from:"Michael A. Peters"

Was just informed that using aria-hidden solves the problem of content
being there that shouldn't be seen in a screen reader until agreed, so
that issue has a solution too.

I guess none of this really is meaningful to this list - sorry for the
noise.

On 11/12/2017 04:18 AM, Michael A. Peters wrote:

Yes but since I always have the div first in HTML the user is likely to
always be aware of it, so skipping it in a screen reader is really
little different than just pressing the agree button - they have been
informed of the type of content.

On 11/12/2017 04:09 AM, Johannes Spangenberg wrote:

There is another problem with Modals on webpages. When there is a modal
created through HTML and CSS, the user can still select items in the
background by pressing tab. It seems that there is no good solution to
prevent it.

Am 12.11.2017 um 09:59 schrieb Michael A. Peters:

Thank you! That does seem like it is exactly what I need.

On 11/12/2017 12:11 AM, Yay295 wrote:

I think the alertdialog role fits here.
https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA/ARIA_Techniques/Using_the_alertdialog_role

On Sun, Nov 12, 2017 at 1:03 AM, Michael A. Peters

wrote:

On webites that either are age restricted and/or have content that
may be
offensive to some people, often (but not as often as I'd like) there
is a
warning splashscreen that the server puts in the page if the user
has not
already agreed to see such content.

One way to do this is with a div that has absolute positioning and a
z-index that covers the content until the user clicks enter or
whatever,
then it does an ajax call to lett the server the user has verified
they
want to see the content and removes the div.

I would suggest a tagName "splashscreen" for this purpose. It would
have
the same properties as a div only it would have semantic meaning so
that
people using screen readers would know it is important.

An aria landmark of splashscreen would also properly distinguish it
from
complementary which is what I currently use for it (I would use
banner but
only one banner landmark per page is allowed).

Just a thought, I won't defend the thought but if it seems
reasonable to
the powers that be, I think it is worth it.

These splash screens do serve a different purpose than any other
semantic
tag.

Re: [whatwg] new tag and possible new aria role

On 11/12/2017 04:09 AM, Johannes Spangenberg wrote:

Am 12.11.2017 um 09:59 schrieb Michael A. Peters:

Thank you! That does seem like it is exactly what I need.

On 11/12/2017 12:11 AM, Yay295 wrote:

I think the alertdialog role fits here.
https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA/ARIA_Techniques/Using_the_alertdialog_role

On Sun, Nov 12, 2017 at 1:03 AM, Michael A. Peters

wrote:

An aria landmark of splashscreen would also properly distinguish it
from
complementary which is what I currently use for it (I would use
banner but
only one banner landmark per page is allowed).

Just a thought, I won't defend the thought but if it seems
reasonable to
the powers that be, I think it is worth it.

These splash screens do serve a different purpose than any other
semantic
tag.

Re: [whatwg] new tag and possible new aria role


Thank you! That does seem like it is exactly what I need.

On 11/12/2017 12:11 AM, Yay295 wrote:

I think the alertdialog role fits here.
https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA/ARIA_Techniques/Using_the_alertdialog_role

On Sun, Nov 12, 2017 at 1:03 AM, Michael A. Peters 
wrote:


On webites that either are age restricted and/or have content that may be
offensive to some people, often (but not as often as I'd like) there is a
warning splashscreen that the server puts in the page if the user has not
already agreed to see such content.

One way to do this is with a div that has absolute positioning and a
z-index that covers the content until the user clicks enter or whatever,
then it does an ajax call to lett the server the user has verified they
want to see the content and removes the div.

I would suggest a tagName "splashscreen" for this purpose. It would have
the same properties as a div only it would have semantic meaning so that
people using screen readers would know it is important.

An aria landmark of splashscreen would also properly distinguish it from
complementary which is what I currently use for it (I would use banner but
only one banner landmark per page is allowed).

Just a thought, I won't defend the thought but if it seems reasonable to
the powers that be, I think it is worth it.

These splash screens do serve a different purpose than any other semantic
tag.

[whatwg] new tag and possible new aria role

On webites that either are age restricted and/or have content that may 
be offensive to some people, often (but not as often as I'd like) there 
is a warning splashscreen that the server puts in the page if the user 
has not already agreed to see such content.


One way to do this is with a div that has absolute positioning and a 
z-index that covers the content until the user clicks enter or whatever, 
then it does an ajax call to lett the server the user has verified they 
want to see the content and removes the div.


I would suggest a tagName "splashscreen" for this purpose. It would have 
the same properties as a div only it would have semantic meaning so that 
people using screen readers would know it is important.


