Re: [service worker] f2f meeting notes, next meeting details

2016-04-12 Thread Ali Alabbas 
Hello, here are the day 2 meeting notes from the service worker F2F in 
Redmond,. The attendees are CC'd if there are any corrections that need to be 
made or if anyone has any questions or concerns that they would like to raise.

=

Service Worker F2F
Redmond, WA
April 12, 2016

Day 2 Notes

Attendees:
-
 * Microsoft - Ali Alabbas, Jatinder Mann, Adrian Bateman, Travis Leithead, 
Todd Reifsteck
 * Google - Joshua Bell, Matt Falkenhagen, Jake Archibald, Alex Russell, Marijn 
Kruisselbrink
 * Mozilla - Ehsan Akhgari, Ben Kelly, Andrew Sutherland (remote)
 * Samsung - Jungkee Song
 * Apple - Ted O'Connor


Agenda & Notes:
-
 * Foreign fetch architecture (#878: Foreign fetch vs non-credentialed requests)
  * Reduce state on the serial object
  * Is there a way to fetch something locally that will always be visible?
   * Yes, if there's no origin, it will be an opaque response
  * New CORS header that the destination needs to support?
   * alice.com (A) foreign fetch to bob.com (B), response from B to A: 
that's a cross-origin request
  * Want to reuse CORS infrastructure as much as possible
  * Must create a new Response with the CORS headers
  * SW is like B's server
  * Response always creates a copy of the response and then modifies it
  * Mechanisms should be the same in that the service worker
  * Should we loop the request back through CORS or should we just make it 
visible for the origin?
  * Adding a new step with what the service worker responds with (adding 
extra step in the network layer)
  * Current security model is that A can do whatever it wants to A
   * A has a security boundary (SOP) since it's in a different origin
  * Constraining foreign fetch would defeat the purpose
  * A can only see what credentials that are exposed through scripts (which 
are none today)
  * We shouldn't allow transparent smuggling of data
   * A requesting data from C is not allowed
   * A requests data from B which then requests from C and passes that 
data on will have the same headers as C unless B creates a new response with 
different headers
  * CORS does not fit model
  * Why make foreign fetch more complicated than postMessage in terms of 
how origin B lets origin A have access to bytes?
   * postMessage doesn't allow you to send opaque bytes
  * Response time is when the CORS check occurs
   * After the network request goes out is when the check occurs
  * B can do whatever it wants to B and expose it to A
  * We should minimize the number of policy security mechanisms so that we 
do not have to service different policies
  * A can make a request that initiates a foreign fetch even and 
intercepted by B's service worker without having known and potentially with 
no-credentials
  * We don't need preflight because it requires that you are going to the 
network and SWs don't necessarily require going to the network
  * Fonts and analytics are the biggest use case for foreign fetch at the 
moment
  * Opaque requests can allow no-credentialed request
   * It would create some issues with maintainability
   * Would prefer to have some sort of partitioning instead
  * New issue created: #878: Foreign fetch vs non-credentialed requests
   * Summary from issue: As currently specified foreign fetch doesn't 
play together well with non-credentialed requests. In a world without foreign 
fetch, a website on origin A can fetch something from origin B without 
credentials, and there is no way (modulo fingerprinting) for B to associate 
that request with its cookies. If B can intercept the request with foreign 
fetch this is no longer the case as B itself was fetched with credentials, and 
can make credentialed requests and access data that was cached using 
credentials. There are a few options here:
   * Live with this: non-credentialed requests aren't an important 
security/privacy boundary since B can use fingerprinting etc. anyway to track 
things and associate requests with credentials.
   * Completely disable foreign fetch interception of non-credentialed 
requests. This would be very unfortunate as things like fonts are always 
fetched without credentials, so this would disable a major use case of foreign 
fetch.
   * Require origin A to opt in to having its non-credentialed requests 
be intercepted by a foreign fetch service worker. This would be rather 
unfortunate as well, as it would largely get rid of the transparent nature of 
foreign fetch, making it much less powerful.
   * Somehow make it possible for origin B to say "this service worker 
does not need credentials". In the case of something like the fonts use case 
this would be done by adding an extra flag to the Link: header that installs 
the foreign fetch capab

[Bug 13913] Attributes don't have an order

2016-04-12 Thread bugzilla 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=13913
Bug 13913 depends on bug 17871, which changed state.

Bug 17871 Summary: Element attributes should not be required to be stored in an 
ordered list
https://www.w3.org/Bugs/Public/show_bug.cgi?id=17871

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |MOVED

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 24732] Remove DOMError from FileAPI

2016-04-12 Thread bugzilla 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=24732

Aryeh Gregor  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 CC||a...@aryeh.name
 Resolution|--- |MOVED

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Re: [Custom Elements] They are globals.

2016-04-12 Thread /#!/JoePea 
On Mon, Apr 11, 2016 at 4:44 PM, Ryosuke Niwa  wrote:
> You'd have to instead write it as "new SomeClass(this.shadowRoot)" and then 
> (1) needs to be modified as: `super(..arguments)` to pass the argument along 
> to the HTMLElement constructor.

For sure, similar to the examples in the GitHub issue. :]

React doesn't encourage the instantiation of element classes directly.
What if browsers did that too and threw errors whenever someone tried
to instantiate a class using `new` that extended from any of the
native classes:

```js
import {SomeElement} from 'some-library'

// this would cause a `TypeError: Illegal constructor` or something
let el = new SomeElement()

// does not return a constructor
shadowRoot1.registerElement('any-name', SomeElement)

// only this instantiation method is allowed
let el1 = shadowRoot1.createElement('any-name')

// we can use the same class in a different component where
//  is already defined but isn't backed by SomeElement
shadowRoot2.registerElement('other-name', SomeElement)
let el2 = shadowRoot2.createElement('other-name')

// maybe this should throw an error instead of returning
// HTMLUnknownElement, otherwise it might hide the obvious
// human error instead teaching the developer
shadowRoot1.registerElement('a-name', SomeElement)
let el3 = shadowRoot2.createElement('a-name')

// this would cause an error because el1 was created from
// shadowRoot1 so el1 doesn't work in shadowRoot2
shadowRoot2.appendChild(el1)
```

ShadowDOM is still evolving and the Web Component spec hasn't
officially settled, so I think there's a good opportunity here for the
web to be more helpful by throwing errors and not being ambiguous as
for example in `document.createElement('ths-has-a-typo')`.

TLDR - ShadowDOM could be the encapsulation of HTML to Custom Elements
as JSX is the encapsulation of HTML to React Components (in a morphed
way, as obviously the mechanics are different).

Here's what a small component might look like:

```js
//  --- HandyForm.js
import AwesomeButton from './AwesomeButton'
import { FancyForm, FancyInput } from './FancyForm'

export default
class HandyForm extends HTMLElement {
constructor() {
this.root = this.createShadowRoot()
this.root.registerElement('', AwesomeButton)
this.root.registerElement('', FancyForm)
this.root.registerElement('', FancyInput)

const frag = document.createDocumentFragment()
frag.innerHTML = `


 



`
this.root.appendChild(frag)
}

static get observedAttributes() { return [ ... ] }

connectedCallback() { ... }
disconnectedCallback() { ... }
attributeChangedCallback() { ... }
}

//  --- app.js
import HandyForm from './HandyForm'

// elements registered on the document won't cross into shadow roots
document.registerElement('handy-form', HandyForm)
document.body.appendChild(document.createElement('handy-form'))
```

- Joe

/#!/JoePea