on, especially since the
W3C drafts are invariably out of date. IMHO the "Upgrade Insecure
Requests" specification should just reference the WHATWG spec.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/,
o a unique origin could be interesting. It's not clear to me whether
> any of the other flags would be useful, though.
>
> Ian, WDYT?
Happy to add features if browsers are going to implement them. Just file a
bug describing what the feature is. :-
've filed at least two bugs on this:
https://www.w3.org/Bugs/Public/show_bug.cgi?id=13145
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25159
As you say, Selection.toString() depends on this; the relevant bug is in a
similar state:
https://www.w3.org/Bugs/Public/show_bug.cgi?id=10583
On Wed, 3 Sep 2014, Anne van Kesteren wrote:
> On Wed, Sep 3, 2014 at 7:07 PM, Ian Hickson wrote:
> > Hear hear. Indeed, a large part of moving to a "living standard" model is
> > all about maintaining the agility to respond to changes to avoid having to
> > m
share.
>
> In this light, WHATWG should avoid making indefinite-timescale, over-ambitious
> assertions.
Hear hear. Indeed, a large part of moving to a "living standard" model is
all about maintaining the agility to respond to changes to avoid having to
make this very k
%20values%20as%20bookmarkable%20template&op_sys=other&priority=P3&product=WHATWG&qa_contact=contributor%40whatwg.org&rep_platform=Other&short_desc=&target_milestone=---&version=unspecified
HTH,
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Thu, 28 Aug 2014, Glenn Adams wrote:
> On Thu, Aug 28, 2014 at 10:04 AM, Ian Hickson wrote:
> > On Wed, 27 Aug 2014, Daniel Appelquist wrote:
> > >
> > > As you might know, the new charter for webapps includes a new
> > > version of the URL spec
On Wed, 27 Aug 2014, Daniel Appelquist wrote:
>
> As you might know, the new charter for webapps includes a new version
> of the URL spec. I am acting as editor of this spec.
What's the purpose of the W3C republishing this spec?
--
Ian Hickson
On Wed, 2 Jul 2014, Domenic Denicola wrote:
>
> From: Ian Hickson
>
> > I've been reluctant to do so to avoid people ending up on obsolete
> > versions (e.g. by following links from old source code) and not
> > realising what's going on.
>
> This
could do. If you have any specific ideas,
don't hesitate to let me know. (In particular, right now I'm working on a
new publication pipeline for HTML and so I'm in a good position to add new
features for this kind of thing.)
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Fri, 27 Jun 2014, Glenn Adams wrote:
>
> Clearly we operate in different business regimes.
If we both operate on the same Web content, then I don't think that
matters, the interoperability issue is the same either way.
--
Ian Hickson
at software passes tests for an obsolete version of a
standard, when the standard's purpose is interoperability and achieving
that interoperability requires converging on a target that we're only
slowly reaching over many years, is at best pointless, and at worst
harmful, which is why I
On Wed, 25 Jun 2014, Glenn Adams wrote:
> On Tue, Jun 24, 2014 at 8:28 PM, Ian Hickson wrote:
> >
> > Comparing implementations to anything but the very latest draft is not
> > only a waste of time, it's actively harmful to interoperability. At no
> > point shou
's actively harmful to interoperability. At no
point should any implementor even remotely consider making a change from
implementing what is currently specified to what was previously specified,
that would literally be going backwards.
--
Ian Hickson U+1047E)
lay nice, invokes the promise callbacks, all before the task that fired
the event handler has returned to the event loop. And once it does return
to the event loop, the next major thing _it_ does is "perform a microtask
checkpoint" anyway.
HTH.
--
Ian H
On Thu, 8 May 2014, Bruce Lawson wrote:
> On 7 May 2014 20:03, Ian Hickson wrote:
> >
> > Requiring a dash is pretty ugly. I would allow any attribute, and
> > we'll just have to be careful when introducing new global ones.
>
> I think the ship HMS Ugly has
up attributes. This is already a problem.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
ducing new global ones.
We only introduce them at the rate of ~one per year if you treat
namespaced groups of attributes like event handlers, microdata, or ARIA as
single units (which they more or less are, for this problem, I think).
--
Ian Hickson
ck spec (and all
> future specs). This could really help with consistency.
I'm very happy to add any such attributes to the HTML spec, just file a
bug once you're confident that it won't change.
