from:"Maciej Stachowiak"


 On Apr 23, 2015, at 3:27 PM, Martin Thomson martin.thom...@gmail.com wrote:
 
 On 23 April 2015 at 15:02, Ted Mielczarek t...@mozilla.com wrote:
 Has anyone ever proposed exposing the structured clone algorithm directly as 
 an API?
 
 If you didn't just do so, I will :)
 
 1. https://twitter.com/TedMielczarek/status/591315580277391360
 
 Looking at your jsfiddle, here's a way to turn that into something useful.
 
 +Object.prototype.clone = Object.prototype.clone || function() {
 - function clone(x) {
return new Promise(function (resolve, reject) {
window.addEventListener('message', function(e) {
resolve(e.data);
});
 +window.postMessage(this, *);
 -window.postMessage(x, *);
});
 }
 
 But are we are in the wrong place to have that discussion?

Code nitpick: it probably should remove the event listener from within the 
handler, or calling this function repeatedly will leak memory. Also it will get 
slower every time.

Actually, now that I think about it, this isn’t usable at all if you are using 
postMessage for anything else, since you could accidentally capture 
non-cloning-related messages.

I guess these are potentially arguments to expose cloning directly.

Regards,
Maciej

[components] Isolated Imports and Foreign Custom Elements


Hi everyone,

I wrote up a proposal (with input and advice from Ryosuke Niwa) on a possible 
way to extend Web Components to support fully isolated components:

https://github.com/w3c/webcomponents/wiki/Isolated-Imports-Proposal 
https://github.com/w3c/webcomponents/wiki/Isolated-Imports-Proposal

I welcome comments on whether this approach makes sense.


I’d also like to discuss this during the proposals section of tomorrow’s F2F. I 
know it’s supposed to be focused on Shadow DOM, but I think this proposal is 
relevant context.

I think this proposal, even if it is itself a post-v1 project, helps explain 
why closed mode is important and relevant. While closed mode doesn’t provide 
strong security isolation by default, its a building block that can be used to 
build full isolation, whereas open mode can’t be used that way.

If we agree to have a closed mode eventually, then it’s probably sensible to 
add it for v1. We’d also want to decide sooner rather than later whether closed 
or open is the default (or whether there is no default and we require authors 
to choose one explicitly).

Regards,
Maciej

Re: [components] Apple's consolidated feedback on Web Components


 On Apr 22, 2015, at 11:10 PM, Maciej Stachowiak m...@apple.com wrote:
 
 
 Hi everyone,
 
 In preparation for Fridays’ face-to-face, a number of us at Apple (including 
 me, Ryosuke Niwa, Sam Weinig, and Ted O’Connor

I forgot to mention that Gavin Barraclough also contributed to this discussion. 
We also incorporated past feedback from others on the team.

 - Maciej

[components] Apple's consolidated feedback on Web Components

Hi everyone,

In preparation for Fridays’ face-to-face, a number of us at Apple (including
me, Ryosuke Niwa, Sam Weinig, and Ted O’Connor) got together to collect our
thoughts and feedback about the current state of Web Components.

Before going into the changes we propose, we want to reiterate that we think
the concept of Web Components is great, and we even like many of the specifics.
We’re considering significant implementation effort, but we have some concerns.
We think there is a set of targeted changes that would help web developers, and
allow us to address a broader set of use cases.

With that in mind, here are our key points of feedback, by spec.

I. Shadow DOM

A. Closed vs. Open.
1. Add a closed/open flag to createShadowRoot(). The Shadow DOM
spec now has the notion of an encapsulation flag for closed mode. Yay!
Unfortunately, there’s no way yet for a Web developer to pass this flag in.
Open vs. closed has been much discussed, and while the default is contentious,
we felt there was a rough consensus to at least expose both modes. We think
this is critical for v1. https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144
2. The behavior of closed mode should be actually defined. We
hope this does not need much justification. We think this is critical for v1.
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144
3. We think closed mode should be the default. Alternately, we
would be ok with a mandatory argument so developers must always explicitly
choose open or closed. This has been much discussed, so we won’t give further
rationale here, and can wait for the meeting Friday to debate.
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28445
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28445

B. Multiple Generations of Shadow DOM
1. We think this should be removed. Discussion can wait for
debate of contentious bits, https://www.w3.org/Bugs/Public/show_bug.cgi?
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28446
2. We think that the Apple / Component Kitchen named slot
proposal does a better job of addressing the main use cases for this. We think
it is a superior replacement.
https://github.com/w3c/webcomponents/wiki/Proposal-for-changes-to-manage-Shadow-DOM-content-distribution

https://github.com/w3c/webcomponents/wiki/Proposal-for-changes-to-manage-Shadow-DOM-content-distribution
https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0184.html
https://lists.w3.org/Archives/Public/public-webapps/2015AprJun/0184.html
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28542
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28542

C. Imperative Distribution API
1. We think the imperative distribution API is still worth
doing. There has been positive feedback from web developers on the concept and
there isn’t an obvious reason against it.
https://www.w3.org/Bugs/Public/show_bug.cgi?id=18429
https://www.w3.org/Bugs/Public/show_bug.cgi?id=18429

D. Event Retargeting
1. We agree with making it optional (opt-in or opt-out). We
don’t feel that strongly, but many web developers have asked for this. The
default should likely match the default for open vs. closed (no retargeting by
default if open by default).
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28444
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28444

E. Renaming
1. If any strongly incompatible changes are made, we suggest
renaming createShadowRoot. This is to avoid compat problems with content
written for Chrome’s shipping implementation.

II. Custom Elements

A. Insertion/Removal Callbacks
1. We think the current attached/detached callbacks should be
removed. They don’t match core DOM concepts and insert/remove is a more natural
bracket. https://www.w3.org/Bugs/Public/show_bug.cgi?id=24314
https://www.w3.org/Bugs/Public/show_bug.cgi?id=24314
2. We think inserted/removed callbacks should be added, for
alignment with DOM. https://www.w3.org/Bugs/Public/show_bug.cgi?id=24866
https://www.w3.org/Bugs/Public/show_bug.cgi?id=24866

B. ES6 classes
1. Custom elements should support ES6 classes in a natural way
- allowing use of the ES6 class constructor instead of a separate callback. We
believe there is rough consensus on this point.
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28541
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28541

C. Upgrade
1. We don’t think upgrading should be supported. The tradeoffs
of different options have been much-discussed.
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28544
https://www.w3.org/Bugs/Public/show_bug.cgi?id=28544
2. We support synchronous constructors, or

Re: Shadow tree style isolation primitive

2015-02-05 Thread Maciej Stachowiak


 
 ... Hanging but?! Oh lordy. Oooh, let me turn this into a contemplative 
 sidebar opportunity.
 
 Shadow DOM and Web Components seem to have what I call the Unicorn 
 Syndrome. There's a set of specs that works, proven by at least one browser 
 implementation and the use in the wild. It's got warts (compromises) and some 
 of those warts are quite ugly. Those warts weren't there in the beginning -- 
 they are a result of a hard, multi-year slog of trying to make a complete 
 system that doesn't fall over in edge cases, and compromising. A lot.


Compromise
1. a. A settlement of differences in which each side makes concessions.

I don’t remember any of that happening. I guess you mean a different definition 
of “compromising”?

Regards,
Maciej

Re: Fallout of non-encapsulated shadow trees

2014-07-01 Thread Maciej Stachowiak


 On Jul 1, 2014, at 3:26 PM, Domenic Denicola dome...@domenicdenicola.com 
 wrote:
 
 From: Maciej Stachowiak m...@apple.com
 
 Web Components as currently designed cannot explain the behavior of any 
 built-in elements (except maybe those which can be explained with CSS alone).
 
 Unfortunately this is a hard problem that nobody has even sketched a solution 
 to.

I have sketched a solution to it (including publicly in the last Web Apps WG 
meeting). I believe the following set of primitives would be sufficient for 
implementing built-in elements or their close equivalents:

(1) “closed” or “Type 2 Encapsulation” mode for the Shadow DOM as I have 
advocated it (i.e. no access to get into or style the Shadow DOM when in this 
mode).
(2) Ability to have the script associated with the component run in a separate 
“world”
(3) A two-way membrane at the API layer between a component and a script; 
approximately, this would be the Structured Clone algorithm, but extended to 
also translate references to DOM objects between the worlds.
(4) An import mechanism that loads some script to run in a separate world, and 
allows importing custom element definitions from it.
(5) Custom elements with the ability to work with the membrane from (3) and the 
script world from (2).

With this in place, the only “magic” of built-in elements would be access to 
platform capabilities that some built-in elements have (which could be exported 
as lower-level specific APIs, e.g. participation in form submission for form 
controls), and the fact that they come pre-imported.

Unfortunately, Shadow DOM doesn’t provide (1) and HTML Imports doesn’t provide 
(4). Thus, merely adding (2) and (3) won’t be enough; we’ll need to create 
parallels to API that Google has already shipped and frozen without addressing 
this problem.

Thus, when you say the following:

On Jul 1, 2014, at 5:34 PM, Domenic Denicola dome...@domenicdenicola.com 
wrote:

 From: Edward O'Connor [mailto:eocon...@apple.com] 
 
 But soft encapsulation is just as useless for explaining the platform 
 as no encapsulation at all.
 
 I think just as useless overstates your case. Type 2 allows you to hide 
 implementation details of your component from authors better than Type 1 
 does. Yes, it's not isolation for security purposes, so it doesn't get you 
 the whole way, but like Brendan said, we shouldn't let the perfect be the 
 enemy of the good.
 
 Well, but *for explaining the platform* it is just as useless. It may be 
 useful independently for authors who wish to protect against interference by 
 people who are afraid of feeling bad, but it is not useful for explaining the 
 platform.
 
 My personal perspective is that it is already a shame we are on track to have 
 two versions (in some sense) of web components: the existing one, and one 
 that explains the platform. It would be a shame to have a third in between 
 those two, that is unlike the existing one but also does not explain the 
 platform. So I guess along this axis I would strongly prefer perfect to 
 good, I suppose because I think what we have already is good.

I believe you are wrong. DOM-level encapsulation can be used as-is in 
combination with scripting encapsulation to provide a secure platform for 
untrusted components, and a way to explain built-in elements. Shadow DOM 
without DOM-level encapsulation cannot be used in combination with other 
primitives.

Thus, if we’d built Shadow DOM with DOM-level encapsulation in the first place, 
we could add the right other primitives to it and be able to explain built-in 
elements. But the way it was actually done can’t explain anything built-in.


I would really like to build a system that can provide security for mutually 
distrusting components and embedders, and that can explain the platform. 
However, I feel that my efforts to give feedback, both to nudge in this 
direction and otherwise, have been rejected and stonewalled. With Google 
controlling editorship of all the Web Components specs, shipping the only 
implementation so far -- unprefixed, freezing said implementation, and not 
being very open to non-Google input, and making all decisions in private via 
“consensus within Google”, it is hard to see how to meaningfully participate. 
If there is any possibility of some of those factors changing, I think it’s not 
too late to end up with a better component model and I’d be interested in 
helping.

Regards,
Maciej

P.S. Due to the factors stated in the last paragraph, I’m going to try to limit 
my participation in this thread as much as possible for the sake of my own 
mental equilibrium.

Re: Fallout of non-encapsulated shadow trees

2014-06-30 Thread Maciej Stachowiak


 On May 15, 2014, at 6:17 AM, Anne van Kesteren ann...@annevk.nl wrote:
 
 I'm still trying to grasp the philosophy behind shadow trees.
 Sometimes it's explained as exposing the primitives but the more I
 learn (rather slowly, this time at BlinkOn) the more it looks like a
 bunch of new primitives.
 
 We cannot explain input still, but since we allow going inside the
 shadow tree we now see the need for a composed tree walker (a way to
 iterate over a tree including its non-encapsulated interleaved shadow
 trees). In addition we see the need for a composed range of sorts, so
 selection across boundaries makes sense. Neither of these are really
 needed to explain bits of the existing platform.

I agree with the need for encapsulation in Web Components and have been arguing 
for it for a long time. Currently, despite agreement dating back several years, 
it doesn’t even offer a mode with better encapsulation. Now that the 
non-encapsulation version has shipped in Chrome, it may be hard to change other 
than by renaming everything.

Web Components as currently designed cannot explain the behavior of any 
built-in elements (except maybe those which can be explained with CSS alone).

Regards,
Maciej

Re: [April2014Meeting] Building an Issue and Bug focused agenda

2014-04-09 Thread Maciej Stachowiak


Would the WG be willing to put Web Components related topics on Friday when 
building the agenda? (Note: there are at least some Apple folks who will be 
there both days in any case.)

Cheers,
Maciej

On Apr 8, 2014, at 8:40 AM, Dimitri Glazkov dglaz...@chromium.org wrote:

 Actually, Friday sounds better for me too!
 
 :DG
 
 
 On Mon, Apr 7, 2014 at 10:55 PM, Maciej Stachowiak m...@apple.com wrote:
 
 Hi folks,
 
 I’d really appreciate it if we could decide whether Web Components related 
 topics will be discussed Thursday or Friday. It is the topic I am most 
 personally interested in, and I think I might only be able to spare the time 
 for one of the two days, so I’d appreciate knowing which day it will be (even 
 if we don’t work out the other schedule details). Friday would be more 
 convenient for me, for what it’s worth, but either is fine.
 
 Thanks,
 Maciej
 
 On Apr 2, 2014, at 3:50 AM, Arthur Barstow art.bars...@nokia.com wrote:
 
  Hi All,
 
  The [Agenda] page for the April 10-11 meeting includes a list of Potential 
  Topics and other than a meeting with some members of SysApps on April 10 to 
  discuss the Service Worker and Manifest specs, currently, all other time 
  slots are unallocated.
 
  Although we will allocate time slots for agenda topics at the meeting, I 
  think it would be helpful if each of the specs' stakeholders and leads - 
  not just Editors but also implementers and developers - would please 
  identify high priority Issues and Bugs in advance of the meeting. This 
  should help attendees' meeting preparations, reduce some of the overhead of 
  agenda tweaking and help make the meeting bug/issue focused.
 
  Among the specs that come to mind (including the two specs mentioned 
  above) are:
 
  * Web Components; led by Dimitri et al. - what are the high priority 
  issues, bugs, blockers, etc. to discuss?
 
  * File API; led by Jonas (will Arun join remotely?); which high priority 
  bugs need discussion; status of LC processing; next steps
 
  * Streams specs; led by Feras and Takeshi (will Domenic join remotely?); 
  status and plans for this effort; high priority issues
 
  * Editing; led by Ryosuke (will Aryeh join remotely?); plans; spec split?
 
  * Service Workers; led by Alex and Jungkee; high priority issues, bugs, 
  etc.; plan and expectations for first Technical Report publication
 
  * Manifest; led by Marcos; high priority issues, bugs, etc.
 
  * Other high priority topics?
 
  Feedback from All is welcome, as well as proposals for a day + time slot 
  for specific topics.
 
  -Thanks, AB
 
  [Agenda] https://www.w3.org/wiki/Webapps/April2014Meeting#Potential_Topics

Re: Indexed DB: Opening connections, versions, and priority

2014-02-27 Thread Maciej Stachowiak


On Feb 26, 2014, at 10:35 AM, Joshua Bell jsb...@google.com wrote:

 While looking at a Chrome bug [1], I reviewed the Indexed DB draft, section 
 3.3.1 [2] Opening a database:
 
 These steps are not run for any other connections with the same origin and 
 name but with a higher version
 
 And the note: This means that if two databases with the same name and 
 origin, but with different versions, are being opened at the same time, the 
 one with the highest version will attempt to be opened first. If it is able 
 to successfully open, then the one with the lower version will receive an 
 error.
 
 I interpret that as (and perhaps the spec should be updated to read): This 
 means that if two open requests are made to the database with the same name 
 and origin at the same time, the open request with the highest version will 
 be processed first. If it is able to successfully open, then the request with 
 the lower version will receive an error.
 
 So far as I can tell with a test [3], none of Chrome (33), Firefox (27), or 
 IE (10) implement this per spec. Instead of processing the request with the 
 highest version first, they process the first request that was received.
 
 Is my interpretation of the spec correct? Is my test [3] correct? If yes and 
 yes, should we update the spec to match reality?

I think the ambiguous language in the spec, and also in your substitute 
proposal, is at the same time. I would think if one request is received 
first, then they are not, in fact, at the same time. Indeed, it would be pretty 
hard for two requests to be exactly simultaneous.

If at the same time is actually supposed to mean something about receiving a 
new open request while an older one is still in flight in some sense, then the 
spec should say that, and specify exactly what it means. I would think the only 
observable time is actually delivering the callback. That would imply a rule 
that if you receive a request with a higher version number before the 
completion callback for a currently pending open request has been delivered, 
you need to cancel the attempt and try with the higher version (possibly 
retrying with the lower version again later).

Regards,
Maciej

Re: Form submission participation (was Re: Goals for Shadow DOM review)

2014-02-21 Thread Maciej Stachowiak


On Feb 21, 2014, at 11:04 AM, Ian Hickson i...@hixie.ch wrote:

 On Thu, 20 Feb 2014, Jonas Sicking wrote:
 On Thu, Feb 20, 2014 at 2:51 PM, Edward O'Connor eocon...@apple.com wrote:
 
 Yeah, I think we just say that [form.elements] is the legacy feature 
 that only exposes built-in controls. form.getParticipants() works for 
 me.
 
 Agreed. [form.elements] is pretty crappy anyway in that it's live and 
 that it doesn't include input type=image elements for webcompat 
 reasons (stemming from an old Netscape bug :))
 
 I actually think form.elements is more important than form submission, as 
 far as custom form controls go.
 
 Pages with custom form controls are highly likely, I would guess, to be 
 interactive apps that don't have any unscripted form submission. I would 
 expect lots of XHR, WebSockets, and the like. However, scripts are hugely 
 simplified by form.elements. Instead of having to grab things by ID, you 
 can just name them, for example. This is even more true for event handlers 
 on form controls, which have the form in the scope chain. For example, one 
 of the big reasons for adding output was that it makes it easier to 
 update text -- instead of:
 
  oninput=document.getElementById('a').textContent = process(value)
 
 ...you can write:
 
  oninput=a.value = process(value)

I'd guess most sophisticated webapps do not use attribute-based event handlers 
(as opposed to addEventListener), so they would not get this convenient scoping 
benefit. If you're looking at an out-of-line function, then your comparison is:

this.a.value = process(value)
this.querySelector(#a).value = process(value)

which is a less dramatic difference. Also, the short version gives you the risk 
of namespace conflicts with the built-in methods and properties of form.


Regards,
Maciej

Re: Form submission participation (was Re: Goals for Shadow DOM review)

2014-02-21 Thread Maciej Stachowiak


On Feb 21, 2014, at 2:28 PM, Ian Hickson i...@hixie.ch wrote:

 On Fri, 21 Feb 2014, Maciej Stachowiak wrote:
 
 I'd guess most sophisticated webapps do not use attribute-based event 
 handlers (as opposed to addEventListener), so they would not get this 
 convenient scoping benefit.
 
 That's not clear to me. I mean, certainly today, with div soup, they 
 don't. But that's at least partly because there's no sane way to do it 
 when your markup isn't really declarative in any useful sense.
 
 When you have Web components that let you get the effect you want while 
 sticking to a terse markup language, it becomes much more feasible to 
 return to using inline event handlers.

Might be, but I'm not sure you can center a design on a hypothetical future 
change in web developer behavior.

 
 If you're looking at an out-of-line function, then your comparison is:
 
 this.a.value = process(value)
 this.querySelector(#a).value = process(value)
 
 which is a less dramatic difference.
 
 It's a pretty compelling difference, IMHO.
 
 
 Also, the short version gives you the risk of namespace conflicts with 
 the built-in methods and properties of form.
 
 You can do this instead if that feels like a real risk:
 
  this.elements.a.value = process(value)

Which is hardly an upgrade at all over:
this.querySelector(#a).value = process(value)

Cheers,
Maciej

WebKit interest in ServiceWorkers (was Re: [manifest] Utility of bookmarking to home screen, was V1 ready for wider review)

2014-02-17 Thread Maciej Stachowiak


On Feb 16, 2014, at 2:16 AM, Marcos Caceres mar...@marcosc.com wrote:

 
 
 On Sunday, February 16, 2014, Alex Russell slightly...@google.com wrote:
 On Sat, Feb 15, 2014 at 5:56 AM, Marcos Caceres w...@marcosc.com wrote:
 tl;dr: I strongly agree (and data below shows) that installable web apps 
 without offline capabilities are essentially useless.
 
 Things currently specified in the manifest are supposed to help make these 
 apps less useless (as I said in the original email, they by no means give us 
 the dream of installable web apps, just one little step closer) - even if 
 we had SW tomorrow, we would still need orientation, display mode, start URL, 
 etc.
 
