Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Henri Sivonen
On Dec 16, 2009, at 21:47, Klotz, Leigh wrote: I'd like to suggest that the main issue is dependency of the XHR document on concepts where HTML5 is the only specification that defines several core concepts of the Web platform architecture, such as event loops, event handler attributes,

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Kenton Varda
Somehow I suspect all this has been said many times before... On Wed, Dec 16, 2009 at 11:45 PM, Maciej Stachowiak m...@apple.com wrote: CORS would provide at least two benefits, using the exact protocol you'd use with UM: 1) It lets you know what site is sending the request; with UM there is

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Maciej Stachowiak
On Dec 17, 2009, at 1:42 AM, Kenton Varda wrote: Somehow I suspect all this has been said many times before... On Wed, Dec 16, 2009 at 11:45 PM, Maciej Stachowiak m...@apple.com wrote: CORS would provide at least two benefits, using the exact protocol you'd use with UM: 1) It lets you

[widgets] white space handling

2009-12-17 Thread Cyril Concolato
Hi Widget addicts, While reading again through the spec, I'm wondering why there are differences between the PC spec and the XML spec in terms of white space handling. PC defines: * space characters as: U+0020, U+0009, U+000A, U+000B, U+000C, U+000D * Unicode white space characters as:

[widgets] Authorities will never have authority?

2009-12-17 Thread Jonathan Rees
Sorry, I missed the followup on Larry's email http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0131.html - can someone tell me where this is tracked? Specifically I want to check that the 'authority' component is adequately futureproofed. Devoid of semantics could mean devoid in this

[widgets] Draft Minutes for 17 December 2009 Voice Conference

2009-12-17 Thread Arthur Barstow
The draft minutes from the MMM DD Widgets voice conference are available at the following and copied below: http://www.w3.org/2009/12/17-wam-minutes.html WG Members - if you have any comments, corrections, etc., please send them to the public-webapps mail list before 7 January 2010 (the

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Wed, 16 Dec 2009, Devdatta wrote: hmm.. just a XDR GET on the file at hixie.ch which allows access only if the request is from damowmow.com ? It couldn't be XDR -- XDR is a script-based mechanism, whereas XBL can be invoked before the root element is parsed. But even assuming the XDR

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
If XHR is wholly dependent on HTML5 then it should either be moved into the HTML5 recommendation-track document, or renamed XHR for HTML5. Ian has made a point that modularizing HTML5 itself is a large task; it's not clear that the same applies to this XHR document, at least to the same

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Kenton Varda
On Thu, Dec 17, 2009 at 2:21 AM, Maciej Stachowiak m...@apple.com wrote: On Dec 17, 2009, at 1:42 AM, Kenton Varda wrote: Somehow I suspect all this has been said many times before... On Wed, Dec 16, 2009 at 11:45 PM, Maciej Stachowiak m...@apple.com wrote: CORS would provide at least two

[widgets] test-suite: start file encoding

2009-12-17 Thread Scott Wilson
Test cases e5, e6, z1 and z2 test the ability of a UA to use a widget-specified charset (ISO 8859-1); however the PC specification states that a UA only has to implement UTF-8, and support for additional encodings is optional. Do these test cases then really only require that a UA

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Jonas Sicking
On Thu, Dec 17, 2009 at 9:10 AM, Klotz, Leigh leigh.kl...@xerox.com wrote: If XHR is wholly dependent on HTML5 then it should either be moved into the HTML5 recommendation-track document, or renamed XHR for HTML5.   Ian has made a point that modularizing HTML5 itself is a large task; it's not

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
Jonas, Thank you for your response; comments below: -Original Message- From: Jonas Sicking [mailto:jo...@sicking.cc] Sent: Thursday, December 17, 2009 9:22 AM To: Klotz, Leigh Cc: Henri Sivonen; Anne van Kesteren; WebApps WG; Forms WG Subject: Re: XMLHttpRequest

Re: [widgets] test-suite: start file encoding

2009-12-17 Thread Marcos Caceres
On Thu, Dec 17, 2009 at 6:21 PM, Scott Wilson scott.bradley.wil...@gmail.com wrote: Test cases e5, e6, z1 and z2 test the ability of a UA to use a widget-specified charset (ISO 8859-1); however the PC specification states that a UA only has to implement UTF-8, and support for additional

