port, the SATURATED_ARITHMETIC_LAYOUT would be enabled as soon as I verify bug 120583 is solved enabling this flag. Could anyone responsible of the other ports give some insight to this issue ? BR. -- Javi ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
Hi Brendan, I am also interested in that feature and am actually working on an implementation of it. The implementation, which is behind a specific flag, is currently usable for simple demos on linux environment. My initial plan was to publish it in a couple of weeks when being stabilized, probably on github. Maybe we can team up? Regards, Youenn ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
Hi Ryosuke, The two points you are mentioning make sense to me. ** For starters, most of users wouldn't even know what a local network is; let alone what discovering media sources, etc... mean. Most users may not be able to understand what means “discover local network DACP servers”. But if a user is requested to grant/deny access to “Bob music library” service (the service being a DACP server), the situation seems getting better. The spec is a work in progress and may be improved. It's also a very good way to finger-print users. How many users have the same set of speakers, etc... let alone the same set of media contents. ** That is a valid point. Fingerprinting based on the information gathered by the discovery process may be adjusted. In particular, one may minimize the exposure to web applications of the information gathered from the discovery scan. Fingerprinting based on XHR exchanges with granted local services seems more difficult to defeat. Note though that the fingerprinting web application would need to be granted access to the same service each time it wants to fingerprint the user. This probably makes it less appealing than existing strategies such as JS/canvas-based fingerprinting. Regards, Youenn ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
Perhaps before we spend any more time discussing the security implications of Network Service Discovery, we should decide whether it fits with the goals of the WebKit project: https://www.webkit.org/projects/goals.html It’s not at all clear to me that it does. Simon On Sep 6, 2013, at 9:59 AM, Oliver Hunt oli...@apple.com wrote: On Sep 6, 2013, at 9:44 AM, youenn fablet youe...@gmail.com wrote: Hi Ryosuke, The two points you are mentioning make sense to me. For starters, most of users wouldn't even know what a local network is; let alone what discovering media sources, etc... mean. Most users may not be able to understand what means “discover local network DACP servers”. But if a user is requested to grant/deny access to “Bob music library” service (the service being a DACP server), the situation seems getting better. The spec is a work in progress and may be improved. For the sake of argument let's say this discovery is allowed to occur. How do you talk to Bob music library without the web page sending raw data to/from the DACP server? --Oliver ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
I agree. This also seems like it’s something that could be implemented by a client application using our JS object extension hooks without touching WebKit at all. - Anders On Sep 6, 2013, at 10:30 AM, Simon Fraser simon.fra...@apple.com wrote: Perhaps before we spend any more time discussing the security implications of Network Service Discovery, we should decide whether it fits with the goals of the WebKit project: https://www.webkit.org/projects/goals.html It’s not at all clear to me that it does. Simon On Sep 6, 2013, at 9:59 AM, Oliver Hunt oli...@apple.com wrote: On Sep 6, 2013, at 9:44 AM, youenn fablet youe...@gmail.com wrote: Hi Ryosuke, The two points you are mentioning make sense to me. For starters, most of users wouldn't even know what a local network is; let alone what discovering media sources, etc... mean. Most users may not be able to understand what means “discover local network DACP servers”. But if a user is requested to grant/deny access to “Bob music library” service (the service being a DACP server), the situation seems getting better. The spec is a work in progress and may be improved. For the sake of argument let's say this discovery is allowed to occur. How do you talk to Bob music library without the web page sending raw data to/from the DACP server? --Oliver ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
On 09/06/2013 10:59 AM, Oliver Hunt wrote: On Sep 6, 2013, at 9:44 AM, youenn fablet youe...@gmail.com mailto:youe...@gmail.com wrote: For starters, most of users wouldn't even know what a local network is; let alone what discovering media sources, etc... mean. Most users may not be able to understand what means discover local network DACP servers. But if a user is requested to grant/deny access to Bob music library service (the service being a DACP server), the situation seems getting better. The spec is a work in progress and may be improved. For the sake of argument let's say this discovery is allowed to occur. How do you talk to Bob music library without the web page sending raw data to/from the DACP server? The spec isn't very clear about how the permissions work, but I think we could protect users from accidentally giving permission and fingerprinting by making the permissions work like this: * When prompting the user for permission, get the list of discovered services and ask the user if they want to give the application access to any of them. An implementation could using checkboxes, for example, but with the default state being unchecked. If the user clicks ok without looking at it, the result is an empty list. * Remove PERMISSION_DENIED_ERR. If permission is denied, just return an empty object. This way, a JavaScript application can't tell the difference between an empty network and not having permission to see any of the services. I'll look into proposing this change to the spec. signature.asc Description: OpenPGP digital signature ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