 So yes, SW and manifest will converge... questions for us to decide on is 
 when? And if appcache can see us through this transitional period to having 
 SW support in browsers? I believe we can initially standardize a limited set 
 of functionality, while we continue to wait for SW to come into fruition 
 which could take another year or two.
 
 SW will becoming to chrome ASAP. We're actively implementing. Jonas or Nikhil 
 can probably provide more Mozilla context.
 
 I'm also interested in the WebKit and Microsoft context. I just don't know 
 who to ask there. Have their been any public signals of their level of 
 interest in SW? 

In general I think it's a good idea and I bet many other WebKit folks do too. 
We haven't yet had a chance to review thoroughly but I expect we'll like the 
general principles. I personally would like to see it become an official draft 
of the Working Group if it isn't already (the Publication Status page implies 
not, but perhaps I have missed something). If it is being actively implemented, 
it would be great to publish it as a Working Draft also, so we can get the IPR 
disclosures out of the way.

Regards,
Maciej

Re: [webcomponents] Imperative API for Insertion Points

2014-02-16 Thread Maciej Stachowiak

On Feb 15, 2014, at 4:57 PM, Ryosuke Niwa rn...@apple.com wrote:Hi all,I’d like to propose one solution for[Shadow]: Specify imperative API for node distributionhttps://www.w3.org/Bugs/Public/show_bug.cgi?id=18429because select content attribute doesn’t satisfy the needs of framework/library authors to support conditionals in their templates,and doesn’t satisfy my random image element use case below.== Use Case ==Random image element is a custom element that shows one of child img elements chosen uniformally random.e.g. the markup of a document that uses random-image-element may look like this:random-image-element img src="" img src="" img src=""/random-image-elementrandom-image-element displays one out of the three img child elements when a user clicks on it.As an author of this element, I could modify the DOM and add style content attribute directly on those elementsbut I would rather use shadow DOM to encapsulate the implementation.I wanted to mention that this handles other use cases besides selecting a random child which are impossible (or at least very awkward) with contentselect="" as presently defined:(1) A container component that can hold an arbitrary number of children, and wraps each of its light DOM children in a piece of markup inside the ShadowDOM. Consider a buttonbar component that placed each child into a button, and styled them all specially:buttonbar  i _onclick_="execCommand('italic')"I/i  b _onclick_="execCommand('bold')B/b  u _onclick_="execCommand('underline')U/ubuttonImagine it would render like this (explaining why separate individual button elements won't cut it).(2) A component that expects alternate labels and corresponding items, wants to parent them into different boxes, but wants to make sure they remaincorresponding.tabview  tabtitlePuppies/tabtitle  tabpane lots of pictures of puppies /tabpane  tabtitleKittens/tabtitle  tabpane lots of pictures of kittens /tabpane  tabtitleSadness/tabtitle  !-- no tab pane provided for this title yet --  tabtitleBunnies/tabtitle  tabpane lots of pictures of bunnies .../tabpane/tabviewThe component author would like this to render as a tabview with 4 tab labels at the top ("Puppies", "Kittens", "Sadness", "Bunnies") and 3 actual tab paneswith one placeholder inserted: (the puppy pane, the kitten pane, a blank placeholder, the bunny pane).But if my shadow DOM looks like this:div class=tab-label-barcontent select="tabtitle"/divdiv class=tab-holdercontent select="tabpane"/divThen the pictures of bunnies would line up with the "Sadness" label, and I don't have an easy way to add the placeholder anywhere but at the beginning or theend of the tab panes.(3) An element that selects some of its children conditionally. Let's say you have an element that will select different children depending on what features thebrowser supports:cond  case condition="Modernizr.webgl"Spiffy WebGL view goes here!/case  case condition="Modernizr.canvas"Passable 2-D canvas view goes here/case  case defaultOh noes! You need more browser features to use this site!/case/condThe idea is to select in only exactly one of the cases - the first that matches. The others don't go into the shadow DOM. There isn't a great way to select only one of the "case" elements here (after having run the JS to evaluate which applies).The SVG "switch" element does something similar, as does Modernizr's normal class-based mode of operation.I hope these examples give more motivation for why programmatically binding an insertion point may be useful.Regards,Maciej

Re: [webcomponents] Encapsulation and defaulting to open vs closed (was in www-style)

2014-02-15 Thread Maciej Stachowiak


On Feb 14, 2014, at 7:16 PM, Boris Zbarsky bzbar...@mit.edu wrote:

 On 2/14/14 10:07 PM, Ryosuke Niwa wrote:
 We most vigorously object to making the CSS style resolver depend on JS
 DOM object properties.
 
 Ryosuke, I think you misunderstood the proposal.  I'm pretty sure we all 
 object to having the CSS style resolver depend on anything that involves JS 
 properties.  But it's not necessarily a problem to have it depends on 
 internal node state that can be set via DOM APIs (e.g. it already depends on 
 DOM attribute values and whatnot).
 
 So in implementation terms, an element would just have an internal boolean 
 and setting this.shadowRoot = undefined or whatnot would set that boolean; 
 the CSS machinery would read that boolean.  That seems fairly workable to me; 
 whether it's the sort of API we want is a separate issue that I have no 
 opinion on.

The API we currently have doesn't actually allow this:

readonly attribute ShadowRoot? shadowRoot;

Now, we could change this attribute to not be readonly. However, that makes me 
wonder - what happens if you assign something other than null? Would this 
become an API to replace the shadow root? That seems like a bad idea. On the 
whole, this choice seems like messier API change than a parameter to 
createShadowRoot indicating the mode (which I thought the WG had rough 
consensus on over a year ago).

Regards,
Maciej

Re: [webcomponents] Encapsulation and defaulting to open vs closed (was in www-style)

2014-02-13 Thread Maciej Stachowiak


On Feb 13, 2014, at 4:01 PM, Alex Russell slightly...@google.com wrote:

 On Thu, Feb 13, 2014 at 1:25 PM, Maciej Stachowiak m...@apple.com wrote:
 
 On Feb 12, 2014, at 4:04 PM, Alex Russell slightly...@google.com wrote:
 
 
 
 In discussion with Elliot and Erik, there appears to be an additional 
 complication: any of the DOM manipulation methods that aren't locked down 
 (marked non-configurable and filtered, ala caja) create avenues to get 
 elements from the Shadow DOM and then inject styles. E.g., even with Arv's 
 lockdown sketch: 
 
   https://gist.github.com/arv/8857167
 
 You still have most of your work ahead of you. DocumentFragment provides 
 tons of ins, as will all incidentally composed APIs.
 
 I'm not totally clear on what you're saying. I believe you're pointing out 
 that injecting hooks into the scripting environment a component runs in (such 
 as by replacing methods on global protototypes) can allow the shadow root to 
 be accessed even if no explicit access is given. I agree. This is not 
 addressed with simple forms of Type 2 encapsutation. It is a non-goal for 
 Type 2.
 
 I'd like to understand what differentiates simple forms of Type 2 
 encapsulation from other potential forms that still meet the Type 2 
 criteria. Can you walk me through an example and show how they would be used 
 in a framework?

Type 4 encapsulation would also meet the Type 2 criteria, for example.

The difference is that with simple Type 2 you do not attempt to protect 
against a pre-poisoned scripting environment. I would be satisfied with Type 4 
(if it's usable) but it is much harder to spec as you need it to give rigorous 
security guarantees.

  
 This is fraught.
 
 Calling something fraught is not an argument.
 
 Good news! I provided an argument in the following sentence to help 
 contextualize my conclusion and, I had hoped, lead you to understand why I'd 
 said that.

Your argument seems to be based on an incorrect premise.

  
 To get real ocap-style denial of access to the shadow DOM, we likely need to 
 intercept and check all DOM accesses. Is the system still usable at this 
 point? It's difficult to know. In either case, a system like caja *can* 
 exist without explicit supportwhich raises the question: what's the 
 goal? Is Type 2 defined by real denial of access? Or is the request for a 
 fig-leaf (perception of security)?
 
 Type 2 is not meant to be a security mechanism.
 
 I'd like to see an example of Type 2 isolation before I agree to that.
  
 It is meant to be an encapsulation mechanism. Let me give a comparison. Many 
 JavaScript programmers choose to use closures as a way to store private data 
 for objects. That is an encapsulation mechanism. It is not, in itself, a hard 
 security mechanism. If the caller can hook your global environment, and for 
 example modify commonly used Object methods, then they may force a leak of 
 your data.
 
 A closure is an iron-clad isolation mechanism for object ownership with 
 regards to the closing-over function object. There's absolutely no iteration 
 of the closed-over state of a function object; any such enumeration would be 
 a security hole (as with the old Mozilla object-as-param-to-eval bug). You 
 can't get the value of foo in this example except with the consent of the 
 returned function:
 
 var maybeVendFoo = function() {
   var foo = 1;
   return function(willMaybeCall) {
 if (/* some test */) { willMaybeCall(foo); }
   }
 };
 
 Leakage via other methods can be locked down by the first code to run in an 
 environment (caja does this, and nothing prevents it from doing this for SD 
 as it can pre-process/filter scripts that might try to access internals).

Caja is effective for protecting a page from code it embeds, since the page can 
have a guarantee that its code is the first to run. But it cannot be used to 
protect embedded code from a page, so for example a JS library cannot guarantee 
that objects it holds only in closure variables will not leak to the 
surrounding page. This is exactly analogous to shadow DOM leakage via DOM 
methods.

 
 Getting to closure-strength encapsulation means neutering all potential 
 DOM/CSS access. Maybe I'm dense, but that seems stronger than the simple 
 form of Type 2.

That seems like a false conclusion to me given the above.

 
 If you're making the case that it might be helpful to folks trying to 
 implement Type 4 if the platform gave them a way to neuter access without so 
 much pre-processing/runtime-filtering, I could take that as an analog with 
 marking things non-configurable in ES. But it seems you think there's an 
 interim point that developers will use directly. I don't understand that and 
 would like to.

I don't believe Type 4 can be implemented on top of Type 1 with a 
pre-processing/runtime-filtering strategy. It would require additions to the 
platform. Filtering cannot create a two-way distrust boundary, only one-way. 
You would need a mutually trusted agent

Re: [webcomponents] Encapsulation and defaulting to open vs closed (was in www-style)

2014-02-11 Thread Maciej Stachowiak


On Feb 11, 2014, at 3:29 PM, Dimitri Glazkov dglaz...@chromium.org wrote:

  
 Dimitri, Maciej, Ryosuke - is there a mutually agreeable solution here?
 
 I am exactly sure what problem this thread hopes to raise and whether there 
 is a need for anything other than what is already planned.

In the email Ryosuke cited, Tab said something that sounded like a claim that 
the WG had decided to do public mode only:

http://lists.w3.org/Archives/Public/www-style/2014Feb/0221.html
Quoting Tab:
 The decision to do the JS side of Shadow DOM this way was made over a
 year ago.  Here's the relevant thread for the decision:
 http://lists.w3.org/Archives/Public/public-webapps/2012OctDec/thread.html#msg312
 (it's rather long) and a bug tracking it
 https://www.w3.org/Bugs/Public/show_bug.cgi?id=19562.

I can't speak for Ryosuke but when I saw this claim, I was honestly unsure 
whether there had been a formal WG decision on the matter that I'd missed. I 
appreciate your clarification that you do not see it that way.


Quoting Dmitri again:
 The plan is, per thread I mentioned above, is to add a flag to 
 createShadowRoot that hides it from DOM traversal APIs and relevant CSS 
 selectors: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144.

That would be great. Can you please prioritize resolving this bug[1]? It has 
been waiting for a year, and at the time the private/public change was made, it 
sounded like this would be part of the package.

It seems like there are a few controversies that are gated on having the other 
mode defined:
- Which of the two modes should be the default (if any)?
- Should shadow DOM styling primitives be designed so that they can work for 
private/closed components too?

Regards,
Maciej

[1] Incidentally, if you find the word private problematic, we could call the 
two modes open and closed, then someday the third mode can be secure or 
sandboxed

Re: [webcomponents] Encapsulation and defaulting to open vs closed (was in www-style)

2014-02-11 Thread Maciej Stachowiak


On Feb 11, 2014, at 4:04 PM, Dimitri Glazkov dglaz...@chromium.org wrote:

 On Tue, Feb 11, 2014 at 3:50 PM, Maciej Stachowiak m...@apple.com wrote:
 
 On Feb 11, 2014, at 3:29 PM, Dimitri Glazkov dglaz...@chromium.org wrote:
 
  
 Dimitri, Maciej, Ryosuke - is there a mutually agreeable solution here?
 
 I am exactly sure what problem this thread hopes to raise and whether there 
 is a need for anything other than what is already planned.
 
 In the email Ryosuke cited, Tab said something that sounded like a claim that 
 the WG had decided to do public mode only:
 
 http://lists.w3.org/Archives/Public/www-style/2014Feb/0221.html
 Quoting Tab:
 The decision to do the JS side of Shadow DOM this way was made over a
 year ago.  Here's the relevant thread for the decision:
 http://lists.w3.org/Archives/Public/public-webapps/2012OctDec/thread.html#msg312
 (it's rather long) and a bug tracking it
 https://www.w3.org/Bugs/Public/show_bug.cgi?id=19562.
 
 I can't speak for Ryosuke but when I saw this claim, I was honestly unsure 
 whether there had been a formal WG decision on the matter that I'd missed. I 
 appreciate your clarification that you do not see it that way.
 
 
 Quoting Dmitri again:
 The plan is, per thread I mentioned above, is to add a flag to 
 createShadowRoot that hides it from DOM traversal APIs and relevant CSS 
 selectors: https://www.w3.org/Bugs/Public/show_bug.cgi?id=20144.
 
 That would be great. Can you please prioritize resolving this bug[1]? It has 
 been waiting for a year, and at the time the private/public change was made, 
 it sounded like this would be part of the package.
 
 Can you help me understand why you feel this needs to be prioritized? I mean, 
 I don't mind, but it would be great if I had an idea on what's the driving 
 force behind the urgency?

(1) It blocks the two dependent issues I mentioned.
(2) As a commenter on a W3C spec and member of the relevant WG, I think I am 
entitled to a reasonably prompt level of response from a spec editor. This bug 
has been open since November 2012. I think I have waited long enough, and it is 
fair to ask for some priority now. If it continues to go on, then an outside 
observer might get the impression that failing to address this bug is 
deliberate stalling. Personally, I prefer to assume good faith, and I think you 
have just been super busy. But it would show good faith in return to address 
the bug soon.

Note: as far as I know there is no technical issue or required feedback 
blocking bug 20144. However, if there is any technical input you need, or if 
you would find it helpful to have a spec diff provided to use as you see fit, I 
would be happy to provide such. Please let me know!

 
 It seems like there are a few controversies that are gated on having the 
 other mode defined:
 - Which of the two modes should be the default (if any)?
 
 This is re-opening the old year-old discussion, settled in 
 http://lists.w3.org/Archives/Public/public-webapps/2013JanMar/thread.html#msg800,
  right? 

I'm not sure what you mean by settled. You had a private meeting and the 
people there agreed on what the default should be. That is fine. Even using 
that to make a provisional editing decision seems fine. However, I do not 
believe that makes it settled for purposes of the WG as a whole. In 
particular, I have chosen not to further debate which mode should be the 
default until both modes exist, something that I've been waiting on for a 
while. I don't think that means I lose my right to comment and to have my 
feedback addressed. 

In fact, my understanding of the process is this: the WG is required to address 
any and all feedback that comes in at any point in the process. And an issue is 
not even settled to the point of requiring explicit reopening unless there is a 
formal WG decision (as opposed to just an editor's decision based on their own 
read of input from the WG.)


  
 - Should shadow DOM styling primitives be designed so that they can work for 
 private/closed components too?
 
 Sure. The beauty of a hidden/closed mode is that it's a special case of the 
 open mode, so we can simply say that if a shadow root is closed, the 
 selectors don't match anything in that tree. I left the comment to that 
 effect on the bug.

Right, but that leaves you with no styling mechanism that offers more 
fine-grained control, suitable for use with closed mode. Advocates of the 
current styling approach have said we need not consider closed mode at all, 
because the Web Apps WG has decided on open mode. If what we actually decided 
is to have both (and that is my understanding of the consensus), then I'd like 
the specs to reflect that, so the discussion in www-style can be based on facts.

As a more basic point, mention of closed mode to exclude it from /shadow most 
likely has to exist in the shadow styling spec, not just the Shadow DOM spec. 
So there is a cross-spec dependency even if no new constructs are added.


Thank you for your

Re: Officially deprecating main-thread synchronous XHR?

2014-02-07 Thread Maciej Stachowiak


On Feb 7, 2014, at 9:32 AM, Scott González scott.gonza...@gmail.com wrote:

 What about developers who are sending requests as the page is unloading? My 
 understanding is that sync requests are required. Is this not the case?

Besides the proposed Beacon API, if you don't need to do a POST then you can 
use an img element created at unload time - a load initiated this way will 
generally survive unloading the page.

 - Maciej

 
 On Friday, February 7, 2014, Anne van Kesteren ann...@annevk.nl wrote:
 On Fri, Feb 7, 2014 at 6:18 PM, Jonas Sicking jo...@sicking.cc wrote:
  Agreed. I think for this to be effective we need to get multiple browser
  vendors being willing to add such a warning. We would also need to add text
  to the various versions of the spec (whatwg and w3c).
 
 For what it's worth, was done when Olli brought this up in #whatwg:
 http://xhr.spec.whatwg.org/#sync-warning
 
 
 --
 http://annevankesteren.nl/

Re: Officially deprecating main-thread synchronous XHR?

2014-02-07 Thread Maciej Stachowiak


On Feb 7, 2014, at 9:18 AM, Jonas Sicking jo...@sicking.cc wrote:

 On Feb 7, 2014 8:57 AM, Domenic Denicola dome...@domenicdenicola.com 
 wrote:
 
  From: Olli Pettay olli.pet...@helsinki.fi
 
   And at least we'd improve responsiveness of those websites which stop 
   using sync XHR because of the warning.
 
  I think this is a great point that makes such an effort worthwhile even if 
  it ends up not leading to euthanizing sync XHR.
 
 Agreed. I think for this to be effective we need to get multiple browser 
 vendors being willing to add such a warning. We would also need to add text 
 to the various versions of the spec (whatwg and w3c).
 
 Which browsers are game? (I think mozilla is). Which spec editors are?
 

I usually hate deprecation warnings because I think they are ineffective and 
time-wasting. But this case may be worthy of an exception. In addition to 
console warnings in browsers and the alert in the spec, it might be useful to 
have a concerted documentation and outreach effort (e.g. blog posts on the 
topic) as an additional push to get Web developers to stop using sync XHR.

Regards,
Maciej

Re: Background sync push messaging: declarative vs imperative

2014-01-03 Thread Maciej Stachowiak


On Jan 2, 2014, at 9:33 AM, John Mellor joh...@google.com wrote:

 On Thu, Dec 19, 2013 at 9:32 PM, Maciej Stachowiak m...@apple.com wrote:
 
 On Dec 19, 2013, at 9:02 AM, John Mellor joh...@google.com wrote:
 
 [cross-posted to public-webapps and public-sysapps]
 
 A couple of us from Chrome have taken a holistic look at how we could add 
 standardized APIs for web apps to execute/sync in the background.
 
 This is an important capability, yet can be safely granted to low-privilege 
 web apps, as long as battery consumption and metered data usage are (very) 
 carefully limited.
 
 Running arbitrary JS in the background, without the relevant page open, and 
 with full networking capabilities, does not seem safe to me. How did you 
 conclude that this capability can safely be granted to low-privilege web apps?
 
 Good question (and great examples!). Low-privilege is relative - I did not 
 intend that any website could use this without asking; instead some 
 combination of heuristics like the following might be required:
 user added webapp to their homescreen (or bookmarked it?)
Bookmarking doesn't give the feel of an install operation so it seems poor to 
tie it to elevated privileges (as opposed to something like an install 
operation from a curated store).
 user frequently visits webapp domain
That's frighteningly implicit and would also prevent webapps from using this 
mechanism for sync until after the user has used the webapp more than some 
threshold, which gives a poor out-of-the-box experience if sync is a key 
feature.
 user accepted permission dialog/infobar
Explicit permission seems poor for this because the consequences are too subtle 
to understand easily (unlike, say, granting access to geolocation where the 
consequence is obvious and understandable).

 Some of the specific threats I'd be concerned about include:
 
 (1) An attacker could use this capability to spread a botnet that can be used 
 to mount DDOS attacks or to perform offline distributed computations that are 
 not in the user's interest, without needing a code execution exploit or 
 sandbox escape.
 