An aria landmark of splashscreen would also properly distinguish it from 
complementary which is what I currently use for it (I would use banner 
but only one banner landmark per page is allowed).


Just a thought, I won't defend the thought but if it seems reasonable to 
the powers that be, I think it is worth it.


These splash screens do serve a different purpose than any other 
semantic tag.

Re: [whatwg] JavaScript function for closing tags

2017-10-17 Thread Michael A. Peters


On 10/16/2017 10:08 AM, Roger Hågensen wrote:

On 2017-10-14 10:13, Michael A. Peters wrote:

I use TextTrack API but it's documention does not specify that it
closes open tags within a cue, in fact I'm fairly certain it doesn't
because some people use it for json and other related none tag related
content.

Looking at https://www.html5rocks.com/en/tutorials/track/basics/
it seems JSON can be used, no idea if content type is different or not
for that.


Some errors using the tracks in XML were solved by the innerHTML trick
where I create a separate html document, append the cue, and then grab
the innerHTML but that doesn't always work to close tags when html
entities are part of the cue string.


Mixing XML and HTML is not a good idea. Would it not be easier to have
the server send out proper XML instead of hTML? Valid XML is also valid
HTML (the reverse is not always true).


I agree, but what I was using an html document for - when using JS 
innerHTML it has closing tags so the only issue would be tags that html 
itself does not close (e.g. br) but those are not applicable with a 
WebVTT cue - which is only suppose to support a very small number of 
tags, all which have closing tags.


The problem is WebVTT does not require tags be closed in a cue, e.g.

04:05.000 --> 04:07.250
This is a cue.

That's allowed in WebVTT

I convert c.foo into

This is a cue.

and when I add that to the html document and use innerHTML it then has 
the closing  on it.


While it seems to work with some html entities, it breaks with others 
like  


So for now I have to just make sure all my WebVTT are closed and not use 
the hack that adds closing tags - but since WebVTT cues do not have to 
have closing tags, but the cues need to work in XML documents, a 
built-in parser in JS that can add missing closing tags I think would be 
a good thing.




And if XML and HTML is giving you issues then use JSON instead.
I did not see JSON mentioned in the W3C spec though.


I think the JSON in WebVTT cues is not spec but some are using it.

Basically the textrack API seems to allow almost any string, it really 
has to as WebVTT is not static and the spec changes. I wouldn't mind 
JSON being added to WebVTT as it would be a handy way to encode metadata 
about the media but that's another topic.


A built in JS HTML parser may also be of benefit in preventing code 
injection, e.g. stripping out tags from a WebVTT cue that a website does 
not allow.


The TextTrack API doesn't filter out things like script or other tags 
that aren't part of WebVTT which means any site that allows users to 
upload WebVTT files is creating a potential code injection vulnerability.


Server-side code should filter it on upload, but it would be nice to 
*someday* be able to pass a string through a native JS filter much the 
same way we can with htmltidy server-side and remove all but 
white-listed tags and attributes and get back a cleaned string with all 
tags closed.


It looks like Google has a library that does that but it isn't intended 
for client-side JS and may not be fast enough for things like phones to 
process time-sensitive cues (I don't know).


I might be wrong but it looked like the google library I found was 
intended for server-side Node.js use.

Re: [whatwg] JavaScript function for closing tags

2017-10-14 Thread Michael A. Peters

I use TextTrack API but it's documention does not specify that it closes 
open tags within a cue, in fact I'm fairly certain it doesn't because 
some people use it for json and other related none tag related content.


Some errors using the tracks in XML were solved by the innerHTML trick 
where I create a separate html document, append the cue, and then grab 
the innerHTML but that doesn't always work to close tags when html 
entities are part of the cue string.


I use JS regex to turn  into  and  
into  and just jQuery .append() to place 
the cue in a div for captions/subtitles since browser standard html5 
audio players have zero support for captions by themselves, and the 
jQuery .append() is what needs closing tags in XML or it understandably 
completely fails.


Also using it for chapters which don't appear to be supported in either 
browser standard audio or video players.


On 10/14/2017 12:46 AM, Silvia Pfeiffer wrote:

Hi Michael,

It seems to me that the TextTrack API is made for this use case.
Why does it not work for you?

Cheers,
Silvia.


On Sat, Oct 14, 2017 at 4:36 PM, Michael A. Peters
 wrote:

There does not seem to be a JavaScript API for closing open tags.

This is problematic when dealing with WebVTT which does not require tags be
closed.

