Re: Proposed W3C Charter: Web Performance Working Group

2018-07-22 Thread L. David Baron 
Below is an attempt to write comments on the charter to consider the
feedback so far in this thread.  It's not clear to me what the right
charter changes to suggest for the privacy and fingerprinting issues
are; I've made a proposal here, but I'm open to alternative
suggestions.

There's also the question of whether these comments should
constitute a formal objection to the charter.  I think I'm leaning
against, but could also be persuaded otherwise.

-David

=

We're glad to see the plan to merge Navigation Timing into Resource
Timing after level 2 is complete.  However, this only partially
addresses our concerns about confusing cross-references and
monkeypatching between a number of the specifications produced by this
working group.  It would be good to also see User Timing and Performance
Timeline merged into the same set of specifications in the next level.

A number of the group's specifications have significant privacy
implications:  they might provide mechanisms for finding information
about what other software is running on the user's computer, whether
that's web content in other origins, or entirely separate software.
This requires careful consideration of whether these features are safe.
It would be good to see the Success Criteria section of the charter both 
explicitly ask the group to consider these issues, and explicitly say
that it is an acceptable result for the group to decide not to release a
specification because an acceptable solution for user privacy cannot be
found.

Likewise, some specifications in the group provide significant
additional fingerprinting surface.  When they do this, they should
explicitly point out that they are doing so, and explicitly allow
implementations to take countermeasures.  We'd like to see the Success 
Criteria section of the charter encourage the group to consider 
fingerprinting explicitly.

-- 
턞   L. David Baron http://dbaron.org/   턂
턢   Mozilla  https://www.mozilla.org/   턂
 Before I built a wall I'd ask to know
 What I was walling in or walling out,
 And to whom I was like to give offense.
   - Robert Frost, Mending Wall (1914)


signature.asc
Description: PGP signature
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Intent to unship: display: -moz-box and display: -moz-inline-box from content pages.

2018-07-22 Thread Emilio Cobos Álvarez 

Hi,

In bug 1477553 I intend to disable the ability for content to specify 
display: -moz-box and -moz-inline-box, which will be consistent with 
what we did for the rest of -moz- prefixed values in bug 1288572.


We have a use counter for this in [1], which is somewhat high. This 
could however be a bit misleading, since people tend to confuse these 
values (XUL flexbox) with the equivalent -webkit-prefixed ones (legacy 
HTML flexbox). This confusion caused enough issues for us that we had to 
add a hack in the style engine to ignore -moz- prefixed values when the 
-webkit- prefixed value is specified before-hand [2], see bug 1407701 & 
friends.


Given we don't / can't collect URLs from pages where the use counter is 
hit, we can't asses whether the pages where it's hit are using it 
intentionally or just by adding prefixes. Though my gut feeling is that 
it's mostly the later...


In any case, given that, for now I plan to just hide them on Nightly and 
early beta, before doing it for the release channel in a couple releases 
if everything goes well and there's no reported breakage.


This will all be behind the pref:

  layout.css.xul-box-display-values.content.enabled

Let me know if there's any concern with this, and please file bugs 
blocking that one if you find broken stuff.


Thanks!

 -- Emilio

[1]: 
https://georgf.github.io/usecounters/index.html#kind=page=DEPRECATED=beta=62
[2]: 
https://searchfox.org/mozilla-central/rev/ad36eff63e208b37bc9441b91b7cea7291d82890/servo/components/style/properties/declaration_block.rs#519

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform