';
document.body.appendChild(script);
}
Best,
Nathan
impact on such a huge issue - and am probably wasting char's.
Best,
Nathan
3) UMP appears to be nearly a subset of CORS, and does have a lot of
nice properties for security and simplicity. We support UMP and would
like to see the syntax continue to be unified with CORS so that it is
in fact
Bjoern Hoehrmann wrote:
* Nathan wrote:
Personally, I don't follow why JS running in a user agent should have
completely different access rules to the rest of the web, primarily
because a few site admins feel it's a good idea to expose sensitive
data via IP-based auth on intranets
Jonas Sicking wrote:
On Mon, May 10, 2010 at 6:38 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote:
* Nathan wrote:
If you do not depend on a user's special standing with a third party
site, you can configure your server as proxy between your user and the
third party site. That's more difficult
Boris Zbarsky wrote:
On 5/10/10 10:21 PM, Nathan wrote:
2: Implement a user UI confirmation screen to allow JS applications xhr
access to other origin resources. (Similar to the allow desktop
notifications scenario in chromium)
Under what conditions would the typical user be able to make
, but they are pretty much obsolete given the
above.
Boris Zbarsky wrote:
On 5/10/10 11:14 PM, Nathan wrote:
2: Implement a user UI confirmation screen to allow JS applications xhr
access to other origin resources. (Similar to the allow desktop
notifications scenario in chromium)
Under what conditions
Boris Zbarsky wrote:
On 5/11/10 12:27 AM, Nathan wrote:
This leaves us in a scenario where it is the norm to download, install
and trust an application that runs in the browser
Perhaps. The difference is that it's much harder to do a drive-by app
install.
agree~ish, imho it's more
Boris Zbarsky wrote:
On 5/11/10 1:10 AM, Nathan wrote:
[!snip]
Boris, all,
I honestly don't have the solutions (as you can easily see) - what I can
see is that with CORS as it stands, and with same origin rules, then the
web is about as safe as it can get from xss, which is crucial
in the browser.
Best thanks in advance for any response,
ps: aware of window.crypto in firefox/gecko
Nathan
] http://lists.w3.org/Archives/Public/public-web-security/
Best,
Nathan
Jeremy Orlow wrote:
This came up not too long ago in the context of persistent storage. The
verdict (IIRC) was that we're not interested in adding crypto just to
the persistent storage APIs, but that we might be interested
Anne van Kesteren wrote:
On Tue, 11 May 2010 07:10:59 +0200, Nathan nat...@webr3.org wrote:
exactly, but the current set up stops xhr from getting resources that
the could be retrieved from site A with wget - with an inverted model
all the issues would disappear, leaving only one issue; namely
Resource.
You can't seriously block REST, the design of the web - this is ridiculous.
Nathan
Devdatta wrote:
IIRC HTTP-WG has asked this WG to change this behavior from a
whitelist to a blacklist. There was a huge discussion about this a
while back -- maybe this could be an example of why CORS should
Tyler Close wrote:
On Wed, May 12, 2010 at 12:33 PM, Nathan nat...@webr3.org wrote:
Yes,
The simplest argument I can give is that we (server admins) are trusted to
set the CORS headers, but not to remove any headers we don't want an XHR
request to see - this is frankly ridiculous
Tyler Close wrote:
On Wed, May 12, 2010 at 1:05 PM, Nathan nat...@webr3.org wrote:
Tyler Close wrote:
On Wed, May 12, 2010 at 12:33 PM, Nathan nat...@webr3.org wrote:
Yes,
The simplest argument I can give is that we (server admins) are trusted
to
set the CORS headers, but not to remove any
leaving all information + headers intact.
Best,
Nathan
/#response-header-filtering
Best,
Nathan
Maciej Stachowiak wrote:
On May 13, 2010, at 3:05 AM, Julian Reschke wrote:
On 12.05.2010 22:39, Nathan wrote:
Devdatta wrote:
As for the should CORS exist discussion, I'll bow out of those until
we're starting to move towards officially adopting a WG decision one
way or another
Vivek Khurana wrote:
On Wed, May 12, 2010 at 10:24 PM, Marcin Hanclik
marcin.hanc...@access-company.com wrote:
Hi Nathan,
This seems to be the current related standardization effort:
http://bondidev.omtp.org/1.5/crypto.html
=
http://bondi01.obe.access-company.com/1_5_5602_145/crypto.html
I
window, or other?