Where it is the biggest problem is when the document is being served as
XML+XHTML

I tried the following hack which seemed to be working:

cleandoc = document.implementation.createHTMLDocument("FuBar");
cleanbody = document.createElementNS("http://www.w3.org/1999/xhtml";,
"body");
cleandoc.documentElement.appendChild(cleanbody);


Then I could do the following when with a WebVTT cue:

cleanbody.innerHTML = string;
return (cleanbody.innerHTML);

That *mostly* works but seems to sometimes fail when string contains
entities, such as  

What happens is it returns an empty string.

Given that WebVTT is part of HTML5 and browser native html5 audio players
don't support caption tracks forcing us to write our own implementations if
we want captions with audio, it sure would be nice if there was a pure
JavaScript way to just add closing tags to a string because there is never a
guarantee valid WebVTT cue has closed tags which are required for XHTML sent
as XML.

Seems to me that a JS native function to add missing closing tags would have
more application than just WebVTT cues.

I looked for a jQuery filter that does it, but could not find one.

It also could be of benefit in emulating document.write() as many of
Google's tools *still* require document.write() despite the issues with
document.write() and XML having been known for 15+ years now.

Any chance of getting a parser into JavaScript that at least would be
capable of closing open tags in a string passed to it?

[whatwg] JavaScript function for closing tags

2017-10-13 Thread Michael A. Peters


There does not seem to be a JavaScript API for closing open tags.

This is problematic when dealing with WebVTT which does not require tags 
be closed.


Where it is the biggest problem is when the document is being served as 
XML+XHTML


I tried the following hack which seemed to be working:

cleandoc = document.implementation.createHTMLDocument("FuBar");
cleanbody = document.createElementNS("http://www.w3.org/1999/xhtml";, 
"body");

cleandoc.documentElement.appendChild(cleanbody);


Then I could do the following when with a WebVTT cue:

cleanbody.innerHTML = string;
return (cleanbody.innerHTML);

That *mostly* works but seems to sometimes fail when string contains 
entities, such as  


What happens is it returns an empty string.

Given that WebVTT is part of HTML5 and browser native html5 audio 
players don't support caption tracks forcing us to write our own 
implementations if we want captions with audio, it sure would be nice if 
there was a pure JavaScript way to just add closing tags to a string 
because there is never a guarantee valid WebVTT cue has closed tags 
which are required for XHTML sent as XML.


Seems to me that a JS native function to add missing closing tags would 
have more application than just WebVTT cues.


I looked for a jQuery filter that does it, but could not find one.

It also could be of benefit in emulating document.write() as many of 
Google's tools *still* require document.write() despite the issues with 
document.write() and XML having been known for 15+ years now.


Any chance of getting a parser into JavaScript that at least would be 
capable of closing open tags in a string passed to it?

Re: [whatwg] Allow alt attribute with the span element

2017-10-06 Thread Michael A. Peters


On 10/06/2017 08:44 AM, Léonie Watson wrote:


On 06/10/2017 11:26, Michael A. Peters wrote:

Nope, no problem at all. That looks like a simple solution I did not
find. Thank you.


Note that you need to provide an explicit role on the span if you use
aria-label to provide its accessible name.


I assume if I instead put the aria-label on the button rather than span 
that contains the pictograph, that would work too without needing a role 
since it is an actual button.

Re: [whatwg] Allow alt attribute with the span element

2017-10-06 Thread Michael A. Peters

Nope, no problem at all. That looks like a simple solution I did not 
find. Thank you.


On 10/06/2017 08:23 AM, Jonathan Garbee wrote:

Is there a problem with using aria-label
<https://www.w3.org/TR/wai-aria/states_and_properties#aria-label> for
this use case? It seems like this should do exactly what you're asking
for in the given scenario.

On Fri, Oct 6, 2017 at 11:15 AM, Michael A. Peters
mailto:mpet...@domblogger.net>> wrote:

With images, the alt attribute can and should be used to give a
description of an image for users who can not see the image.

With text, some glyphs are pictographs that have a meaning. For
example, U+1F502 is a pictograph indicating single loop, but it is
meaningless if you can not see it.

Even if screen readers can specify the codepoint and/or map the
codepoint to a description (do they?) sometimes fonts define PUA
codepoints for pictograph glyphs that are not official.

A span element with a title attribute does not always solve this
problem, sometimes the glyph is in a button element that has a title
attribute describing what the button will do rather than the what
the current state is.

For example, a button may show a single loop indicating the media is
currently in single loop mode but have a title attribute specifying
that pressing it enables continuous loop mode.

If there was an alt attribute on a span inside the button, screen
readers could treat the span with a pictograph the same way it would
treat an image child of a button attribute and describe the current
pictograph to the end user.

If there is already a solution to this issue, I apologize, I could
not find one.