 Some mitigating factors:
 The same-origin policy would apply as usual, so you'd only be able to DDOS 
 hosts that allow CORS (and the apps own host).
The network request is issued before the browser knows whether CORS is allowed, 
so that would not be a mitigation (unless DDOS specifically requires non-GET 
methods or reading the response).
 Both network requests and computations (Bitcoin mining?) would be heavily 
 throttled by the browser in order to conserve battery; if we base the 
 throttling on how often the webapp is used, and penalise expensive background 
 syncs, it would be possible to enforce that total execution time in the 
 background is limited to some small multiple (possibly even 1x or below) of 
 the total execution time in the foreground.
It seems like such a limit would make it hard to use the feature for the 
posited use cases because it would be unreliable.
 
 (2) An attacker could use this capability to widely spread an innocuous 
 looking background service which, based on remote command-and-control, 
 attempts zero-day exploits against the user's browser at a time of the 
 attacker's choosing. This can happen without visiting the malicious site, 
 indeed, while a user doesn't have a browser open, and can possibly happen 
 faster than even the fastest-updating browser could plausibly patch.
  
 Yes, this is a subtle downside of the imperative approach. For frequently 
 used apps it probably doesn't make a huge difference; conversely if we 
 stopped syncing completely for apps that haven't been used in a long time, 
 this concern might be minimized.

For the posited use cases, the time limit probably needs to be long enough that 
your apps won't stop working after a reasonable but long vacation. That would 
still be a bigger window of opportunity for attack than a one-time visit.

  
 These both seem unsafe to me, compared to the security of the Web as it 
 stands today. And I don't think a permissions dialog would be a sufficient 
 mitigation, since it is hard to explain the danger to users.
 
 On the other hand, native apps can already do both of the above unsafe 
 activities, and installing them is effectively just a permissions dialog 
 away. App store review processes may filter out undesirable behavior in the 
 static parts of apps, but struggle to keep up with dynamically-updating 
 content, e.g. in embedded WebViews.

There's a few relevant differences between apps (particularly installed via an 
app store) and webpages besides review:

(1) Users have different expectations of what apps and webpages can do.
(2) Apps generally have a way to uninstall, after which they stop affecting 
your system. For webpages, there generally isn't an uninstall operation other 
than just closing the page.
(3) At least app stores require personally identifying information such as a 
credit card to get a developer

Re: Passsword managers and autocomplete='off'

2013-12-17 Thread Maciej Stachowiak


On Dec 17, 2013, at 11:21 AM, Joel Weinberger j...@chromium.org wrote:

 Thanks for the feedback, everyone. A few people at this point have suggested 
 emailing the wha...@whatwg.org list since this is really an HTML feature; 
 I'll do that in a few. In response to Ian's question, I'm referring to the W3 
 WebForms standard: http://www.w3.org/Submission/web-forms2/#the-autocomplete

That is pretty out of date and not a standards track document.


 
 
 Safari has similar behavior available as anon-default user preference: Allow 
 AutoFill even for websites that request passwords not be saved. Even with 
 this setting enabled, some user interaction is required both to save and to 
 fill. We agree that on net, refusing to autofill passwords harms security.
 As of yesterday, in Chrome Canary, it is now a flag that users can turn on as 
 well. Not quite the menu option it is in Safari, but an option nonetheless. 
 
 We did not make it the default, because website owners have objections to 
 bypassing autofill=off as a default behavior. The primary types of objections 
 are:
 
 (1) Public computer scenarios. Accidentally saving a password on a shared 
 or public computer may endanger the user's account.
 The browser saving passwords seems like the least of concerns with public 
 computers :-P From our perspective, given that key loggers etc are a big 
 threat on a public computer, we don't consider the benefit here to outweigh 
 the overall user benefit of having managed passwords.
  
 (2) Casual walk-up attacks, for example temporary access to a friend's or 
 relative's computer. AKA friendly fraud.
 Similar to the public computer case, from our perspective, this benefit 
 doesn't seem to outweigh the benefit of having more complex, managed 
 passwords.
 
 I should also mention that, in general, Chrome explicitly does not consider a 
 physically local attacker in our threat model.

To be clear, I'm not saying I agree with these reasons. But these are the 
reasons some major financial or shopping sites state when asked why they use 
autocomplete=off. We have mentioned counter-arguments nearly identical to what 
you say, and in most cases, the site operators were not persuaded. (We did not 
say we explicitly don't consider physically local attackers, as we do give it 
some consideration; though obviously we cannot protect against a sufficiently 
determined attacker with physical access.)

I also forgot to mention:
(3) At least some sites believe that consumer finance regulations require them 
to use autocomplete=off. They believe their requirement to protect the user's 
authentication information and prevent it from being accessed by third parties 
extends to preventing passwords from being automatically stored on the user's 
computer.

 
 At least some website operators (often for financial or shopping sites) are 
 more worried about these threats than about the risk of users using lower 
 quality or shared passwords. This factor is magnified in Safari where we 
 suggest autogenerated per-site random passwords, but only if we can autofill 
 them.
 This is precisely our concern. We believe the priorities of website operators 
 are badly misplaced. There is a huge amount of evidence of the problems with 
 non-complex passwords (see various password database leaks of late), and 
 extremely low evidence of the prevalence of these various local attacker 
 threats. We applaud Safari's generated password management and believe it is 
 the best interest of our users to make their passwords more complex for all 
 of the web.
 
 It's also the case that by prioritizing the request of the website over the 
 desire of users to manage their passwords, we are violating the Priority of 
 Constituencies. I suppose that by offering a flag we are somewhat skirting 
 around that, but I don't consider it a real option.

I largely agree with this.

 
 I do not know if we can collectively assuage the worries of sites that use 
 autocomplete=off. So far, though, I'm not aware of any complaints about our 
 non-default setting to bypass it.
 I'm not sure we can convince website operators of anything like this without 
 making the change happen and demonstrating the world won't collapse. I 
 suspect that a lot of this is a fear of the unknown. 

The sites that are concerned about password autocomplete have at least two 
possible actions they could take that made us hesitant to flip the default:

(A) They could blacklist browsers that ignore autocomplete=off - this has been 
explicitly threatened in the past. It's also been claimed that, even if the 
sites did not want to do this, regulatory bodies would require them to do so 
because of point #3 above.

(B) They could reimplement password input from scratch (using script and not 
using a real password field) in a way that evades browser autocomplete 
heuristics. This would be bad because it would prevent even off-by-default 
autocomplete=off bypass from working.

For these reasons, we

Re: [webcomponents] Auto-creating shadow DOM for custom elements

2013-12-14 Thread Maciej Stachowiak


On Dec 7, 2013, at 3:31 PM, Dominic Cooney domin...@google.com wrote:

 
 It's not reasonable to require developers to write the above super tricky 
 line of code. It involves at least four different concepts and is easy to get 
 subtly wrong.
 
 For example, when I wrote my first component (after much reading of docs), I 
 did this, which has at least two bugs[1]:
 
 shadow = this.createShadowRoot(this);
 shadow.appendChild(template.content.cloneNode(true));
 
 One of these bugs was copied from the Web Components Primer even.
 
 I assume you are referring to the Explainer (if not, could you please provide 
 a link.) I am the editor of the Explainer. Please file a bug. In some areas 
 the Explainer is out of date.

I meant the document titled Introduction to Web Components. It's the document 
here: http://w3c.github.io/webcomponents/explainer/. At first I did not know 
what you meant by Explainer but I see now that the URL contains that.

 
 I do not find either of those lines in the Explainer. But I could surmise 
 that you are referring to using cloneNode instead of importNode. No doubt 
 your bug will explain what you mean.

The specific lines are:

this._root = this.createShadowRoot();
this._root.appendChild(template.content.cloneNode());

And yes, the issue is that cloneNode() is not a best practice since in general 
the template might be imported. (I don't think we should recommend to authors 
that they pick cloneNode vs importNode on a case-by-case basis). 

I'm not sure offhand how to file a bug against this document but if you point 
me to the right bug tracker and component I'll be glad to do so. It

Another bug I noticed: the callback is named readyCallback instead of 
createdCallback.

Note: it appears that everywhere a shadow root is created in the Introduction, 
it's immediately followed by cloning a template into its contents. The intro 
certainly seems to assume they will be used together, despite the objections to 
making that path more convenient. And similar boilerplate appears over and over.

As an alternate suggestion, and one that might dodge the subclassing issues, 
perhaps createShadowRoot could take an optional template argument and clone it 
automatically. Then this:

this._root = this.createShadowRoot();
this._root.appendChild(template.content.cloneNode());

Could turn into this:

this._root = this.createShadowRoot(template);

Which is quite a bit simpler, and involves fewer basic contents.


  
 In practice, the code delta is going to be more than one line, if you want to 
 avoid polluting the global namespace.
 
 Here is my attempt at writing a trivial component with Custom Elements, 
 Shadow DOM and Templates as they exist today. Note that this works in Chrome 
 Canary as of a week ago with experimental web features turned on:
 
 
 
 
 I sincerely tried to minimize verbosity as much as possible, without 
 introducing gratuitous namespace pollution or sacrificing clarity.
 
 Key lines:
 
 !-- custom element definition --
 script
 (function () {
 var prototype = Object.create(HTMLElement.prototype);
 var template = document.getElementById(rainbow-span-template);
 
 prototype.createdCallback = function() {
 var shadow = this.createShadowRoot(this);
 shadow.appendChild(template.content.cloneNode(true));
 }
 
 document.register(rainbow-span, {prototype: prototype});
 })();
 /script
 
 
 Here is how it would look with the proposed 'template' parameter to 
 document.register:
 
 
 
 
 This replaces 9 rather non-obvious non-blank lines of code with 1:
 
 !-- custom element definition --
 script
 document.register(rainbow-span, {template: 
 document.getElementById(rainbow-span-template)});
 /script
 
 
 Now, obviously things will get more complicated with components that do need 
 to run code on creation beyond the basics. But I believe there will be 
 substantial complexity savings. To make this work properly for more complex 
 cases, the createCallback would need to take
 
 
 [1] (a)Forgot to var-declare shadow; (b) used cloneNode instead of importNode 
 which would be wrong in case of a template from an import document.
 
 
 
  Web components are part of the extensible web concept where we provide a 
  minimal subset of features necessary for opinionated frameworks to build 
  things on top. Supporting template in document.register is easily done in 
  script, so I believe it's better left to developers as they're better at 
  building frameworks than we are.
 
  In either case, that's something we can always add later so it shouldn't 
  stand in the way of the current spec.
 
 The spec as it is makes it gratuitously complicated to create a basic 
 component. As my examples above demonstrate, this would be a significant 
 improvement in developer ergonomics and reduction of learning curve for a 
 modest increase in

Re: [custom elements] Improving the name of document.register()


Thanks, Google folks, for considering a name to document.register. Though a 
small change, I think it will be a nice improvement to code clarity.

Since we're bikeshedding, let me add a few more notes in favor of defineElement 
for consideration:

1) In programming languages, you would normally say you define or declare a 
function, class structure, variable, etc. I don't know of any language where 
you register a function or class. Defining a custom element seems parallel to 
these cases. It is true that one registers a COM object. At first glance, 
that may seem like an analogous operation, but I don't think it really is. COM 
registration is usually done out of band by a separate tool, not by the program 
itself at runtime.

2) registerElement sounds kind of like it would take an instance of Element and 
register it for some purpose. defineElement sounds more like it is introducing 
a new kind of element, rather than registering a concrete instance of an 
element..

3) If we someday define a standardized declarative equivalent (note that I'm 
not necessarily saying we have to do so right now), defineElement has more 
natural analogs. For example, a define or definition element would convey 
the concept really well. But a register or registration or even 
register-element element would be a weird name.

4) The analogy to registerProtocolHandler is also not a great one, in my 
opinion. First, it has a different scope - it is on navigator and applies 
globally for the UI, rather than being on document and having scope limited to 
that document. Second, the true parallel to registerProtocolHandler would be 
registerElementDefinition. After all, it's not just called registerProtocol. 
That would be an odd name. But defineElement conveys the same idea as 
registerElementDefinition more concisely. The Web Components spec itself says 
Element registration is a process of adding an element definition to a 
registry.

5) Register with the parser is not a good description of what 
document.register does, either. It has an effect regardless of whether elements 
are created with the parser. The best description is what the custom elements 
spec itself calls it

I feel that the preference for registerElement over defineElement may partly be 
inertia due to the old name being document.register. Think about it - is 
registerElement really the name you'd come up with, starting from a blank 
slate? I hope you will give more consideration to defineElement (which seems to 
be the most preferred candidate among the non-register-based names).

Thanks,
Maciej


On Dec 12, 2013, at 10:09 PM, Dominic Cooney domin...@google.com wrote:

 
 
 
 On Fri, Dec 13, 2013 at 2:29 AM, Brian Kardell bkard...@gmail.com wrote:
 
 On Dec 11, 2013 11:48 PM, Ryosuke Niwa rn...@apple.com wrote:
 
 
  On Dec 11, 2013, at 6:46 PM, Dominic Cooney domin...@google.com wrote:
 
 ...
  El 11/12/2013 21:10, Edward O'Connor eocon...@apple.com escribió:
 
  Hi,
 
  The name register is very generic and could mean practically anything.
  We need to adopt a name for document.register() that makes its purpose
  clear to authors looking to use custom elements or those reading someone
  else's code that makes use of custom elements.
 
  I think the method should be called registerElement, for these reasons:
 
  - It's more descriptive about the purpose of the method than just 
  register.
  - It's not too verbose; it doesn't have any redundant part.
  - It's nicely parallel to registerProtocolHandler.
 
 
  I'd still refer declareElement (or defineElement) since registerElement 
  sounds as if we're registering an instance of element with something.  
  Define and declare also match SGML/XML terminologies.
 
  - R. Niwa
 
 
 Define/declare seem a little confusing because we are in the imperative space 
 where these have somewhat different connotations.  It really does seem to me 
 that conceptually we are registering (connecting the definition) with the 
 parser or something.  For whatever that comment is worth. 
 
 While there's no consensus, I think this thread expresses a slightly stronger 
 preference for registerElement than other proposals. I have filed this bug 
 suggesting registerElement.
 
 https://www.w3.org/Bugs/Public/show_bug.cgi?id=24087
 
 Dominic

Re: Passsword managers and autocomplete='off'


On Dec 12, 2013, at 11:20 AM, Joel Weinberger j...@chromium.org wrote:

 Hi all. For a while now, we have wanted on Chrome to ignore 
 autocomplete='off' for password fields for the password manager. We believe 
 that the current respect for autocomplete='off' for passwords is, in fact, 
 harming the security of users by making browser password managers 
 significantly less useful than they should be, thus discouraging their 
 adoption, making it difficult for users to generate, store, and use more 
 complex or (preferably) random passwords. Additionally, the added benefit of 
 autocomplete='off' for security is questionable at best.
 
 We believe that our implementation of this ignore functionality actually 
 falls within the letter of the web-forms standard. A user's password save for 
 an autocomplete='off' field requires a user interaction to save (we do not do 
 it automatically), which ultimately is not different than a copy/paste 
 approach from the user. Additionally, we have taken precautions against 
 password harvesting via XSS. We do not autofill into the DOM until the user 
 has made a gesture (click, keypress, etc.) within the page, and we never 
 autofill into iframe forms (we wait for a user to explicitly select their 
 username from a dropdown).
 
 Part of the issue here is that autocomplete='off' is overloaded. It is 
 simultaneously meant to denote a secure or sensitive field *or* that a 
 field's completion will be handled by the application itself. Thus, we are 
 not proposing to ignore autocomplete='off' for our form fill as there are 
 many places where the application itself creates a suggestion box, and we 
 have no desire to override that functionality. Rather, we care about the 
 sensitive use, which in the case of password fields, is already denoted by 
 the input type='password'.
 
 In the latest version of Chrome (currently in our Canary build), we have 
 already implemented this feature. However, we will putting in behind a flag 
 shortly so that it is not the default, but to still allow users to opt into 
 this. We hope to make this the default for users in the not very distant 
 future.
 
 What are this group's thoughts on this? Any particular concerns with this 
 approach? While we believe that we are within the letter of the standards in 
 our approach, we would love to see this made explicitly clear in the 
 standards and hopefully see other browsers adopt this in the future, as we 
 believe it is in the security interests of all users.

Safari has similar behavior available as anon-default user preference: Allow 
AutoFill even for websites that request passwords not be saved. Even with this 
setting enabled, some user interaction is required both to save and to fill. We 
agree that on net, refusing to autofill passwords harms security.

We did not make it the default, because website owners have objections to 
bypassing autofill=off as a default behavior. The primary types of objections 
are:

(1) Public computer scenarios. Accidentally saving a password on a shared or 
public computer may endanger the user's account.
(2) Casual walk-up attacks, for example temporary access to a friend's or 
relative's computer. AKA friendly fraud.

At least some website operators (often for financial or shopping sites) are 
more worried about these threats than about the risk of users using lower 
quality or shared passwords passwords. This factor is magnified in Safari where 
we suggest autogenerated per-site random passwords, but only if we can autofill 
them.

I do not know if we can collectively assuage the worries of sites that use 
autocomplete=off. So far, though, I'm not aware of any complaints about our 
non-default setting to bypass it.

Regards,
Maciej

Custom form elements (was Re: [webcomponents] Inheritance in Custom Elements (Was Proposal for Cross Origin Use Case and Declarative Syntax))


On Dec 7, 2013, at 4:38 PM, Dominic Cooney domin...@google.com wrote:

 
 
 Built-in HTML elements have lots of hooks to modify their behaviour (for 
 example, HTMLVideoElement's autoplay attribute.) The analogy is extending a 
 Java class which has private and public final members, but no protected or 
 public non-final ones.
 
 If someone were to make proposals about adding more hooks to the web platform 
 to enable more subtyping use cases (for example, a protocol for participating 
 in form submission) I would look forward to working with them on those 
 proposals.

Let's say you have the ability to define a custom element inheriting from a 
form element, but completely replace its rendering and behavior with custom 
shadow DOM.

Is that actually sufficient to participate correctly in form submission? I 
don't think it is. In particular, I don't see how a custom element could 
inherit from HTMLInputElement, fully support the interface, and correctly 
submit a value that is specified via a completely custom mechanism.

Also, even if it worked, inheriting from HTMLInputElement is a particularly 
clunky approach to participating in form submission. To actually correctly 
support the interface, you need your component to support every input type. But 
that is way overkill if you only want to replace a single kind of input, or 
define a new type of your own. The more convenient approach would be to ignore 
type-switching and as a consequence make a subclass that does not respect the 
Liskov Substituton Principle and is therefore bad OO.

I think giving custom elements a specific API for participating in form 
submission, to enable defining new kinds of form elements, would be a better 
approach to this problem and ultimately easier to use. It is also much more 
relevant as a way to explain how the way the Web platform works. Built-in 
form elements participate in form submission by having special hooks to 
participate in form submission, not by inheriting from other form elements.

Regards,
Maciej

Re: [webcomponents] Inheritance in Custom Elements (Was Proposal for Cross Origin Use Case and Declarative Syntax)


On Dec 10, 2013, at 12:24 PM, Elliott Sprehn espr...@chromium.org wrote:

 
 On Tue, Dec 10, 2013 at 8:00 AM, Anne van Kesteren ann...@annevk.nl wrote:
 On Tue, Dec 10, 2013 at 3:54 PM, Boris Zbarsky bzbar...@mit.edu wrote:
  On 12/10/13 10:34 AM, Anne van Kesteren wrote:
  E.g. the dialog's close() method won't work as defined
  right now on a subclass of HTMLDialogElement.
 
  Why not?
 
  I assumed that actual ES6 subclassing, complete with invoking the right
  superclass @@create, would in fact produce an object for which this would
  work correctly.  At least any situation that doesn't lead to that is a
  UA/spec bug.
 
 Well for one because the specification at the moment talks about a
 dialog element and does not consider the case where it may have been
 subclassed. The pending dialog stack is also for dialog elements
 only, not exposed in any way, etc. The way the platform is set up at
 the moment is very defensive and not very extensible.
 
 
 When extending native elements like that you use type extensions, so it'd be 
 dialog is=my-subclass and the tagName is still DIALOG. Registering 
 something that extends HTMLDialogElement but isn't a type extension of 
 dialog does not work, in the same way that doing __proto__ = HTMLDivElement 
 doesn't magically make you into a div today.

The document.register method does not seem to support what you describe as 
currently spec'd, but does have an API doing the thing that won't actually 
work, i.e. registering my-subclass to be a subclass of HTMLDialogElement.

Regards,
Maciej

Re: [webcomponents] Auto-creating shadow DOM for custom elements


On Dec 9, 2013, at 11:13 AM, Scott Miles sjmi...@google.com wrote:

 Domenic Denicola a few messages back gave a highly cogent explanation of the 
 exact line of thinking arrived at last time we went through all this 
 material. 
 
 I'm not wont to try to summarize it here, since he said it already better 
 there. Perhaps the short version is: nobody knows what the 'standard use 
 case' is yet.
 