--
Ian Hickson U+1047E)\._.,--,'``.fL
HATWG version changes to fix a bug and the W3C
version doesn't (because it's a REC, say, and thus can't change), then the
WHATWG one is the one that the tests will match. And thus, the W3C one is
not going to do anything to "provide the work for the implementors t
his further!
The canonical spec for XHR is Anne's, at http://xhr.spec.whatwg.org/.
I really would rather the W3C stopped causing all this confusion with all
these forks of WHATWG specs. It's harming the Web.
--
Ian Hickson U+1047E)\._.,--,'``.
> 2.The XMLHttpRequest
> <http://www.w3.org/TR/XMLHttpRequest/#xmlhttprequest> object was initially
> defined as part of the WHATWG's HTML effort. (Much later, Microsoft shipped
> an implementation.)
If this was the meaning, you would need a comma after "
he case of Navigation, "online" and "offline"
events go to the Window. In the case of Screen, "resize" and "scroll"
events go to the Window. So it makes sense to put new events there too.
IMHO.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Fri, 14 Mar 2014, Arun Ranganathan wrote:
> On Mar 12, 2014, at 6:54 PM, Ian Hickson wrote:
> >>
> >> For blob: URLs we agreed to make this pretty explicit:
> >> http://dev.w3.org/2006/webapi/FileAPI/#originOfBlobURL
> >
> > Unfortunately, scri
3C letterhead (and some subtly broken cross-references since it
doesn't include the rest of the spec):
http://dev.w3.org/html5/workers/
As is normal, the TR/ spec for workers is woefully out of date at this
point.
HTH,
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
t's a pretty compelling difference, IMHO.
> Also, the short version gives you the risk of namespace conflicts with
> the built-in methods and properties of form.
You can do this instead if that feels like a real risk:
this.elements.a.value = process(value)
...but
ng manipulation, the way that
getElementById() or querySelector() would.
(The last four examples above are all from the HTML spec.)
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
into decay with no active maintenance, which is
almost as bad.)
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Thu, 12 Dec 2013, Joel Weinberger wrote:
>
> This is a feature (or anti-feature, depending on your perspective :-)
> that has been touted as "good security" for quite some time (in fact,
> the W3C spec specifically calls it out in that regard).
Which spec are we talkin
level keyword that we
can use to make it easier to specify (right now it can be done but has to
be done in prose, and I haven't been consistent about it in my specs).
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Tue, 10 Dec 2013, Jonas Sicking wrote:
>
> However I'd really like to see us start a level 2 of the spec. The
> synchronous messaging channels is something else I'd like to see done
> there.
There's seven features I'm aware of that people have asked for that aren't
in Workers currently, or
provide, explained
as the browser using some default binding that declares those pseudo-
elements (though obviously behind the hood it doesn't need to be done
that way). Obviously there's a limit to how much you can do with just
this, but I think if we provide sufficient hooks, there nee
On Thu, 5 Dec 2013, Ryosuke Niwa wrote:
> On Dec 5, 2013, at 8:49 AM, Ian Hickson wrote:
> > On Thu, 5 Dec 2013, Ryosuke Niwa wrote:
> >>
> >> Let me understand the problem of styling/replacing builtin form
> >> controls.
> >>
ly different mechanism?
Different than what? I'd love the markup to not be different whether or
not we're using custom widget presentations.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
formance-requirements-for-authors
The basic idea is to try to help authors by catching things that they
probably didn't intend. In the case of in body, the main problem is
late loading of style sheets leading to poor performance and flicker.
If there are use cases where best practi
On Wed, 18 Sep 2013, Anne van Kesteren wrote:
> On Tue, Sep 17, 2013 at 4:34 PM, pira...@gmail.com wrote:
> > Really :-) I thought the same, but since it's a "GET equivalent
> > operation" just like XHR and in fact Google Charts creates on-demand
> > graphics based on the data on the URL query, s
out "bufferedAmount"
> implies that send() won't fail, is that correct?
Since the processing of an incoming close frame is handled in a task, it
cannot be synchronous with a send() call. For specific details, see the
exact algorithm described here:
http://www.whatwg.org/htm
On Sun, 16 Jun 2013, Dimitri Glazkov wrote:
> On Fri, Jun 14, 2013 at 10:26 AM, Ian Hickson wrote:
> > On Fri, 14 Jun 2013, Dirk Schulze wrote:
> >> On Jun 14, 2013, at 6:41 AM, "Robin Berjon" wrote:
> >> >
> >> > now that is in HTML, I was
. That's certainly how
it's implemented, and it would fix a lot of problems we have with things
falling between the cracks. (See, e.g., how much of an improvement we made
to that kind of thing when we merged DOM HTML and HTML.)