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Kenton Varda wrote: OK, I'm sure that this has been said before, because it is critical to the capability argument: If Bob can access the data, and Bob can talk to Charlie *in any way at all*, then it *is not possible* to prevent Bob from granting access to

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
Jonas, I apologize if you and other group members consider this to be a pedantic exercise, but it's a necessary part of making the specification reusable. -Original Message- From: Jonas Sicking [mailto:jo...@sicking.cc] Sent: Thursday, December 17, 2009 9:45 AM To: Klotz,

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 10:08 AM, Maciej Stachowiak m...@apple.com wrote: My goal was merely to argue that adding an origin/cookie check to a secret-token-based mechanism adds meaningful defense in depth, compared to just using any of the proposed protocols over UM. I believe my argument

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Jonas Sicking
  From: Anne van Kesteren annevk at opera.com   Subject: Re: [XHR] LC comments from the XForms Working Group   Date: 2009-10-08 15:31:27 GMT   On Tue, 17 Jun 2008 05:24:48 +0200, Boris Zbarsky bzbarsky at mit.edu wrote:   Anne van Kesteren wrote:   It would change the conformance

Re: [DataCache] Some Corrections

2009-12-17 Thread Nikunj Mehta
Joseph Pecoraro wrote: I have changed to using the new method "immediate" and that also removed this call. Immediate looks useful. The specification for immediate is: [[ When this method is called, the user agent creates a new cache transaction, and performs the steps to

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Jonas Sicking
On Thu, Dec 17, 2009 at 10:54 AM, Jonas Sicking jo...@sicking.cc wrote:   From: Anne van Kesteren annevk at opera.com   Subject: Re: [XHR] LC comments from the XForms Working Group   Date: 2009-10-08 15:31:27 GMT   On Tue, 17 Jun 2008 05:24:48 +0200, Boris Zbarsky bzbarsky at mit.edu wrote:

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
-Original Message- From: Jonas Sicking [mailto:jo...@sicking.cc] Sent: Thursday, December 17, 2009 10:54 AM To: Klotz, Leigh Cc: Henri Sivonen; Anne van Kesteren; WebApps WG; Forms WG Subject: Re: XMLHttpRequest Comments from W3C Forms WG ...snip And then go on to cite

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
Jonas, I'm not sure how the dependency is specified in the XHR draft. Can you point me to it? The word event loop doesn't appear. I know how XForms defines synchronous vs. asynchronous submissions using XML Events (which are an XML syntax for accessing DOM Events), and XHR is directly

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Jonas Sicking
On Thu, Dec 17, 2009 at 11:18 AM, Klotz, Leigh leigh.kl...@xerox.com wrote: Jonas, I'm not sure how the dependency is specified in the XHR draft.  Can you point me to it?  The word event loop doesn't appear. The term queue a task is defined in HTML5, and uses the event loop. / Jonas

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Kenton Varda
On Thu, Dec 17, 2009 at 10:08 AM, Maciej Stachowiak m...@apple.com wrote: On Dec 17, 2009, at 9:15 AM, Kenton Varda wrote: On Thu, Dec 17, 2009 at 2:21 AM, Maciej Stachowiak m...@apple.com wrote: I'm not saying that Alice should be restricted in who she shares the feed with. Just that

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Kenton Varda wrote: It seems more useful to attribute resource usage to the user rather than to the sites the user uses to access those resources. In my example, I might want to limit Alice to, say, 1GB data transfer per month, but I don't see why I would care if that

Why preflight per-resource rather than per-origin?

2009-12-17 Thread Mark S. Miller
Despite the costs of doing preflight opt-in on a per-resource basis rather than a per-origin basis, to meet its security goals, CORS proposes to do preflight on a per-resource basis. I have seen the rationale for this stated in bits and pieces. Can anyone point me at a reasonably self contained

[widgets] Anyone working on SNIFF in Java?

