Re: [whatwg] framesets

[Brian Campbell]

On Oct 13, 2009, at 11:20 PM, Peter Brawley wrote:


Ian,

> Your requirements aren't met by framesets

Eh? Our solution meets the requirement and uses framesets.


You have specified that your requirement is to prevent people from  
linking to or bookmarking individual pages inside of frames. Framesets  
do not satisfy that requirement. They make it a little more difficult,  
but they do not prevent it.




> s have been demonstrated to work as well as framesets

No-one's been able to point to a working non-frameset solution that  
meets this requirement.


Ian posted one, had-written just for you, which you dismissed without  
giving any reason.



>, and, well, framesets suck.

Unargued, subjective.


Framesets suck because they combine both layout and embedding  
semantics into one syntax, which give them much less layout  
flexibility than using CSS. Anything you can do with framesets (except  
resizing), you can do with iframes and CSS. However, there are lots of  
things you can do with iframes and CSS that you cannot do with  
framesets. Framesets are a completely different language than HTML;  
you cannot use framesets and any other content elements in the same  
document. This means that you are forced to, for example, use a frame  
for the header of your page, which may cause a scrollbar to appear if  
you don't allocate enough space, rather than just putting the header  
in the page directly and using iframes to include the other pages.



>I agree that there's
>lots of legacy content using framesets; that's why HTML5 defines  
how they

>should work (in more detail than any previous spec!).

?! According to http://www.html5code.com/index.php/html-5-tags/html-5-frameset-tag/ 
, "The frameset tag is not supported in HTML 5."


That is not the draft HTML5 spec. I'm not sure what that is, but as  
far as I know, it has no official affiliation with either the W3C or  
the WHATWG. Try: http://whatwg.org/html5 or more specifically:


http://www.whatwg.org/specs/web-apps/current-work/multipage/rendering.html#frames-and-framesets

The HTML5 spec includes two types of conformance requirements;  
conformance requirements for authors (or other producers of HTML), and  
conformance requirements for user agents (browser and other consumers  
of HTML). It is non-conforming in HTML5 to produce documents with  
framesets, however a conforming user agent must parse and process them  
consistently with the spec.


>The only thing that is easier with framesets than otherwise appears  
to be

>resizing, which I agree is not well-handled currently.

Unsubstantiated claim absent a working example of the spec  
implemented without framesets.


Did you take a look at Ian's example?

http://damowmow.com/playground/demos/framesets-with-iframes/001.html



>As noted before,
>though, that's an issue for more than just frames; we need a good  
solution
>for this in general, whether we have framesets or not. Furthermore,  
that's

>a styling issue, not an HTML issue.

For those who have to write or generate HTML, that's a distinction  
without a difference.


PB

-

Ian Hickson wrote:

On Tue, 13 Oct 2009, Peter Brawley wrote:


I don't know if there are pages that do this (and I sure hope  
none are

using  for it!), but the lack of an existence proof is not
proof of the lack of existence.



Of course. The point is if no-one can point to a working iframes
solution, ie, to an instance of them actually being preferred, the  
claim
that iframes provide a preferable alternative is simply not  
credible, to

put it mildly.




At this point I don't really understand what you want framesets  
for. Your
requirements aren't met by framesets, s have been  
demonstrated to
work as well as framesets, and, well, framesets suck. I agree that  
there's
lots of legacy content using framesets; that's why HTML5 defines  
how they
should work (in more detail than any previous spec!). But that  
doesn't

mean we should encourage them.

The only thing that is easier with framesets than otherwise appears  
to be
resizing, which I agree is not well-handled currently. As noted  
before,
though, that's an issue for more than just frames; we need a good  
solution
for this in general, whether we have framesets or not. Furthermore,  
that's

a styling issue, not an HTML issue.





No virus found in this incoming message.
Checked by AVG -
www.avg.com

Version: 8.5.421 / Virus Database: 270.14.13/2432 - Release Date:  
10/13/09 06:35:00

Re: [whatwg] Navigation events generated during unload

[Boris Zbarsky]

On 10/13/09 10:58 PM, Ian Hickson wrote:

Ah, I see. Yes, that makes sense. Are you ok with what the spec says
despite this minor difference? (It seems that what the spec says is a mote
more self-consistent, but I could be biased! ;-) )


Can you point me to the relevant spec text?

And note that I did say that the current Gecko behavior for link/iframe 
was expedient, not designed, right?  ;)


-Boris

Re: [whatwg] localStorage feedback

[Brett Cannon]

Found how to subscribe to the webapps list. Turns out I was trying to join
the working group and not the mailing list.

On Tue, Oct 13, 2009 at 16:28, Ian Hickson  wrote:

> On Tue, 13 Oct 2009, Jeremy Orlow wrote:
> > On Tue, Oct 13, 2009 at 3:40 PM, Ian Hickson  wrote:
> > > On Tue, 13 Oct 2009, Brett Cannon wrote:
> > > > On Mon, Oct 12, 2009 at 19:07, Ian Hickson  wrote:
> > > > >
> > > > > I believe you can test if a key is in the storage area using:
> > > > >
> > > > >   if (key in storage) { ... }
> > > > >
> > > > > For example:
> > > > >
> > > > >   if ('document' in window.localStorage) { ... }
> > > >
> > > > I didn't find that in the spec anywhere. Is it somehow implicit and I
> > > > just missed it? Or will it be specified sometime in the future?
> > >
> > > It's the net effect of this line in the spec:
> > >
> > > # The names of the supported named properties on a Storage object are
> the
> > > # keys of each key/value pair currently present in the list associated
> > > # with the object.
> > >
> > > ...combined with the definitions in the WebIDL spec.
> >
> > It seems odd that there wouldn't be a corresponding method on
> > localStorage given that the deleter, getter, and setter all have them.
>
> Personally I'd rather remove those methods, but I think we're stuck with
> them at this point.


While usability does go up when you use things like setting keys/values
directly off of localStorage instead of using setItem(), etc. it does make
it much more difficult to provide a drop-in library to provide enhanced
features and fix compatibility issues thanks to JavaScript not supporting
thorough operator overloading. For instance, IE 8 doesn't provide a way to
do an equivalent 'length' attribute (until ECMAScript 5 is supported). And I
have no clue how to potentially fix any browser incompatibility that the
'in' operator might introduce.

And taking away the functions would force people like me to come up with
their own API instead of using the defined functions. Providing functions
mirroring things you can do directly with an object might be a pain, but it
does help overcome a shortcoming of JavaScript.

-Brett

Re: [whatwg] The new content model for breaks rendering in MSIE5-7

[Ian Hickson]

On Tue, 29 Sep 2009, Keryx Web wrote:
> 2009-09-29 19:10, Dean Edwards skrev:
> > 
> > There is a nasty side effect though. As you mentioned the 
> > document.write() should be the last thing in the . If there are 
> > any scripts following the document.write() then they are *not 
> > executed*. I consider this a serious drawback. With server software 
> > generating script elements all over the place there are bound to be 
> > problems with this technique. It would be nice to find a better 
> > solution.
> 
> I consider this a deal breaker. Fragile and unintuitive hacks, that 
> really no one knows or can explain why they work, is NOT the kind of 
> things we should rely on when pushing for HTML5.

On Tue, 29 Sep 2009, Dean Edwards wrote:
> 
> You have two choices to get around the  rendering bug:
> 
> 1. The potentially dangerous document.write()
> 
> 2. Inserting weird conditional comments into your code:
> 
> 
>  
> 
> 
> I don't like either solution.

On Tue, 29 Sep 2009, Tab Atkins Jr. wrote:
> 
> The third solution, of course, is just to avoid  until IE7 
> shrinks sufficiently to be ignored.  That won't take too much longer, 
> and then you can start using it with impunity (aided by a js shim to 
> give it functionality in the browsers that accept it but don't implement 
> it yet).
> 
> This whole thing is really much less of an issue than the  
> problems were, where you'd have to wait for *every* current browser to 
> phase out, as opposed to just two that are already declining nicely.
> 
> After all, we're already happy enough using s or s or whatever 
> to implement that functionality.  It would be nice to immediately start 
> using the new stuff, but the timeline for when it's viable isn't so long 
> as to be unworkable.  In the meantime, we just keep doing what we're 
> already doing.