 In previous adjudications, the straw that broke that camel's back was with 
 respect to handling auto-generation with inheritance. Shadow-roots may need 
 to be generated for each entry in the inheritance chain. Having the system 
 perform this task takes it out of the control of the user's code, which 
 otherwise has ability to modulate calls to super-class methods and manage 
 this process.
 
 class XFoo {
   constructor_or_createdCallback: function() {
 // my shadowRoot was auto-generated
 this.doUsefulStuffLikeDatabinding(this.shadowRoot);
   }
 }
 
 class XBar extends XFoo {
   constructor_or_createdCallback: function() {
 super(); // uh-oh, super call operates on wrong shadowRoot
   }
 }

If the shadow root is optionally automatically generated, it should probably be 
passed to the createdCallback (or constructor) rather than made a property 
named shadowRoot. That makes it possible to pass a different shadow root to 
the base class than to the derived class, thus solving the problem.

Using an object property named shadowRoot would be a bad idea in any case 
since it automatically breaks encapsulation. There needs to be a private way to 
store the shadow root, either using ES6 symbols, or some new mechanism specific 
to custom elements. As it is, there's no way for ES5 custom elements to have 
private storage, which seems like a problem. They can't even use the closure 
approach, because the constructor is not called and the methods are expected to 
be on the prototype. (I guess you could create per-instance copies of the 
methods closing over the private data in the created callback, but that would 
preclude prototype monkeypatching of the sort built-in HTML elements allow.)

Regards,
Maciej

Re: [webcomponents] Auto-creating shadow DOM for custom elements


On Dec 7, 2013, at 1:29 PM, Domenic Denicola dome...@domenicdenicola.com 
wrote:

 From: Brendan Eich [mailto:bren...@secure.meer.net] 
 
 Requiring this kind of boilerplate out of the gave is not:
 
 this.createShadowRoot().appendChild(document.importNode(template.contents));
 
 Wanting to avoid this kind of boilerplate is not a stab in the dark. 
 Why can't we avoid it, even with separate specs that compose well? Part of 
 composing well is not requiring excessive boilerplate.
 
 Part of the issue is that I don't think that's the boilerplate people will be 
 using, uniformly. Adding a line to eliminate *that* boilerplate doesn't help 
 all the other cases, e.g. ones without a shadow DOM but instead a normal DOM, 
 or ones which don't use a template, or which don't use an imported template, 
 or which use multiple nodes. There are lots of ways to create a 
 fully-functioning custom element, and assuming that it will be done via a 
 single imported template element put into a shadow DOM seems like a stab in 
 the dark to me.

In what way does that require using an imported template element specifically, 
as opposed to any template whatsoever? Note that importNode will DTRT whether 
the template comes from another document or not. Or even if I'm mistaken and it 
does not, you could specify that the template contents are cloned into the 
right document whether it was imported or not.

Note also that using normal DOM instead of shadow DOM can be served by never 
using the optional feature (or by making a lightdom-template version if using 
custom elements with normal DOM becomes popular).

Constructing shadow DOM programmatically can also be served by not using the 
optional feature, or by 


 The other aspect of my critique was that scenario-solving this particular use 
 case isn't very useful in light of the large number of other things people 
 will be building out of our building blocks. Why assume this scenario is more 
 common than, say, HTML imports + template elements? Why not add sugar for 
 that? There's a lot of possible combinations that could benefit from some 
 unifying sugar, but we just don't know which of them are actually useful yet.

It's fine to allow those other things. It just seems like using all three of 
Custom Elements, Shadow DOM and Templates could be smoothed out without 
precluding those other options. It also seems like Polymer uses those three 
things together, so it seems unlikely that no one will do it. Using these three 
technologies together is very natural and pretending otherwise seems like an 
excessive level of agnosticism to me.

BTW, I do think using HTML imports + template elements needs more sugar (there 
is no easy way afaik to instantiate a template defined in an imported 
document), but I am not sure it serves the same use cases.

Regards,
Maciej

Re: [custom elements] Improving the name of document.register()

2013-12-12 Thread Maciej Stachowiak

I like defineElement a lot too. I think it gets to the heart of this method's 
potential - the ability to define your own elements.

 - Maciej

 On Dec 11, 2013, at 6:46 PM, Dominic Cooney domin...@google.com wrote:
 
 On Thu, Dec 12, 2013 at 5:17 AM, pira...@gmail.com pira...@gmail.com wrote:
 I have seen registerProtocolHandler() and it's being discused 
 registerServiceWorker(). I believe registerElementDefinition() or 
 registerCustomElement() could help to keep going on this path.
 
 Send from my Samsung Galaxy Note II
 
 El 11/12/2013 21:10, Edward O'Connor eocon...@apple.com escribió:
 
 Hi,
 
 The name register is very generic and could mean practically anything.
 We need to adopt a name for document.register() that makes its purpose
 clear to authors looking to use custom elements or those reading someone
 else's code that makes use of custom elements.
 
 I support this proposal.
  
 Here are some ideas:
 
 document.defineElement()
 document.declareElement()
 document.registerElementDefinition()
 document.defineCustomElement()
 document.declareCustomElement()
 document.registerCustomElementDefinition()
 
 I like document.defineCustomElement() the most, but
 document.defineElement() also works for me if people think
 document.defineCustomElement() is too long.
 
 I think the method should be called registerElement, for these reasons:
 
 - It's more descriptive about the purpose of the method than just register.
 - It's not too verbose; it doesn't have any redundant part.
 - It's nicely parallel to registerProtocolHandler.
 
 If I had to pick from the list Ted suggested, I think defineElement is the 
 best of that bunch and also an improvement over just register. It doesn't 
 line up with registerProtocolHandler, but there's some poetry to 
 defineElement/createElement. 
 
 
 Ted
 
 P.S. Sorry for the bikeshedding. I really believe we can improve the
 name of this function to make its purpose clear.
 
 I searched for bugs on this and found none; I expect this was discussed but I 
 can't find a mail thread about it. The naming of register is something that's 
 been on my mind so thanks for bringing it up.
 
 Dominic

Re: Beacon API

2013-02-15 Thread Maciej Stachowiak


On Feb 15, 2013, at 3:51 AM, Ian Fette (イアンフェッティ) ife...@google.com wrote:

 Anne,
 
 Both Chrome and Safari support the ping attribute. I am not sure about IE, I 
 believe Firefox has it disabled by default. FWIW I wouldn't consider this a 
 huge failure, if anything I'd expect over time people to use ping where it's 
 supported and fallback where it's not, resulting in the same privacy tradeoff 
 for users of all browsers but better performance for some browsers than 
 others, which will eventually lead to a predictable outcome...

Are there any websites that use it, at least in the browsers that support it? 
Relative lack of web developer adoption so far makes it seem like a bad bet to 
make more features that do the same thing, unless we're confident that we know 
what was wrong with a ping in the first place.

 - Maciej

Re: Beacon API

2013-02-15 Thread Maciej Stachowiak


On Feb 15, 2013, at 9:21 PM, Maciej Stachowiak m...@apple.com wrote:

 
 On Feb 15, 2013, at 3:51 AM, Ian Fette (イアンフェッティ) ife...@google.com wrote:
 
 Anne,
 
 Both Chrome and Safari support the ping attribute. I am not sure about IE, I 
 believe Firefox has it disabled by default. FWIW I wouldn't consider this a 
 huge failure, if anything I'd expect over time people to use ping where it's 
 supported and fallback where it's not, resulting in the same privacy 
 tradeoff for users of all browsers but better performance for some browsers 
 than others, which will eventually lead to a predictable outcome...
 
 Are there any websites that use it, at least in the browsers that support it? 
 Relative lack of web developer adoption so far makes it seem like a bad bet 
 to make more features that do the same thing, unless we're confident that we 
 know what was wrong with a ping in the first place.

BTW as far as I know the best current nonblocking technique to phone home on 
unload is to create an img in your unload handler pointing to the ping URL, 
this will result in reliable delivery without blocking at least in IE and 
WebKit-based browsers. I've found it hard to convince even knowledgable web 
developers to use this technique or a ping over synchronous XHR, even sites 
that are otherwise willing to do Safari-specific optimizations. I am not sure 
why sync XHR in unload is so tantalizing.

Regards,
Maciej

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

2012-12-19 Thread Maciej Stachowiak


On Dec 18, 2012, at 6:44 AM, Anne van Kesteren ann...@annevk.nl wrote:

 On Tue, Oct 23, 2012 at 12:50 AM, Maciej Stachowiak m...@apple.com wrote:
 Based on all this, I continue to think that requesting keyboard access
 should involve separate API, so that it can be feature-detected and given
 different security treatment by vendors as desired. This is what Flash does,
 and they have the most experience dealing with the security implications of
 fullscreen on the Web.
 
 Gecko and Chrome have indicated they do not desire this distinction.
 You have indicated your desire to maybe enable keyboard access in the
 future, but you do not have a thought out UI. Given this is the data
 we are working with it seems unwise to change direction at this point.
 
 The specification is modeled after Gecko and Chrome and very much
 intents to have keyboard access working. As per usual, everything that
 is not restricted is expected to work.

That seems like a bad basis to make a decision about a security issue.

 
 I am willing to add some wording to the security section to make the
 risks of keyboard access more clear. Does anyone have some suggested
 wording?

What would be the point? Web developers can't protect themselves from phishing 
attacks by other sites, and as you state the spec currently does not allow UAs 
to limit keyboard access. So who is the audience for such as security 
considerations warning? End users?


At minimum, I'd like the spec to explicitly allow not providing full keyboard 
access, as requested in my original message on this thread:

 Despite both of these defenses having drawbacks, I think it is wise for 
 implementations to implement at least one of them. I think the spec should 
 explicitly permit implementations to apply either or both of these 
 limitations, and should discuss their pros and cons in the Security 
 Considerations section.

As you point out, the spec does not currently allow this behavior. Are you 
rejecting this request? If so, why? Safari has had this behavior since forever 
and is unlikely to change in the foreseeable future, so it seems pointless to 
disallow it.

And given this difference in UA behavior, it seems useful to let web developers 
feature-detect the difference in behavior somehow.

Regards,
Maciej

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

2012-12-01 Thread Maciej Stachowiak


On Nov 29, 2012, at 12:24 PM, Elliott Sprehn espr...@gmail.com wrote:

 
 On Wed, Nov 28, 2012 at 2:51 PM, Maciej Stachowiak m...@apple.com wrote:
 
 Does this support the previously discussed mechanism of allowing either 
 public or private components? I'm not able to tell from the referenced 
 sections.
  
 Can you explain the use case for wanting private shadows that are not 
 isolated?

I still don't entirely buy the use cases for making shadow dom contents public. 
But I thought the rough consensus in the earlier discussion was to support both 
modes, not to support public components only.

Regards,
Maciej

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

2012-11-28 Thread Maciej Stachowiak


Does this support the previously discussed mechanism of allowing either public 
or private components? I'm not able to tell from the referenced sections.

 - Maciej

On Nov 28, 2012, at 1:17 PM, Dimitri Glazkov dglaz...@chromium.org wrote:

 As of http://dvcs.w3.org/hg/webcomponents/rev/0714c60f265d, there's now an 
 API to traverse the shadow trees:
 
 http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/shadow/index.html#api-shadow-aware-shadow-root
 http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/shadow/index.html#api-html-shadow-element-older-shadow-root
 
 Please let me know if I goofed anything up. File bugs or yell at me.
 
 :DG
 
 
 On Fri, Nov 9, 2012 at 10:17 AM, Dimitri Glazkov dglaz...@chromium.org 
 wrote:
 On Thu, Nov 8, 2012 at 9:26 PM, Boris Zbarsky bzbar...@mit.edu wrote:
  On 11/8/12 9:28 AM, Elliott Sprehn wrote:
 
  If you're worried about malicious attacks on your widget, shadows being
  private is not enough. You need a whole new scripting context.
 
  Er... yes, you do.  Do widgets not get that?  If not, that's pretty
  broken...
 
 Having a separate scripting context is certainly useful for a certain
 class of widgets (see Like/+1 button discussion).  That's why we have
 this whole notion of the isolated shadow trees. This is also a
 fundamental requirement for enabling UA controls to be built with
 script (I _just_ had a discussion with a fellow WebKit engineer who
 asked for that).
 
 However, for a large class of use cases, mostly represented by the
 libraries/frameworks, the separate scripting context is an unnecessary
 barrier. Libraries like bootstrap, quickui, and x-tags are eager to
 start using shadow DOM to delineate lightweight, purely functional
 boundaries between composable bits in the same document. For these
 developers, where things like:
 a) examining (and sometimes modifying), say a currently selected tab
 in an tab manager;
 b) having a central state stored in the document;
 c) nesting and reusing bits across different libraries;
 are all expected and counted upon. Adding a scripting context boundary
 here is just a WTF! stumbling block.
 
 :DG

Re: [webcomponents]: Changing API from constructable ShadowRoot to factory-like

2012-11-09 Thread Maciej Stachowiak


I think a factory function is better here for the reasons Dimitri stated. But I 
also agree that an addFoo function returning a new object seems strange. I 
think that createShadowRoot may be better than either option.

 - Maciej

On Nov 8, 2012, at 11:42 AM, Erik Arvidsson a...@chromium.org wrote:

 addShadowRoot seem wrong to me to. Usually add* methods takes an
 argument of something that is supposed to be added to the context
 object.
 
 If we are going with a factory function I think that createShadowRoot
 is the right name even though create methods have a lot of bad history
 in the DOM APIs.
 
 On Thu, Nov 8, 2012 at 1:01 PM, Elliott Sprehn espr...@google.com wrote:
 True, though that's actually one character longer, probably two with normal
 formatting ;P
 
 new ShadowRoot(element,{
 element.addShadowRoot({
 
 I'm more concerned about the constructor with irreversible side effects of
 course.
 
 - E
 
 
 On Thu, Nov 8, 2012 at 9:57 AM, Dimitri Glazkov dglaz...@google.com wrote:
 
 That _is_ pretty nice, but we can add this as a second argument to the
 constructor, as well:
 
 root = new ShadowRoot(element, {
  applyAuthorSheets: false,
  resetStyleInheritance: true
 });
 
 At this point, the stakes are primarily in aesthetics... Which makes
 the whole question so much more difficult to address objectively.
 
 :DG
 
 On Thu, Nov 8, 2012 at 9:54 AM, Elliott Sprehn espr...@google.com wrote:
 The real sugar I think is in the dictionary version of addShadowRoot:
 
 root = element.addShadowRoot({
  applyAuthorSheets: false,
  resetStyleInheritance: true
 })
 
 
 On Thu, Nov 8, 2012 at 9:49 AM, Dimitri Glazkov dglaz...@google.com
 wrote:
 
 Sure. Here's a simple example without getting into traversable shadow
 trees (those are still being discussed in a different thread):
 
 A1) Using constructable ShadowRoot:
 
 var element = document.querySelector('div#foo');
 // let's add a shadow root to element
 var shadowRoot = new ShadowRoot(element);
 // do work with it..
 shadowRoot.applyAuthorSheets = false;
 shadowRoot.appendChild(myDocumentFragment);
 
 A2) Using addShadowRoot:
 
 var element = document.querySelector('div#foo');
 // let's add a shadow root to element
 var shadowRoot = element.addShadowRoot();
 // do work with it..
 shadowRoot.applyAuthorSheets = false;
 shadowRoot.appendChild(myDocumentFragment);
 
 Now with traversable shadow trees:
 
 B1) Using constructable ShadowRoot:
 
 var element = document.querySelector('div#foo');
 alert(element.shadowRoot); // null
 var root = new ShadowRoot(element);
 alert(root === element.shadowRoot); // true
 var root2 = new ShadowRoot(element);
 alert(root === element.shadowRoot); // false
 alert(root2 === element.shadowRoot); // true
 
 B2) Using addShadowRoot:
 
 var element = document.querySelector('div#foo');
 alert(element.shadowRoot); // null
 var root = element.addShadowRoot();
 alert(root === element.shadowRoot); // true
 var root2 = element.addShadowRoot();
 alert(root === element.shadowRoot); // false
 alert(root2 === element.shadowRoot); // true
 
 :DG
 
 On Thu, Nov 8, 2012 at 9:42 AM, Maciej Stachowiak m...@apple.com
 wrote:
 
 Could you please provide equivalent code examples using both
 versions?
 
 Cheers,
 Maciej
 
 On Nov 7, 2012, at 10:36 AM, Dimitri Glazkov dglaz...@google.com
 wrote:
 
 Folks,
 
 Throughout the year-long (whoa!) history of the Shadow DOM spec,
 various people commented on how odd the constructable ShadowRoot
 pattern was:
 
 var root = new ShadowRoot(host); // both creates an instance *and*
 makes an association between this instance and host.
 
 People (I cc'd most of them) noted various quirks, from the
 side-effectey constructor to relatively uncommon style of the API.
 
 I once was of the strong opinion that having a nice, constructable
 object has better ergonomics and would overcome the mentioned code
 smells.
 
 But... As we're discussing traversable shadows and the possibility
 of
 having Element.shadowRoot, the idea of changing to a factory pattern
 now looks more appealing:
 
 var element = document.querySelector('div#foo');
 alert(element.shadowRoot); // null
 var root = element.addShadowRoot({ resetStyleInheritance: true });
 alert(root === element.shadowRoot); // true
 var root2 = element.addShadowRoot();
 alert(root === element.shadowRoot); // false
 alert(root2 === element.shadowRoot); // true
 
 You gotta admit this looks very consistent and natural relative to
 how
 DOM APIs work today.
 
 We could still keep constructable object syntax as alternative
 method
 or ditch it altogether and make calling constructor throw an
 exception.
 
 What do you think, folks? In the spirit of last night's events,
 let's
 vote:
 
 1) element.addShadowRoot rocks! Let's make it the One True Way!
 2) Keep ShadowRoot constructable! Factories stink!
 3) Let's have both!
 4) element.addShadowRoot, but ONLY if we have traversable shadow
 trees
 5) Kodos.
 
 :DG
 
 P.S. I would like to retain the atomic quality of the operation

Re: [webcomponents]: Changing API from constructable ShadowRoot to factory-like

2012-11-08 Thread Maciej Stachowiak


Could you please provide equivalent code examples using both versions?

Cheers,
Maciej

On Nov 7, 2012, at 10:36 AM, Dimitri Glazkov dglaz...@google.com wrote:

 Folks,
 
 Throughout the year-long (whoa!) history of the Shadow DOM spec,
 various people commented on how odd the constructable ShadowRoot
 pattern was:
 
 var root = new ShadowRoot(host); // both creates an instance *and*
 makes an association between this instance and host.
 
 People (I cc'd most of them) noted various quirks, from the
 side-effectey constructor to relatively uncommon style of the API.
 
 I once was of the strong opinion that having a nice, constructable
 object has better ergonomics and would overcome the mentioned code
 smells.
 
 But... As we're discussing traversable shadows and the possibility of
 having Element.shadowRoot, the idea of changing to a factory pattern
 now looks more appealing:
 
 var element = document.querySelector('div#foo');
 alert(element.shadowRoot); // null
 var root = element.addShadowRoot({ resetStyleInheritance: true });
 alert(root === element.shadowRoot); // true
 var root2 = element.addShadowRoot();
 alert(root === element.shadowRoot); // false
 alert(root2 === element.shadowRoot); // true
 
 You gotta admit this looks very consistent and natural relative to how
 DOM APIs work today.
 
 We could still keep constructable object syntax as alternative method
 or ditch it altogether and make calling constructor throw an
 exception.
 
 What do you think, folks? In the spirit of last night's events, let's vote:
 
 1) element.addShadowRoot rocks! Let's make it the One True Way!
 2) Keep ShadowRoot constructable! Factories stink!
 3) Let's have both!
 4) element.addShadowRoot, but ONLY if we have traversable shadow trees
 5) Kodos.
 
 :DG
 
 P.S. I would like to retain the atomic quality of the operation:
 instantiate+associate in one go. There's a whole forest of problems
 awaits those who contemplate detached shadow roots.

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

2012-11-08 Thread Maciej Stachowiak


On Nov 6, 2012, at 3:29 PM, Dimitri Glazkov dglaz...@google.com wrote:

 On Thu, Nov 1, 2012 at 8:39 AM, Tab Atkins Jr. jackalm...@gmail.com wrote:
 
 6) The isolated setting essentially means that there's a new
 document and scripting context for this shadow subtree (specifics
 TBD). Watch https://www.w3.org/Bugs/Public/show_bug.cgi?id=16509 for 
 progress.
 
 That seems like a whole separate feature - perhaps we should figure out 
 private vs public first. It would be good to know the use cases for 
 this feature over using private or something like seamless iframes.
 
 Yeah, sure.  It's useful to bring up at the same time, though, because
 there are some decent use-cases that sound at first blush like they
 should be private, but really want even stronger security/isolation
 constraints.
 
 An existing example, iirc, is the Google +1 button widget.  Every
 single +1 includes an iframe so it can do some secure scripting
 without the page being able to reach in and fiddle with things.
 
