Re: [whatwg] Checkboxes that control other checkboxes

[Michael A. Puls II]

On Wed, 21 Nov 2012 19:51:39 -0500, Ian Hickson  wrote:


On Sun, 14 Aug 2011, Timo Beermann wrote:


It should be able to implemet checkboxes, where by only
activating/deactivating this single checkbox you can active/deactivate
multiple other checkboxes. That is possible with scripting today, but it
should be possible without scripting, only with HTML/CSS. Because some
users deactivate Scripting (for security or whatever other reason) and
on other computers (school, university, work,...) you are not able to
change the settings, even if you want to. E.g. I use NoScript and only
allow scripting on very few trusted sites, that really need it.


I haven't added this yet, but it is already logged as a possible future
extension, so it's possible it may be added in the future.

What would be helpful though is examples of sites that do this kind of
thing, so that we can study how necessary it is, and how to implement it.
For instance, are the dependent fields always in a ? Are they
always other checkboxes? Is there more complex logic than just "check box
A is checked so those controls are enabled"?


My non-web use-case is with  
  
(options.html in the unzipped package). I *disable* a checkbox when  
another checkbox is checked. I just use addEventListener('input') and  
check for e.target.checked to decide what to do.


However, it'd be cool if there were @disables and @enables for checkboxes  
(at least) where you can specify a list of controls (that match @name I  
guess). Those controls would still fire 'input' and 'change'.


In my case, since I'm already using JS, it's no biggie, but it'd still be  
cool to do that part without JS.


--
Michael

Re: [whatwg] Checkboxes that control other checkboxes

[Fred Andrews]

> Date: Thu, 22 Nov 2012 11:23:19 +0100
> From: derer...@gmx.ch
...
> Maybe, instead of adding that kind of functionalities to form elements, 
> it might be worth thinking of a different way. E.g., define a set of 
> scripting actions that are considered as very useful for UIs, and have 
> no security issues, and let UAs execute that kind of scripts even if 
> scripting is actually disabled, or let UAs offer a user setting such as 
> "Allow only useful form actions" or whatever.

Supporting scripts that can implement a rich UI with reduced security
risk is of interest to the work of the W3C PUA CG and some options
have been proposed, see:
http://www.w3.org/community/pua/wiki/Draft

If the sharing of state accessible via the DOM and APIs is seen as a
security risk then scripts that can modify input buttons need to have
very restricted access to the DOM and APIs otherwise they could
implement a UI redressing attack on the input buttons - for example
disabling buttons to discriminate against users or changing the buttons
to leak state when the form is submitted.

If the buttons are being used purely for operations within the UA then
they could be controlled by script in a context restricted from access
to outgoing communication channels (the PUA Private Context).
A prototype proxy implementing these restriction shows that many
rich website UI elements can still operate under such restrictions.

If the buttons are part of an outgoing form then placing them in a
context without JS enabled would seem to be the simplest approach
to protect the DOM and API security.  One option being explored is to
allow a  restricted 'web worker' style context to have some limited
access to page elements, and since this worker does not have general
DOM access the risk of leaking state is reduced.

For example, the check box could have a declarative attribute that
defines a message to post to a worker when it changes, and the
controlled checkbox could have a declarative attribute that defines
a message listener that can change the element.  The form UI logic
and would be implemented in the worker.

Another alternatively is to place the form in an iframe with JS disabled,
but with a declarative extension that allows the form state to be posted
to the worker upon a change in the checkbox or other defined state
changes.  The worker could implement the form state logic and post
back new iframe content with the controlled buttons enabled or disabled
as necessary.  The worker is effectively a local web server using messages
to receive requests and send responses.  An advantage to this approach
is that the form could have a fallback URL so that a server could
implement the logical even if the UA does not support JS.

If targeting UAs without JS then a polyfill is not an option for backwards
compatibility and so forms would still need a fallback for legacy UAs. Have
you though how this might work?   Perhaps include an 'update' button in
the webpage design that posts the form to the server?

cheers
Fred



  

Re: [whatwg] Checkboxes that control other checkboxes

[Markus Ernst]

Am 22.11.2012 01:51 schrieb Ian Hickson:

On Sun, 14 Aug 2011, Timo Beermann wrote:


It should be able to implemet checkboxes, where by only
activating/deactivating this single checkbox you can active/deactivate
multiple other checkboxes. That is possible with scripting today, but it
should be possible without scripting, only with HTML/CSS. Because some
users deactivate Scripting (for security or whatever other reason) and
on other computers (school, university, work,...) you are not able to
change the settings, even if you want to. E.g. I use NoScript and only
allow scripting on very few trusted sites, that really need it.


I haven't added this yet, but it is already logged as a possible future
extension, so it's possible it may be added in the future.

What would be helpful though is examples of sites that do this kind of
thing, so that we can study how necessary it is, and how to implement it.
For instance, are the dependent fields always in a ? Are they
always other checkboxes? Is there more complex logic than just "check box
A is checked so those controls are enabled"?

This seems to be a special case of a larger problem to me. In order to 
make forms behave intelligently without scripting, there are more 
similar tasks:
- Check/uncheck check and radio boxes based on the selected value of a 
select element (or even on the values of other input elements)
- Enable/disable or make readonly any kinds of controls based on the 
state or value of an other element
- Or even show/hide a set of elements based on the state or value of an 
other element


Maybe, instead of adding that kind of functionalities to form elements, 
it might be worth thinking of a different way. E.g., define a set of 
scripting actions that are considered as very useful for UIs, and have 
no security issues, and let UAs execute that kind of scripts even if 
scripting is actually disabled, or let UAs offer a user setting such as 
"Allow only useful form actions" or whatever.

Re: [whatwg] Checkboxes that control other checkboxes

[Ian Hickson]

On Sun, 14 Aug 2011, Timo Beermann wrote:
>
> It should be able to implemet checkboxes, where by only 
> activating/deactivating this single checkbox you can active/deactivate 
> multiple other checkboxes. That is possible with scripting today, but it 
> should be possible without scripting, only with HTML/CSS. Because some 
> users deactivate Scripting (for security or whatever other reason) and 
> on other computers (school, university, work,...) you are not able to 
> change the settings, even if you want to. E.g. I use NoScript and only 
> allow scripting on very few trusted sites, that really need it.

I haven't added this yet, but it is already logged as a possible future 
extension, so it's possible it may be added in the future.

What would be helpful though is examples of sites that do this kind of 
thing, so that we can study how necessary it is, and how to implement it. 
For instance, are the dependent fields always in a ? Are they 
always other checkboxes? Is there more complex logic than just "check box 
A is checked so those controls are enabled"?

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] Checkboxes that control other checkboxes

[Randy]

You do understand that in general HTML en CSS are used for structure and 
presentation, whereas Javascript adds (automated) behavior?

When sites authors add Javascript functionality, it should be unobtrusive and 
should only add functionality to make things easier. For web applications (or 
simply for websites) you can decide to provide functionality that completely 
relies on javascript.

Your description clearly describes behavior and should stay in JS. Can you 
provide a real world use-case where this functionality is absolutely needed, so 
it should still work without JS?

Regards

--Original Message--
From: Timo Beermann
Sender: whatwg-boun...@lists.whatwg.org
To: wha...@whatwg.org
Subject: [whatwg] Checkboxes that control other checkboxes
Sent: Aug 14, 2011 09:29

It should be able to implemet checkboxes, where by only
activating/deactivating this single checkbox you can active/deactivate
multiple other checkboxes. That is possible with scripting today, but
it should be possible without scripting, only with HTML/CSS. Because
some users deactivate Scripting (for security or whatever other
reason) and on other computers (school, university, work,...) you are
not able to change the settings, even if you want to. E.g. I use
NoScript and only allow scripting on very few trusted sites, that
really need it.

Timo Beermann


---
Sent from my BlackBerry

[whatwg] Checkboxes that control other checkboxes

[Timo Beermann]

It should be able to implemet checkboxes, where by only
activating/deactivating this single checkbox you can active/deactivate
multiple other checkboxes. That is possible with scripting today, but
it should be possible without scripting, only with HTML/CSS. Because
some users deactivate Scripting (for security or whatever other
reason) and on other computers (school, university, work,...) you are
not able to change the settings, even if you want to. E.g. I use
NoScript and only allow scripting on very few trusted sites, that
really need it.

Timo Beermann