Additionally, under what security model would it run, would CORS/UMP etc
still apply as this seems to be at odds with the Widget Access Request
Policy [2].
[1] http://dev.w3.org/2006/waf/widgets-land/#introduction
[2] http://dev.w3.org/2006/waf/widgets-access/
Best,
Nathan
of further confusion (or should i say
conflated understanding of what a URL is), and benefit the entire web by
saving us from yet another (predominantly unneeded) URN namespace or URL
scheme.
Best leave this in your capable hands.
Nathan
Robin Berjon wrote:
Hi,
since some people were asking about JS crypto here not long ago, I thought I'd
point this one out:
http://bitwiseshiftleft.github.com/sjcl/
Thanks Robin! will come in handy :)
Anne van Kesteren wrote:
On Tue, 16 Jun 2009 16:18:25 +0200, Web Applications Working Group Issue
Tracker sysbot+trac...@w3.org wrote:
In
http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/0967.html
Mark Nottingham comments on the asymmetry of exposing the body of the
response
together and for you guys
to adopt + promote.
Apologies for the length of the mail, but you know.. had to say it..
Best,
Nathan
SULLIVAN, BRYAN L (ATTCINW) wrote:
Arun,
The basic concern I have is with the notion of browsers as the only
Web context and use-case that matters. The browser-based
+1 from me and every other developer I know.
Best,
Nathan
Julian Reschke wrote:
On 13.08.2010 00:03, Anne van Kesteren wrote:
...
For instance, a redirectCount property, default value would be
something like Infinity (the user agent could then cap the maximum
amount of redirects), and setting it to 0 would prevent any redirect,
and setting to
Hi,
I was wondering if there's a list of which major user agents support
(even partially) which APIs?
Best,
Nathan
Hi,
Just noticed that File API specifies NOT_READABLE_ERR as code 24,
whereas 24 is already used for DATA_CLONE_ERR
http://dev.w3.org/html5/spec/common-dom-interfaces.html#data_clone_err
Not sure if this is an issue or not, but a heads up regardless.
Best,
Nathan
the DOM Core updated - however the word alternative in there
worries me somewhat, is the end goal to effectively replace DOM Level 3
Core with DOM Core, or to try and split in to two versions of DOM Core
(one HTML focussed and one XML focussed), or other?
Best,
Nathan
/ w3c land? seems to complement the
other base types used in webidl etc rather well + my gut reaction was
why isn't this standardized within w3c?
Best,
Nathan
experimental support in
Chromium.
Sounds like a good idea, + is this not needed to allow servers to tell
clients to Upgrade to HTTP+TLS or WebSockets?
Best,
Nathan
Nathan wrote:
Julian Reschke wrote:
Hi,
it might be cool (and not too complicated) to (optionally) expose 1xx
responses to the caller (see
http://greenbytes.de/tech/webdav/rfc2616.html#status.1xx).
This could be done through an opt-in, such as specifying a callback
function to be called
Hi,
Just wondering if there is a mapping between xsd types and Web IDL
types? would seem to make sense to align, mirror and give common mappings.
Best,
Nathan
cc: public-webapps
Hi Claes,
Nilsson, Claes1 wrote:
Hi Nathan,
Thanks for clarifying your proposal.
I interpret you so that you are proposing standardization of a general concept of
packaged and installed web applications. Something like
http://code.google.com/chrome/apps/docs/index.html
Marcos Caceres wrote:
On Thu, Sep 16, 2010 at 1:42 PM, Nathan nat...@webr3.org wrote:
cc: public-webapps
Hi Claes,
Nilsson, Claes1 wrote:
Hi Nathan,
Thanks for clarifying your proposal.
I interpret you so that you are proposing standardization of a general
concept of packaged and installed
Marcos Caceres wrote:
On Fri, Sep 3, 2010 at 7:52 PM, Nathan nat...@webr3.org wrote:
Hi All,
Simply wondering why WARP, Widgets Updates and Digital Signatures aren't
used to deploy js applications which run in the main browser context?
I guess because they all have counterparts on the Web
Marcos Caceres wrote:
On 9/16/10 6:10 PM, Nathan wrote:
Marcos Caceres wrote:
As above. I thought that was what we (Web Apps WG - Widgets) have been
doing for the last 5 years?
Maybe I've missed part of the specifications - are you telling me that I
can package up an HTML,CSS,JS based
/d');
u.resolveReference('../.././n?x=y'); - 'http://ex.org/a/n?x=y'
ps: I'll happily implement this interface Javascript whenever as I've
already got something similar: http://github.com/webr3/URI
Best,
Nathan
of value at all times is better than the
benefit of being able to omit [0] from parts of your code.
+1 in every way, and if somebody wanted to miss the [0] they could make
a simple get function which returned array or single element based on
array.length, in userland.
regards,
nathan
?
Best,
Nathan
Nathan wrote:
Tim Berners-Lee wrote:
Looking at my action item to characterize the deductions made from
HTTP responses in the tabulator library, I found these related questions:
1) If A redirects 301 Moved to B, what should be the XML base which
is used to parse the representation returned
necessary.
Sounds good, certainly having the API and an implementation there will
have countless benefits for us all.
Best,
Nathan
[1] http://www.w3.org/DesignIssues/CloudStorage.html
[2]
http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_2_1
[3]
http://www.ics.uci.edu
, or by passing a map structure
containing preferences for each content type.
Best,
Nathan
, and whether 4 is even an option.
Best and TIA,
Nathan
Hi Cameron,
Thanks for your reply, comments in-line from here:
Cameron McCormack wrote:
Nathan:
We have the following interface:
[NoInterfaceObject]
interface TypedLiteral : RDFNode {
readonly attribute stringifier DOMString value;
readonly attribute IRI type
or the Store with t added?
Best TIA,
Nathan
.
Best ty for raising this,
Nathan
,
Nathan
Toni Ruottu wrote:
Hello,
I work for the computer science department at the University of
Helsinki, Finland. We've been trying to define an API that would allow
web site developers to run simple servers in their web pages. The
motivation behind the research is establishing some ground
together with other forms
of authentication, and that moving to TLS Extension support would
probably be wise in the long term.
see: http://krijnhoetmer.nl/irc-logs/whatwg/20110203#l-870
through to 14:51 for context
Thanks for raising this,
Nathan
Tim wrote:
Anne, others,
Do you have any
Nathan wrote:
Marcos Caceres wrote:
On 9/16/10 6:10 PM, Nathan wrote:
Marcos Caceres wrote:
As above. I thought that was what we (Web Apps WG - Widgets) have been
doing for the last 5 years?
Maybe I've missed part of the specifications - are you telling me that I
can package up an HTML,CSS
, for instance in many scenarios I want to allow everyone
except origins A and B who I know consistently steal bandwidth, or
display my resources beside unsavoury ones.
Best,
Nathan
Glenn Maynard wrote:
On Tue, Mar 1, 2011 at 3:33 PM, Nathan nat...@webr3.org wrote:
(rather than controlled only by user agents which choose to follow the specs
offering
an artificial screen).
If user agents deliberately ignore the specs to allow embedding where
authors don't want
Michael Nordman wrote:
Hi Art,
Please don't assume I know how the w3c works. I'm not subscribed to the
public-html list and honestly don't have a good understanding of which list
is for what. I consider the feature set provided by the Application Cache
to harmonize with other topics
here before, so please be nice if this suggestion
is stupid for reasons I don't know : )
Thanks.
Nathan
That would do the trick, yes. Thanks for pointing it out, all my w3
spec reading skills are belong to you.