We (er, WhatWG / W3C) could just add alt to the global attribute
list too, rather than just span. Or come up with a semantic
pictograph element specifically for this (just like we have tt and
code).

Thank you for opinions.

[whatwg] Allow alt attribute with the span element

2017-10-06 Thread Michael A. Peters

With images, the alt attribute can and should be used to give a 
description of an image for users who can not see the image.


With text, some glyphs are pictographs that have a meaning. For example, 
U+1F502 is a pictograph indicating single loop, but it is meaningless if 
you can not see it.


Even if screen readers can specify the codepoint and/or map the 
codepoint to a description (do they?) sometimes fonts define PUA 
codepoints for pictograph glyphs that are not official.


A span element with a title attribute does not always solve this 
problem, sometimes the glyph is in a button element that has a title 
attribute describing what the button will do rather than the what the 
current state is.


For example, a button may show a single loop indicating the media is 
currently in single loop mode but have a title attribute specifying that 
pressing it enables continuous loop mode.


If there was an alt attribute on a span inside the button, screen 
readers could treat the span with a pictograph the same way it would 
treat an image child of a button attribute and describe the current 
pictograph to the end user.


If there is already a solution to this issue, I apologize, I could not 
find one.


We (er, WhatWG / W3C) could just add alt to the global attribute list 
too, rather than just span. Or come up with a semantic pictograph 
element specifically for this (just like we have tt and code).


Thank you for opinions.

Re: [whatwg] header for JSON-LD ???

2017-07-25 Thread Michael A. Peters


On 07/25/2017 02:42 PM, Qebui Nehebkau wrote:

On 25 July 2017 at 17:32, Michael A. Peters  wrote:


Nor does his assumption that I am "new" to the web somehow disqualify me
from making suggestions with current use cases that could reduce the bloat
of traffic.



Oh, then I think you misunderstood his statement. As I read it, "spend more
time working with the web you have before trying to change it" was a
suggestion to look for a way to do what you want with current technology,
not an argument that you don't have enough web experience. "Spend more
time" on this particular project, not in general.



I have a way to do what I want with current technology.

I can detect bots based upon user agent and only send the JSON-LD when I 
do so.


However there are some things that may be of use to a browser with 
accessibility functions, such as declarations regarding whether or not a 
page (or resource on a page) has flashing content or has simulated 
motion. So there are legitimate reasons why an end user client may want 
the JSON-LD data before rendering a page.


Just like the accept header for WebP, an accept header for JSON-LD could 
solve this problem. Bots and non-bot users agents that want it send it. 
Webmasters who understand people in undeveloped countries benefit from 
non-bloated paged can then choose to only send the JSON-LD in their 
pages when it is wanted.


Much better to implement this now when JSON-LD is still relatively young.

Whether JSON-LD is the best way to add structured data to a page 
probably depends upon a lot of different factors, that's a different 
discussion. But it is being used. That's the discussion, reducing the 
drawbacks of bloated content for clients that ignore it anyway.

Re: [whatwg] header for JSON-LD ???

2017-07-25 Thread Michael A. Peters


On 07/25/2017 02:29 PM, Qebui Nehebkau wrote:

Wow, that was unnecessary. "Working with the web since the late 90s"
doesn't intrinsically make you any more right or any better a web designer
than some 12-year-old from Geocities. If maintaining your worldview depends
on assuming that anyone who disagrees is "too biased", your worldview is
wrong. And, btw, your worldview is wrong. Content that only some users want
is separate content that should be in a separate resource.



Nor does his assumption that I am "new" to the web somehow disqualify me 
from making suggestions with current use cases that could reduce the 
bloat of traffic.

Re: [whatwg] header for JSON-LD ???

2017-07-25 Thread Michael A. Peters


On 07/25/2017 10:45 AM, Jonathan Zuckerman wrote:

This suggestion might have more success with the W3C? I'm not completely
clear on the politics and history of the two orgs, but it seems like the
W3C has supported JSON-LD in the past, so they might have some interest in
expanding it.

On a personal note, I think you've got really far down the path of a hammer
looking for a nail. Spend more time working with the web you've got before
trying to change it.


Fuck you. Seriously. I've been working with the web since the late 90s.

I don't need condensing crap like that.

No, I don't have a hammer looking for nail.

JSON-LD is a beautiful implementation of structured data, that 
potentially includes the ability to only include it when the client 
wants it included.


I'm sorry you are too biased against it to open your mind and see it.

Learn some fucking manners.

Re: [whatwg] header for JSON-LD ???

2017-07-24 Thread Michael A. Peters


On 07/24/2017 04:43 PM, Qebui Nehebkau wrote:

On 24 July 2017 at 19:21, Michael A. Peters  wrote:


But if you define your structured data as attributes then information
about the other 11 is not available to machines that fetch the page and
want to know what the page offers.



It sounds like the machines probably want to fetch some kind of index page,
not the page for a particular item. I think that if you find yourself
wanting to send two different sets of content to different users, you
probably need to be directing them to different resources.



No, the structured data should be generated the same time as the content.

It's just if it resides in a single script node in the head that can end 
up being quite large, there's no need to include that node when the 
client has no use for it.


Right now, I only send it if the client is an honest bot. But there may 
be some browser add-ons that make use of it, so they should be able to 
announce they want it and get it.

Re: [whatwg] header for JSON-LD ???

2017-07-24 Thread Michael A. Peters


When too much is displayed, the website is too busy.

If there are 12 audios in a group, the person can only listen to one at 
a time so it is pointless to have 12 audio nodes present.


But you can display one and have the other 11 accessible via a select 
menu, so that if and when the user wants them, they select the audio 
they want and JS swaps out the audio node.


But if you define your structured data as attributes then information 
about the other 11 is not available to machines that fetch the page and 
want to know what the page offers.


That's why JSON-LD is superior to the other methods of structured data. 
You can have the structured data for all 12 audios since all 12 audios 
are part of the page but only one has an (x)html audio node in the html 
as sent by the initial GET request.


Web pages aren't static, even after the client received the page the DOM 
can be altered without reloading the page.


Structured data separate from the content is the only logical way to 
account for that.


On 07/24/2017 08:00 AM, Jonathan Zuckerman wrote:

I think one of the best aspects of the web platform is that there can be a
single node in the network that is accessible to *all*. The linked data
approach hides the information from humans. The structured data alternative
you suggest (div display none) still hides the information from humans.
Here's a better alternative that is accessible to both humans and robots:
simply *display the div*. What's your objection to displaying this
information to humans? How can you justify displaying different content to
different classes of user?

On Sun, Jul 23, 2017 at 8:13 PM Michael A. Peters 
wrote:


On 07/23/2017 03:33 PM, Michael A. Peters wrote:

On 07/23/2017 02:42 PM, Qebui Nehebkau wrote:

*snip*




I can't speak for anyone else - I can barely speak for myself - but I
think
I'd argue that, intuitively, if your structured data isn't logically

part

of your content, there's a good chance that it doesn't belong there at
all.



It logically describes the content, and because it is separate from the
content it describes, is much easier to manage and inspect and bugfix.

Just for example, with an audio, I can describe the creator as a person
including the company the person works for etc. in JSON-LD without
needing to have tags in the content for those things to add attributes
to. That's information that is useful to machines especially when
linking different objects from domains together but it isn't necessarily
useful to the person reading the web page.

So keeping the structured data separate from the content allows richer
details to be added to the structured data for machines to read without
needing to alter the design intended for the human readers of the page.

Two audiences are thus served without needing to compromise the design
for either, both machine and human.

But the content for machines doesn't need to be sent to humans where
they don't care about it, hence the desire for a standard header
machines that do want it can send to have it included.


A better example.

I run an audio site (all legal, no piracy, I'm anti-DRM but also pro
intellectual property) where users can select a category.

There could be, say, 12 audios in that category, but the web page only
displays one. If the user wants to listen to a different audio, they use
a select menu. If its the same artist, there's enough info in the data-*
attributes of the select menu items to swap the audio node w/o even an
ajax call, If different artist, I do make an ajax call because more than
just the audio node changes.

With JSON-LD I can put structured data for all audios the person can
play from that page into the JSON-LD. I can't do that with tag based
structured data unless I make a div display display:none to contain all
the other audios.

I use libxml2 to create pages so I can modify any part of the DOM at any
point allowing me to create the JSON-LD from the same data used to
generate the page, so it is always in sync. I then can stuff it in the
head node at the end.

That's not possible with many platforms that send content before it is
finished generating all the page, so JSON-LD for many may not have the
kind of advantage I can from it, but the ability to describe objects
available through user actions (such as select menu) but aren't part of
the DOM when the page is sent is a huge benefit to me over tag based
implementations of structured data.

Hope that sheds some light on why I had an epiphany when I finally
stopped to read about JSON-LD.

Now, back on topic, a header would be nice so I only have to stuff it in
the head when a machine is asking for it ;)

Re: [whatwg] header for JSON-LD ???