--
Ian Hickson
th a REC, we
still need to change it, since otherwise browsers are going to implement
things that are wrong... (e.g. anyone implementing HTML4 now is going to
be in a world of trouble because HTML4 has all kinds of mistakes in it,
despite being a REC -- HTML4 is not "stable" at all.)
| Use GPS|
++
And so on.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
> > I will try to file a ticket for Chrome.
>
> Ah, there is a requirement to the effect that when navigating, you
> exit fullscreen. Maybe we should restrict that to cross-origin
> navigation.
>
> Ian, other Adam, thoughts?
The history API doesn't involve
o make this kind of
thing easy.
Note that in theory, for 2D at least, shunting ImageBitmaps across threads
can be as efficient as commit().
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Wed, 2 Jan 2013, Glenn Maynard wrote:
> On Wed, Jan 2, 2013 at 4:23 PM, Ian Hickson wrote:
> >
> > Since none of the browsers I could test reconnect for 500s currently
> > as far as I can tell, I've changed the spec to not make 5xxs
> > reconnect. The serve
> PS I'm emailing, because the 'Feedback Comments' form on the web page
> returned 'ERROR' on my attempt to submit. Not sure who to notify of
> that problem.
The error reporting widget on the WHATWG spec above should work, FWIW.
E-mail is fine too though.
--
On Tue, 4 Dec 2012, Charles McCathie Nevile wrote:
>
> This is a formal warning.
I do not support the chairs in this. I stand by Ms2ger. He has not acted
inappropriately and his complaints are valid.
--
Ian Hickson U+1047E)\._.,--,'``.
who have no interest in working with
the W3C at this time. This is just plagiarism.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Tue, 17 Jul 2012, Ian Hickson wrote:
>
> My plan is to make it so that cross-origin URLs start cross-origin
> workers. The main unresolved question is how to do this in an opt-in
> manner. The best idea I've come up with so far is having scripts that
> want to opt-in to
On Mon, 26 Nov 2012, Anne van Kesteren wrote:
>
> I agree with Ian's other observations/comments.
>
> On Fri, Nov 23, 2012 at 10:22 PM, Ian Hickson wrote:
> > What I don't really understand, though, is why any of this is needed
> > at all. What value is the
On Sun, 25 Nov 2012, Jonas Sicking wrote:
> On Sun, Nov 25, 2012 at 12:38 PM, Ian Hickson wrote:
> > On Sun, 25 Nov 2012, David Bruant wrote:
> >>
> >> The intent is clear: the WHATWG publishes documents in the public
> >> domain for very good reason. A
e only time that forking
a specification is justified is #2 above.
We use open licenses on our specifications because of #1 and #2. We can't
legally prevent #3 while allowing #1 and #2, so we rely on common sense
and good faith to achieve #3.
HTH,
--
Ian Hickson U+1047E
On Fri, 23 Nov 2012, Glenn Adams wrote:
> On Fri, Nov 23, 2012 at 2:22 PM, Ian Hickson wrote:
> >
> > What I don't really understand, though, is why any of this is needed
> > at all. What value is the W3C adding by creating these forks?
>
> The problem as I see
Author" to "Editor", makes
some of the text in the spec, e.g. the note saying "As the editor learns
more about the subject matter the goals might increase in scope somewhat",
somewhat confusing.
What I don't really understand, though, is why any of this is needed at
tInterval in
> workers for repaints.
The idea in due course is to just expose rAF in workers. Please do read
the e-mail above, which actually mentions that.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/,
ownload images in a web worker and the images with both 2d contexts and
> WebGL contexts
I've now specced something like this; for details, see:
http://lists.w3.org/Archives/Public/public-whatwg-archive/2012Nov/0199.html
--
Ian Hickson U+1047E)\._.,--,'
to make additional progress here beyond what will
happen already given the currently-filed bugs.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
.
plagiarism (noun): The practice of taking someone else's work or ideas and
passing them off as one's own.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
W3C does this without the editor's
participation, and more importantly, while simultaneously decrying the
evils of forking specifications, and with virtually no credit to the
person doing the actual work.
