Re: Sanatising HTML content through sandboxing

2011-11-08 Thread Adam Barth
Also, a div doesn't represent a security boundary. It's difficult to sandbox something unless you have a security boundary around it. IMHO, an easy way to solve this problem is to just expose an HTMLParser object, analogous to DOMParser, which folks can use to safely parse HTML, e.g., from XMLHtt

Re: Sanatising HTML content through sandboxing

2011-11-08 Thread Jonas Sicking
Given that this type of sandbox would work very differently from the iframe sandbox, I think reusing the same attribute name would be confusing. Additionally, what's the behavior if you remove the attribute? What if you do elem.innerHTML += "foo" on the element after having removed the sandbox? Or

Re: Who is the audience?

2011-11-08 Thread Arthur Barstow
On 11/8/11 8:50 AM, ext Robin Berjon wrote: On Nov 7, 2011, at 20:52 , Dimitri Glazkov wrote: One theme that was easy to observe at the conference was the pondering around who those mysterious consumers of what we do are, how to reach them, and how to reason about them. I heard people speak of W

RE: [indexeddb] Implicit Transaction Request associated with failed transactions

2011-11-08 Thread Israel Hilerio
Yes! By "surface" I meant "bubble", in other words the request errors will continue to bubble up to the onerror handler of the transaction but the fatal errors won't ever be accessible via the onerror handler of the transaction. Israel On Tuesday, November 08, 2011 5:35 PM, David Grogan wrote: O

[Bug 12510] Specs split off from HTML5 (like WebSockets) need to have xrefs linked, otherwise they're ambiguous

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12510 Glenn Adams changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|WONTFIX

Re: [indexeddb] Implicit Transaction Request associated with failed transactions

2011-11-08 Thread David Grogan
On Tue, Nov 8, 2011 at 4:54 PM, Israel Hilerio wrote: > On Tuesday, November 08, 2011 2:09 PM, David Grogan wrote: > >On Wed, Oct 26, 2011 at 4:36 PM, Israel Hilerio > wrote: > >>On Friday, October 14, 2011 2:33 PM, Jonas Sicking wrote: > >>> > The firing of error events on the transaction should

Re: innerHTML in DocumentFragment

2011-11-08 Thread Daniel Cheng
The clipboard events spec has some text about HTML sanitization. It might be good to make sure any work in this area is shared. Daniel On Tue, Nov 8, 2011 at 17:10, Ojan Vafai wrote: > Providing concise, easy and XSS safe ways to generate a DOM is certainl

Sanatising HTML content through sandboxing

2011-11-08 Thread Ryan Seddon
Right now there is no simple way to sanitise HTML content by stripping it of any potentially malicious HTML such as scripts etc. In the "innerHTML in DocumentFragment" thread I suggested following the sandbox attribute approach that can be applied to iframes. I've moved this out into its own threa

[Bug 14735] New: [IndexedDB] Add multientry attribute to IDBIndex

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14735 Summary: [IndexedDB] Add multientry attribute to IDBIndex Product: WebAppsWG Version: unspecified Platform: PC OS/Version: All Status: NEW Severity: normal Priorit

Re: innerHTML in DocumentFragment

2011-11-08 Thread Ojan Vafai
Providing concise, easy and XSS safe ways to generate a DOM is certainly something we have to solve. I don't think sandbox is the best way to achieve this. Specifically, I don't believe sandbox on iframes actually strips the script elements, does it? It just doesn't execute them. If we want to con

RE: [indexeddb] Implicit Transaction Request associated with failed transactions

2011-11-08 Thread Israel Hilerio
On Tuesday, November 08, 2011 2:09 PM, David Grogan wrote: >On Wed, Oct 26, 2011 at 4:36 PM, Israel Hilerio wrote: >>On Friday, October 14, 2011 2:33 PM, Jonas Sicking wrote: >>> > The firing of error events on the transaction should only be of two types: >>> propagation error events or transactio

Re: IndexedDB: IDBIndex.multientry attribute?

2011-11-08 Thread Jonas Sicking
Yes! Please file a bug on this. We really should be tracking these types of things in bugs as we approach last call. We noticed today that .cmp still returns reversed results for example. / Jonas On Tuesday, November 8, 2011, Joshua Bell wrote: > Should IDBIndex (and IDBIndexSync) expose a readon

Re: Consolidating charter changes

2011-11-08 Thread James Hawkins
Under 'Additions Agreed': * Web Intents - this will be a joint deliverable with DAPI WG Pedantically, not politically: My recollection is that the agreement was only to add Web Intents to the Webapps charter (neither accepting nor denying a joint deliverable with DAPI). The status of the joint de

Re: [indexeddb] Implicit Transaction Request associated with failed transactions

2011-11-08 Thread David Grogan
On Wed, Oct 26, 2011 at 4:36 PM, Israel Hilerio wrote: > On Friday, October 14, 2011 2:33 PM, Jonas Sicking wrote: > > On Thu, Oct 13, 2011 at 10:57 AM, Israel Hilerio > > wrote: > > > On Monday, October 10, 2011 10:10 PM, Jonas Sicking wrote: > > >> On Thu, Oct 6, 2011 at 3:30 PM, Israel Hilerio

IndexedDB: IDBIndex.multientry attribute?

2011-11-08 Thread Joshua Bell
Should IDBIndex (and IDBIndexSync) expose a readonly boolean "multientry" attribute reflecting the multientry flag of the index? The index's unique flag is exposed in this way. Is there a reason the multientry flag is not?

[Bug 13893] Only HTML elements should be editable

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13893 Aryeh Gregor changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

Re: Consolidating charter changes

2011-11-08 Thread Arthur Barstow
I propose using the mail list and then after we get consensus, the wiki is updated accordingly. On 11/8/11 1:04 PM, ext James Hawkins wrote: To clarify, should we comment on this thread or in the wiki? Thanks, James On Tue, Nov 8, 2011 at 9:37 AM, Arthur Barstow

Re: Consolidating charter changes

2011-11-08 Thread James Hawkins
To clarify, should we comment on this thread or in the wiki? Thanks, James On Tue, Nov 8, 2011 at 9:37 AM, Arthur Barstow wrote: > During the October 31 meeting, we discussed [1] various additions, changes > and deletions for WebApps' current charter [2]. To consolidate the various > proposals,

Re: State of subclassing and tag names in the component model

2011-11-08 Thread Boris Zbarsky
On 11/8/11 10:32 AM, Dominic Cooney wrote: There are two kinds of components—ones that are a refinement of something in HTML, like a select element or a button; and ones that have no genuine peer in HTML. This is the litmus test: If you were writing this today, would you start with a div or span

Consolidating charter changes

2011-11-08 Thread Arthur Barstow
During the October 31 meeting, we discussed [1] various additions, changes and deletions for WebApps' current charter [2]. To consolidate the various proposals, I created the following doc: My expectation is that Doug will this information w

[Bug 13973] Refactor delete stuff

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13973 Aryeh Gregor changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

[Bug 14729] Inline formatting should add wrappers inside empty blocks

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14729 Aryeh Gregor changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

[Bug 13831] Deleting a block should leave style tags nested inside

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13831 Aryeh Gregor changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

[Bug 14729] New: Inline formatting should add wrappers inside empty blocks

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14729 Summary: Inline formatting should add wrappers inside empty blocks Product: WebAppsWG Version: unspecified Platform: All OS/Version: All Status: NEW Seve

[Bug 13976] Backspacing in between two lists should merge them

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13976 Aryeh Gregor changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

[Bug 14727] New: Deleting doesn't handle non-normalized sublists correctly

2011-11-08 Thread bugzilla
http://www.w3.org/Bugs/Public/show_bug.cgi?id=14727 Summary: Deleting doesn't handle non-normalized sublists correctly Product: WebAppsWG Version: unspecified Platform: All OS/Version: All Status: NEW Seve

Re: State of subclassing and tag names in the component model

2011-11-08 Thread Dominic Cooney
Hi Boris, This is my current thinking, although this blends/steals a lot of ideas from TPAC: There are two kinds of components—ones that are a refinement of something in HTML, like a select element or a button; and ones that have no genuine peer in HTML. This is the litmus test: If you were writ

Re: HTML Editing APIs is already in scope [Was: Re: Draft Minutes: 31 October 2011 f2f meeting]

2011-11-08 Thread Aryeh Gregor
On Tue, Nov 8, 2011 at 9:17 AM, Arthur Barstow wrote: > My summary is: although HTML Editing APIs is in scope for WebApps, and we > agreed to use public-webapps for related discussions [1], given no one has > agreed to actively drive the spec in WebApps, we will not include it as an > explicit del

HTML Editing APIs is already in scope [Was: Re: Draft Minutes: 31 October 2011 f2f meeting]

2011-11-08 Thread Arthur Barstow
Below is a followup on the short discussion we had on October 31 re the HTML Editing APIs ... On 11/1/11 10:05 AM, Arthur Barstow wrote: The DRAFT minutes from the October 31 f2f meeting are in the following document and copied below: http://www.w3.org/2011/10/31-webapps-minutes.html

Re: Who is the audience?

2011-11-08 Thread Robin Berjon
On Nov 7, 2011, at 20:52 , Dimitri Glazkov wrote: > One theme that was easy to observe at the conference was the pondering > around who those mysterious consumers of what we do are, how to reach > them, and how to reason about them. I heard people speak of Web > Authors and Web Developers and makin

Re: "We just ran out of time ..." [Was: Re: Component Model f2f: Actionable things]

2011-11-08 Thread Robin Berjon
On Nov 3, 2011, at 05:38 , Arthur Barstow wrote: > Well, we may get together more frequently than just the annual TPAC meeting > week. If folks think that would be useful (e.g. in 6 months), please speak up > and we can take it from there. Otherwise, WebApps' next f2f meeting is during > the 201

Reminder: RfC: LCWD of Web Storage ; deadline November 15

2011-11-08 Thread Arthur Barstow
Original Message Subject:RfC: LCWD of Web Storage ; deadline November 15 Resent-Date:Thu, 27 Oct 2011 11:04:52 + Resent-From: Date: Thu, 27 Oct 2011 07:04:19 -0400 From: ext Arthur Barstow To: public-webapps On October 25 a LCWD of Web Storage was