 What are the advantages to using an isolated component for the +1 button 
 instead if an iframe, or a private component containing an iframe?
 
 I'm not 100% sure (Dimitri can answer better), but I think it's
 because we can do a somewhat more lightweight isolation than what a
 full iframe provides.
 
 IIRC, several of our use-cases *really* want all of the instances of a
 given component to use the same scripting context, because there's
 going to be a lot of them, and they all need the same simple data;
 they'd gain no benefit from being fully separate and paying the cost
 of a thousand unique scripting contexts.

Is that the semantics isolated would have? All instances of the same 
component are in the same scripting context, but one separate from the page? I 
assumed that new
document and scripting context for this shadow subtree would mean there's a 
new one per instance, and the document plus the scripting context is most of 
the cost of an iframe.

 
 Yup. The typical example that the Google+ people point out to me is
 techcrunch.com. The count of iframes had gotten so high that it
 affected performance to the point where the crunchmasters had to fake
 the buttons (and reveal them on hover, which is tangential to the
 story and may or may not have been the wisest choice).
 
 With isolated shadow trees, the number of scripting contexts would
 equal then number of button-makers, and offer additional opportunities
 like sharing styles among instances.

OK, it wasn't clear that the separate document and scripting context for 
isolated components would be per unique component, rather than per-instance. 
That does seem like a meaningfully different behavior.



 
 
 One thing that makes me nervous about theisolated idea, is thata 
 scripting context is normally bound one-to-one to either a browsing context 
 or a worker; and having multiple scripting contexts per browsing context 
 seems like it could be tricky to implement and may have security risks. But 
 I don't have any more concrete objection at this time.
 
 I think that Workers or something very much like them is a productive
 direction to look in for the isolated components, actually.

Wouldn't that require making the DOM and UI event dispatch threadsafe (which 
are likely not very practical things to do)?

 
 Flipping it around, isolation also serves as a great way for the
 *page* to protect itself from the *component*.  There are tons of
 components that have absolutely no need to interact with the outside
 page, so sealing them off loses you nothing and gains you peace of
 mind when worrying about whether you should include some random
 plugins you found on your favorite component library site.
 
 Would the page be able to choose to make a component isolated without the 
 cooperation of the component? Or alternately load components in such a way 
 that only isolated ones would succeed?
 
 I think we'd like that, but haven't thought it through very hard yet.
 
 Isolation as a problem is something that's often considered in design
 discussions (hence it being brought up here), but it's in a distant
 future in relation to actual progress of the spec. If there were
 Shadow DOM L2, that would a nice place to start.

Maybe it should be set aside from this public vs private discussion for now 
then.

If it may be desirable to force isolated from the outside, then that makes it 
substantially different from the public vs private distinction, which should be 
completely under the control of the component. There's not much point to 
discussing isolated without having a handle on this aspect of its design.

Regards,
Maciej

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

2012-11-08 Thread Maciej Stachowiak


On Nov 8, 2012, at 2:15 AM, Elliott Sprehn espr...@gmail.com wrote:

 
 On Thu, Nov 1, 2012 at 6:43 AM, Maciej Stachowiak m...@apple.com wrote:
 
 On Nov 1, 2012, at 12:41 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:
 
 ...
 
  For example, being able to re-render the page manually via DOM
  inspection and custom canvas painting code.  Google Feedback does
  this, for example.  If shadows are only exposed when the component
  author thinks about it, and then only by convention, this means that
  most components will be un-renderable by tools like this.
 
 As Adam Barth often points out, in general it's not safe to paint pieces of a 
 webpage into canvas without security/privacy risk. How does Google Feedback 
 deal with non-same-origin images or videos or iframes, or with visited link 
 coloring, to cite a few examples? Does it just not handle those things?
 
 
 We don't handle visited link coloring as there's no way to get that from JS.
 
 For images we proxy all images and do the actual drawing to the canvas in a 
 nested iframe that's on the same domain as the proxy.
 
 For cross domain iframes we have a JS API that the frame can include that 
 handles a special postMessage which serializes the entire page and then 
 unserializes on the other side for rendering. Thankfully this case is 
 extremely rare unlike web components where it turns out you end up with 
 almost the entire page down in some component or another (ex. x-panel, 
 x-conversation-view …). This of course requires you to have control of the 
 cross origin page.
 
 For an architectural overview of Google Feedback's JS HTML rendering engine 
 you can look at this presentation, slides 6 and 10 explain the image proxy:
 
 http://www.elliottsprehn.com/preso/fluentconf/

Are these types of workarounds adequate for the web components case? If not, 
why not?

Regards,
Maciej

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

2012-11-01 Thread Maciej Stachowiak


On Nov 1, 2012, at 12:02 AM, Dimitri Glazkov dglaz...@google.com wrote:

 Hi folks!
 
 While you are all having good TPAC fun, I thought I would bring this
 bug to your attention:
 
 https://www.w3.org/Bugs/Public/show_bug.cgi?id=19562
 
 There's been several comments from developers about the fact that
 Shadow DOM encapsulation is _too_ well-sealed for various long tail,
 but important use cases

What are these use cases? I did not seem them in the bug.

http://w3cmemes.tumblr.com/post/34633601085/grumpy-old-maciej-has-a-question-about-your-spec

 In other words, the information that could be accessible (no security 
 concerns, for example) is not. One has to use
 hacks to get at the truth.



 
 Here's a simple strawman (copied from bug for easy reading):
 
 1) There's a 3-position switch on each shadow DOM subtree: public,
 private, isolated.

Is there any special behavior associated with these three settings besides what 
is in the other numbered points?

 
 2) There's a mechanism in place to flip this switch (specifics TBD)

Who gets to flip the switch? Can a private subtree still be accessed via the 
element it is attached to by simply marking it public? That would make 
private useless if so. It seems like whoever creates the shadow DOM should be 
able to make it private in an irreversible way. Without knowing the mechanism 
it's hard to judge if that is the case. 

In cases where a browser implementation provides a built-in shadow DOM, it 
seems particularly necessary to make it irreversibly private.


 
 3) the element.shadowRoot property points to the top of the tree
 stack, or null if the subtree at the top is in private or
 isolated setting.
 
 4) shadow.olderSubtree points to the older subtree in the stack or
 null if the older subtree is in private or isolated setting.
 
 5) ShadowRoot.host points to the shadow host or null, if the subtree
 is in private or isolated setting.
 
 6) The isolated setting essentially means that there's a new
 document and scripting context for this shadow subtree (specifics
 TBD). Watch https://www.w3.org/Bugs/Public/show_bug.cgi?id=16509 for progress.

That seems like a whole separate feature - perhaps we should figure out 
private vs public first. It would be good to know the use cases for this 
feature over using private or something like seamless iframes.

Cheers,
Maciej

Re: [webcomponents] More backward-compatible templates

2012-11-01 Thread Maciej Stachowiak


On Nov 1, 2012, at 1:57 PM, Adam Barth w...@adambarth.com wrote:

 
 
 (5) The nested template fragment parser operates like the template fragment 
 parser, but with the following additional difference:
  (a) When a close tag named +script is encountered which does not match 
 any currently open script tag:
 
 Let me try to understand what you've written here concretely:
 
 1) We need to change the end tag open state to somehow recognize 
 /+script as an end tag rather than as a bogus comment.
 2) When the tree builder encounter such an end tag in the  state(s), we 
 execute the substeps you've outlined below.
 
 The problem with this approach is that nested templates parse differently 
 than top-level templates.  Consider the following example:
 
 script type=template
  b
 /script
 
 In this case, none of the nested template parser modifications apply and 
 we'll parse this as normal for HTML.  That means the contents of the template 
 will be b (let's ignore whitespace for simplicity).
 
 script type=template
   h1Inbox/h1
   script type=template
 b
   /+script
 /script
 
 Unfortunately, the nested template in this example parses differently than it 
 did when it was a top-level template.  The problem is that the characters 
 /+script are not recognized by the tokenizer as an end tag because they 
 are encountered by the nested template fragment parser in the before 
 attribute name state.  That means they get treated as some sort of bogus 
 attributes of the b tag rather than as an end tag.

OK. Do you believe this to be a serious problem? I feel like inconsistency in 
the case of a malformed tag is not a very important problem, but perhaps there 
are cases that would be more obviously problematic, or reasons not obvious to 
me to be very concerned about cases exactly like this one.

Also: can you think of a way to fix this problem? Or alternately, do you 
believe it's fundamentally not fixable? I've only spent a short amount of time 
thinking about this approach, and I am not nearly as much an expert on HTML 
parsing as you are.


  
  (a.i) Consume the token for the close tag named +script.
  (a.ii) Crate a DocumentFragment containing that parsed contents of 
 the fragment.
  (a.iii) [return to the parent template fragment parser] with the 
 result of step (a.ii) with the parent parser to resume after the +script 
 close tag.
 
 
 This is pretty rough and I'm sure I got some details wrong. But I believe it 
 demonstrates the following properties:
 (B) Allows for perfect fidelity polyfills, because it will manifestly end the 
 template in the same place that an unaware browser would close the script 
 element.
 (C) Does not require multiple levels of escaping.
 (A) Can be implemented without changes to the core HTML parser (though you'd 
 need to introduce a new fragment parsing mode).
 
 I suspect we're quibbling over no true Scotsman semantics here, but you 
 obviously need to modify both the HTML tokenizer and tree builder for this 
 approach to work.

In principle you could create a whole separate tokenizer and tree builder. But 
obviously that would probably be a poor choice for a native implementation 
compared to adding some flags and variable behavior. I'm not even necessarily 
claiming that all the above properties are advantages, I just wanted to show 
that there need not be a multi-escapting problem nor necessarily scary 
complicated changes to the tokenizer states for script.

I think the biggest advantage to this kind of approach is that it can be 
polyfilled with full fidelity. But I am in no way wedded to this solution and I 
am intrigued at the mention of other approaches with this property. The others 
I know of (external source only, srcdoc like on iframe) seem clearly worse, but 
there might be other bigger ones.

  
 (D) Can be implemented with near-identical behavior for XHTML, except that 
 you'd need an XML fragment parser.
 
 The downside is that nested templates don't parse the same as top-level 
 templates.  

Indeed. That is in addition to the previously conceded downsides that the 
syntax is somewhat less congenial.

 Another issue is that you've also introduced the following security risk:
 
 Today, the following line of JavaScript is safe to include in an inline 
 script tag:
 
 var x = /+scriptimg onerror=alert(1);
 
 Because that line does not contain /script, the string alert(1) will be 
 treated as the contents of a string.  However, if that line is included in an 
 inline script inside of a template, the modifications of to the parser above 
 will mean that alert(1) will execute as JavaScript rather than being treated 
 as a string, introducing an XSS vector.

I don't follow. Can you give a full example of how this would be included in a 
template and therefore be executed?


  
 I hope this clarifies the proposal.
 
 Notes:
 - Just because it's described this way doesn't mean it has to be implemented 
 this way - implementations

Re: [webcomponents]: Making Shadow DOM Subtrees Traversable

2012-11-01 Thread Maciej Stachowiak


On Nov 1, 2012, at 12:41 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:

 On Thu, Nov 1, 2012 at 9:37 AM, Maciej Stachowiak m...@apple.com wrote:
 On Nov 1, 2012, at 12:02 AM, Dimitri Glazkov dglaz...@google.com wrote:
 Hi folks!
 
 While you are all having good TPAC fun, I thought I would bring this
 bug to your attention:
 
 https://www.w3.org/Bugs/Public/show_bug.cgi?id=19562
 
 There's been several comments from developers about the fact that
 Shadow DOM encapsulation is _too_ well-sealed for various long tail,
 but important use cases
 
 What are these use cases? I did not seem them in the bug.
 
 http://w3cmemes.tumblr.com/post/34633601085/grumpy-old-maciej-has-a-question-about-your-spec
 
 For example, being able to re-render the page manually via DOM
 inspection and custom canvas painting code.  Google Feedback does
 this, for example.  If shadows are only exposed when the component
 author thinks about it, and then only by convention, this means that
 most components will be un-renderable by tools like this.

As Adam Barth often points out, in general it's not safe to paint pieces of a 
webpage into canvas without security/privacy risk. How does Google Feedback 
deal with non-same-origin images or videos or iframes, or with visited link 
coloring, to cite a few examples? Does it just not handle those things?

 For the public/private part at least, this is just a switching of the
 defaults.  There was no good *reason* to be private by default, we
 just took the shortest path to *allowing* privacy and the default fell
 out of that.  As a general rule, we should favor being public over
 being private unless there's a good privacy or security reason to be
 private.  So, I don't think we need strong use-cases here, since we're
 not having to make a compat argument, and the new model adds minimal
 complexity.

I don't enough of the context to follow this. Right now there's no good general 
mechanism for a component exposing its guts, other than by convention, right? 
It seems like adding a general mechanism to do so is a good idea, but it could 
work with either default or with no default at all and requiring authors to 
specify explicitly. I think specifying either way explicitly would be best. JS 
lets you have public properties in an object, or private properties 
(effectively) in a closure, so both options are available and neither is 
default. It's your choice whether to use encapsulation. I am not sure we need 
to specifically nudge web developers away from encapsulation.

 
 1) There's a 3-position switch on each shadow DOM subtree: public,
 private, isolated.
 
 Is there any special behavior associated with these three settings besides 
 what is in the other numbered points?
 
 I don't think so, no.  Public/private is just a matter of exposing or
 nulling some references.  Isolated is obviously not well-defined in
 this email, but the implications are relatively straightforward - it's
 like a cross-domain iframe.  (Which is, in fact, exactly how existing
 components hack in some isolation/security.)
 
 
 2) There's a mechanism in place to flip this switch (specifics TBD)
 
 Who gets to flip the switch? Can a private subtree still be accessed via 
 the element it is attached to by simply marking it public? That would make 
 private useless if so. It seems like whoever creates the shadow DOM should 
 be able to make it private in an irreversible way. Without knowing the 
 mechanism it's hard to judge if that is the case.
 
 In cases where a browser implementation provides a built-in shadow DOM, it 
 seems particularly necessary to make it irreversibly private.
 
 The idea so far is that the switch is just set at shadow creation
 time, and can't be changed.

That seems workable.

 
 
 6) The isolated setting essentially means that there's a new
 document and scripting context for this shadow subtree (specifics
 TBD). Watch https://www.w3.org/Bugs/Public/show_bug.cgi?id=16509 for 
 progress.
 
 That seems like a whole separate feature - perhaps we should figure out 
 private vs public first. It would be good to know the use cases for this 
 feature over using private or something like seamless iframes.
 
 Yeah, sure.  It's useful to bring up at the same time, though, because
 there are some decent use-cases that sound at first blush like they
 should be private, but really want even stronger security/isolation
 constraints.
 
 An existing example, iirc, is the Google +1 button widget.  Every
 single +1 includes an iframe so it can do some secure scripting
 without the page being able to reach in and fiddle with things.

What are the advantages to using an isolated component for the +1 button 
instead if an iframe, or a private component containing an iframe?

One thing that makes me nervous about theisolated idea, is thata scripting 
context is normally bound one-to-one to either a browsing context or a worker; 
and having multiple scripting contexts per browsing context seems like it could

[webcomponents] More backward-compatible templates

2012-10-30 Thread Maciej Stachowiak


In the WebApps meeting, we discussed possible approaches to template that may 
ease the transition between polyfilled implementations and native support, 
avoid HTML/XHTML parsing inconsistency, and in general adding less weirdness to 
the Web platform.

Here are some possibilities, not necessarily mutually exclusive:

(1) template src

Specify templates via external files rather than inline content. External CSS 
and external scripts are very common, and in most cases inline scripts and 
style are the exception. It seems likely this will also be true for templates. 
It's likely desirable to provide this even if there is also some inline form of 
templates.

(2) template srcdoc

Use the same approach as iframe srcdoc to specifying content inline while 
remaining compatible with legacy parsing. The main downside is that the 
required escaping is ugly and hard to follow, especially in the face of nesting.

(3) script type=template (or script language=template?)

Define a new script type to use for templates. This provides almost all the 
syntactic convenience of the original template element - the main downside is 
that, if your template contains a script or another nested template, you have 
to escape the close script tag in some way. 

The contents of the script would be made available as an inert DOM outside the 
document, via a new IDL attribute on script (say, HTMLScriptElement.template).

Here's a comparison of syntaxes:

Template element:
template
div id=foo class=bar/div
script something();/script
template
 div class=nested-template/div
/template
/template

Script template:
script type=template
div id=foo class=bar/div
script something();\/script
script type=template
 div class=nested-template/div
\/script
/script

Pros:
- Similar to the way many JS-implemented templating sches work today
- Can be polyfilled with full fidelity and no risk of content that's meant to 
be inert accidentally running
- Can be translated consistently and compatibly to the XHTML syntax of HTML
- Less new weirdness. You don't have to create a new construct that appears to 
have normal markup content, but puts it outside the document.
- Can be specified (and perhaps even implemented, at least at first) without 
having to modify the HTML parsing algorithm. In principle, you could specify 
this as a postprocessing step after parsing, where accessing .template for the 
first time would be responsible for reparsing the contents and creating the 
template DOM. In practice, browsers would eventually want to parse in a single 
pass for performance.


Cons:
- script type=template is slightly more verbose than template
- Closing of nested scripts/templates requires some escaping


In my opinion, the advantages of the script template approach outweigh the 
disadvantages. I wanted to raise it for discussion on the list.

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

2012-10-22 Thread Maciej Stachowiak


On Oct 22, 2012, at 3:04 PM, Chris Pearce cpea...@mozilla.com wrote:

 
 This looks remarkably like Mozilla's original proposal:
 https://wiki.mozilla.org/Gecko:FullScreenAPI
 
 We chose not to implement this as it offers little protection against 
 phishing or spoofing attacks that don't rely on keyboard access. In those 
 cases making the user aware that they've entered fullscreen is pretty much 
 the best defence the user has. Other than not having a fullscreen API at all.

There may be phishing scenarios that work without keyboard access, but I expect 
they are *far* less common and harder to pull off. To argue from anecdote, I 
visit many sites where I identify myself with a typed password, and none where 
I exclusively have a mouse-based credential that does not involve typing 
(though I've seen sites that use it as an additional factor). I think it's not 
justified to conclude that the phishing risk with and without alphanumeric 
keyboard access is identical. They are not.

 
 Our fullscreen approval UI in Firefox is based around the assumption that for 
 most users the set of sites that use the fullscreen API that the user 
 encounters on a daily basis is small, and users would tend to opt to 
 remember the fullscreen approval for those domains. I'd imagine the set 
 would be YouTube, Facebook, and possibly ${FavouriteGame}.com for most users. 
 Thus users would see a notification and not an approval prompt most of the 
 time when they entered fullscreen. But when some other site goes fullscreen 
 they do get a prompt, which is out of the ordinary and more likely to be read.

I think the chance of the user paying attention to a prompt that, every time 
they have seen it before, has been completely harmless, is pretty low. The odds 
of the user making an informed security decision based on what the prompt says 
is even lower.

Based on all this, I continue to think that requesting keyboard access should 
involve separate API, so that it can be feature-detected and given different 
security treatment by vendors as desired. This is what Flash does, and they 
have the most experience dealing with the security implications of fullscreen 
on the Web.

Regards,
Maciej

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)


On Oct 14, 2012, at 3:54 PM, Chris Pearce cpea...@mozilla.com wrote:

 On 14/10/12 00:49, Maciej Stachowiak wrote:
 
 Despite both of these defenses having drawbacks, I think it is wise for 
 implementations to implement at least one of them. I think the spec should 
 explicitly permit implementations to apply either or both of these 
 limitations, and should discuss their pros and cons in the Security 
 Considerations section.
 
 
 I don't support making these mandatory, but they should certainly be added to 
 the Security Considerations section; we considered them, and we may indeed 
 re-consider them in future if it proves necessary.
 
 I support making the spec general enough that implementors can chose their 
 security features based on their requirements; what's appropriate for a 
 desktop browser may not be appropriate for a tablet, for example.

I agree with both of these comments (in case it wasn't clear). I suggest that 
these mechanisms should be permitted, not mandatory. Right now it is not 
entirely clear if either is permitted per spec.

Regards,
Maciej

Re: full screen api


On Oct 14, 2012, at 3:52 PM, Chris Pearce cpea...@mozilla.com wrote:

 On 13/10/12 07:20, Carr, Wayne wrote:
 There’s a recent post on a phishing attack using the full screen api 
 [1][2}[3].
 
 It's worth noting that this attack has been possible in Flash for years, and 
 the sky hasn't fallen.

For most of that time, Flash has either not allowed any keyboard input, or 
allowed only non-alphanumeric keys. That has significantly different security 
characteristics against a phishing threat model than full-keyboard-enabled 
fullscreen.

Just recently (in Flash 11.3) they added optional full keyboard input, but that 
puts up a separate permission prompt and doesn't pass through keys until the 
user approves.