It's this hypocrisy that is new and notable.
--
Ian Hickson U+1047E
On Thu, 30 Aug 2012, Olli Pettay wrote:
> >
> > The spec used to say "DOM mutation events must not fire for changes
> > caused by the UA parsing the document". I've updated this to also
> > mention mutation observers.
>
> Why? Getting MutationObserver notifications during parsing is what I'd
>
FYI, I've updated the EventSource spec to do reconnection in the case of
certain 5xx errors, DNS errors, and connection failures, as per a thread
earlier this year.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/
hives/Public/public-whatwg-archive/2012Sep/0207.html
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
now be who knows where.
Basically as soon as a port leaves the scope in which it was created, you
can no longer make any stable statements about where the other side is.
This is why the ports used in dedicated Workers are hidden (so you can't
send them anywhere).
--
Ian Hickson
e just embedded in the
WorkerGlobalScope and the API exposed through that interface, so that you
can't send the port's endpoint around. But it's literally defined in terms
of a MessagePort.
--
Ian Hickson U+1047E)\._.,--,'
component in the Bug tracking system:
> https://www.w3.org/Bugs/Public/buglist.cgi?product=WebAppsWG&component=DOM%20Parsing%20and%20Serialization&resolution=---
Please do not close bugs unless they are fixed in the canonical version of
the spec as well (the one Ms2ger maintains)
dinged in the reviews).
We saw this a lot with the equivalent DOM APIs like hasFeature(). In
practice, they became completely useless and Anne worked hard to sunset
them in DOM Core.
I would recommend and urge great caution. There be dragons on this path.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
nd. I use the browser everyday at work, and
> sometimes you have to ask yourself: who's serving who. Does the user
> serve the browser, or does the browser serve the user?
The browser serves the user, but many of the users it serves are not as
edu
tgun.
Not prefixing, and instead having spec authors make sure that what they
spec is compatible with what has shipped (at the very least by changing
names when they change semantics), is of course the right solution here. :-)
--
Ian Hickson U+1047E)\._.,--,
in architectures and provide more deployment
> > flexibility and perhaps greater efficiencies.
Those are still not use cases, for the record. I tried explaining what a
use case was here:
http://lists.w3.org/Archives/Public/public-webapps/2012JulSep/0302.html
http://lists.w3.org/Ar
WS binding but not an XHR binding?
Both would be useful, but my primary concern is Web Sockets, since I edit
that spec. Before I can consider proposals that affect Web Sockets, I need
to know what use case it is we're trying to address.
--
Ian Hickson
Something like "I want to be able to sell
plane tickets for people to go on holiday", say. Or "I want to provide a
service to users that lets them merge data from a medical drugs database
and a patient database, without giving me their credentials to those
databases". Or some
related to
persistent bi-directional full-duplex communication with a remote server.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
just a high-level problem statement, typically one
that even an end-user could actually understand (or at least that a
programmer could understand, even if they were not familiar with the Web).
What's the use case that is driving the ideas discussed in this thread in
the context o
at
involves Web Socket? I don't really understand what problem we're trying
to solve here.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
ith the register*Handler() methods.)
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
rd constraint,
questions such as yours above are obviously moot.
HTH,
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
reed on span and div; what's the use case for the inner
not being inert in this case, though? Surely it's fine for it
to be inert; you'd instantiate its template from the instantiated outer
template, right?
--
Ian Hickson U+1047E
pt the "create an element" operations check if
there's a on the stack, and if there is, then they add the
inert marker to the namespace, but everything else in the parser acts as
if the marker is not there?
--
Ian Hickson U+1047E)\._.,--,
equest. It's more than just cookies and HTTP auth headers.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Wed, 18 Jul 2012, Bronislav Klučka wrote:
>
> Since script is loaded using HTTP, why not use already defined CORS headers on
> server side while serving those scripts?
CORS is the wrong semantic. It's not "origin A is allowed to read content
from origin B", it's "origin A is allowed to caus
On Tue, 6 Dec 2011, Jonas Sicking wrote:
> On Tue, Dec 6, 2011 at 5:05 PM, Travis Leithead
> wrote:
> > A new scenario just came to my attention that I thought I might
> > pose to the list. Given the current same-origin restrictions on
> > new Worker(), it is problematic for Worker usage by any JS
On Thu, 12 Jul 2012, Julian Reschke wrote:
>
> It almost seems to me that nobody cares over here what the W3C document
> actually says, as there is that other "more helpful" version. In which
> case I wonder why it's published at all?
