Re: [whatwg] Proposal for cross domain security framework
> Actually, DNS servers, particularly for reverse DNS lookups, are out of the control of a huge number of authors on the web. Shared hosting accounts for instance don't have a unique reverse IP look up. There are also plenty of people who don't control their DNS at all for whatever reason.

The reverse DNS spec specifically allows one IP address to have multiple reverse domains.

1. People that do not have control over the reverse lookup seldom have control over multiple servers and seldom require to distribute load like this.
2. The script should be allowed to connect to its origin server (as unsigned Java applets are allowed to, today).
3. Hosting providers will add tools allowing their customers to configure this security framework, if it is required - but again; if you are on a shared server you most likely will not need to connect to multiple servers. It will also usually suffice to have a proxy on the server (like many people do for XMLHttpRequests now).
Re: [whatwg] document.readyState and its initial value
Editorial remarks:

1. The links to current document readiness are reflexive and should be removed.
2. The page loading process mentioned should be linked to the relevant section. It would be convenient for the reader and it would also provide a visual indication that it is a reference to a locally defined technical term.

Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Fabulich
Sent: Monday, June 23, 2008 12:56 AM
To: [EMAIL PROTECTED]
Subject: [whatwg] document.readyState and its initial value

document.readyState was added to HTML5 in April of this year.

http://lists.whatwg.org/pipermail/commit-watchers-whatwg.org/2008/000652.html
http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#current

Each document has a current document readiness. When a Document object is created, it must have its current document readiness set to the string loading. Various algorithms during page loading affect this value. When the value is set, the user agent must fire a simple event called readystatechanged at the Document object.

As far as I can tell via google, there has been no discussion of this property on lists.whatwg.org, so I'd like to suggest a small enhancement to the spec.

HTML5 says that the current document readiness should be loading when the document is created; instead the initial state should be uninitialized.

document.readyState was initially defined by Microsoft as a proprietary extension to DOM. Here's their MSDN documentation of document.readyState:

http://msdn.microsoft.com/en-us/library/ms534359(VS.85).aspx

An object's state is initially set to uninitialized, and then to loading. When data loading is complete, the state of the link object passes through the loaded and interactive states to reach the complete state.

I believe HTML5 should change to agree with Microsoft on this point. Safari and Opera have implemented document.readyState to agree with Microsoft and I don't think it's appropriate for HTML5 to break new ground here.

This matters to me because I'm trying to fix Firefox to support this property, and we need to know what the initial state should be.

The point is small and not very important because it's almost impossible to encounter an HTML document in Internet Explorer in the uninitialized state.
But I think the fix is small and uncontroversial: Index: source === --- source (revision 1790) +++ source (working copy) @@ -4613,7 +4613,7 @@ pEach document has a dfncurrent document readiness/dfn. When a codeDocument/code object is created, it must have its spancurrent document readiness/span set to the string - loading. Various algorithms during page loading affect this + uninitialized. Various algorithms during page loading affect this value. When the value is set, the user agent must spanfire a simple event/span called code title=event-readystatechangedreadystatechanged/code at the
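Review bot: with the initial string changed to uninitialized, the surrounding paragraph still says only that "Various algorithms during page loading affect this value", and nothing in this hunk adds the step that moves the value from uninitialized to loading. Suggest adding that transition at the point where loading begins, and stating whether it counts as "the value is set" for the purpose of firing readystatechanged, so that implementations agree on whether script can ever observe the uninitialized state or receive an event for leaving it.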
Re: [whatwg] Proposal for cross domain security framework
On Mon, 23 Jun 2008 09:34:27 +0200, Frode Børli [EMAIL PROTECTED] wrote:
> [...]

I'd suggest looking into the work the W3C has been doing on this for the past two years:

http://dev.w3.org/2006/webapi/XMLHttpRequest-2/
http://dev.w3.org/2006/waf/access-control/

--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
Re: [whatwg] Proposal for cross domain security framework
Hi!

Thank you for pointing to that document. I quickly scanned through it but I have a small problem with the specification: does it require web servers to check the Origin header? What happens with older web applications that do not check this header?

Frode

2008/6/23 Anne van Kesteren [EMAIL PROTECTED]:
> On Mon, 23 Jun 2008 09:34:27 +0200, Frode Børli [EMAIL PROTECTED] wrote:
>> [...]
>
> I'd suggest looking into the work the W3C has been doing on this for the past two years:
>
> http://dev.w3.org/2006/webapi/XMLHttpRequest-2/
> http://dev.w3.org/2006/waf/access-control/
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
> http://www.opera.com/

--
Best regards
Frode Børli
Seria.no
Mobile: +47 406 16 637
Company: +47 216 90 000
Fax: +47 216 91 000

Think about the environment. Do not print this e-mail unless you really need to.
Re: [whatwg] Proposal for cross domain security framework
On Mon, 23 Jun 2008 14:18:22 +0200, Frode Børli [EMAIL PROTECTED] wrote:
> Hi! Thank you for pointing to that document. I quickly scanned trough it but I have a small problem with the specification: does it require web servers to check the Origin header? What happens with older web applications that do not check this header?

It's not strictly required, but highly recommended. Older Web applications wouldn't opt-in and would therefore be as vulnerable as they are today.

Anyway, this is the wrong list to debate that specification. You want [EMAIL PROTECTED]

--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
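The server-side Origin check discussed in the exchange above, as an added example that is not part of the thread or of the specification. The allowlist, function names and sample origins are hypothetical, and the response header name Access-Control-Allow-Origin is the one browsers implement today, which is an assumption relative to the 2008 drafts linked in the thread.

```javascript
// Added example: decide how a server answers a request based on its Origin header.
// ALLOWED_ORIGINS and all function names are hypothetical; origins are constructed samples.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Header names arrive in any letter case; normalise to lower case once.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Returns { allow, status, headers } for one request.
function checkOrigin(method, rawHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = lowerCaseHeaders(rawHeaders)["origin"];
  // The response differs by Origin, so caches must key on it.
  const headers = { Vary: "Origin" };

  if (origin === undefined) {
    // Same-origin navigation, an older browser or a non-browser client:
    // serve the request but send no opt-in header.
    return { allow: true, status: 200, headers };
  }
  // Exact string match only: "null" and look-alike hosts never match the allowlist.
  if (allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo the matched origin, never "*"
    return { allow: true, status: 200, headers };
  }
  // Unknown origin: never opt in, and refuse state-changing work on its behalf.
  if (STATE_CHANGING.has(method.toUpperCase())) {
    return { allow: false, status: 403, headers };
  }
  // Safe method from an unknown origin: respond without the opt-in header, which is
  // what an application that never adopted the mechanism does for every request.
  return { allow: true, status: 200, headers };
}
```

A response without the opt-in header leaves the browser's same-origin restriction in force for the calling page, which is the "wouldn't opt-in" case described in the reply.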
Re: [whatwg] commit-watchers mail format
On Sat, 21 Jun 2008, Philip Taylor wrote:
> So it could be nice if the commit message was in the subject line

Done.

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.