Regards,
Maciej

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)


That's why I liked having a separate API to request fullscreen with full 
alphanumeric keyboard access. This allows apps to determine if fullscreen with 
keyboard is available on a given browser, and allows browsers to set separate 
security policies for that case. I think the spec should change back to having 
two distinct APIs, even though Mozilla is not interested in making a 
distinction between the two cases.

Regards,
Maciej

On Oct 15, 2012, at 3:45 AM, Florian Bösch pya...@gmail.com wrote:

 Ok, so here's my question. You have a webapp (that oh, happens to be a game, 
 or a slideshow app, or a video player with controls, etc.) which needs 
 keyboard/UI events access to work (come to think of it, can you honestly 
 think of any sort of usecase that does work entirely without user 
 intercation?). Anyways, so now this app needs to figure out if it's worth the 
 bother to even display a fullscreen icon/request fullscren (see, after all, 
 there woulnd't be a point if there's no keyboard/UI access).
 
 So how does an app do that? How do we figure out what the random behavior 
 changes are that vendors add, that would break our app, that make it 
 pointless to try to use the API on that vendors browser? Anyone?
 
 On Mon, Oct 15, 2012 at 12:32 PM, Maciej Stachowiak m...@apple.com wrote:
 
 On Oct 14, 2012, at 3:54 PM, Chris Pearce cpea...@mozilla.com wrote:
 
  On 14/10/12 00:49, Maciej Stachowiak wrote:
 
  Despite both of these defenses having drawbacks, I think it is wise for 
  implementations to implement at least one of them. I think the spec should 
  explicitly permit implementations to apply either or both of these 
  limitations, and should discuss their pros and cons in the Security 
  Considerations section.
 
 
  I don't support making these mandatory, but they should certainly be added 
  to the Security Considerations section; we considered them, and we may 
  indeed re-consider them in future if it proves necessary.
 
  I support making the spec general enough that implementors can chose their 
  security features based on their requirements; what's appropriate for a 
  desktop browser may not be appropriate for a tablet, for example.
 
 I agree with both of these comments (in case it wasn't clear). I suggest that 
 these mechanisms should be permitted, not mandatory. Right now it is not 
 entirely clear if either is permitted per spec.
 
 Regards,
 Maciej

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)


On Oct 15, 2012, at 5:01 PM, Chris Pearce cpea...@mozilla.com wrote:

 On 16/10/12 11:39, Maciej Stachowiak wrote:
 
 That's why I liked having a separate API to request fullscreen with full 
 alphanumeric keyboard access. This allows apps to determine if fullscreen 
 with keyboard is available on a given browser, and allows browsers to set 
 separate security policies for that case.
 
 Would you implement keyboard access in fullscreen via this API if we spec'd 
 it? Or are you looking for a way to for authors to determine if key input 
 isn't supported in fullscreen mode?

Our most likely short-term goal would be the latter (enabling capability 
detection) but I wouldn't take full keyboard access off the table forever. We 
would want the freedom to apply different security policy to that case when/if 
we do it though. 

 
 
 I think the spec should change back to having two distinct APIs, even though 
 Mozilla is not interested in making a distinction between the two cases.
 
 I'd say fullscreen video is the only fullscreen use case where page script 
 shouldn't need key events dispatched to it. I'm sure some other fullscreen 
 uses wouldn't want key events, but most non-trivial users of fullscreen would 
 want keyboard shortcuts or input.

Many games could work with only non-alphanumeric keys or in some cases only the 
mouse. As could slideshows. You only need space/enter/arrows for a full screen 
slide presentation.

What are the cases where webpage-driven (as opposed to browser-chrome-driven) 
fullscreen is really compelling, but they need full keyboard access including 
alphanumeric keys? (Not saying there aren't any, I am just not sure what they 
would be - fullscreen Nethack?)

 
 Anyway, I'm curious what the Chrome guys think.

Likewise.


Cheers,
Maciej

Defenses against phishing via the fullscreen api (was Re: full screen api)

2012-10-13 Thread Maciej Stachowiak


On Oct 13, 2012, at 1:49 AM, Anne van Kesteren ann...@annevk.nl wrote:

 On Fri, Oct 12, 2012 at 8:25 PM, Florian Bösch pya...@gmail.com wrote:
 There was a limited discussion on that a few days ago with the limited
 consensus (?) being that requiring user-consent up front before switching to
 fullscreen is desired, should be in the standard and isn't sacrificing UX.
 
 There was no implementor involved in that discussion. I want to see
 their feedback before changing the standard.
 
 Also, FYI, http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html
 is not maintained, http://fullscreen.spec.whatwg.org/ is.

I think it's unlikely that Apple would implement a requirement of prior user 
consent before entering fullscreen.

I also personally think OK/Cancel security nag dialogs are a very poor security 
mechanism in general. Users do not read them, and placing them in the path of 
operations that are harmless the vast majority of the time only has the effect 
of training users to click ok on dialogs. Cancel or allow dialogs are nearly 
useless for real security and seem mainly to provide CYA security - if a user 
gets hacked, you can tell them they were bad for clicking OK on the dialog.

Now, there are some limited cases where a permissions dialog may make sense. 
Specifically, these are cases where the user can reasonably be expected to 
relate the risk to the functionality requested. For example, when a site asks 
for your geolocation, a user can generally understand that there may be privacy 
implications to having a location tracked. But this does not really apply to 
fullscreen. A user is not likely to understand the security implications of 
fullscreen. So they won't be able to make a reasoned risk assessment based on a 
warning dialog. This situation is much like bad certificate warnings, where the 
evidence indicates that users almost always click through, even relatively 
informed users.


I think the most effective defense against phishing via fullscreen is to 
prevent keyboard access. The original design for requestFullscreen had an 
optional argument for requesting keyboard access, which led to a warning in 
some browsers and which for Safari we chose to ignore as the risk outweighed 
the benefit. The new spec does not have this parameter and makes no mention of 
keyboard access. It is not even clear if refusing to send key events or grant 
keyboard focus in fullscreen would be conforming. I think this should be fixed. 
I think the spec should at minimum explicitly allow browsers to block delivery 
of key events (or at least key events for alphanumeric keys). Regrettably, this 
defense would not be very effective on pure touchscreen devices, since there is 
no physical keyboard and the soft keyboard can likely be convincingly faked 
with HTML.

The second most effective defense that I can think of is a distinctive visible 
indicator that prevents convincingly faking the system UI. The common 
notification to press escape to exit partly serves that purpose. A potentially 
more effective version would be to show a noticeable visible indicator every 
time the user moves the mouse, presses a key, or registers a tap on a 
touchscreen. Ideally this would cover key areas needed to fake a real browser 
UI such as where the toolbar and address bar would go, and would indicate what 
site is showing the fullscreen UI. However, while such an effect is reasonable 
for fullscreen video (where the user will mostly watch without interacting), it 
might be distracting for fullscreen games, or the fullscreen mode of a 
presentation program, or a fullscreen editor.

Despite both of these defenses having drawbacks, I think it is wise for 
implementations to implement at least one of them. I think the spec should 
explicitly permit implementations to apply either or both of these limitations, 
and should discuss their pros and cons in the Security Considerations section.

Regards,
Maciej

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

2012-10-13 Thread Maciej Stachowiak


On Oct 13, 2012, at 4:58 AM, Florian Bösch pya...@gmail.com wrote:

 On Sat, Oct 13, 2012 at 1:49 PM, Maciej Stachowiak m...@apple.com wrote:
 I think the most effective defense against phishing via fullscreen is to 
 prevent keyboard access. The original design for requestFullscreen had an 
 optional argument for requesting keyboard access, which led to a warning in 
 some browsers and which for Safari we chose to ignore as the risk outweighed 
 the benefit. The new spec does not have this parameter and makes no mention 
 of keyboard access. It is not even clear if refusing to send key events or 
 grant keyboard focus in fullscreen would be conforming. I think this should 
 be fixed. I think the spec should at minimum explicitly allow browsers to 
 block delivery of key events (or at least key events for alphanumeric keys). 
 Regrettably, this defense would not be very effective on pure touchscreen 
 devices, since there is no physical keyboard and the soft keyboard can likely 
 be convincingly faked with HTML.
 I've got no objection against a user poll for things like keyboard 
 interactions in fullscreen as long as the implemention honors the intent to 
 show this once for a session or remembered state and not all the time when 
 going back and forth.

Our current intended behavior in Safari is to never allow alphanumeric keyboard 
access in fullscreen. No cancel/allow prompt. Did you read the part where I 
explained why such prompts are useless for security?

  
 The second most effective defense that I can think of is a distinctive 
 visible indicator that prevents convincingly faking the system UI. The common 
 notification to press escape to exit partly serves that purpose. A 
 potentially more effective version would be to show a noticeable visible 
 indicator every time the user moves the mouse, presses a key, or registers a 
 tap on a touchscreen. Ideally this would cover key areas needed to fake a 
 real browser UI such as where the toolbar and address bar would go, and would 
 indicate what site is showing the fullscreen UI. However, while such an 
 effect is reasonable for fullscreen video (where the user will mostly watch 
 without interacting), it might be distracting for fullscreen games, or the 
 fullscreen mode of a presentation program, or a fullscreen editor
 Such a scheme would render fullscreen virtually useless for most of its 
 intended purpose. 

That depends on what you think most of its intended purpose is. Many native 
video fullscreen implementations already have behavior somewhat like this, 
because they expect that the user is not producing UI events most of the time 
while watching the video. It may be annoying in the context of a game or 
slideshow. So far I have encountered such uses much less often than video.

Regards,
Maciej

Sandboxed Filesystem use cases? (was Re: Moving File API: Directories and System API to Note track?)

2012-09-25 Thread Maciej Stachowiak


On Sep 25, 2012, at 10:20 AM, James Graham jgra...@opera.com wrote:

 
 In addition, this would be the fourth storage API that we have tried to 
 introduce to the platform in 5 years (localStorage, WebSQL, IndexedDB being 
 the other three), and the fifth in total. Of the four APIs excluding this 
 one, one has failed over interoperability concerns (WebSQL), one has 
 significant performance issues and is discouraged from production use 
 (localStorage) and one suffers from a significant problems due to its legacy 
 design (cookies). The remaining API (IndexedDB) has not yet achieved 
 widespread use. It seems to me that we don't have a great track record in 
 this area, and rushing to add yet another API probably isn't wise. I would 
 rather see JS-level implementations of a filesystem-like API on top of 
 IndexedDB in order to work out the kinks without creating a legacy that has 
 to be maintained for back-compat than native implementations at this time.

I share your concerns about adding yet-another-storage API. (Although I believe 
there are major websites that have adopted or are in the process of adopting 
IndexedDB). I like my version better than the Google one, too, but I also worry 
about whether we should be adding another storage API at all.

I think we need to go back to the use case for sandboxed filesystem storage and 
understand which use cases cannot be served with IndexedDB.


Here are some use cases I have heard:

(1) A webapp (possibly working on offline mode) wants to stage files for later 
upload (e.g. via XHR).
Requirements:
- Must be able to store distinct named items containing arbitrary 
binary data.
- Must be able to read the data back for later upload.
- Must be able to delete items.

(2) A web-based mail client wants to download the user's attachments locally, 
then reference them by URL from the email and allow them to be extracted into 
the user's filesystem space.
Requirements:
- Must be able to store distinct named items containing arbitrary 
binary data.
- Must be able to reference items by persistent  URL from constructs in 
a webpage that use URLs.
- Must be able to delete items.

(3) A web-based web developer tool downloads copies of all the resources of a 
webpage, lets the user edit the webpage live potentially adding new resources, 
and then uploads it all again to one or more servers.
Requirements: 
- Must be able to store distinct named items containing arbitrary 
binary data.
- Must be able to replace items.
- Must be able to reference items by persistent  URL from constructs in 
a webpage that use URLs.
- Must be able to delete items.
- Must be able to enumerate items.
Highly desirable:
- Hierarchical namespace.

(4) A game wants to download game resources locally for efficient operation, 
and later update them
Requirements: 
- Must be able to store distinct named items containing arbitrary 
binary data.
- Must be able to replace items.
- Must be able to reference items by persistent URL from constructs in 
a webpage that use URLs.
- Must be able to delete items.
Highly desirable:
- Hierarchical namespace.


I believe the only requirement here that is not met by IndexedDB is:
- The ability to reference an item by persistent URL.

IndexedDB has enumeration, hierarchical namespace, ability to add, replace, 
remove, get, etc.


Are there other use cases? In particular, are there use cases that justify a 
whole new storage API instead of adding this one feature to IndexedDB?


Note: one aspect of the MinimalFileSystem proposal that is not obviously 
required by any of these use cases is the ability to incrementally update a 
file (beyond what you could already do with slice() and BlobBuilder). Basically 
the whole FileHandle interface. Is there truly a use case that you can't 
satisfy by using BlobBuilder to make your update and then atomically replacing?


Regards,
Maciej

Re: Moving File API: Directories and System API to Note track?

2012-09-25 Thread Maciej Stachowiak


Hi Glenn,

I read over your points. But I don't think they would change Apple's 
calculation about exposing an API to the real user filesystem in Safari, 
particularly as specified. I do think that my more minimal API might also be a 
better fit for the real filesystem use case, as it removes a bunch of 
unnecessary levels of indirection and abstraction that exist in the other 
proposals. But I think it is unlikely we would expose that aspect.

We are still open to solving the sandboxed local storage area use case, with 
a more minimal API. But first we'd like to understand why those use cases can't 
be solved with targeted additions to IndexedDB (see forked thread).

Regards,
Maciej

On Sep 25, 2012, at 12:35 PM, Glenn Maynard gl...@zewt.org wrote:

 On Wed, Sep 19, 2012 at 3:46 PM, James Graham jgra...@opera.com wrote:
 Indeed. We are not enthusiastic about implementing an API that has to 
 traverse directory trees as this has significant technical challenges, or may 
 expose user's path names, as this has security implications. Also AIUI this 
 API is not a good fit for all platforms.
 
 I don't think there are any unsolvable problems for traversing native 
 directory trees.  (For example, hard links can be dealt with if they do turn 
 up--keep track of inodes in parents--and pathname limitations put an upper 
 limit, preventing infinite recursion.  I think they're very unlikely in 
 practice--infinite directory loops would break tons of native apps, too.  No 
 filesystem I've tried in Linux allows it.)  I don't think any proposals 
 expose user pathnames (eg. above the item that was dropped/opened).
 
 The main issue that needs to be explored is how to prevent users from 
 accidentally giving more access than they mean to, eg. pages saying please 
 open C:\ and drag in Users, and users not realizing what they're doing.  
 This is critically important, but I think it's too early to conclude that 
 this is unsolvable.
 
 (That's a UI issue more than a technical issue.  There are other clearly 
 technical issues, but I haven't seen any raised that look unsolvable.  The 
 two tricky ones I've seen are maximum filename/path length limitations, and 
 valid characters varying between platforms, which have been discussed a lot 
 and would need to be revisited--it's been too long and I forget where that 
 left off.)
 
 
 On Fri, Sep 21, 2012 at 7:37 PM, Maciej Stachowiak m...@apple.com wrote:
 - I'm not keen on exposing portions of the user's filesystem. In particular:
 - This seems like a potential security/social-engineering risk.
 - This use case seems more relevant to system apps based on Web 
 technology than Web apps as such; I fear that system-app-motivated complexity 
 is bloating the api.
 
 These are the *primary* use cases of a filesystem-like API.  There's lot of 
 value in being able to let a media player app play and (optionally) 
 manipulate my local media directories, for example--obviously I won't move my 
 music into IndexedDB.
 
 (I don't find the sandboxed case very compelling, and while I consider 
 IndexedDB to-be-proven for things like storing gigabytes of data for a 
 game, it should definitely be given that chance before introducing another 
 API for that set of use cases.)
 
 - Many of Apple's key target platforms don't even *have* a user-visible 
 filesystem.
 
 It's not inconsistent to have APIs that aren't relevant on every single 
 platform.  When you don't have a user filesystem in the first place, the use 
 cases themselves go away and you don't care about any of this.
 
 (For the sandboxed case, this isn't relevant.  It would be useful to separate 
 the sandboxed and native discussions, since except for the API style 
 question, the issues and objections are almost completely distinct, and it's 
 sometimes hard to keep track of which one we're talking about.)
 
 - We already have way too many storage APIs. To add another, the use cases 
 would have to be overwhelmingly compelling, and highly impractical to serve 
 by extending any of the other storage APIs (e.g. IndexedDB).
 
 I do find being able to allow users to work with their native data, just as 
 native apps do, to be overwhelmingly compelling.  I have about 4 TB of data, 
 and the only way I can use any of it with web apps is by dragging in 
 individual, flat lists of files, and even that's a strictly one-way street 
 (FileSaver is only a very tiny help here).
 
 -- 
 Glenn Maynard

Re: Moving File API: Directories and System API to Note track?

2012-09-24 Thread Maciej Stachowiak


On Sep 22, 2012, at 9:35 PM, Maciej Stachowiak m...@apple.com wrote:

 
 On Sep 22, 2012, at 8:18 PM, Brendan Eich bren...@mozilla.com wrote:
 
 
 And two of the interfaces are generic and reusable in other contexts.
 
 Nice, and DOMRequest predates yours -- should it be done separately since (I 
 believe) it is being used by other proposals unrelated to FileSystem-like 
 ones?
 
 Sorry if I missed it and it's already being split out.
 
 Yes, I borrowed DOMRequest. I think DOMRequest and DOMMultiRequest could be a 
 separate spec, if that sort of asynchronous response pattern is generally 
 useful. And it seems like it might be. That would leave only two interfaces 
 specific to the Minimal File System proposal, Directory and FileHandle.

Here's an alternate version where I renamed some things to match Filesystem API 
and FileWriter, and added the missing key feature of getting a persistent URL 
for a file in a local filesystem (extending the URL interface). It's still a 
much simpler API that provides most of the same functionality. 

https://trac.webkit.org/wiki/MinimalFileStorageAlternate

Regards,
Maciej

Re: Moving File API: Directories and System API to Note track?

2012-09-22 Thread Maciej Stachowiak


What does getMetadata a synchronously return?

I think this API as written is still a fair bit more complex than needed for 
the sandboxed storage use case. It does seem simpler than Filesystem API.

Regards,
Maciej

On Sep 21, 2012, at 10:10 PM, Jonas Sicking jo...@sicking.cc wrote:

 On Fri, Sep 21, 2012 at 5:37 PM, Maciej Stachowiak m...@apple.com wrote:
 
 My personal objections (ones that I think are shared by at least some other 
 Safari folks):
 
 - It's way too complicated. (As one crude metric, I count 22 interfaces; and 
 yes, I know many of those are callback interfaces or sync versions of 
 interfaces; it still seems overengineered).
 - I see value in the use case of a private sandboxed storage area, as 
 staging for uploads, to hold downloaded resources, etc. But:
- It's not totally clear to me why a filesystemlike API is the best way 
 to serve these use cases, particularly if in practice it is actually backed 
 by a database.
- The API as designed is way too complex for just that use case.
 - I'm not keen on exposing portions of the user's filesystem. In particular:
- This seems like a potential security/social-engineering risk.
- This use case seems more relevant to system apps based on Web 
 technology than Web apps as such; I fear that system-app-motivated 
 complexity is bloating the api.
- Many of Apple's key target platforms don't even *have* a user-visible 
 filesystem.
- We'd like to keep Web APIs consistent between our various platforms 
 consistent as much as possible.
- I think trying to serve the real filesystem use cases adds a lot of 
 complexity over the private storage area use case.
 - We already have way too many storage APIs. To add another, the use cases 
 would have to be overwhelmingly compelling, and highly impractical to serve 
 by extending any of the other storage APIs (e.g. IndexedDB).
- In particular, I have heard an explanation of why IndexedDB as it 
 currently exists can't handle all the use cases for file-like storage, but I 
 have heard no explanation of why it can't be extended in that direction.
 
 For these reasons, I think it is unlikely that Safari would ever support 
 Filesystem API in its current form. I could imagine considering a *much* 
 narrower API, scoped only to the use case of private storage areas for Web 
 apps, but only if a compelling case is made that there's no other way to 
 serve that use case.
 
 For what it's worth, even the DeviceStorage API proposal is too complex for 
 my tastes, in its current iteration.
 
 I think keeping the Filseystem API on the REC track in its current form is 
 actively bad, because it leads outside observers to be misled about where 
 the Web platform is going. For example,  sites like http://html5test.com 
 give out points for it even though it seems unlikely to advance on the 
 standards track as it stands today.
 
 For what it's worth, I put together a draft for what an API would look
 like that has basically the same feature set as the current FileSystem
 API, but based on DeviceStorage. It's a much smaller API that the
 current FileSystem drafts, but supports things like shallow as well as
 deep directory iteration.
 
 https://wiki.mozilla.org/WebAPI/DeviceStorageAPI2
 
 I think that if we at mozilla were to implement a sandboxed
 filesystem, it'd be something more like this.
 