Indeed.


On Tue, 29 Sep 2009, Dean Edwards wrote:
> 
> It's going to take a while for IE7 to go away. In the meantime it 
> becomes an education issue -- "You can start using HTML5 except 
>  which will look OK in some browsers but completely break 
> others."

...and except for  which will be slow or not work in IE for the 
forseeable future, and the drag and drop model's "draggable" attribute 
which will only work in new browsers, or the new controls which will look 
like text fields in legacy UAs, or... how is  different?


> Can't we just invent some new elements? We've already created 20 new 
> ones. Two more won't hurt. :)

We have more than a dozen elements whose names would be appropriate here. 
Inventing entirely new elements to do the same thing again just to work 
around a very short-term problem is just silly.


On Sat, 3 Oct 2009, Dean Edwards wrote:
> 
> That's the whole point of this thread. We are specifying something that 
> won't be usable for years. Let's make the spec better so that we can use 
>  sooner.

Just spell it  and don't worry about it for now.

I really don't understand the sudden urgency here. All the browsers 
support this in their current versions to the same extent that they 
support, say, ; the only problem is obsolete browsers. If this is 
the biggest problem that you're worried about in terms of HTML5 
deployment, then my job here is done.


On Sat, 3 Oct 2009, Tab Atkins Jr. wrote:
> 
> If we mint a new element, we pay the costs of adding yet another 
> vaguely-heading element to add to the dozen+ we already have in the 
> language, and what's the benefit?  IE6 and IE7 will require a less 
> invasive hack to get them to the same level of not-working that all the 
> other browsers have.

Indeed.


On Sat, 3 Oct 2009, Keryx Web wrote:
> 
> The IE6/7 problem is not the only one. A number of people, myself 
> included, have expressed dissatisfaction from a semantic and 
> teachability viewpoint.
> 
> It is not better to let dt/dd have three (or perhaps 2) different 
> meanings, and different syntactic rules depending upon the parent 
> element than it would be to have 2 more elements.

I'd really like to use , but that's a lost cause.

I would prefer to use , but people had even more short-term 
troubles with that than with /.

If we're willing to wait, then I think the right solution is to drop 
 and  for now and add them in later again with .

But apparently there is so much demand that waiting a few more years isn't 
an option.


On Sun, 4 Oct 2009, Keryx Web wrote:
> 
> First and foremost, in  the order is all important. Here it would 
> not matter.
> 
> In  one may have several  for each  (or several 's in a 
> row), here one may not.
> 
> You call this "minor", I say confusing. But we have in fact created a 
> new syntax - why is that better than creating new elements?

It's less bad, in that it reduces the number of elements being have to 
consider when trying to remember how you mark up the legend/caption of a 
 element.

I agree that an element like  or  would be better.


> I am arguing in favor of introducing a new element, which would be the 
> zero c

Re: [whatwg] framesets

[Peter Brawley]

Ian,

> Your requirements aren't met by framesets

Eh? Our solution meets the requirement and uses framesets.

> s have been demonstrated to work as well as framesets

No-one's been able to point to a working non-frameset solution that 
meets this requirement.


>, and, well, framesets suck.

Unargued, subjective.

>I agree that there's
>lots of legacy content using framesets; that's why HTML5 defines how they
>should work (in more detail than any previous spec!).

?! According to 
http://www.html5code.com/index.php/html-5-tags/html-5-frameset-tag/, 
"The frameset tag is not supported in HTML 5."


>The only thing that is easier with framesets than otherwise appears to be
>resizing, which I agree is not well-handled currently.

Unsubstantiated claim absent a working example of the spec implemented 
without framesets.


>As noted before,
>though, that's an issue for more than just frames; we need a good 
solution
>for this in general, whether we have framesets or not. Furthermore, 
that's

>a styling issue, not an HTML issue.

For those who have to write or generate HTML, that's a distinction 
without a difference.


PB

-

Ian Hickson wrote:

On Tue, 13 Oct 2009, Peter Brawley wrote:
  
I don't know if there are pages that do this (and I sure hope none are 
using  for it!), but the lack of an existence proof is not 
proof of the lack of existence.
  
Of course. The point is if no-one can point to a working iframes 
solution, ie, to an instance of them actually being preferred, the claim 
that iframes provide a preferable alternative is simply not credible, to 
put it mildly.



At this point I don't really understand what you want framesets for. Your 
requirements aren't met by framesets, s have been demonstrated to 
work as well as framesets, and, well, framesets suck. I agree that there's 
lots of legacy content using framesets; that's why HTML5 defines how they 
should work (in more detail than any previous spec!). But that doesn't 
mean we should encourage them.


The only thing that is easier with framesets than otherwise appears to be 
resizing, which I agree is not well-handled currently. As noted before, 
though, that's an issue for more than just frames; we need a good solution 
for this in general, whether we have framesets or not. Furthermore, that's 
a styling issue, not an HTML issue.


  




No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 8.5.421 / Virus Database: 270.14.13/2432 - Release Date: 10/13/09 06:35:00


  

Re: [whatwg] Navigation events generated during unload

[Ian Hickson]

On Tue, 13 Oct 2009, Boris Zbarsky wrote:
> On 10/13/09 6:22 PM, Ian Hickson wrote:
> > Cross-origin 004 opens two files, 004a and 004b.
> 
> Yes.
> 
> > 004a has a link to: http://another.domain.libpr0n.com/pass
> 
> Yes.
> 
> > When you click that link, the first frame begins navigating to that URL.
> > Before it does so, it performs a cross-frame form submission to:
> > http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/pass
> 
> Right.
> 
> > Since that's the same origin as the target frame, it should work per spec,
> > but it doesn't in Firefox.
> 
> Does
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-October/023320.html
> explain what you're seeing?

Ah, I see. Yes, that makes sense. Are you ok with what the spec says 
despite this minor difference? (It seems that what the spec says is a mote 
more self-consistent, but I could be biased! ;-) )

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Navigation events generated during unload

[Boris Zbarsky]

On 10/13/09 6:22 PM, Ian Hickson wrote:

Cross-origin 004 opens two files, 004a and 004b.


Yes.


004a has a link to: http://another.domain.libpr0n.com/pass


Yes.


When you click that link, the first frame begins navigating to that URL.
Before it does so, it performs a cross-frame form submission to:
http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/pass


Right.


Since that's the same origin as the target frame, it should work per spec,
but it doesn't in Firefox.


Does 
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-October/023320.html 
explain what you're seeing?


-Boris

Re: [whatwg] disabled and readonly attributes

[Ian Hickson]

On Tue, 13 Oct 2009, Markus Ernst wrote:
>
> In 4.10.15.2 (disabled) and 4.10.5.2.3 (readonly) I can't find out what UAs
> should submit if an element is disabled resp. readonly [...]

To see what should be submitted, you should look in the form submission 
section:

   
http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#concept-form-submit

Specifically, under "Constructing the form data set".


> Also,  has a disabled attribute, but no readonly attribute. Is 
> there a reason for this?

I didn't want people to try setting readonly on a fieldset and forgetting 
that readonly only affects a few controls and not, e.g., buttons.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Restarting the media element resource fetch algorithm after "load" event

[Andrew Scherkus]

Chiming in here from Chrome's perspective...

We use a combination of in-memory and block-based caching for media
resources.  There is no guarantee whatsoever on what is loaded.  There's a
nice side benefit of allowing complete random access to the file if the
server supports range request (in my opinion a must if you're working on an
audio/video site, but that's a side issue).

For http:// we don't support load at all and never reach NETWORK_LOADED.
 We're also baffled at what to report in our progress events because the
numbers are seemingly useless in our context.  Sometimes we'll cache the end
of the file to grab some useful metadata, but we don't want to fire a
progress event saying we've loaded the last bit of the file...