2017-07-23 Thread Michael A. Peters


On 07/23/2017 03:33 PM, Michael A. Peters wrote:

On 07/23/2017 02:42 PM, Qebui Nehebkau wrote:

*snip*




I can't speak for anyone else - I can barely speak for myself - but I
think
I'd argue that, intuitively, if your structured data isn't logically part
of your content, there's a good chance that it doesn't belong there at
all.



It logically describes the content, and because it is separate from the
content it describes, is much easier to manage and inspect and bugfix.

Just for example, with an audio, I can describe the creator as a person
including the company the person works for etc. in JSON-LD without
needing to have tags in the content for those things to add attributes
to. That's information that is useful to machines especially when
linking different objects from domains together but it isn't necessarily
useful to the person reading the web page.

So keeping the structured data separate from the content allows richer
details to be added to the structured data for machines to read without
needing to alter the design intended for the human readers of the page.

Two audiences are thus served without needing to compromise the design
for either, both machine and human.

But the content for machines doesn't need to be sent to humans where
they don't care about it, hence the desire for a standard header
machines that do want it can send to have it included.


A better example.

I run an audio site (all legal, no piracy, I'm anti-DRM but also pro 
intellectual property) where users can select a category.


There could be, say, 12 audios in that category, but the web page only 
displays one. If the user wants to listen to a different audio, they use 
a select menu. If its the same artist, there's enough info in the data-* 
attributes of the select menu items to swap the audio node w/o even an 
ajax call, If different artist, I do make an ajax call because more than 
just the audio node changes.


With JSON-LD I can put structured data for all audios the person can 
play from that page into the JSON-LD. I can't do that with tag based 
structured data unless I make a div display display:none to contain all 
the other audios.


I use libxml2 to create pages so I can modify any part of the DOM at any 
point allowing me to create the JSON-LD from the same data used to 
generate the page, so it is always in sync. I then can stuff it in the 
head node at the end.


That's not possible with many platforms that send content before it is 
finished generating all the page, so JSON-LD for many may not have the 
kind of advantage I can from it, but the ability to describe objects 
available through user actions (such as select menu) but aren't part of 
the DOM when the page is sent is a huge benefit to me over tag based 
implementations of structured data.


Hope that sheds some light on why I had an epiphany when I finally 
stopped to read about JSON-LD.


Now, back on topic, a header would be nice so I only have to stuff it in 
the head when a machine is asking for it ;)

Re: [whatwg] header for JSON-LD ???

2017-07-23 Thread Michael A. Peters


On 07/23/2017 02:42 PM, Qebui Nehebkau wrote:

On 23 July 2017 at 14:12, Michael A. Peters  wrote:


It's a beautiful way to create structured data separate from the content,
just like layout (CSS) is best kept separate from the content. [...] I
wonder why people on this list don't like it. Reading about it was an
epiphany for me, it's (in my opinion) the right way to do structured data,
and far superior to sticking a bunch of attributes in tags - just like CSS
selectors are far superior to sticking style attributes in tags.



I can't speak for anyone else - I can barely speak for myself - but I think
I'd argue that, intuitively, if your structured data isn't logically part
of your content, there's a good chance that it doesn't belong there at all.



It logically describes the content, and because it is separate from the 
content it describes, is much easier to manage and inspect and bugfix.


Just for example, with an audio, I can describe the creator as a person 
including the company the person works for etc. in JSON-LD without 
needing to have tags in the content for those things to add attributes 
to. That's information that is useful to machines especially when 
linking different objects from domains together but it isn't necessarily 
useful to the person reading the web page.


So keeping the structured data separate from the content allows richer 
details to be added to the structured data for machines to read without 
needing to alter the design intended for the human readers of the page.


Two audiences are thus served without needing to compromise the design 
for either, both machine and human.


But the content for machines doesn't need to be sent to humans where 
they don't care about it, hence the desire for a standard header 
machines that do want it can send to have it included.

Re: [whatwg] header for JSON-LD ???

2017-07-23 Thread Michael A. Peters

Interesting. It's a beautiful way to create structured data separate 
from the content, just like layout (CSS) is best kept separate from the 
content.


I wonder why people on this list don't like it. Reading about it was an 
epiphany for me, it's (in my opinion) the right way to do structured 
data, and far superior to sticking a bunch of attributes in tags - just 
like CSS selectors are far superior to sticking style attributes in tags.


Not meaning to start a holy war, it's just I didn't come across anything 
negative about it during my initial research on JSON-LD. Other than my 
own observation that it bloats the content sent to every client, hence 
the desire for a header specifying it is actually wanted before it is 
stuffed in the document head node.



On 07/22/2017 10:12 PM, Jeffrey Yasskin wrote:

2¢: This list tends to disapprove of JSON-LD, so you should probably first
run your proposal by a group that likes JSON-LD. Maybe
public-rdf-comme...@w3.org referenced from https://www.w3.org/TR/json-ld/?
Or an issue against https://github.com/json-ld/json-ld.org?

Jeffrey

On Fri, Jul 21, 2017 at 2:21 PM, Michael A. Peters 
wrote:


I am (finally) starting to implement JSON-LD on a site, it generates a lot
of data that is useless to the non-bot typical user.

I'd prefer to only stick it in the head when the client is a crawler that
wants it.

Wouldn't it be prudent if agents that want JSON-LD can send a standardized
header as part of their request so web apps can optionally choose to only
send the JSON-LD data to clients that want it? Seems it would be kinder to
mobile users on limited bandwidth if they didn't have to download a bunch
of JSON that is meaningless to them.

Is this the right group to suggest that?

[whatwg] header for JSON-LD ???

2017-07-21 Thread Michael A. Peters

I am (finally) starting to implement JSON-LD on a site, it generates a 
lot of data that is useless to the non-bot typical user.


I'd prefer to only stick it in the head when the client is a crawler 
that wants it.


Wouldn't it be prudent if agents that want JSON-LD can send a 
standardized header as part of their request so web apps can optionally 
choose to only send the JSON-LD data to clients that want it? Seems it 
would be kinder to mobile users on limited bandwidth if they didn't have 
to download a bunch of JSON that is meaningless to them.


Is this the right group to suggest that?

Re: [whatwg] Media query for bandwidth ??


On 12/09/2016 06:14 PM, Florian Rivoal wrote:

On Dec 9, 2016, at 23:07, Michael A. Peters  wrote:

This was inspired by inspection of a style-sheet in the wild that uses 
screen-width to try and reduce bandwidth needs of mobile devices.

I like the concept, but very often I use my mobile devices where bandwidth 
doesn't matter and my laptop via a mifi where bandwidth does matter.

I would like a CSS media query for bandwidth so that I can reduce how many 
webfonts are used in low bandwidth scenarios. It seems browsers are already 
smart enough to only download a font defined by @font-face if they need it, so 
it only needs to be done where the font is used, e.g.


It's been considered before, and that approach will not work. Media queries are 
the wrong tool for this. Neutrality / bias warning: I'm co-editor of the Media 
Queries spec.

Media queries, by design, will switch instantly when the environment changes, 
stop applying the old styles, and start applying the new ones. So if you finish 
loading a page on your phone in your home wifi with the high-res and heavy 
assets, start reading, then walk outside into 3G, you'll discard the high res 
assets and start loading the low res ones. And if you're driving / riding a 
train in and out of tunnels, you'll toggle between high and low (or low and 
terrible) constantly, and never manage to finish loading anything, all while 
using copious amounts of bandwidth. This isn't a bug, this is how Media Queries 
work, and is the right thing to do for things where media queries are the right 
tool. If that's not what you want, what you want isn't a media query.

The right approach is something like srcset[1], the source element[2], or 
image-set()[3]: instead of switching between one variant or another based on a 
hard criteria, you provide the UA with all the variants you have, and let it 
switch intelligently.

Of course, these are UA based heurisitics, it is certainly possible that the UA 
will make poor decisions sometimes, but that's a lot better than the guaranteed 
bad behavior you'd get with Media queries.

For fonts, there isn't currently an equivalent mechanism, but we could think of 
adding qualifiers either the @font-face that declares the font, or font-family 
that tries to use it, to indicate that certain fonts are must-have, while 
others are optional things that are fine to skip in case of bad bandwidth or 
latency.

There's already one proposal in that direction, although it hasn't received 
much attention lately: https://tabatkins.github.io/specs/css-font-display/

Finally, while you're free to talk about this anywhere you like, traditionally 
the best forum for CSS related topics is the CSSWG, either through its 
github[4] or its mailing list[5].

—Florian

[1] https://html.spec.whatwg.org/multipage/embedded-content.html#attr-img-srcset
[2] 
https://html.spec.whatwg.org/multipage/embedded-content.html#the-source-element
[3] https://drafts.csswg.org/css-images-3/#image-set-notation
[4] https://github.com/w3c/csswg-drafts/issues
[5] https://lists.w3.org/Archives/Public/www-style/



I've thought about this for several hours now and I have to concede, a 
media query is not the right place for this.


I don't think @font-face is either as it would cause backwards 
compatibility problems, and there are other issues with @font-face.


For example, when I use @font-face to define a bold font face, then when 
I declare that font for strong I have to explicitly tell the CSS to use 
the normal weight or the browser applies a fake bold to the already bold 
font.