 The FileHandle part of the API is definitely more complex to implement
 than the FileWriter API, but I'd argue that it's actually easier to
 use. For example you can start multiple write operations without
 having to wait for each individual write to finish.
 
 I also added an example of what a read-only DeviceStorage would look
 like if we wanted something like that for input type=file,
 drag'n'drop or a zip-reader. This shouldn't be considered as part of
 the remaining draft though since exposing a filesystem in those
 scenarios might very well be overkill.
 
 / Jonas

Re: Moving File API: Directories and System API to Note track?

2012-09-22 Thread Maciej Stachowiak


On Sep 21, 2012, at 10:10 PM, Jonas Sicking jo...@sicking.cc wrote:

 
 For what it's worth, I put together a draft for what an API would look
 like that has basically the same feature set as the current FileSystem
 API, but based on DeviceStorage. It's a much smaller API that the
 current FileSystem drafts, but supports things like shallow as well as
 deep directory iteration.
 
 https://wiki.mozilla.org/WebAPI/DeviceStorageAPI2
 
 I think that if we at mozilla were to implement a sandboxed
 filesystem, it'd be something more like this.

I took a crack at a pruned and cleaned up version:

https://trac.webkit.org/wiki/MinimalFileStorage

Only 4 interfaces (excluding the Navigator addition), 16 methods, 9 attributes. 
And two of the interfaces are generic and reusable in other contexts.

It removes cruft but adds features relative to the Mozilla version:

- Atomic create/open operation
- Renaming files and directories
- A Directory interface for less weirdness in directory handling
- Ability to open files in append mode (this makes more sense than an append() 
operation on the handle, given the way underlying filesystems work)

Features omitted include:
 - Multiple named filesystems (just use directories)
- Separate enumeration for writing (just use open)
- Ability to fetch matadata (does not appear to be needed for the use case)


It could be simplified a little bit, but really not that much, by removing 
hierarchy.

Regards,
Maciej

Re: Moving File API: Directories and System API to Note track?

2012-09-22 Thread Maciej Stachowiak


On Sep 22, 2012, at 8:18 PM, Brendan Eich bren...@mozilla.com wrote:

 
 And two of the interfaces are generic and reusable in other contexts.
 
 Nice, and DOMRequest predates yours -- should it be done separately since (I 
 believe) it is being used by other proposals unrelated to FileSystem-like 
 ones?
 
 Sorry if I missed it and it's already being split out.

Yes, I borrowed DOMRequest. I think DOMRequest and DOMMultiRequest could be a 
separate spec, if that sort of asynchronous response pattern is generally 
useful. And it seems like it might be. That would leave only two interfaces 
specific to the Minimal File System proposal, Directory and FileHandle.

Regards,
Maciej

Re: Moving File API: Directories and System API to Note track?

2012-09-21 Thread Maciej Stachowiak


I like the idea of offering asynchronous listing of files in input type=file 
multiple. But I think Filesystem API is overkill for this use case.

Regards,
Maciej

On Sep 21, 2012, at 3:50 PM, Darin Fisher da...@chromium.org wrote:

 No comment on the value of DirectoryEntry for enabling asynchronous listing 
 of files in input type=file multiple?
 
 -Darin
 
 On Thu, Sep 20, 2012 at 4:48 PM, Maciej Stachowiak m...@apple.com wrote:
 
 +1
 
 I don't see an indication of any major browser but Chrome planning to 
 implement this and expose it to the Web.
 
  - Maciej
 
 On Sep 18, 2012, at 4:04 AM, Olli Pettay olli.pet...@helsinki.fi wrote:
 
  Hi all,
 
 
  I think we should discuss about moving File API: Directories and System API
  from Recommendation track to Note. Mainly because the API hasn't been 
  widely accepted nor
  implemented and also because there are other proposals which handle the 
  same use cases.
  The problem with keeping the API in recommendation track is that people 
  outside
  standardization world think that the API is the one which all the browsers 
  will implement and
  as of now that doesn't seem likely.
 
 
 
 
  -Olli

Re: Moving File API: Directories and System API to Note track?

2012-09-21 Thread Maciej Stachowiak


My personal objections (ones that I think are shared by at least some other 
Safari folks):

- It's way too complicated. (As one crude metric, I count 22 interfaces; and 
yes, I know many of those are callback interfaces or sync versions of 
interfaces; it still seems overengineered).
- I see value in the use case of a private sandboxed storage area, as staging 
for uploads, to hold downloaded resources, etc. But:
- It's not totally clear to me why a filesystemlike API is the best way to 
serve these use cases, particularly if in practice it is actually backed by a 
database.
- The API as designed is way too complex for just that use case.
- I'm not keen on exposing portions of the user's filesystem. In particular:
- This seems like a potential security/social-engineering risk.
- This use case seems more relevant to system apps based on Web technology 
than Web apps as such; I fear that system-app-motivated complexity is bloating 
the api.
- Many of Apple's key target platforms don't even *have* a user-visible 
filesystem.
- We'd like to keep Web APIs consistent between our various platforms 
consistent as much as possible.
- I think trying to serve the real filesystem use cases adds a lot of 
complexity over the private storage area use case.
- We already have way too many storage APIs. To add another, the use cases 
would have to be overwhelmingly compelling, and highly impractical to serve by 
extending any of the other storage APIs (e.g. IndexedDB).
- In particular, I have heard an explanation of why IndexedDB as it 
currently exists can't handle all the use cases for file-like storage, but I 
have heard no explanation of why it can't be extended in that direction.

For these reasons, I think it is unlikely that Safari would ever support 
Filesystem API in its current form. I could imagine considering a *much* 
narrower API, scoped only to the use case of private storage areas for Web 
apps, but only if a compelling case is made that there's no other way to serve 
that use case.

For what it's worth, even the DeviceStorage API proposal is too complex for my 
tastes, in its current iteration.

I think keeping the Filseystem API on the REC track in its current form is 
actively bad, because it leads outside observers to be misled about where the 
Web platform is going. For example,  sites like http://html5test.com give out 
points for it even though it seems unlikely to advance on the standards track 
as it stands today.

Regards,
Maciej

On Sep 21, 2012, at 4:32 PM, Eric U er...@google.com wrote:

 While I don't see any other browsers showing interest in implementing
 the FileSystem API as currently specced, I do see Firefox coming
 around to the belief that a filesystem-style API is a good thing,
 hence their DeviceStorage API.  Rather than scrap the API that we've
 put 2 years of discussion and work into, why not work with us to
 evolve it to something you'd like more?  If you have objections to
 specific attributes of the API, wouldn't it be more efficient to
 change just those things than to start over from scratch?  Or worse,
 to have the Chrome filesystem API, the Firefox filesystem API, etc.?
 
 If I understand correctly, folks at Mozilla think having a directory
 abstraction is too heavy-weight, and would prefer users to slice and
 dice paths by hand.  OK, that's a small change, and the
 functionality's roughly equivalent.  We could probably even make
 migration fairly easy with a small polyfill.
 
 Jonas suggests FileHandle to replace FileWriter.  That's clearly not a
 move to greater simplicity, and no polyfill is possible, but it does
 open up the potential for higher perfomance, especially in a
 multi-process browser.  As i said when you proposed it, I'm
 interested, and we'd also like to solve the locking use cases.
 
 Let's talk about it, rather than throw the baby out with the bathwater.
 
   Eric
 
 On Tue, Sep 18, 2012 at 4:04 AM, Olli Pettay olli.pet...@helsinki.fi wrote:
 Hi all,
 
 
 I think we should discuss about moving File API: Directories and System API
 from Recommendation track to Note. Mainly because the API hasn't been widely
 accepted nor
 implemented and also because there are other proposals which handle the same
 use cases.
 The problem with keeping the API in recommendation track is that people
 outside
 standardization world think that the API is the one which all the browsers
 will implement and
 as of now that doesn't seem likely.
 
 
 
 
 -Olli

Re: Moving File API: Directories and System API to Note track?

2012-09-20 Thread Maciej Stachowiak


+1

I don't see an indication of any major browser but Chrome planning to implement 
this and expose it to the Web.

 - Maciej

On Sep 18, 2012, at 4:04 AM, Olli Pettay olli.pet...@helsinki.fi wrote:

 Hi all,
 
 
 I think we should discuss about moving File API: Directories and System API
 from Recommendation track to Note. Mainly because the API hasn't been widely 
 accepted nor
 implemented and also because there are other proposals which handle the same 
 use cases.
 The problem with keeping the API in recommendation track is that people 
 outside
 standardization world think that the API is the one which all the browsers 
 will implement and
 as of now that doesn't seem likely.
 
 
 
 
 -Olli

Re: Proposal for Cascading Attribute Sheets - like CSS, but for attributes!

2012-08-28 Thread Maciej Stachowiak


On Aug 27, 2012, at 2:07 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:

 
 
 
 I have mixed feelings about this proposal overall, but I think it's a little 
 weird to use CSS property syntax instead of markup-like attribute syntax to 
 set attributes. I think this makes the syntax confusingly similar to CSS 
 even though proposed behavior is quite different. Something like this might 
 make more sense:
 
 img.placeholder {
src=/images/1x1.gif
alt=
 }
 
 In other words, make attribute setting look like attribute syntax.
 
 This is similar to the discussions about monocle-mustache in JS.  I
 prefer being able to simple re-use the existing CSS parser, but I'm
 not completely wedded to it.  I'd need some strong opinions from more
 relevant parties to switch over, though.

I doubt we would be able to actually reuse the CSS parser, at least at the code 
level, at least for WebKit. To give some examples of issues that arise:

- The CSS parser has specific knowledge of all the CSS properties we recognize 
and their value syntax. 
- It has no provision for catchall recognition of all other property names with 
a quoted string value.
- There are some CSS properties that have the same name as meaningful HTML 
attributes.

 
 And finally, I'm skeptical whether the convenience here is worth adding a 
 whole new language to the Web Platform technology stack. It is literally 
 just convenience / syntactic sugar. I'm not sure that rises to the high bar 
 needed to add an additional language to the Web Platform.
 
 Yeah, this is the major hurdle for this.  My hope is that, by reusing
 the CSS parser and restricting all the expensive parts of CSS
 (dynamicness, remembering where a value came from, etc.), I can pull
 the bar down low enough for this to make it.

I think your assumption is that it's possible to reuse the CSS parser is 
incorrect, at least for strong values of reuse.

Regards,
Maciej

Re: [UndoManager] Disallowing live UndoManager on detached nodes

2012-08-23 Thread Maciej Stachowiak


On Aug 22, 2012, at 11:08 PM, Olli Pettay olli.pet...@helsinki.fi wrote:

 On 08/22/2012 10:44 PM, Maciej Stachowiak wrote:
 
 On Aug 22, 2012, at 6:53 PM, Ojan Vafai o...@chromium.org 
 mailto:o...@chromium.org wrote:
 
 On Wed, Aug 22, 2012 at 6:49 PM, Ryosuke Niwa rn...@webkit.org 
 mailto:rn...@webkit.org wrote:
 
On Wed, Aug 22, 2012 at 5:55 PM, Glenn Maynard gl...@zewt.org 
 mailto:gl...@zewt.org wrote:
 
On Wed, Aug 22, 2012 at 7:36 PM, Maciej Stachowiak m...@apple.com 
 mailto:m...@apple.com wrote:
 
Ryosuke also raised the possibility of multiple text fields 
 having separate UndoManagers. On Mac, most apps wipe they undo queue when
you change text field focus. WebKit preserves a single undo 
 queue across text fields, so that tabbing out does not kill your ability to
undo. I don't know of any app where you get separate switchable 
 persistent undo queues. Thins are similar on iOS.
 
 
 Think of the use-case of a threaded email client where you can reply to any 
 message in the thread. If it shows your composing mails inline (e.g. as
 gmail does), the most common user expectation IMO is that each email gets 
 it's own undo stack. If you undo the whole stack in one email you wouldn't
 expect the next undo to start undo stuff in another composing mail. In 
 either case, since there's a simple workaround (seamless iframes), I don't
 think we need the added complexity of the attribute.
 
 Depends on the user and their platform of choice. On the Mac I think it's 
 pretty much never the case that changing focus within a window changes your
 undo stack, it either has a shared one or wipes undo history on focus 
 switch. So if GMail forced that, users would probably be surprised. I can
 imagine a use case for having an API that allows multiple undo stacks on 
 platforms where they are appropriate, but merges to a single undo stack on
 platforms where they are not. However, I suspect an API that could handle 
 this automatically would be pretty hairy. So maybe we should handle the
 basic single-undo-stack use case first and then think about complexifying it.
 
 
 I think the undo-stack per editing context (like input) is pretty basics, 
 and certainly something I wouldn't remove from Gecko.
 (Largely because using the same undo for separate input elements is just 
 very weird, and forcing web apps to use iframes to achieve
 Gecko's current behavior would be horribly complicated.)

It might be ok to let Web pages conditionally get Gecko-like separate undo 
stack behavior inside Firefox, at least on Windows. (Firefox even seems to do 
per-field undo on Mac, so I'm starting to think that it's more of a Gecko quirk 
than a Windows platform thing.)

But, again, letting webpages force that behavior in Safari seems wrong to me. I 
don't think we should allow violating the platform conventions for undo so 
freely. You seem to feel strongly that webpages should be able to align with 
the Gecko behavior, but wouldn't it be even worse to let them forcibly violate 
the WebKit behavior?

So if there is an API for separate undo stacks, it has to handle the case where 
there's really a single undo stack. And that would potentially be hard to 
program with.

On the other hand, there are certainly use cases where a single global undo 
stack is right (such as a page with a single rich text editor). And it's easy 
to handle those cases without adding a lot of complexity. And if we get that 
right, we could try to add on something for conditional multiple undo stacks.

Regards,
Maciej

Re: [UndoManager] Disallowing live UndoManager on detached nodes

2012-08-22 Thread Maciej Stachowiak


Hi folks,

I wanted to mention that, in addition to the extra implementation complexity, I 
am not sure that multiple independent UndoManagers per page is even a good 
feature.

The use cases document gives a use case of a text editor with an embedded 
vector graphics editor. But for all the native apps I know of that have this 
feature, they present a single unified undo queue per top level document, at 
least on the Mac.

Ryosuke also raised the possibility of multiple text fields having separate 
UndoManagers. On Mac, most apps wipe they undo queue when you change text field 
focus. WebKit preserves a single undo queue across text fields, so that tabbing 
out does not kill your ability to undo. I don't know of any app where you get 
separate switchable persistent undo queues. Thins are similar on iOS.

Maybe things are wildly different on Windows or Linux or Android. But my 
feeling is that the use case for scoped UndoManagers is dubious at best, and 
may cause authors to create confusing UI.

Since the use cases are dubious *and* this aspect of UndoManager causes extra 
implementation complexity, I think dropping it is the right thing to do.

Regards,
Maciej


On Aug 21, 2012, at 2:00 PM, Ryosuke Niwa rn...@webkit.org wrote:

 Maciej, Ojan, and I had a further conversion about this matter off the list, 
 and we've concluded that we should drop the support for undoscope content 
 attribute altogether. So we're just going to do that and let authors use 
 iframe to have multiple undo managers.
 
 I can keep it around in the spec if other browser vendors are so inclined, 
 but I'm somewhat skeptical that we can get the required two independent 
 implementations given how much trouble we've had.
 
 - Ryosuke
 
 On Mon, Aug 20, 2012 at 9:52 PM, Ryosuke Niwa rn...@webkit.org wrote:
 Greetings all,
 
 We've been implementing undo manager in WebKit, and we've found out that 
 allowing live undo manager on a detached undo scope host is a terrible idea.
 
 e.g. say you have a subtree like follows:
 A
 B
 D
 C
 where A is the undo scope host. If we then detach B from A, and then insert A 
 under D, all automatic transactions in A's undo manager are broken and may 
 create a cyclic reference graph because nodes touched in automatic 
 transactions need to be kept alive for undo/redo.
 
 If there is no objection, I'm changing the spec to disallow live undo manager 
 on detached nodes so that scripts can't move the host around inside a 
 document or between documents; i.e. when a undo scope host is removed from 
 its parent, its undo manager must be disconnected and a new undo manager be 
 created for the node.
 
 Alternatively, we can turn all automatic transactions in the undo manager 
 into no-ops but I'd prefer disconnecting the undo manager altogether to make 
 the behavior simple.
 
 Best,
 Ryosuke Niwa
 Software Engineer
 Google Inc.

Re: Proposal for Cascading Attribute Sheets - like CSS, but for attributes!

2012-08-22 Thread Maciej Stachowiak


On Aug 21, 2012, at 1:59 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:

 On Tue, Aug 21, 2012 at 1:37 PM, Brian Kardell bkard...@gmail.com wrote:
 On Tue, Aug 21, 2012 at 4:32 PM, Tab Atkins Jr. jackalm...@gmail.com wrote:
 Correct.  If we applied CAS on attribute changes, we'd have... problems.
 
 Because you could do something like:
 
 .foo[x=123]{ x:  234; }
 .foo[x=234]{ x:  123; }
 
 ?
 
 Precisely.  Any way around this problem pulls in a lot more complexity
 that I don't think is worthwhile.

I suspect it's actually pretty simple to fix. Ban attribute selectors, and 
forbid setting the class or id attributes using this language.


I have mixed feelings about this proposal overall, but I think it's a little 
weird to use CSS property syntax instead of markup-like attribute syntax to set 
attributes. I think this makes the syntax confusingly similar to CSS even 
though proposed behavior is quite different. Something like this might make 
more sense:

img.placeholder {
src=/images/1x1.gif
alt=
}

In other words, make attribute setting look like attribute syntax.

I also think the proposed semi-dynamic behavior of applying only at DOM 
insertion time but otherwise being static is super confusing.

And finally, I'm skeptical whether the convenience here is worth adding a whole 
new language to the Web Platform technology stack. It is literally just 
convenience / syntactic sugar. I'm not sure that rises to the high bar needed 
to add an additional language to the Web Platform.

Regards,
Maciej

Re: [UndoManager] Disallowing live UndoManager on detached nodes

2012-08-22 Thread Maciej Stachowiak


On Aug 22, 2012, at 6:53 PM, Ojan Vafai o...@chromium.org wrote:

 On Wed, Aug 22, 2012 at 6:49 PM, Ryosuke Niwa rn...@webkit.org wrote:
 On Wed, Aug 22, 2012 at 5:55 PM, Glenn Maynard gl...@zewt.org wrote:
 On Wed, Aug 22, 2012 at 7:36 PM, Maciej Stachowiak m...@apple.com wrote:
 Ryosuke also raised the possibility of multiple text fields having separate 
 UndoManagers. On Mac, most apps wipe they undo queue when you change text 
 field focus. WebKit preserves a single undo queue across text fields, so that 
 tabbing out does not kill your ability to undo. I don't know of any app where 
 you get separate switchable persistent undo queues. Thins are similar on iOS.
 
 Think of the use-case of a threaded email client where you can reply to any 
 message in the thread. If it shows your composing mails inline (e.g. as gmail 
 does), the most common user expectation IMO is that each email gets it's own 
 undo stack. If you undo the whole stack in one email you wouldn't expect the 
 next undo to start undo stuff in another composing mail. In either case, 
 since there's a simple workaround (seamless iframes), I don't think we need 
 the added complexity of the attribute.

Depends on the user and their platform of choice. On the Mac I think it's 
pretty much never the case that changing focus within a window changes your 
undo stack, it either has a shared one or wipes undo history on focus switch. 
So if GMail forced that, users would probably be surprised. I can imagine a use 
case for having an API that allows multiple undo stacks on platforms where they 
are appropriate, but merges to a single undo stack on platforms where they are 
not. However, I suspect an API that could handle this automatically would be 
pretty hairy. So maybe we should handle the basic single-undo-stack use case 
first and then think about complexifying it.

  
 Firefox in Windows has a separate undo list for each input.  I would find a 
 single undo list strange.
 
 Internet Explorer and WebKit don't.
 
 While we're probably all biased to think that what we're used to is the best 
 behavior, it's important to design our API so that implementors need not to 
 violate platform conventions. In this case, it might mean that whether text 
 field has its own undo manager by default depends on the platform convention.
 
 Also, another option is that we could allow shadow DOMs to have their own 
 undo stack. So, you can make a control that has it's own undo stack if you 
 want.

Again, I think it's not right to leave this purely up to the web page. That 
will lead to web apps that match their developer's platform of choice but which 
don't seem quite right elsewhere.


BTW, I don't think the API should impose any requirements on how browsers 
handle undo for their built-in form controls. I have not read the spec close 
enough to know if that is the case.