For file:// we immediately transition to NETWORK_LOADED.  This is how we
pass the WebKit layout tests :)

Being the only browser (I think?) that doesn't fire the load event we've ran
into site compatibility issues.  I believe a lot of web authors are used to
tacking onload= into a tag and expecting it to work.  I've reached out to
web authors to educate them about using canplaytype() +
oncanplay/oncanplaythrough as alternatives to user agent checking and
onload.

I'm in favour of getting rid of both load and progress events.

Andrew

On Fri, Oct 9, 2009 at 2:27 AM, Robert O'Callahan wrote:

> On Fri, Oct 9, 2009 at 8:32 PM, Philip Jägenstedt wrote:
>
>> Aesthetics is not a serious argument. More importantly, the progress
>> events spec [1] requires that exactly one of error/abort/load be fired
>> followed by loadend. Dropping load and loadend would be a willful violations
>> of that spec. In my opinion, the progress events spec should be the one to
>> change.
>>
>> [1] http://www.w3.org/TR/progress-events/
>>
>
> I agree.
>
> That spec says
>
>> If the Operation successfully completes, the user agent *must* dispatch a
>> load event.
>>
> Here we're just dealing with an operation that never completes. The only
> real problem in the spec is that it says "Exactly one of these *must* be
> dispatched", which seems to just not have considered the possibility of
> operations that run indefinitely.
>
> Some other Mozilla developers have actually argued that progress events in
> general don't make sense for media elements. The 'buffered' TimeRanges
> attribute gives you much more accurate and useful information than progress
> events. The progress event 'loaded' and 'total' attributes don't make a lot
> of sense in implementations where data may be discarded and redownloaded
> during the load. (If you discard some data, does the next progress event
> have a smaller 'loaded' value than the last one? Or does 'total' increase by
> the size of the discarded data?) But I don't want to open that can of worms
> just yet :-).
>
>
> Rob
> --
> "He was pierced for our transgressions, he was crushed for our iniquities;
> the punishment that brought us peace was upon him, and by his wounds we are
> healed. We all, like sheep, have gone astray, each of us has turned to his
> own way; and the LORD has laid on him the iniquity of us all." [Isaiah
> 53:5-6]
>

Re: [whatwg] The legend element

[Ian Hickson]

On Tue, 13 Oct 2009, Markus Ernst wrote:
> Ian Hickson schrieb:
> >
> > I would recommend not using  and  for rows 2 and 3.
> > 
> > As in:
> > 
> >   Placeholder outputs of 2nd row:
> > 
> > {label}: What is favourite pet?
> > 
> > {input-html}:
> > Cat
> > Dog
> > Ant
> > 
> > 
> >   Placeholder outputs of 3rd row:
> > 
> > {label}: When are you born?
> > 
> > {input-html}:
> > Month:
> >  
> >January
> >...
> >  
> > 
> > Year: 
> > 
> > Why isn't that satisfactory?
> 
> It is, if omitting  does not do any harm, such as lower the 
> accessibility of the form.

I don't see why it would, especially in your example where everything is 
in a cell anyway.

> If this is the case, and I read paragraph 4.10.2 of the spec correctly, 
>  serves exactly 2 purposes:
> - Adds possibility to group-disable it's descendants
> - Can assign it's descendants to a form, when they are placed outside the form
> element in the code

It also adds the possibility of grouping form controls under a single 
name, and of providing groups of controls for understanding the form.


> Is this correct? Then it might be nice to clarify this with a few words 
> in the spec, as "The fieldset element represents a set of form controls 
> optionally grouped under a common name" can be read as implying 
> structuring and thus accessibility matters.

The element does add structure and help with accessibility, but that 
doesn't mean it's always necessary.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] localStorage feedback

[Ian Hickson]

On Tue, 13 Oct 2009, Jeremy Orlow wrote:
> On Tue, Oct 13, 2009 at 3:40 PM, Ian Hickson  wrote:
> > On Tue, 13 Oct 2009, Brett Cannon wrote:
> > > On Mon, Oct 12, 2009 at 19:07, Ian Hickson  wrote:
> > > >
> > > > I believe you can test if a key is in the storage area using:
> > > >
> > > >   if (key in storage) { ... }
> > > >
> > > > For example:
> > > >
> > > >   if ('document' in window.localStorage) { ... }
> > >
> > > I didn't find that in the spec anywhere. Is it somehow implicit and I
> > > just missed it? Or will it be specified sometime in the future?
> >
> > It's the net effect of this line in the spec:
> >
> > # The names of the supported named properties on a Storage object are the
> > # keys of each key/value pair currently present in the list associated
> > # with the object.
> >
> > ...combined with the definitions in the WebIDL spec.
> 
> It seems odd that there wouldn't be a corresponding method on 
> localStorage given that the deleter, getter, and setter all have them.

Personally I'd rather remove those methods, but I think we're stuck with 
them at this point.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] localStorage feedback

[Jeremy Orlow]

On Tue, Oct 13, 2009 at 3:40 PM, Ian Hickson  wrote:

> On Tue, 13 Oct 2009, Brett Cannon wrote:
> > On Mon, Oct 12, 2009 at 19:07, Ian Hickson  wrote:
> > >
> > > I believe you can test if a key is in the storage area using:
> > >
> > >   if (key in storage) { ... }
> > >
> > > For example:
> > >
> > >   if ('document' in window.localStorage) { ... }
> >
> > I didn't find that in the spec anywhere. Is it somehow implicit and I
> > just missed it? Or will it be specified sometime in the future?
>
> It's the net effect of this line in the spec:
>
> # The names of the supported named properties on a Storage object are the
> # keys of each key/value pair currently present in the list associated
> # with the object.
>
> ...combined with the definitions in the WebIDL spec.
>

It seems odd that there wouldn't be a corresponding method on localStorage
given that the deleter, getter, and setter all have them.

Of course, adding a new keyword would break backwards compatibility.  (Yet
another shortcoming of local storage.)

Re: [whatwg] localStorage feedback

[Ian Hickson]

On Tue, 13 Oct 2009, Brett Cannon wrote:
> On Mon, Oct 12, 2009 at 19:07, Ian Hickson  wrote:
> >
> > I believe you can test if a key is in the storage area using:
> >
> >   if (key in storage) { ... }
> >
> > For example:
> >
> >   if ('document' in window.localStorage) { ... }
>
> I didn't find that in the spec anywhere. Is it somehow implicit and I 
> just missed it? Or will it be specified sometime in the future?

It's the net effect of this line in the spec:

# The names of the supported named properties on a Storage object are the 
# keys of each key/value pair currently present in the list associated 
# with the object.

...combined with the definitions in the WebIDL spec.


> > I think everyone agrees that we need a storage mechanism in workers; 
> > the question is what it should be. That's basically the same as the 
> > question of what should happen with the Web Database spec -- I don't 
> > think we would want to end up with multiple storage systems in 
> > workers. The answer to this question depends on the result of this 
> > debate in the Web Apps WG.
>
> Since I am not a w3c member and thus cannot subscribe to the Web Apps WG 
> mailing list, just want to say good luck to whomever pushes this. I 
> truly hope you guys can agree on a single storage solution that the 
> browsers all implement. It would definitely help keep my PhD thesis 
> relevant after it's finished. =)

Anybody can join the public-webapps mailing list, not just W3C members.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] framesets

[Ian Hickson]

On Tue, 13 Oct 2009, Peter Brawley wrote:
> >
> > I don't know if there are pages that do this (and I sure hope none are 
> > using  for it!), but the lack of an existence proof is not 
> > proof of the lack of existence.
> 
> Of course. The point is if no-one can point to a working iframes 
> solution, ie, to an instance of them actually being preferred, the claim 
> that iframes provide a preferable alternative is simply not credible, to 
> put it mildly.

At this point I don't really understand what you want framesets for. Your 
requirements aren't met by framesets, s have been demonstrated to 
work as well as framesets, and, well, framesets suck. I agree that there's 
lots of legacy content using framesets; that's why HTML5 defines how they 
should work (in more detail than any previous spec!). But that doesn't 
mean we should encourage them.