On Mon, Jul 5, 2010 at 4:44 PM, Shawn Wilsher sdwi...@mozilla.com wrote:
On 7/5/2010 3:19 AM, Nathan Kitchen wrote:
There are a couple of ways to do this:
I think you missed one
of something more appropriate, but that explains
what I'd like to accomplish.
Is this something that can already be achieved via the IndexedDB spec?
If not, could it be included without too much effort?
Appreciate all your hard work.
Nathan
Hi.
Just wondering if anyone could take a few moments to provide an update on
the state of full-text indexing in IndexedDB?
A quick google indicated that the question had been raised before, Jeremy
Orlow suggesting support for inverted indexes (back in February) and there
was a reference to
aspects of the spec.
Article: *Advertisers get hands stuck inside HTML5 database cookie jar* (
http://arstechnica.com/apple/news/2010/09/rldguid-tracking-cookies-in-safari-database-form.ars
)
Thanks.
Nathan
the spec and encourage
them to take up their complaint with the vendors instead.
Cheers.
On Wed, Sep 8, 2010 at 10:51 AM, Jeremy Orlow jor...@chromium.org wrote:
On Tue, Sep 7, 2010 at 7:51 PM, Nathan Kitchen w...@nathankitchen.com wrote:
Hi all.
Stumbled across this article on Ars Technica
this functionality could be added.
Thanks.
Nathan
On Tue, Oct 26, 2010 at 7:03 PM, Nathan nat...@webr3.org wrote:
Jonas Sicking wrote:
On Mon, Oct 25, 2010 at 10:24 AM, Keean Schupke ke...@fry-it.com wrote:
We (www.fry-it.com) produce websites and mobile apps. We have been
looking
at HTML5
.
On Wed, Oct 27, 2010 at 9:10 AM, Keean Schupke ke...@fry-it.com wrote:
Hi Nathan,
On 27 October 2010 08:58, Nathan Kitchen w...@nathankitchen.com wrote:
The most obvious problem was that it was tied so tightly to SQLite (which
I think everyone would be amazed if MS started shipping with IE10
Not sure if this is covered by index keys, but you may consider adding:
- Full-text indexing
To the agenda.
N
On Tue, Nov 2, 2010 at 11:15 AM, Jonas Sicking jo...@sicking.cc wrote:
I suspect internationalization is another thing where we can quickly
make progress so let's try to get to
I'm also a little confused. There was a recent announcement [1] from the
WHATWG that the version number was being dropped from HTML 5. This has been
reported elsewhere, usually directly referring back to the WHATWG
announcement [2].
Obviously this doesn't seem to fit with the smacking great 5 in
A couple of other app cache observations from a hobbyist who's played around
with Google's Gears...
I built an offline web application based on Gears, with the intention to
migrate to something a bit more standardized as it became available. That
was a good two years ago now, but the existing and
.
On 31 March 2011 15:19, Nathan Kitchen w...@nathankitchen.com wrote:
Hi.
I've been watching discussions on IndexedDB for a while now, and wondered
if anyone would mind spending a few moments to explain how IndexedDB is
related (or not) to WebSQL. Is IndexedDB seen as replacing
I agree that it'd be best to have a spec independent of database platform,
which is why I was asking about an idea along the lines of RelationalDB
https://github.com/keean/RelationalDB or the example I gave in the email
which initiated this discussion, both of which are entirely abstracted from
the
Have you heard of knockout.js? It's an MVVM pattern based on JQuery, if
you're not aware of it you may be interested to see their approach.
Official site:
http://knockoutjs.com/
Recent MIX event:
http://channel9.msdn.com/Events/MIX/MIX11/FRM08
Just FYI as it was related...
On 23 April 2011
One feature I'd like to see is respect for compression headers. I've got an
app which results in a 30Mb app cache, but it's only 8Mb over the wire due
to GZIP compression. I'd much prefer the appcache to see that the content
was served compressed, cache it compressed, and serve it to the browser
The comments on
https://dvcs.w3.org/hg/editing/raw-file/tip/editing.html#dom-selection-addrange
say Chrome 15 dev seems to ignore addRange() if there's already a range.
In case it's helpful, I wanted to note that this isn't quite the case. The
WebKit implementation is here: