Re: Shadow tree style isolation primitive

2015-02-05 Thread Dimitri Glazkov
On Thu, Feb 5, 2015 at 10:11 AM, Dimitri Glazkov dglaz...@google.com wrote: ... Hanging but?! Oh lordy. Oooh, let me turn this into a contemplative sidebar opportunity. Shadow DOM and Web Components seem to have what I call the Unicorn Syndrome. There's a set of specs that works, proven by

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Takeshi Yoshino
On Thu, Feb 5, 2015 at 10:57 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Feb 5, 2015 at 2:48 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote: A Websocket connection is established by making a HTTP Upgrade request, and the protocol is HTTP unless and until the connection is upgraded.

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino tyosh...@google.com wrote: To prevent WebSocket from being abused to attack existing HTTP servers from malicious non-simple cross-origin requests, we need to have WebSocket clients to do some preflight to verify that the server is not an HTTP

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 2:39 PM, Florian Bösch pya...@gmail.com wrote: On Thu, Feb 5, 2015 at 2:35 PM, Anne van Kesteren ann...@annevk.nl wrote: Wouldn't that require the endpoint to support two protocols? That sounds suboptimal. CORS and Websockets are two separate protocols which each work

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 2:48 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote: A Websocket connection is established by making a HTTP Upgrade request, and the protocol is HTTP unless and until the connection is upgraded. Sure, but the server can get away with supporting a very limited subset of

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 1:27 PM, Florian Bösch pya...@gmail.com wrote: CORS is an adequate protocol to allow for additional headers, and websocket requests could be subjected to CORS (I'm not sure what the current client behavior is in that regard, but I'm guessing they enforce CORS on websocket

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
On Thu, Feb 5, 2015 at 2:35 PM, Anne van Kesteren ann...@annevk.nl wrote: Wouldn't that require the endpoint to support two protocols? That sounds suboptimal. CORS and Websockets are two separate protocols which each work off and by themselves, there is no change required to either to make

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
The websocket wire protocol only comes into effect after a successful handshake. The handshake involves a request to the endpoint by the client (typically a GET) and a response by the endpoint (101 switching protocols). As such websockets themselves do not concern themselves with headers and the

Re: Shadow tree style isolation primitive

2015-02-05 Thread Olli Pettay
On 02/05/2015 02:24 AM, Dimitri Glazkov wrote: However, I would like to first understand if that is the problem that the group wants to solve. It is unclear from this conversation. Yes. The marketing speech for shadow DOM has changed over time from do everything possible, make things

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Takeshi Yoshino
On Thu, Feb 5, 2015 at 10:41 PM, Florian Bösch pya...@gmail.com wrote: On Thu, Feb 5, 2015 at 2:39 PM, Takeshi Yoshino tyosh...@google.com wrote: To prevent WebSocket from being abused to attack existing HTTP servers from malicious non-simple cross-origin requests, we need to have WebSocket

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Bjoern Hoehrmann
* Anne van Kesteren wrote: On Thu, Feb 5, 2015 at 2:48 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote: A Websocket connection is established by making a HTTP Upgrade request, and the protocol is HTTP unless and until the connection is upgraded. Sure, but the server can get away with supporting a

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Takeshi Yoshino
To prevent WebSocket from being abused to attack existing HTTP servers from malicious non-simple cross-origin requests, we need to have WebSocket clients to do some preflight to verify that the server is not an HTTP server that don't understand CORS. We could do e.g. when a custom header is

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Bjoern Hoehrmann
* Anne van Kesteren wrote: On Thu, Feb 5, 2015 at 2:29 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote: It seems to me that pre-flight requests would happen prior to opening a Websocket connection, i.e. before requirements of the Websocket proto- col apply, so this would have to be covered by the

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
On Thu, Feb 5, 2015 at 2:44 PM, Takeshi Yoshino tyosh...@google.com wrote: IIUC, CORS prevents clients from issuing non-simple cross-origin request (even idempotent methods) without verifying that the server understands CORS. That's realized by preflight. Incorrect, the browser will perform

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Glen
So in other words it *is* a case of it's good enough. Web components are quite possibly the future of the web, and yet we're implementing them to be good enough in 90% of use cases? jQuery is JavaScript which means that it's different for various reasons: 1. It's less important to keep the

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Michiel De Mey
Standardizing the approach would definitely help developers, however where will we communicate this? On February 5, 2015 at 3:04:35 PM, Takeshi Yoshino (tyosh...@google.com) wrote: On Thu, Feb 5, 2015 at 10:57 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Feb 5, 2015 at 2:48 PM,

[IndexedDB] When is an error event dispatched at a transcation?

2015-02-05 Thread Glen Huang
The IDBTransaction interface exposes an onerror event handler. I wonder when that handler gets called? The algorithm of Steps for aborting a transaction” dispatches error events at requests of the transaction, but never at the transaction itself, only an abort event is dispatched, if I

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
Well, 1) Clients do apply CORS to WebSocket requests already (and might've started doing so quite some time ago) and everything's fine and you don't need to change anything. 2) Clients do not apply CORS to WebSocket requests, and you're screwed, because any change you make will break existing

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 2:29 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote: It seems to me that pre-flight requests would happen prior to opening a Websocket connection, i.e. before requirements of the Websocket proto- col apply, so this would have to be covered by the API specification in-

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Takeshi Yoshino
http://www.w3.org/TR/cors/#cross-origin-request-0 2. If the following conditions are true, follow the simple cross-origin request algorithm: - The request method is a simple method and the force preflight flag is unset. - Each of the author request headers is a simple header or author request

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 2:15 AM, Tab Atkins Jr. jackalm...@gmail.com wrote: Yes, real namespacing does eventually prove necessary as the population grows. That's fine. It's something that can be added organically as necessary; letting everything live in the null namespace first doesn't harm

Re: Minimum viable custom elements

2015-02-05 Thread Chris Bateman
As an example I made a simple input-based Custom Element which prevents alphabetic input, and dropped it in an very simple Ember app. Here's the version with a subclassed input: http://jsbin.com/mevemu/1/edit?html,output And the version with an input nested in a custom element:

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Melvin Carvalho
On 4 February 2015 at 22:31, Glen glen...@gmail.com wrote: I know I'm rather late to the party, but I've been doing a lot of reading lately about web components and related technologies, and the one thing that confounds me is the fact that web components appear not to have any real

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Glen
I like the look of a colon, however it would quite probably conflict with XML/XHTML so it's probably best to avoid it (although I am not an expert). A hyphen or maybe even a tilde (~) would likely be the better option. ms-panel polymer-element a href=xxx x-controller=xxx ms~panel

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Kurt Cagle
Tab, I spend the vast majority of my time anymore in RDF-land, where namespaces actually make sense (I'm not going to argue on the XML use of namespaces - they are, agreed, ugly and complex). I know that when I've been at Balisage or any of the W3 confabs, the issue of namespaces ex-XML has been

Re: Shadow tree style isolation primitive

2015-02-05 Thread Ryosuke Niwa
On Feb 5, 2015, at 9:41 AM, Dimitri Glazkov dglaz...@google.com wrote: On Thu, Feb 5, 2015 at 5:46 AM, Olli Pettay o...@pettay.fi mailto:o...@pettay.fi wrote: On 02/05/2015 02:24 AM, Dimitri Glazkov wrote: However, I would like to first understand if that is the problem that the group

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Tab Atkins Jr.
On Fri, Feb 6, 2015 at 8:12 AM, Kurt Cagle kurt.ca...@gmail.com wrote: Tab, I spend the vast majority of my time anymore in RDF-land, where namespaces actually make sense (I'm not going to argue on the XML use of namespaces - they are, agreed, ugly and complex). I know that when I've been at

Re: Shadow tree style isolation primitive

2015-02-05 Thread Dimitri Glazkov
On Thu, Feb 5, 2015 at 10:52 AM, Marc Fawzi marc.fa...@gmail.com wrote: Following this thread because there is real need for what is being discussed. However, until that need is satisfied, here is what we're thinking to achieve style encapsulation, using current-world technologies, and I'm

Re: Shadow tree style isolation primitive

2015-02-05 Thread Bjoern Hoehrmann
* Dimitri Glazkov wrote: Shadow DOM and Web Components seem to have what I call the Unicorn Syndrome. There's a set of specs that works, proven by at least one browser implementation and the use in the wild. It's got warts (compromises) and some of those warts are quite ugly. Those warts weren't

Re: Shadow tree style isolation primitive

2015-02-05 Thread Maciej Stachowiak
... Hanging but?! Oh lordy. Oooh, let me turn this into a contemplative sidebar opportunity. Shadow DOM and Web Components seem to have what I call the Unicorn Syndrome. There's a set of specs that works, proven by at least one browser implementation and the use in the wild. It's got

Re: Shadow tree style isolation primitive

2015-02-05 Thread Ryosuke Niwa
On Feb 5, 2015, at 3:51 PM, Dimitri Glazkov dglaz...@google.com wrote: On Thu, Feb 5, 2015 at 2:53 PM, Ryosuke Niwa rn...@apple.com mailto:rn...@apple.com wrote: On Feb 5, 2015, at 9:41 AM, Dimitri Glazkov dglaz...@google.com mailto:dglaz...@google.com wrote: On Thu, Feb 5, 2015 at

Re: Shadow tree style isolation primitive

2015-02-05 Thread Dimitri Glazkov
On Thu, Feb 5, 2015 at 5:46 AM, Olli Pettay o...@pettay.fi wrote: On 02/05/2015 02:24 AM, Dimitri Glazkov wrote: However, I would like to first understand if that is the problem that the group wants to solve. It is unclear from this conversation. Yes. The marketing speech for shadow DOM

Re: [IndexedDB] When is an error event dispatched at a transcation?

2015-02-05 Thread Glen Huang
Darn it, I forgot they bubble. Thank you for the detailed explanation. On Feb 6, 2015, at 1:59 AM, Joshua Bell jsb...@google.com wrote: On Thu, Feb 5, 2015 at 12:58 PM, Glen Huang curvedm...@gmail.com mailto:curvedm...@gmail.com wrote: The IDBTransaction interface exposes an onerror event

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
On Thu, Feb 5, 2015 at 12:59 PM, Anne van Kesteren ann...@annevk.nl wrote: That is not sufficient to allow custom headers. Cross-origin (and WebSocket is nearly always cross-origin I think) custom headers require a preflight and opt-in on a per-header basis. Access-Control-Allow-Headers is

Allow custom headers (Websocket API)

2015-02-05 Thread Michiel De Mey
Hi I'd like to propose a new feature to enable browsers to send custom headers through the API. The Websocket spec supports this, however the API does not expose this feature. We're trying to integrate bearer token authentication using the Authorization header, this is mainly for single-page

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 12:50 PM, Michiel De Mey de.mey.mich...@gmail.com wrote: All it says about CORS is the following (Opening handshake section): The |Origin| header field [RFC6454] is used to protect against unauthorized cross-origin use of a WebSocket server by scripts using the

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Florian Bösch
On Thu, Feb 5, 2015 at 1:22 PM, Anne van Kesteren ann...@annevk.nl wrote: I'm not sure how this is relevant. We are discussing adding the ability to the WebSocket API to set custom headers and whether the current protocol is adequate for that. CORS is an adequate protocol to allow for

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Tab Atkins Jr.
On Thu, Feb 5, 2015 at 3:57 PM, Benjamin Goering b...@livefyre.com wrote: Glad to see this. I was 'checking in' on the professional practicalities of custom elements earlier this week, and was pretty bummed when I couldn't use XHTML5 namespaces for my employer's organization. I build widgets

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Tab Atkins Jr.
On Thu, Feb 5, 2015 at 7:44 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Feb 5, 2015 at 2:15 AM, Tab Atkins Jr. jackalm...@gmail.com wrote: Yes, real namespacing does eventually prove necessary as the population grows. That's fine. It's something that can be added organically as

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 1:18 PM, Florian Bösch pya...@gmail.com wrote: On Thu, Feb 5, 2015 at 12:59 PM, Anne van Kesteren ann...@annevk.nl wrote: That is not sufficient to allow custom headers. Cross-origin (and WebSocket is nearly always cross-origin I think) custom headers require a preflight

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Anne van Kesteren
On Thu, Feb 5, 2015 at 3:49 AM, Michiel De Mey de.mey.mich...@gmail.com wrote: I'd like to propose a new feature to enable browsers to send custom headers through the API. The Websocket spec supports this, however the API does not expose this feature. Does the specification take similar

Re: Allow custom headers (Websocket API)

2015-02-05 Thread Michiel De Mey
All it says about CORS is the following (Opening handshake section): The |Origin| header field [RFC6454] is used to protect against unauthorized cross-origin use of a WebSocket server by scripts using the WebSocket API in a web browser. On Thu, Feb 5, 2015 at 10:19 AM, Anne van Kesteren

Re: Shadow tree style isolation primitive

2015-02-05 Thread Dimitri Glazkov
On Thu, Feb 5, 2015 at 9:41 AM, Dimitri Glazkov dglaz...@google.com wrote: On Thu, Feb 5, 2015 at 5:46 AM, Olli Pettay o...@pettay.fi wrote: On 02/05/2015 02:24 AM, Dimitri Glazkov wrote: However, I would like to first understand if that is the problem that the group wants to solve. It

Re: Minimum viable custom elements

2015-02-05 Thread Erik Bryn
Thanks for the mentioning the Ember issue Chris :) I've filed it here: https://github.com/tildeio/htmlbars/issues/288 On Thu, Feb 5, 2015 at 7:13 AM, Chris Bateman chrisb...@gmail.com wrote: As an example I made a simple input-based Custom Element which prevents alphabetic input, and dropped it

Re: [IndexedDB] When is an error event dispatched at a transcation?

2015-02-05 Thread Joshua Bell
On Thu, Feb 5, 2015 at 12:58 PM, Glen Huang curvedm...@gmail.com wrote: The IDBTransaction interface exposes an onerror event handler. I wonder when that handler gets called? The algorithm of Steps for aborting a transaction” dispatches error events at requests of the transaction, but never

Re: Are web components *seriously* not namespaced?

2015-02-05 Thread Tab Atkins Jr.
On Fri, Feb 6, 2015 at 12:48 AM, Glen glen...@gmail.com wrote: So in other words it *is* a case of it's good enough. Web components are quite possibly the future of the web, and yet we're implementing them to be good enough in 90% of use cases? jQuery is JavaScript which means that it's