The only thing that is easier with framesets than otherwise appears to be 
resizing, which I agree is not well-handled currently. As noted before, 
though, that's an issue for more than just frames; we need a good solution 
for this in general, whether we have framesets or not. Furthermore, that's 
a styling issue, not an HTML issue.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Navigation events generated during unload

[Ian Hickson]

On Tue, 13 Oct 2009, Boris Zbarsky wrote:
> On 10/13/09 7:00 AM, Ian Hickson wrote:
> > > >  
> > > > http://www.hixie.ch/tests/adhoc/html/navigation/unload/same-origin/004.html
> > > 
> > > But in this case the form action is same-origin with the load that's
> > > happening
> > 
> > As it is on the other one:
> > 
> > 
> > http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/004.html
> 
> In the "cross-origin" test, the load that's happening is that of 
> "http://another.domain.libpr0n.com/pass"; while the form action is 
> "http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/pass"; 
> as far as I can tell.  Those are not same-origin, right?

Cross-origin 004 opens two files, 004a and 004b.

004a has a link to: http://another.domain.libpr0n.com/pass

When you click that link, the first frame begins navigating to that URL. 
Before it does so, it performs a cross-frame form submission to:
   http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/pass

Since that's the same origin as the target frame, it should work per spec, 
but it doesn't in Firefox.

(If it did work, then 004b, which is replaced by that form submission, 
would try to do a cross-frame form submission again, but by this time 004a 
is gone and so it would be a cross-origin frame targetting, which is 
disallowed, and thus nothing happens, regardless of the URL being navigated.)


> > The navigation algorithm goes through an asynchronous phase (waiting 
> > on the network, doing some sniffing in the background), but once it 
> > goes back to the synchronous stage where unload is fired, everything 
> > else happens in one go; there's no spinning of the event loop between 
> > the old page getting unload, the page being unloaded, and the new page 
> > being put into the session history and brought up.
> 
> Aha.  Perfect, thanks.  The text in the spec had just made it sound like 
> the async phase happened _after_ one started parsing the new document. 
> Good to know that's not the case.

Technically you are allowed to, but you have to switch before you run any 
scripts, so it's basically just allowing a minor optimisation.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Transparent Content

[Ian Hickson]

On Tue, 13 Oct 2009, Yuvalik Webdesign wrote:
> 
> Anyway, Perhaps this will do?
> 
> "If a transparent element were to be removed but its descendants were 
> kept as they are, the content should remain conformant."
> 
> Or:
> 
> "Any transparent content should be conformant as if its transparent 
> containing element did not exist."

Unfortunately both of these can be interpreted as saying that the element 
and all its children disappear -- "kept as they are" implies kept as 
children of the element; "[parent] element did not exist" implies the kids 
aren't in the tree, etc.


> But again, perhaps the added example makes things clear enough. Just 
> trying to help.

Your help is much appreciated. I'm glad the example helps.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Transparent Content

[Ian Hickson]

On Tue, 13 Oct 2009, Yuvalik Webdesign wrote:
> > 
> > If there's another way of saying what the spec says that is 
> > technically precise but more understandable, I'd be happy to use it. 
> > In the meantime, I've added an example to explain it better.
> 
> Would this do:
> 
> If a transparent element were to be replaced by an element equal to its 
> parent while retaining its content, this content should remain 
> conformant.

That wouldn't catch a case where there was some ordering issue.

For example, suppose element  can only have one child , as 
well as many other elements. Suppose  is transparent and can be a 
child of .

Now consider:

   


 

   

Is this conforming? If we apply your criteria:

   


 

   

...then yes, it appears conforming. But if we apply the spec's criteria:

   


   

...then we find it is _not_ conforming.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] localStorage feedback

[Brett Cannon]

On Mon, Oct 12, 2009 at 19:07, Ian Hickson  wrote:

>
> [SNIP]
> On Wed, 23 Sep 2009, Brett Cannon wrote:
> >
> > Before the move to structured clones one could tell if a key was set by
> > calling getItem() and seeing if it returned null (had to use === as
> > someone could have called setItem() w/ null, but that would be coerced
> > to a string for storage). But with the latest draft's switch to
> > structured clones that test no longer clearly differentiates between
> > whether the value returned by getItem() signifies that the key was not
> > set, or the key was set with the value null.
>
> I believe you can test if a key is in the storage area using:
>
>   if (key in storage) { ... }
>
> For example:
>
>   if ('document' in window.localStorage) { ... }
>
>
I didn't find that in the spec anywhere. Is it somehow implicit and I just
missed it? Or will it be specified sometime in the future?


>
> > And since I just subscribed to the mailing list, I was wondering if the
> > whole workers/localStorage discussion ended or not, as I can provide a
> > (potentially minor) real-world use-case for sharing access between the
> > page and worker if people want to hear it (in a new email of course).
>
> I think everyone agrees that we need a storage mechanism in workers; the
> question is what it should be. That's basically the same as the question
> of what should happen with the Web Database spec -- I don't think we would
> want to end up with multiple storage systems in workers. The answer to
> this question depends on the result of this debate in the Web Apps WG.
>
>
Since I am not a w3c member and thus cannot subscribe to the Web Apps WG
mailing list, just want to say good luck to whomever pushes this. I truly
hope you guys can agree on a single storage solution that the browsers all
implement. It would definitely help keep my PhD thesis relevant after it's
finished. =)

-Brett

Re: [whatwg] localStorage feedback

[Anne van Kesteren]

On Tue, 13 Oct 2009 04:20:56 +0200, Robert O'Callahan  
 wrote:

Perhaps it should be defined in CSSOM, alongside scrollTop/scrollLeft?


In Gecko, it's just something that fires asynchronously after a node's
scrollTop/scrollLeft have changed. Scroll events for the viewport fire at
the document and bubble to the window, scroll events on elements with
'overflow' not 'visible' fire at that element and don't bubble.


I forwarded this to www-style by the way. It's on the pile for cssom-view  
now.



--
Anne van Kesteren
http://annevankesteren.nl/

Re: [whatwg] disabled and readonly attributes

[Tab Atkins Jr.]

On Tue, Oct 13, 2009 at 11:16 AM, Anne van Kesteren  wrote:
> On Tue, 13 Oct 2009 18:07:16 +0200, Aryeh Gregor 
> wrote:
>>
>> It seems like I'm not the only one confused by the difference between
>> disabled and readonly, then.
>
> Disabled controls are not submitted.

The confusion at hand is about the treatment of fieldset[readonly] (or
rather, why it *doesn't* have a treatment, when fieldset[disabled]
works).

(I'd have a use for that, by the way.  Two weeks or so ago I had a
project with a lot of inputs that start in a readonly state, and go to
editable as a group when you doubleclick on their section.  Being able
to set/unset readonly on a fieldset rather than on each individual
input would have made it a little bit easier.)

~TJ

Re: [whatwg] disabled and readonly attributes

[Anne van Kesteren]

On Tue, 13 Oct 2009 18:07:16 +0200, Aryeh Gregor  
 wrote:

It seems like I'm not the only one confused by the difference between
disabled and readonly, then.


Disabled controls are not submitted.


--
Anne van Kesteren
http://annevankesteren.nl/

Re: [whatwg] disabled and readonly attributes

[Aryeh Gregor]

On Tue, Oct 13, 2009 at 7:12 AM, Markus Ernst  wrote:
> Also,  has a disabled attribute, but no readonly attribute. Is
> there a reason for this?

On Tue, Oct 13, 2009 at 9:15 AM, Tab Atkins Jr.  wrote:
> Dunno.

It seems like I'm not the only one confused by the difference between
disabled and readonly, then.

Re: [whatwg] framesets

[Peter Brawley]

Ian

Thanks for your interest in the issue.


> > > I quoted Andrew Fedoniouk
> > > (http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2007-March/010186.html), 
> > > "There are use cases when frames are good. As an example: online (and

> > > offline) help systems ... In such cases they provide level of usability
> > > higher than any other method of presenting content of such type."
> > >
> > > I've not seen a counterexample. Have you?> >
> > I believe Andrew's statement to be incorrect.> 
> If your belief is correct, there must be sites which accomplish this 
> spec with tables + iframes (for example). No contributor has managed to 
> point to them.
  
I don't know if there are pages that do this (and I sure hope none are 
using  for it!), but the lack of an existence proof is not proof of 
the lack of existence.


Of course. The point is if no-one can point to a working iframes 
solution, ie, to an instance of them actually being preferred, the claim 
that iframes provide a preferable alternative is simply not credible, to 
put it mildly.


>However, in the interests of moving this on, I made an example here in
>about ten minutes:
>http://damowmow.com/playground/demos/framesets-with-iframes/001.html

Yes, iframes can implement some features of the spec. See above.

PB

-

Ian Hickson wrote:

On Mon, 12 Oct 2009, Peter Brawley wrote:
  

I quoted Andrew Fedoniouk
(http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2007-March/010186.html), 
"There are use cases when frames are good. As an example: online (and

offline) help systems ... In such cases they provide level of usability
higher than any other method of presenting content of such type."

I've not seen a counterexample. Have you?


I believe Andrew's statement to be incorrect.
  
If your belief is correct, there must be sites which accomplish this 
spec with tables + iframes (for example). No contributor has managed to 
point to them.



I don't know if there are pages that do this (and I sure hope none are 
using  for it!), but the lack of an existence proof is not proof of 
the lack of existence.


However, in the interests of moving this on, I made an example here in 
about ten minutes:


   http://damowmow.com/playground/demos/framesets-with-iframes/001.html

It doesn't do the resizing, and I didn't test it in IE so it probably 
needs some hacks to work around some bugs there, but it works fine for me 
in Safari. Resizing in a single page in general is a solved problem, you 
can probably slap a little JS on there and it would be supported too. (It 
should be easier to do, mind you; that's a CSS problem though, and affects 
more than just frames.)



  

search engines can't index into them (search is a critical part of help
systems), pages in them can't easily be bookmarked
  

A DB row is a tree node and it must be possible to block bookmarking of such
rows.



Framesets don't block bookmarking of such rows. They just make it harder. 
(A user can always right-click a frame and get the URL to bookmark it.)


AJAX can block bookmarking of such rows, though.


On Mon, 12 Oct 2009, Peter Brawley wrote:
  
There are good database reasons to block bookmarks to table rows, so 
that must be doable.



That's fair enough, but framesets don't provide that possibility. They 
only make bookmarking significantly harder; they don't make it impossible. 
Indeed there have been a number of browsers over the years who have 
implemented various hacks whereby the user can bookmark the entire state 
of a frameset. The usability of such hacks has been poor, but the point is 
that if the requirement is that bookmarking not work, frames don't 
actually fulfill that need.


  




No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 8.5.421 / Virus Database: 270.14.11/2430 - Release Date: 10/12/09 04:01:00


  

Re: [whatwg] Transparent Content

[Yuvalik Webdesign]

From: Scott González [mailto:scott.gonza...@gmail.com] 

>On Tue, Oct 13, 2009 at 8:53 AM, Yuvalik Webdesign  
>wrote:
>Would this do:
>
>If a transparent element were to be replaced by an element equal to its parent 
>while retaining its content, this content should remain conformant.
>
>That would imply that another element would be inserted in the place of the 
>transparent element. Perhaps something like "If a transparent element were >to 
>be replaced by its children, the content should remain conformant."
>
>Interestingly, for a sentence that seems to be causing confusion, the 
>equivalent code is very straight-forward and easy to understand. I don't think 
>>this section will remain confusing, but if it does going into the technical 
>steps of how you would remove an element without removing its children would 
>>certainly clear that up.


"were to be replaced by its children" makes the sentence confusing again 
(although it is correct). In your proposal you suggest that the transparent 
content replaces the transparent element (which creates a non-logical 
situation), also, it doesn't make clear if you replace the element with all its 
children or just one at a time and in which order.
I do agree that the example code does make things easier to understand and 
perhaps it should be kept like so. 
It is interesting to see how something so relatively simple is so difficult to 
write down in one clear sentence.

Anyway, Perhaps this will do?

"If a transparent element were to be removed but its descendants were kept as 
they are, the content should remain conformant."

Or:

"Any transparent content should be conformant as if its transparent containing 
element did not exist."

(or something to this effect, my English is not so good that I can build such 
complex sentences).

But again, perhaps the added example makes things clear enough. Just trying to 
help.

Evert
 

Re: [whatwg] Navigation events generated during unload

[Boris Zbarsky]

On 10/13/09 7:00 AM, Ian Hickson wrote:

 http://www.hixie.ch/tests/adhoc/html/navigation/unload/same-origin/004.html


But in this case the form action is same-origin with the load that's
happening


As it is on the other one:

http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/004.html


In the "cross-origin" test, the load that's happening is that of 
"http://another.domain.libpr0n.com/pass"; while the form action is 
"http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/pass"; 
as far as I can tell.  Those are not same-origin, right?



The navigation algorithm goes through an asynchronous phase (waiting on
the network, doing some sniffing in the background), but once it goes back
to the synchronous stage where unload is fired, everything else happens in
one go; there's no spinning of the event loop between the old page
getting unload, the page being unloaded, and the new page being put into
the session history and brought up.


Aha.  Perfect, thanks.  The text in the spec had just made it sound like 
the async phase happened _after_ one started parsing the new document. 
Good to know that's not the case.


-Boris

Re: [whatwg] More prohibited characters for unquoted attributes are needed

[Geoffrey Sneddon]

Ian Hickson wrote:

On Mon, 7 Sep 2009, Aryeh Gregor wrote:

On Mon, Sep 7, 2009 at 1:34 PM, Geoffrey Sneddon
 wrote:

Apparently Hixie had previously said he didn't want to change this as it
will become a non-issue over time. I think it does matter due to the
security issues it presents in existing UAs. Conforming markup (using
elements/attributes allowed in HTML 4.01) should not cause JS to execute in
one browser but not in another.
I agree with you as an author.  I wrote an HTML output function in 
MediaWiki assuming that what the standard says is known to be 
interoperable, which is apparently wrong.  If I hadn't been keeping up 
with HTML 5, I would have introduced an XSS vulnerability because of 
some browsers' handling of `.


If the problem will go away with time, then perhaps a later version of 
the standard could make such unquoted attributes conforming, once 
there's no more problem with them.


As far as I can tell, this is an IE bug; treating "`" as an attribute 
quoting character is non-conforming in any version of HTML so far, it 
seems. I'm certainly not going to make it non-conforming to stumble into 
any IE bug or difference in parsing between IE and previous specs or other 
browsers; we'd just end up with an asanine set of conformance 
requirements.


I agree that it's pointless to make it non-conforming to hit any parsing 
bug, but I would argue that we should make as many cases as it is 
sensible to do so non-conforming if they open up security holes in 
websites on legacy UAs, given that website uses a HTML 5 
parser/sanitizer/serializer.



For example, should this be non-conforming?

   
   Test
   
Search: 

   

This perfectly innocent piece of HTML content (HTML2-compliant except for 
the DOCTYPE) results in a non-tree DOM in IE8. Should we make it 
non-conforming?


No, it opens up no security hole if that is done.

Similarly, IE conditional comments make it trivial to trigger scripts in 
IE but not another UA; indeed people do this on purpose. Should we make 
those non-conforming also?


They are a harder issue, but I think it is probably fair enough to 
assume that most sanitizers drop comments for such reasons, hence making 
them fine to leave as conforming also.


As I understand it, the attack here is a site that allows the user to 
input text that is used verbatim in two attributes, such that the user can 
set the first attribute's value to:


   `

...and the second to:

   ` onload='...payload...' end=x

...with the assumption that the site is going to not quote the first one, 
and quote the second one with double quotes:


(This is the default behaviour of Python html5lib, FWIW: the first is 
not quoted as it does not contain any whitespace characters or U+003E 
(>), the latter is quoted for that reason.)



   

...which in IE, for some reason, gets treated as:

   


Indeed, this is the attack I (and others) am concerned about.

I've disallowed ` in unquoted attribute values for now, but I think we 
should revert this once IE has fixed this bug for a few years.