[webkit-dev] Moving LayoutTests/fast/js to LayoutTests/js
This is a courtesy notice: FYI, I’m in the process of moving LayoutTests/fast/js to LayoutTests/js for https://bugs.webkit.org/show_bug.cgi?id=120899. This change will touch many files in the test files and in Tools/Scripts to update the paths that expect fast/js to look for js instead. Mark ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
+1 After the concerns raised, I am not convinced the feature fits into the engine. I am also not convinced this needs WebKit support to be implemented. Benjamin On 9/6/13 10:39 AM, Anders Carlsson wrote: I agree. This also seems like it’s something that could be implemented by a client application using our JS object extension hooks without touching WebKit at all. - Anders On Sep 6, 2013, at 10:30 AM, Simon Fraser simon.fra...@apple.com mailto:simon.fra...@apple.com wrote: Perhaps before we spend any more time discussing the security implications of Network Service Discovery, we should decide whether it fits with the goals of the WebKit project: https://www.webkit.org/projects/goals.html It’s not at all clear to me that it does. Simon On Sep 6, 2013, at 9:59 AM, Oliver Hunt oli...@apple.com mailto:oli...@apple.com wrote: On Sep 6, 2013, at 9:44 AM, youenn fablet youe...@gmail.com mailto:youe...@gmail.com wrote: Hi Ryosuke, The two points you are mentioning make sense to me. For starters, most of users wouldn't even know what a local network is; let alone what discovering media sources, etc... mean. Most users may not be able to understand what means “discover local network DACP servers”. But if a user is requested to grant/deny access to “Bob music library” service (the service being a DACP server), the situation seems getting better. The spec is a work in progress and may be improved. For the sake of argument let's say this discovery is allowed to occur. How do you talk to Bob music library without the web page sending raw data to/from the DACP server? --Oliver ___ webkit-dev mailing list webkit-dev@lists.webkit.org mailto:webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org mailto:webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Should SATURATED_ARITHMETIC_LAYOUT be forced when enabling SUBPIXEL_LAYOUT ?
Thanks for the analysis! Perhaps we should merge two build flags and turn on the saturated arithmetic whenever subpixel is enabled. - R. Niwa On Fri, Sep 6, 2013 at 2:07 AM, Javier Fernandez jfernan...@igalia.comwrote: Hi, On 07/31/2013 10:40 PM, Ryosuke Niwa wrote: Can't we encounter the same bug if we you multiplied the same height by 64 even if the sub pixel layout is not turned off? Or is there some parser and other component that prevents such an overflow to happen? I've been debugging and analyzing this issue a bit more and I concluded that the scenario described in bug 119273 is already protected if SUBPIXEL_LAYOUT is not enabled. The CSS max-height property value is clamped to max float during the parsing phase. Further arithmetic operations are already protected, so only the case of using the 64 factor defined for the SUBPIXEL_LAYOUT is still causing problems. So, this issue affects only the ports enabling SUBPIXEL_LAYOUT by default and not using the SATURATED_ARITHMETIC_LAYOUT. As far as I know, gtk+, Qt and EFL are the ports affected by this issue. Regarding the gtk+ port, the SATURATED_ARITHMETIC_LAYOUT would be enabled as soon as I verify bug 120583 is solved enabling this flag. Could anyone responsible of the other ports give some insight to this issue ? BR. -- Javi ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Proposed feature: Network Service Discovery
On Sep 6, 2013, at 9:44 AM, youenn fablet youe...@gmail.com wrote: Hi Ryosuke, The two points you are mentioning make sense to me. For starters, most of users wouldn't even know what a local network is; let alone what discovering media sources, etc... mean. Most users may not be able to understand what means “discover local network DACP servers”. But if a user is requested to grant/deny access to “Bob music library” service (the service being a DACP server), the situation seems getting better. The spec is a work in progress and may be improved. For the sake of argument let's say this discovery is allowed to occur. How do you talk to Bob music library without the web page sending raw data to/from the DACP server? --Oliver___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
[webkit-dev] I do not want to be in list anymore
Sent from my iPad ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