Patent policy.
--
Ian Hi
t which to write the diff so that it will be
maintained in future versions of the spec.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
ing XHR
> or WebSockets to achieve the same result the hard way), so lack of
> convenience in error recovery feels like an omission in this API.
If it's something we do want to eventually support, I think it'd be
something to consider for v2.
--
Ian Hickson
finds a network. The current
> spec seems to explicitly disallow this, although some browsers are
> attempting to reconnect anyway.
The idea is to let the script handle network troubles, so that authors are
in full control of how much load their servers g
On Mon, 4 Jun 2012, Ian Hickson wrote:
> On Wed, 4 Apr 2012, Rafael Weinstein wrote:
> > On Mon, Apr 2, 2012 at 3:21 PM, Dimitri Glazkov
> > wrote:
> > >
> > > Perhaps lost among other updates was the fact that I've gotten the
> > > first dra
tion was much faster (2-5
> seconds). This with *reconnection time* set to 500ms.
As far as I can tell, none of that is conforming. If you yank the cable,
they should retry once, then give up, per the spec.
--
Ian Hickson U+1047E)\._.
advocating)
that we could instead be spending on making something else a _lot_ better.
(The number one way of making a spec fail is to ignore backwards
compatibility, of course. Which in a way is the same thing, just on a
larger scale.)
--
Ian Hickson U+1047E)\
'd go with
disabling it when there's no CORS. Strawman has been updated accordingly.
On Tue, 5 Jun 2012, Anne van Kesteren wrote:
>
> A (bigger?) problem with E4H/H4E is that TC39 does not like it:
> http://lists.w3.org/Archives/Public/public-script-coord/2011OctDec/thread.html#ms
hly supportive of the goal of allowing HTML literals in
> script. I fully agree that better load ("compile") time feedback would
> be beneficial to authors here.
Let's do it! As far as I can tell, the impact on a JS parser would be
pretty minimal.
http://www.
ame. I don't think having a hard-coded list of HTML
elements is a good thing either, it's got the same forward-compatibility
problems. Unfortunately in the case of the existing lists we had no choice
because UAs already had them. Here, we have a choice.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
hich still suffer from lack of compile-time checking and
mix markup with data, but at least would be more structured than raw
strings and could offer better injection protection.
[1] (This is not the same as auto-escaping strings in other contexts. For
example, E4H doesn't propose to hav
al for dealing with this. I suppose we could go back to having an
attribute on , this time setting the context at a more coarse
level of just HTML vs SVG vs MathML; that's more likely to be understood
by authors than what I was suggesting before ("in tab
On Wed, 11 Apr 2012, Ian Hickson wrote:
>
> I'm fine with making changes here. The following proposals seem to make
> the most sense, though I'm sure others could work too:
>
> 2. Make the .source attribute be of type (MessagePort or WindowProxy)?
> and a
ough.
I assumed we were talking about the stacking context of the root element,
not just the one that the 's parent is in. Otherwise there
wouldn't need to be anything about how the parent's stacking context has
no effect, etc.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
ing performed again.
The "installation" security model of asking the user up-front to grant
trust just doesn't work because users don't understand the question, and
the "installation" security model of curating apps and trying to determine
by empirical examination w
eration as if it's an actually sane way of writing code.
Am I really the only one here who thinks this is horrifying?
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
pages where text/plain
files are sent as text/html, or text files are slightly augmented with
HTML without properly escaping everything -- they render fine until they
get to something that accidentally looks like markup, and the parser does
its stuff, and you wonder why half of the 100-page docu
On Thu, 10 May 2012, Rafael Weinstein wrote:
> On Thu, May 10, 2012 at 4:01 PM, Ian Hickson wrote:
> > On Fri, 11 May 2012, Tab Atkins Jr. wrote:
> >
> > But ok, let's assume that the use case is "create an element and its
> > subtree so that you can ins
> > script to generate DOM trees.
>
> As others have said, you've lost this race.
People said the same about . I chose to be more optimistic.
--
Ian Hickson U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
On Thu, 10 May 2012, Scott González wrote:
> On Thu, May 10, 2012 at 7:01 PM, Ian Hickson wrote:
> >
> > But I'm very skeptical about creating new APIs to encourage authors to
> > use injection-prone, non-type-checked, direct string manipulation in
> > script to