Right, once versions of IE with this bug have faded out of existence I 
think this will become a non-issue. I also expect that'll be a while 
yet, though, and I highly doubt that time will have come even by the 
time when HTML 5 goes to REC. Furthermore, if there are similar attacks 
to this, I think they should similarly be made non-conforming.


--
Geoffrey Sneddon — Opera Software

Re: [whatwg] disabled and readonly attributes

[Tab Atkins Jr.]

On Tue, Oct 13, 2009 at 6:12 AM, Markus Ernst  wrote:
> In 4.10.15.2 (disabled) and 4.10.5.2.3 (readonly) I can't find out what UAs
> should submit if an element is disabled resp. readonly:
> - nothing
> - the default value
> - any value that might have been entered, or assigned via DOM, before
> disabled resp. readonly was set to true
> - any value that might have been assigned via DOM, even after disabled resp.
> readonly was set to true
> - or is this up to the UA?

For all of these, the @readonly attribute does nothing but prevent
user interaction.  I'm not sure off the top of my head whether it
prevents script-based manipulation.  There is no effect on the
submitted value.  @disabled prevents the form element from submitting
entirely.

The former is explained under the readonly attribute section in
4.10.5.2.3, the latter is explained in the form submission algorithm
in 4.10.17.3.

> I personnally would appreciate some clarity about this.
>
> Also,  has a disabled attribute, but no readonly attribute. Is
> there a reason for this?

Dunno.

~TJ

Re: [whatwg] Transparent Content

[Scott González]

On Tue, Oct 13, 2009 at 8:53 AM, Yuvalik Webdesign
wrote:

> Would this do:
>
> If a transparent element were to be replaced by an element equal to its
> parent while retaining its content, this content should remain conformant.
>

That would imply that another element would be inserted in the place of the
transparent element. Perhaps something like "If a transparent element were
to be replaced by its children, the content should remain conformant."

Interestingly, for a sentence that seems to be causing confusion, the
equivalent code is very straight-forward and easy to understand. I don't
think this section will remain confusing, but if it does going into the
technical steps of how you would remove an element without removing its
children would certainly clear that up.

Re: [whatwg] Transparent Content

[Yuvalik Webdesign]

> From: Ian Hickson [mailto:i...@hixie.ch]

> If there's another
> way
> of saying what the spec says that is technically precise but more
> understandable, I'd be happy to use it. In the meantime, I've added an
> example to explain it better.


Would this do:

If a transparent element were to be replaced by an element equal to its parent 
while retaining its content, this content should remain conformant.

Evert

Re: [whatwg] Feature requests in WebSocket

[Ian Hickson]

On Fri, 18 Sep 2009, Greg Wilkins wrote:
> Ian Hickson wrote:
> > I don't see how we could hit limits within the OS with Web Sockets.
> 
> Consider a webapp with U users, each with W widgets accessing S services 
> on the server.
> 
> The resources the server needs to service with with multiplexing is 
> O(U+S)

No, it's O(U*S*W). You need resources for each user/widget/service 
endpoint.


> > WebSockets is designed to be more like CGI than HTTP in terms of 
> > server-side complexity. Just like there are far more CGI 
> > implementations than HTTP implementations, I would expect -- and hope! 
> > -- that there will be far more Web Socket implementations than HTTP 
> > implementations.
> 
> It is not a good example and I know of no serious large scale web 
> application that uses CGI.  It is only for small scale systems.

Small scale systems and large scale systems are both part of the target 
audience for Web Sockets.


> > On Fri, 4 Sep 2009, Greg Wilkins wrote:
> >> With HTTP, the server side developer handles requests and has little 
> >> idea what connection they came over.
> > 
> > This is not HTTP.
> 
> I don't understand your point?

With Web Sockets, one would know which connections requests were coming 
over, since it's a connection-primary protocol. The connection is the 
primitive.


> Why is the server side any different to the client side.

The main difference is that there are fewer client-side developers, and 
their code is generally going to be tested more thoroughly (and thus have 
better implementations) than server-side implementations.


> You don't expect most client side developers to write their own browsers 
> and websocket implementations do you?

I don't expect there to be much many more than four client-side 
implementations.

Realistically one could expect that if this protocol becomes widely used 
enough that there are services that use this protocol, standalone clients 
could crop up to talk to those servers, and then the difference will 
mostly go away. I think that would be sad, though; this isn't exactly the 
best protocol to use if you're not limited by the browser security model.


> Why do you expect server side developers to write their own servers?

Same reason that people write their own CGI scripts.


> > TCP/IP already supports all we need here. I don't see why we would 
> > want to reinvent this wheel inside a protocol tunneling through TCP.
> 
> There is no wheel being reinvented.
> 
> TCP/IP is not there for hold state that is entirely private to the 
> application.
> 
> TCP/IP is there to create a channel between application (eg browser) to 
> application (eg server).
> 
> It is the job of the application level protocol (eg HTTP, SMTP, 
> websocket, etc) to route data between an application component (eg 
> widget within page within browser) and application component (eg 
> resource within server).

Web Socket is not an application-level protocol. It's just a security 
layer on top of TCP to make TCP available to applications so that they can 
write their own application-level protocols.


> So while you obviously think connections should not be a limiting factor 
> - the reality is that they are and there is only a small design cost to 
> make a protocol that is not wasteful of connections.

Making Web Sockets have multiplexing is not a small design cost. It's 
actually remarkably complicated. You'd either need to drop the 
HTTP-Upgrade support, or make it so that there were two ways to address 
resources (one during the handshake, for the first connection, and one for 
subsequent connections).

I'm also not at all convinced that there will be W*S connections per user. 
different "W"s will need different "S"s, and each "S" will be from a 
different provider, with his own server, not on the same host.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] spec comments (websocket)

[Ian Hickson]

On Fri, 4 Sep 2009, Wenbo Zhu wrote:
>
> re: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-40
> 1) section 6:  "User agents should not close the Web Socket connection
> arbitrarily."
> 
> Please clarify what "arbitrarily" means .. given there is no handshake 
> for close?

Arbitrarily here has its usual meaning, "Determined by chance, whim, or 
impulse, and not by necessity, reason, or principle".

The point being that the connection is only to be closed upon the request 
of the user of the Web Socket API, and not, e.g., based on a timer.


> 2) section 7: "Servers that only accept input from one origin can just 
> send back that value in the "WebSocket-Origin" header, without bothering 
> to check the client's value."
> 
> I suppose servers should still verify the (single) origin to ensure it 
> matches .. Yes, the server simple echoes back the received origin 
> thereafter.

No, the server need not check the origin in this case. The UA performs 
that check. (The UA can be trusted to perform that check to the same 
extent that the UA can be trusted to provide the correct Origin header.)

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

[whatwg] disabled and readonly attributes

[Markus Ernst]

In 4.10.15.2 (disabled) and 4.10.5.2.3 (readonly) I can't find out what 
UAs should submit if an element is disabled resp. readonly:

- nothing
- the default value
- any value that might have been entered, or assigned via DOM, before 
disabled resp. readonly was set to true
- any value that might have been assigned via DOM, even after disabled 
resp. readonly was set to true

- or is this up to the UA?

I personnally would appreciate some clarity about this.

Also,  has a disabled attribute, but no readonly attribute. Is 
there a reason for this?


--
Markus

Re: [whatwg] The legend element

[Markus Ernst]

Ian Hickson schrieb:
[...]


I would recommend not using  and  for rows 2 and 3.

As in:

  Placeholder outputs of 2nd row:

{label}: What is favourite pet?

{input-html}:
Cat
Dog
Ant


  Placeholder outputs of 3rd row:

{label}: When are you born?

{input-html}:
Month:
 
   January
   ...
 

Year: 

Why isn't that satisfactory?



It is, if omitting  does not do any harm, such as lower the 
accessibility of the form. If this is the case, and I read paragraph 
4.10.2 of the spec correctly,  serves exactly 2 purposes:

- Adds possibility to group-disable it's descendants
- Can assign it's descendants to a form, when they are placed outside 
the form element in the code


Is this correct? Then it might be nice to clarify this with a few words 
in the spec, as "The fieldset element represents a set of form controls 
optionally grouped under a common name" can be read as implying 
structuring and thus accessibility matters.