2009-12-17 Thread Scott Wilson
I've finally narrowed it down to just one test case to pass PC conformance! Unfortunately it involves implementing SNIFF... Does anyone know of an implementation already existing in Java? S /-/-/-/-/-/ Scott Wilson Apache Wookie: http://incubator.apache.org/projects/wookie.html

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
-Original Message- From: Jonas Sicking [mailto:jo...@sicking.cc] Sent: Thursday, December 17, 2009 11:33 AM To: Klotz, Leigh Cc: Henri Sivonen; Anne van Kesteren; WebApps WG; Forms WG Subject: Re: XMLHttpRequest Comments from W3C Forms WG On Thu, Dec

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the big reasons to restrict which origin can use a particular resource is bandwidth management. For example, resources.example.com might want to allow *.example.com to use its XBL files, but not allow anyone else to

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
Boris, Thank you for the clarification. Surely then this ought to be fixed with an IETF or W3C document describing this fact, and not by requiring all future specifications which use URLs to reference the HTML5 document. Is it defined in http://www.w3.org/html/wg/href/draft ? If so, perhaps

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Boris Zbarsky
On 12/17/09 2:22 PM, Klotz, Leigh wrote: Thank you for the clarification. Surely then this ought to be fixed with an IETF or W3C document describing this fact After some pushback, there is in fact such a document being worked on. It's not quite far enough to reference normatively last I

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
Great! It sounds like more progress is being made on both putting experience from implementations back into specifications, and in modularizing the XHR document references, since it will give a better place than HTML5 for reference. Leigh. -Original Message- From: Boris Zbarsky

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Jonas Sicking
As Ian already has mentioned. No one is disputing that most of these things should be factored out of the HTML5 spec. But so far no one has stepped up to that task. Until someone does we'll have to live with the reality that these things are defined in the HTML5 spec and the HTML5 spec alone. /

RE: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Klotz, Leigh
OK, so is the conclusion that XHR is implementable only in HTML5 and should be re-titled XMLHttpRequest in HTML5 or something similar? -Original Message- From: Jonas Sicking [mailto:jo...@sicking.cc] Sent: Thursday, December 17, 2009 3:14 PM To: Klotz, Leigh Cc: Boris Zbarsky; WebApps

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the big reasons to restrict which origin can use a particular resource is bandwidth management. For example, resources.example.com might want to allow *.example.com to use its

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the big reasons to restrict which origin can use a particular resource is bandwidth management. For example,

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the big reasons to restrict which origin can use a particular

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Kenton Varda
On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson i...@hixie.ch wrote: With CORS, I can trivially (one line in the .htaccess file for my site) make sure that no sites can use XBL files from my site other than my sites. My sites don't do any per-user tracking; doing that would involve orders of

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Kenton Varda
On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote: What one liner are you proposing that would solve the problem for XBL, XML data, videos, etc, all at once? Are we debating about the state of existing infrastructure, or theoretically ideal infrastructure? Honest question.

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Kenton Varda wrote: On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote: What one liner are you proposing that would solve the problem for XBL, XML data, videos, etc, all at once? Are we debating about the state of existing infrastructure, or

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Tyler Close wrote: Starting from the X-FRAME-OPTIONS proposal, say the response header also applies to all embedding that the page renderer does. So it also covers img, video, etc. In addition to the current values, the header can also list hostname patterns that may

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Ian Hickson
On Thu, 17 Dec 2009, Kenton Varda wrote: On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson i...@hixie.ch wrote: With CORS, I can trivially (one line in the .htaccess file for my site) make sure that no sites can use XBL files from my site other than my sites. My sites don't do any per-user

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Maciej Stachowiak
On Dec 17, 2009, at 2:37 PM, Boris Zbarsky wrote: On 12/17/09 2:22 PM, Klotz, Leigh wrote: Thank you for the clarification. Surely then this ought to be fixed with an IETF or W3C document describing this fact After some pushback, there is in fact such a document being worked on. It's

Re: XMLHttpRequest Comments from W3C Forms WG

2009-12-17 Thread Maciej Stachowiak
On Dec 17, 2009, at 3:15 PM, Klotz, Leigh wrote: OK, so is the conclusion that XHR is implementable only in HTML5 and should be re-titled XMLHttpRequest in HTML5 or something similar? I think your premise is false, and I don't such a retitling would be helpful. The XHR spec does not

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Kenton Varda
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: X-FRAME-OPTIONS: *.example.com Access-Control-Allow-Origin: * Why is this better than: Access-Control-Allow-Origin: *.example.com ...? I think Tyler missed on this one.