Regards,
Maciej

URL spec parameter-related methods use parameter in a way inconsistent with the URI RFC

2012-05-24 Thread Maciej Stachowiak


The current draft URL spec has a number of Parameter-related methods 
(getParameterNames, getParameterValues, hasParameter, getParameter, 
setParameter, addParameter, removeParameter, clearParameters)[1]. Apparently 
these methods refer to key-value pairs in the query part of the URL as 
parameters. However, the term parameter is used by the URI RFC[2] to refer 
to something else, a semicolon-delimited part of a path (which I think is 
nearly obsolete in modern use; I am not sure what it is for). I understand that 
for legacy reasons, much of the URL interface cannot be consistent with 
RFC-official terminology. But it seems like a bad idea to use the same term for 
a different piece of the URL, worse than using the same term for a different 
part. At least call it something like query parameters to disambiguate.

Another point of feedback on the parameter-related methods: they seem to form a 
dictionary-style interface, and it seems inelegant to have all these different 
methods giving a dictionary-style interface to something that is a piece of the 
URL, rather than something that is the URL.

One possible way to solve both these problems:

interface URL {
StringMultiMap queryParameters;
}

interface StringMultiMap {
 sequenceDOMString keys;
 sequenceDOMString getAll(DOMString name)
 boolean contains(DOMString name)
 DOMString? get(DOMString name);
 void set(DOMString name, DOMString value);
 void add(DOMString name, DOMString value);
 void remove(DOMString name);
 void clear();
}

The StringMultiMap interface could be reusable for other, similar key-value 
list contexts.

Or else use an appropriate dictionary type from ES if one is ever provided.

Regards,
Maciej


[1] 
http://dvcs.w3.org/hg/url/raw-file/tip/Overview.html#dom-url-getparameternames
[2] http://www.ietf.org/rfc/rfc2396.txt

Re: Shrinking existing libraries as a goal

2012-05-18 Thread Maciej Stachowiak


On May 17, 2012, at 10:58 PM, Jonas Sicking jo...@sicking.cc wrote:

 On Thu, May 17, 2012 at 3:21 PM, Yehuda Katz wyc...@gmail.com wrote:
 I am working on it. I was just getting some feedback on the general idea
 before I sunk a bunch of time in it.
 
 For what it's worth, I definitely support this idea too on a general
 level. However as others have pointed out, the devil's in the details,
 so looking forward to those :)
 
 Of course, ideal are proposals which not just shrinks existing
 libraries, but also helps people that aren't using libraries at all
 but rather uses the DOM directly.

I also agree that providing functionality which can help reduce side of JS 
libraries is a good goal (though one of many). And also that the merits of 
specific proposals depend on the details. One aspect of this that can be 
challenging is finding functionality that will allow a broad range of libraries 
to shrink, rather than only one or a few.

 - Maciej

Re: [websockets] Moving Web Sockets back to LCWD; is 15210 a showstopper?

2012-05-08 Thread Maciej Stachowiak


I think it would be reasonable to defer the feature requested in 15210 to a 
future version of Web Sockets API. It would also be reasonable to include it if 
anyone feels strongly. Was a reason cited for why 15210 should be considered 
critical? I could not find one in the minutes.

Cheers,
Maciej


On May 3, 2012, at 3:41 PM, Arthur Barstow art.bars...@nokia.com wrote:

 During WebApps' May 2 discussion about the Web Sockets API CR, four Sockets 
 API bugs were identified as high priority to fix: 16157, 16708, 16703 and 
 15210. Immediately after that discussion, Hixie checked in fixes for 16157, 
 16708 and 16703and these changes will require the spec going back to LC.
 
 Since 15210 remains open, before I start a CfC for a new LC, I would like 
 some feedback on whether the new LC should be blocked until 15210 is fixed, 
 or if we should move toward a new LC without the fix (and thus consider 15210 
 for the next version of the spec). If you have any comments, please send them 
 by May 10.
 
 -AB
 
 [Mins] http://www.w3.org/2012/05/02-webapps-minutes.html#item08
 [CR] http://www.w3.org/TR/2011/CR-websockets-20111208/
 [Bugz] http://tinyurl.com/Bugz-Web-Socket-API
 [15210] https://www.w3.org/Bugs/Public/show_bug.cgi?id=15210

Re: Element.create(): a proposal for more convenient element creation

2011-08-02 Thread Maciej Stachowiak


On Aug 1, 2011, at 8:36 PM, João Eiras wrote:

 On , Ian Hickson i...@hixie.ch wrote:
 
 On Mon, 1 Aug 2011, Ryosuke Niwa wrote:
 On Mon, Aug 1, 2011 at 6:33 PM, Maciej Stachowiak m...@apple.com wrote:
 
  In an IRC discussion with Ian Hickson and Tab Atkins, we can up with
  the following idea for convenient element creation:
 
  Element.create(tagName, attributeMap, children�)
 
 Can we alternatively extend document.createElement?  Or was this
 intentionally avoided to associate new elements with documents?
 
 We could, but I'd much rather have the shorter name, personally. Having
 the name be so long really makes that API unusable.
 
 
 However, Nodes need a ownerDocument, and that needs to be supplied, even if 
 optionally. Doing document.createElement implies the document, Element.create 
 does not.

The intent is that it supplies the Window's current Document. It's true that 
sometimes you need to make a node for another Document, sometimes even one that 
lacks a namespace, but that's a sufficiently specialized case that it does not 
really need a convenience shortcut.

Regards,
Maciej

Re: Element.create(): a proposal for more convenient element creation

2011-08-02 Thread Maciej Stachowiak


On Aug 1, 2011, at 8:43 PM, Tab Atkins Jr. wrote:

 On Mon, Aug 1, 2011 at 7:05 PM, Charles Pritchard ch...@jumis.com wrote:
 Can we have it 'inherit' a parent namespace, and have chaining properties?
 
 Element.create('div').create('svg').create('g').create('rect', {title: 'An 
 svg rectangle in an HTML div'});
 
 Ooh, so .create is defined both on Element (defaults to HTML
 namespace, just creates an element) and on Element.prototype (defaults
 to namespace of the element, inserts as a child)?  That's pretty
 interesting.  Presumably the new element gets inserted as a last child
 of the parent.
 
 I like it.

With just the old propose you could get the same effect like this:

Element.create('div', {}, Element.create('svg', {}, Element.create('g', {}, 
Element.create('rect', {title: 'An svg rectangle in an HTML div'}

Chaining .create() is certainly less verbose. Doesn't work as well for 
inserting multiple children into an element though.

Regards,
Maciej

Re: CORS/UMP to become joint WebApps and WebAppSec joint deliverable

2011-08-02 Thread Maciej Stachowiak


On Aug 2, 2011, at 4:10 AM, Anne van Kesteren wrote:

 On Tue, 02 Aug 2011 12:53:49 +0200, Thomas Roessler t...@w3.org wrote:
 Well, groups can decide to stop working on a deliverable without having to 
 recharter; further, we've had separate groups work on joint deliverables in 
 the past.  In practical terms, the minimum that webapps needs to do is to 
 give its consent to publication and transition decisions; that can easily be 
 done through a call for consensus.  I trust that Art will help to nudge 
 discussions over to the WebAppSec group.
 
 None of that requires charter language beyond what's there already, and none 
 of it requires a rechartering of webapps.
 
 Can we at least make it so that public-webapps@w3.org stays the list for 
 technical discussion on CORS? We already switched mailing lists once (twice 
 if you count going from the initial proposal on public-web...@w3.org to 
 public-appform...@w3.org) and I would like to avoid doing it again. Getting 
 feedback is hard enough as it is, requiring all relevant people to subscribe 
 to yet another list would be bad.
 
 If that is not possible I think I would prefer CORS and From-Origin to stay 
 in the WebApps WG.

At Apple we have a somewhat lengthy internal process for joining new Working 
Groups, so if feedback has to go to a new WG's list, you will likely miss out 
on Apple feedback for at least a few months.

In addition to this, I'd personally prefer to have discussion remain on 
public-webapps because we've managed to gather all the stakeholders here, and 
gathering them again will just add disruption and delay. Perhaps WebAppSec 
could be focused on new deliverables instead of taking over a deliverable that 
is relatively on track as it is. This could include a hypothetical CORS 2, or 
even production of the CORS test suite.

Regards,
Maciej

Re: CORS/UMP to become joint WebApps and WebAppSec joint deliverable


On Jul 15, 2011, at 7:51 AM, Thomas Roessler wrote:

 On Jul 15, 2011, at 16:47 , Anne van Kesteren wrote:
 
 On Fri, 15 Jul 2011 14:43:13 +0200, Arthur Barstow art.bars...@nokia.com 
 wrote:
 As indicated a year ago [1] and again at the end of last month [2], the 
 proposal to create a new Web Application Security WG has moved forward with 
 a formal AC review now underway and ending August 19.
 
 The proposed charter includes making CORS and UMP a joint deliverable 
 between the WebApps and WebAppSec WGs:
 
 [[
 http://www.w3.org/2011/07/appsecwg-charter.html
 
 Secure Cross-Domain Resource Sharing - Advance existing recommendations 
 specifying mechanisms necessary for secure mashup applications, including 
 the Cross-Origin Request Sharing (CORS) and Uniform Messaging Policy (UMP) 
 Such recommendations will be harmonized and published as joint work with 
 the W3C Web Applications Working Group.
 ]]
 
 Does this mean twice as much email? 
 
 Hope not -- the intent is that, for all intents and purposes, webappsec takes 
 over the deliverable, but webapps needs to agree to formal publications.
 
 Joint deliverable seems even worse than moving it.
 
 The goal of making this a joint deliverable is to preserve the patent 
 commitments out of webapps.  This was a concern that came up when we proposed 
 moving the document over to webappsec instead of making it a joint one.

Perhaps the charter should be edited to make this clear, so that AC reps will 
understand that Web Apps would no longer have operational control over these 
deliverables. (And incidentally, I don't see how that can validly be done 
without amending the Web Apps WG charter.)

Regards,
Maciej

Re: From-Origin FPWD


On Jul 31, 2011, at 5:52 PM, Bjoern Hoehrmann wrote:

 * Anne van Kesteren wrote:
  http://www.w3.org/TR/from-origin/
 
 The proposed `From-Origin` header conveys a subset of the information
 that is already available through the Referer header.

From-Origin is a response header and Referer is a request header, so this 
statement would be irrelevant  even if true. Also, it is not true. Referer 
indicates the resource responsible for generating the request, From-Origin list 
the sites that are allowed embed access to the resource.

I think you may be confusing the From-Origin header with the Origin header.

Regards,
Maciej

Re: From-Origin FPWD


On Aug 1, 2011, at 10:29 AM, Hill, Brad wrote:

 The ability to do all of these things server-side, with referrer checking, 
 has been universally available for fifteen years.  (RFC 1945)
  
 In every one of the use cases below, From-Origin is a worse solution than 
 referrer checking.  What is the benefit?  Why should I choose From-Origin?  
 Why should we expect it to become universally deployed where referrer 
 checking is not?

The From-Origin design has two advantages over server-side Referer checking:

1) The Referer header is stripped by intermediaries, often enough that sites 
targeting a wide user base must be prepared for the fact that it may not be 
present. This limits the effectiveness of checking it.

2) In many static hosting environments, it is easier to add a fixed response 
header than to add server-side logic to check Referer. It also enables better 
caching by intermediaries, as the response would not require a Vary: Referer 
rule. It's quite common to serve resources such as images or CSS from a 
dedicated host that only serves static resources and does not execute 
application logic.

For these reasons, despite the availability of server-side Referer checking, 
many Web developers would find a solution like From-Origin convenient and 
helpful

Regards,
Maciej

Element.create(): a proposal for more convenient element creation


In an IRC discussion with Ian Hickson and Tab Atkins, we can up with the 
following idea for convenient element creation:

Element.create(tagName, attributeMap, children…)

   Creates an element with the specified tag, attributes, and children.

   tagName - tag name as a string; by default it does smart selection of SVG, 
HTML or MathML namespace. Authors can also use an html: svg: or mathml: prefix 
to override these defaults. (And further, you can use xmlns in attribute map to 
use a custom namespace.)
   attributeMap - JS object-as-dictonary or whatever dictionary type is 
appropriate to the language, or null for no attributes
   children… - veridic parameter, can include nodes, strings, or arrays. 
Strings are converted to text nodes. Arrays are unpacked and treated as lists 
of nodes/strings. Array support is for cases where you want to have a call-site 
that may take a veriable-length list, with possible prefix and suffix.

Examples:

Element.create(a, {href: http://google.com/}, Google}

Element.create(p, null, 
Please consider these instructions ,
Element.create(em, {class: intense}, very),
carefully)

Element.create('svg:a', {href: 'example.html'}, 'Click Me! Yay bad link text!');

Element.create('select', {multi: ''}, optionArray);

The default namespace mapping would be HTML, with possibly SVG or MathML 
elements that don't localName-collide with HTML elements mapping to their 
default namespace.


Why Element.create() instead of new Element()? It's a factory method. In 
general it returns instances of many different classes. new Foo() carries a 
strong expectation of returning a direct instance of Foo, not one of several 
subclasses.

We could also add new Text('foo') for the cases where you want to create a text 
node without an element around it.

Regards,
Maciej

Re: Publishing From-Origin Proposal as FPWD


On Jun 30, 2011, at 7:22 AM, Anne van Kesteren wrote:

 Hi hi,
 
 Is there anyone who has objections against publishing 
 http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html as a FPWD. The 
 idea is mainly to gather more feedback to see if there is any interest in 
 taking this forward.
 
 (Added public-web-security because of the potential for doing this in CSP 
 instead. Though that would require a slight change of scope for CSP, which 
 I'm not sure is actually desirable.)

I approve of publishing this as FWPD.

I also don't think it makes sense to tie this to CSP.

Regards,
Maciej

Re: Component Model: Landing Experimental Shadow DOM API in WebKit


On Jun 29, 2011, at 9:08 AM, Dimitri Glazkov wrote:

 Hi Folks!
 
 With use cases (http://wiki.whatwg.org/wiki/Component_Model_Use_Cases)

So I looked at this list of use cases. It seems to me almost none of these are 
met by the proposal at http://dglazkov.github.com/component-model/dom.html.

Can you give a list of use cases that are actually intended to be addressed by 
this proposal?

(I would be glad to explain in more detail why the requirements aren't 
satisfied in case it isn't obvious; the main issues being that the proposal on 
the table can't handle multiple bindings, can't form controls, and lacks proper 
(type 2) encapsulation).

These use cases are also, honestly, rather vague. In light of this, it's very 
hard to evaluate the proposal, since it has no obvious relationship to its 
supporting use cases.

Could we please get the following to be able to evaluate this component 
proposal:

- List of use cases, ideally backed up with very concrete examples, not just 
vague high-level statements
- Identification of which use cases the proposal even intends to address, and 
which will possibly be addressed later
- Explanation of how the proposal satisfies the use cases it is intended to 
address
- For bonus points, explanation of how XBL2 fails to meet the stated use cases

Regards,
Maciej

Re: Component Models and Encapsulation (was Re: Component Model: Landing Experimental Shadow DOM API in WebKit)

On Jun 30, 2011, at 10:57 AM, Dimitri Glazkov wrote:

Hi Maciej!

First off, I really appreciate your willingness to get into the mix of
things. It's a hard problem and I welcome any help we can get to solve
it.

I also very much liked your outline of encapsulation and I would like
to start using the terminology you introduced.

I am even flattered to see the proposal you outlined, because it's
similar to the one we originally considered as part of the first
iteration of the API
(https://raw.github.com/dglazkov/component-model/cbb28714ada37ddbaf49b3b2b24569b5b5e4ccb9/dom.html)
or even earlier versions
(https://github.com/dglazkov/component-model/blob/ed6011596a0213fc1eb9f4a12544bb7ddd4f4894/api-idl.txt)

We did remove them however, and opted for the simplest possible API,
which effectively only exposes the shadow DOM part of the component
model (see my breakdown here
http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/1345.html).

One of the things to keep in mind is that the proposal outlined in
http://dglazkov.github.com/component-model/dom.html is by no means a
complete component model API. It's just the smallest subset that can
already be useful in addressing some of the use cases listed in
http://wiki.whatwg.org/wiki/Component_Model_Use_Cases.

It seem obvious that it is better to have few small, closely related
useful bits that could be combined into a bigger picture rather than
one large monolithic feature that can't be teased apart.

The problem is that some pervasive properties (encapsulation, security, etc)
can't be added after the fact to a system that doesn't have them designed in.

As for addressing encapsulation concerns, one of the simplest things
we could is to introduce a flag on the ShadowRoot (we can discuss the
default value), which if set, prohibits access to it with the
element.shadow property.

Why is that better than my proposal? I believe all the benefits I listed for my
proposal over yours still apply to this new proposal. Can you either rebut
those stated benefits, or tell me what benefits this version has over mine?

Regards,
Maciej

Re: Component Models and Encapsulation (was Re: Component Model: Landing Experimental Shadow DOM API in WebKit)


On Jun 30, 2011, at 1:03 PM, Dimitri Glazkov wrote:

 Maciej, as promised on #whatwg, here's a more thorough review of your
 proposal. I am in agreement in the first parts of your email, so I am
 going to skip those.
 
 == Are there other limitations created by the lack of encapsulation? ==
 
 My understanding is yes, there are some serious limitations:
 
 (1) It won't be possible (according to Dmitri) to attach a binding to an 
 object that has a native shadow DOM in the implementation (e.g. form 
 controls). That's because there can only be one shadow root, and form 
 controls have already used it internally and made it private. This seems 
 like a huge limitation. The ability to attach bindings/components to form 
 elements is potentially a huge win - authors can use the correct semantic 
 element instead of div soup, but still have the total control over look and 
 feel from a custom script-based implementation.
 
 (2) Attaching more than one binding with this approach is a huge hazard. 
 You'll either inadvertently blow away the previous, or won't be able to 
 attach more than one, or if your coding is sloppy, may end up mangling both 
 of them.
 
 I think these two limitations are intrinsic to the approach, not incidental.
 
 I would like to frame this problem as multiple-vs-single shadow tree
 per element.
 
 Encapsulation is achievable with single shadow tree per element by
 removing access via webkitShadow. You can discover whether a tree
 exists (by the fact that an exception is thrown when you attempt to
 set webkitShadow), but that's hardly breaking encapsulation.
 
 The issues you've described above are indeed real -- if you view
 adding new behavior to elements a process of binding, that is
 something added to existing elements, possibly more than once. If we
 decide that this the correct way to view attaching behavior, we
 definitely need to fix this.
 
 I attempted to articulate a different view here
 http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0941.html.
 Here, adding new behavior to elements means creating a sub-class of an
 element. This should be a very familiar programming concept, probably
 more understood than the decorator or mixin-like binding approach.

How would your subclass idea resolve the two problems above?

 
 For the key use case of UI widgets, sub-classing is very natural. I
 take a div, and sub-class it into a hovercard
 (http://blog.twitter.com/2010/02/flying-around-with-hovercards.html).
 I rarely bind a hovercard behavior to some random element -- not just
 because I typically don't need to, but also because I expect a certain
 behavior from the base element from which to build on. Binding a
 hovercard to an element that doesn't display its children (like img or
 input) is useless, since I want to append child nodes to display that
 user info.
 
 I could then make superhovercard by extending the hovercard. The
 single shadow DOM tree works perfectly in this case, because you
 either:
 1) inherit the tree of the subclass and add behavior;
 2) override it.
 
 In cases where you truly need a decorator, use composition. Once we
 have the basics going, we may contemplate concepts like inherited
 (http://dev.w3.org/2006/xbl2/#the-inherited-element) to make
 sub-classing more convenient.
 
 Sub-classing as a programming model is well-understood, and easy to grasp.
 
 On the other hand, the decorators are less known and certainly carry
 hidden pains. How do you resolve API conflicts (two bindings have two
 properties/functions by the same name)? As a developer, how do you
 ensure a stable order of bindings (bindings competing for the z-index
 and depending on the order of they are initialized, for example)?

I think decorators have valid use cases. For example, let's say I want to make 
a component that extracts microformat or microdata marked up content from an 
element and present hover UI to allow handy access to it. For example, it could 
extract addresses and offer map links. I would want this to work on any 
element, even if the element already has an active behavior implemented by a 
component. I should not have to subclass every type of element I may want to 
apply this to. It's especially problematic if you have to subclass even 
different kinds of built in elements. Do I need separate subclasses for div, 
span, address, section p, and whatever other kind of element I imagine this 
applying to? That doesn't seem so great.

You are correct that figuring out how multiple bindings work is tricky. But 
even if we choose not to do it, making components truly encapsulated does not 
make it any harder to have a one-binding-only model with no inheritance.


 Notice that this scheme is not significantly more complex to use, spec or 
 implement than the shadow/shadowHost proposal. And it provides a number of 
 advantages:
 
 A) True encapsulation is possible, indeed it is the easy default path. The 
 component provider has to go out of its way to

Re: Component Models and Encapsulation (was Re: Component Model: Landing Experimental Shadow DOM API in WebKit)