Re: [whatwg] Issues with Web Sockets API

[Ian Hickson]

On Mon, 31 Aug 2009, Alexey Proskuryakov wrote:
> > 
> > 9. If the client has any authentication information <...> that would 
> > be relevant to a resource accessed over HTTP, if /secure/ is false, or 
> > HTTPS, if it is true, on host /host/, port /port/, with /resource 
> > name/ as the path (and possibly query parameters), then HTTP headers 
> > that would be appropriate for that information should be sent at this 
> > point. [RFC2616] [RFC2109] [RFC2965]
> 
> I'm not sure how this part translates into actual behavior. What if 
> there are several sets of credentials already known to the client, for 
> example?

What would you do in the same situation for HTTP URLs?


> Also, what if the client has already performed digest authentication 
> with several nonce values?

Same question.


> Is this meant to mimic some behavior that existing clients have for HTTP 
> already?

Yes, as it says, the idea is for UAs to send the same headers they would 
send if the protocol had been HTTP.


> > If /code/, interpreted as ASCII, is "401", then let /mode/ be
> > _authenticate_. Otherwise, fail the Web Socket connection and abort these
> > steps.
> 407 (proxy authenticate) also likely needs to be supported.

Proxies wouldn't work with WebSockets in general.


> > -> If the entry's name is "www-authenticate" Obtain credentials in a 
> > manner consistent with the requirements for handling the 
> > |WWW-Authenticate| header in HTTP, and then close the connection (if 
> > the server has not already done so)
> 
> Some authentication schemes (e.g. NTLM) work on connection basis, so I 
> don't think that closing the connection right after receiving a 
> challenge can work with them.

Yeah, that's quite possible.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Navigation events generated during unload

[Ian Hickson]

On Mon, 12 Oct 2009, Boris Zbarsky wrote:
> On 10/12/09 1:55 AM, Ian Hickson wrote:
> > Why is the form.submit() ignored? It's not ignored in, e.g.:
> > 
> > 
> > http://www.hixie.ch/tests/adhoc/html/navigation/unload/same-origin/004.html
> 
> But in this case the form action is same-origin with the load that's
> happening

As it is on the other one:

   http://www.hixie.ch/tests/adhoc/html/navigation/unload/cross-origin/004.html


> > > Also, I'm not quite sure what the part about unloading that comes 
> > > after the algorithm you pointed me to means.  Does it mean that once 
> > > you get the response and start parsing the new document you queue a 
> > > task to unload the old one?  That doesn't seem at all right to me, 
> > > since at this point the new document can be running scripts that 
> > > touch the WindowProxy they share...
> > 
> > Not sure what you mean here. I've tried to clarify that the new page 
> > must be active before any scripts run.
> 
> Looking at the algorithm steps when I made my last comment, it sounded 
> like the new data starts coming in, the UA starts processing it, and 
> queues a task to unload the old document.  Gecko at the moment, for 
> example, unloads the old document immediately after firing unload on it, 
> and before parsing any of the new document.  Is that the behavior the 
> spec calls for?

The navigation algorithm goes through an asynchronous phase (waiting on 
the network, doing some sniffing in the background), but once it goes back 
to the synchronous stage where unload is fired, everything else happens in 
one go; there's no spinning of the event loop between the old page 
getting unload, the page being unloaded, and the new page being put into 
the session history and brought up.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] The legend element

[Ian Hickson]

On Mon, 12 Oct 2009, Markus Ernst wrote:
>
> My use case is a template system with separate placeholders for labels 
> and input fields, where input fields can be fieldsets in some cases, 
> e.g.:
> 
> Relevant part of the template:
> 
> 
> 
>   {label}
>   {input-html}
> 
> 
>
> Placeholder outputs of first row:
> 
> {label}: What is your name?
> 
> {input-html}:
> 
> 
> 
> Placeholder outputs of 2nd row:
> 
> {label}: What is favourite pet?
> 
> {input-html}:
> 
>   Cat
>   Dog
>   Ant
> 
> 
> 
> Placeholder outputs of 3rd row:
> 
> {label}: When are you born?
> 
> {input-html}:
> 
>   Month:
> 
>   January
>   ...
> 
>   
>   Year: 
> 
> 
> 
> Rows 2 and 3 illustrate the use case. For my original suggestion replace
>  with  in those rows.

Ah, I see.

I would recommend not using  and  for rows 2 and 3.

As in:

  Placeholder outputs of 2nd row:

{label}: What is favourite pet?

{input-html}:
Cat
Dog
Ant


  Placeholder outputs of 3rd row:

{label}: When are you born?

{input-html}:
Month:
 
   January
   ...
 

Year: 

Why isn't that satisfactory?

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] framesets

[Ian Hickson]

On Mon, 12 Oct 2009, Peter Brawley wrote:
> > >
> > > I quoted Andrew Fedoniouk
> > > (http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2007-March/010186.html),
> > >  
> > > "There are use cases when frames are good. As an example: online (and
> > > offline) help systems ... In such cases they provide level of usability
> > > higher than any other method of presenting content of such type."
> > >
> > > I've not seen a counterexample. Have you?
> >
> > I believe Andrew's statement to be incorrect.
> 
> If your belief is correct, there must be sites which accomplish this 
> spec with tables + iframes (for example). No contributor has managed to 
> point to them.

I don't know if there are pages that do this (and I sure hope none are 
using  for it!), but the lack of an existence proof is not proof of 
the lack of existence.

However, in the interests of moving this on, I made an example here in 
about ten minutes:

   http://damowmow.com/playground/demos/framesets-with-iframes/001.html

It doesn't do the resizing, and I didn't test it in IE so it probably 
needs some hacks to work around some bugs there, but it works fine for me 
in Safari. Resizing in a single page in general is a solved problem, you 
can probably slap a little JS on there and it would be supported too. (It 
should be easier to do, mind you; that's a CSS problem though, and affects 
more than just frames.)


> > search engines can't index into them (search is a critical part of help
> > systems), pages in them can't easily be bookmarked
> 
> A DB row is a tree node and it must be possible to block bookmarking of such
> rows.

Framesets don't block bookmarking of such rows. They just make it harder. 
(A user can always right-click a frame and get the URL to bookmark it.)

AJAX can block bookmarking of such rows, though.


On Mon, 12 Oct 2009, Peter Brawley wrote:
> 
> There are good database reasons to block bookmarks to table rows, so 
> that must be doable.

That's fair enough, but framesets don't provide that possibility. They 
only make bookmarking significantly harder; they don't make it impossible. 
Indeed there have been a number of browsers over the years who have 
implemented various hacks whereby the user can bookmark the entire state 
of a frameset. The usability of such hacks has been poor, but the point is 
that if the requirement is that bookmarking not work, frames don't 
actually fulfill that need.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] The banner-role for headers

[Ian Hickson]

On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:
> > From: Ian Hickson
> >
> > > Which makes sense to me, a banner is not a header. In other words, 
> > > if  implies a banner-role, it may only be used once on a 
> > > page unless that role is overridden for additional s. Is 
> > > this an oversight in the spec or is this to remain like this? If so, 
> > > how should this contradiction be approached by designers/developers.
> > 
> > That's an oversight. What would be a better ARIA role to use for 
> > ?
> 
> I am no expert, but looking at the ARIA spec, I doubt there is a role 
> that fits the  element. The closest I can find is the "heading" 
> role, but that is more closely related to, and already implemented on 
>  and .
> 
> I see three possibilities, but anybody feel free to comment on these:
> 
> 1) Don't give  an implied ARIA-role.
> 2) Give  the "header" role.
> 3) Leave the "banner" role, but give clear instructions on the fact that 
> it may only be used once and how to remove the role from subsequent 
> s.
> 
> Personally I think 3) is *not* workable.

Fair enough. Done #1.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Some discrepencies and example remarks

[Ian Hickson]

On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:
> > > 
> > > The spec is not very clear anywhere about styling practices (I know 
> > > this is CSS' job, but within HTML the mark-up should at least be 
> > > mentioned).
> > 
> > Could you elaborate on what you had in mind? Note that default styles 
> > are listed in detail in their own section.
> 
> I know, but that was not what I had in mind. I wish there were some 
> examples that showed the difference in mark-ups between using , 
>  etc. and .

There are at least four examples in the spec that show  and  
or  used together.

I'm happy to add more, if you have any specific requests.


> When starting a job you get content from the client (well, hopefully ;-) 
> You start out by categorizing and sorting this content; this process can 
> be an actual job you do, or something you do "subconsciously" while 
> working at the site. In an ideal situation, it is easy to sort the 
> content in two categories: content that belongs in the outline and pure 
> lay-out. But sometimes this choice is not so black and white. In those 
> cases, one designer may use a  while another may use a  or 
> an . Now I am not saying the spec should educate on this (as it 
> has been mentioned, this is a job for tutorial sites etc.), but what I 
> am saying is that it may be prudent to use more complex examples in the 
> spec that address the difference in when to use  etc. and when 
> to use  to make the line less gray.

If you have any concrete examples I could include, I'd be happy to do so. 
I'm probably not the best person to be writing such examples, though.


> > Please file specific bugs or send specific e-mails for each example 
> > you think should be reworked; there are over 300 examples in the spec 
> > and without knowing what is wrong with each one, if I just go through 
> > them all and change them, they're just going to go from one kind of 
> > bad example to another kind of bad example.
> 
> I'd be perfectly happy to provide you with some examples, but I hope you 
> will give me some helpfull feedback if I make a mistake in them. I will 
> rework the examples for sectioning elements. Is a time-frame of two 
> weeks ok with you?

Rather than reworking examples, let's just add more. :-)

Any time frame is fine; I'll add them whenever they are available.


On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:
> 
> So I decided to start already with an example. I went through some old 
> code to find a suitable use-case and I found one that I think might be 
> beneficial since it is used quite often on all sorts of sites in one 
> shape or another. But right from the start I get stuck. The existing 
> (HTML4) code is as follows:
> 
> The page has a header and a footer which we will disregard for the sake 
> of this example. Between this header and footer we have:
> 
> 
>   
> 
> 
> 
>I come across the following questions:
> 
> 1) Should this entire code be wrapped in a ? The argument for 
> it being that this entire portfolio should show up in the outline as a 
> whole. The argument against it being that since it is the only content 
> on the page no  is needed and that it is conceivable that in 
> the future extra content could be added in between the  and the 
>  which is not related to either.

It maybe could have a section, but I'd have to see the rest of the page to 
say for sure. Doesn't seem necessary though.


> 2) Should the  be replaced by ? The argument being that 
> this detail-picture is actually the main content of the page and could 
> also include extra information (like a textual description) in the 
> future. The argument against is simply that the  is adequately 
> semantic and the  is there only for lay-out/scripting.

I would probably remove the  altogether.


> 3) Should the  be wrapped in an ? Since it is definitely 
> related to the detail-picture. But see also 5)

Unless it could be removed without significantly changing the meaning of 
the page (which seems unlikely here), I would say no.


> 4) Should the  be replaced by a ? Argument for it is that 
> clicking on a thumbnail changes (part of) the page and is therefore not 
> a "true" list of items but a form of navigation. The argument against is 
> that it is highly debatable if this constitutes a real form of 
> navigation.

It doesn't seem like a navigation menu to me.


> 5) Now stretching a bit, it is conceivable that someone may argue that 
> the thumbnails are actually the main-content and that the detail-picture 
> is nothing more than a detail of part of that content.

Neither makes sense without the other, so I'd be skeptical of that line of 
reasoning.


On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:
> 
> I think this is the core of the "problem". There is a large grey area 
> where design and development overlap. Most designers would most 
> definitely *not* call this an app, but I guess most developers would. 

Document, app, it doesn't matter. There's a spectrum, and few things these 
d

Re: [whatwg] Transparent Content

[Ian Hickson]

On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:
>
> I have an argument with a colleague of mine regarding Transparent 
> elements. He filed a bug regarding this in bugzilla and I wrote to the 
> html5doctor about it with a question, but neither action has answered 
> our question.
> 
> The way I understand it, a Transparent Element can contain the same 
> elements its direct parent can. The way my colleague understands it, is 
> that a transparent element can be wrapped around any other element.
>
> The section about Transparent Content (3.2.5.2) Is not very easy to 
> understand, any chance it could be re-phrased? Specifically this 
> sentence:
> 
> “When a content model includes a part that is "transparent", those 
> parts must not contain content that would not be conformant if all 
> transparent elements in the tree were replaced, in their parent element, 
> by the children in the "transparent" part of their content model, 
> retaining order.”
> 
> If I knew what it meant I would offer a suggestion, but I am at a loss 
> as to understand this.

On Mon, 12 Oct 2009, Tab Atkins Jr. wrote:
> 
> Neither of you are *quite* right, but you are much closer to correct 
> than your colleague.  A transparent element *must* contain the same 
> kinds of elements that its direct parent can.  The meaning of 
> transparent is simply that, if you removed the element but left its 
> children, the document would still be conforming.
> 
> It does *not* mean that you can wrap a transparent element around 
> anything, as some elements have very specific rules about what children 
> they may have.  Frex, you can't wrap an arbitrary transparent element 
> around a .

On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:
> 
> So, if I understand correctly I should read:
> 
> When a content model includes a part that is "transparent", that part 
> must not contain content that would not be conformant if the transparent 
> element in the tree would be removed, while retaining the order of the 
> tree."

On Mon, 12 Oct 2009, Tab Atkins Jr. wrote:
> 
> Yes, that's correct.  It's essentially a rewording of what's in the spec 
> (just more focused on the element rather than the parent/children, as 
> the current spec text is).

It doesn't say that because if you remove the element, you implicitly also 
remove all its children (the children are part of the element in the DOM).

Other than that, the conclusions above are correct. If there's another way 
of saying what the spec says that is technically precise but more 
understandable, I'd be happy to use it. In the meantime, I've added an 
example to explain it better.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] The banner-role for headers

[Simon Pieters]

+wai lists
(see  
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-October/023540.html  
)


On Tue, 13 Oct 2009 09:34:18 +0200, Ian Hickson  wrote:


On Mon, 12 Oct 2009, Yuvalik Webdesign wrote:

> From: Ian Hickson
>
> > Which makes sense to me, a banner is not a header. In other words,
> > if  implies a banner-role, it may only be used once on a
> > page unless that role is overridden for additional s. Is
> > this an oversight in the spec or is this to remain like this? If so,
> > how should this contradiction be approached by designers/developers.
>
> That's an oversight. What would be a better ARIA role to use for
> ?

I am no expert, but looking at the ARIA spec, I doubt there is a role
that fits the  element. The closest I can find is the "heading"
role, but that is more closely related to, and already implemented on
 and .

I see three possibilities, but anybody feel free to comment on these:

1) Don't give  an implied ARIA-role.
2) Give  the "header" role.
3) Leave the "banner" role, but give clear instructions on the fact that
it may only be used once and how to remove the role from subsequent
s.


4) ARIA and/or HTML5 changes so that  and role="banner" match.



Personally I think 3) is *not* workable.


Fair enough. Done #1.


--
Simon Pieters
Opera Software

Re: [whatwg] Is there any reason for the continued existence of enctype attribute at the form element

[Ian Hickson]

On Mon, 12 Oct 2009, Mark Kaplun wrote:
> > 
> > I've certainl written CGI scripts without libraries where the CGI 
> > script only supports one enctype. I doubt I'm alone in this.
>
> Ian, if posting was implemented my way (browser selects best encoding as 
> default) when you wrote the CGI, your work was harder, easier or no 
> change at all?

Harder, at least in the scenario I described earlier -- I'd have written 
the code assuming the multipart enctype, tested it, found it working fine, 
and then if at the last minute I made the file upload control not be 
always present, it would have broken in ways that I wouldn't immediately 
have understood.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'