Perhaps what is needed is an @font-family declaration that can be used 
to specify the various variants of a font.


Then when the font-family is called and something like a strong tag is 
encountered, the browser will use the defined bold variant if it exists 
and apply fake bold to the roman font if it does not.


If variants within @font-family are declared optional, then the browser 
does not have to include it.


That would solve another problem with my media query solution. If the 
page was ever loaded when bandwidth isn't an issue, it may have the 
optional woff2 files in cache.


It would then be able to use them even in low bandwidth, since it 
already had them, and only apply fake variant instead if it doesn't have 
it in cache and it is flagged as optional.


I'll think about this some more, then join the right list for it and put 
the revised idea there.


But for now I have to concede media query is the wrong approach.

Re: [whatwg] Media query for bandwidth ??

I have pondered that, and those cases will not be typical. The page may 
start to load the high bandwidth content (just like it does right now) 
and that may cause slow page loading as they walk outside (just like it 
does right now) but the next page at the site they load will use the 
low-bandwidth CSS and load a lot faster - unlike it does right now.


On 12/09/2016 11:58 AM, Jonathan Garbee wrote:

Also, Ponder this case:

User is on their cell phone and at home on wifi. So your "This user as
50MBs, send them 4k images!" query is hit on initial load. Well, 25%
through page resources being called, they walk 20 feet outside of their
home and now they are on their ~3G cell tower connection. If it is stuck on
initial test metrics, that user is stuck downloading 75% of your 4k images
and fonts over their cell connection. Now consider it as a pay-per-usage
connection and you have easily blown a hole in their wallet.

These things can't be locked into a single point in time. It just doesn't
work from the perspective of the user. So whatever is done here, would need
to be adaptable which in the case of CSS is even more complex since it is
declarative and developers give up so much control. Bandwidth Media Queries
simply aren't feasible.

On Fri, Dec 9, 2016 at 2:51 PM Jonathan Garbee  wrote:


FTR there was a working group to provide a Network Information API [1] to
let JS handle this more easily. In trying to do that, they had a difficult
time actually getting accurate information for the API to provide. So it
was canned in order to further assess the cases specifically and other
approaches. I highly doubt if there was trouble building a JS API for this
type of thing that CSS alone can handle it in some way.

If something like this is to happen, it *needs* to happen in JS first.
That way developers have control, from a working and proven implementation
there we could find a syntax for CSS to work on top of. So for now, you're
probably best off polyfilling some JS API and using that to experiment with
to present as a solution. That way it can be more easily vetted and tested.

[1] https://dvcs.w3.org/hg/dap/raw-file/tip/network-api/Overview.html

On Fri, Dec 9, 2016 at 12:43 PM Michael A. Peters 
wrote:

On 12/09/2016 09:03 AM, Boris Zbarsky wrote:

On 12/9/16 5:57 AM, Michael A. Peters wrote:

max-height and max-width and orientation change, but device-width does
not change.


Just as a point of fact, device-width can absolutely change.  The
simplest case is a two-monitor setup with the window getting dragged
from one monitor to another, but similar things can happen when things
are docked/undocked, monitors are plugged in or removed, etc.

-Boris


Ah yes, point taken.

With a bandwidth query I would recommend it only change on a page reload
but it wouldn't have to be done that way.

This wouldn't only be beneficial to fonts, a lot of images etc. are
defined in CSS too.

Re: [whatwg] Media query for bandwidth ??

I don't think it needs to happen in JS first. A CSS media query is 
completely opt-in. Developers don't need to use the media query if they 
do not want to, it is just a way that developers can make their websites 
more friendly to users with bandwidth constraints without sacrificing 
for users who do not have bandwidth constraints.


On 12/09/2016 11:51 AM, Jonathan Garbee wrote:

FTR there was a working group to provide a Network Information API [1] to
let JS handle this more easily. In trying to do that, they had a difficult
time actually getting accurate information for the API to provide. So it
was canned in order to further assess the cases specifically and other
approaches. I highly doubt if there was trouble building a JS API for this
type of thing that CSS alone can handle it in some way.

If something like this is to happen, it *needs* to happen in JS first. That
way developers have control, from a working and proven implementation there
we could find a syntax for CSS to work on top of. So for now, you're
probably best off polyfilling some JS API and using that to experiment with
to present as a solution. That way it can be more easily vetted and tested.

[1] https://dvcs.w3.org/hg/dap/raw-file/tip/network-api/Overview.html

On Fri, Dec 9, 2016 at 12:43 PM Michael A. Peters 
wrote:


On 12/09/2016 09:03 AM, Boris Zbarsky wrote:

On 12/9/16 5:57 AM, Michael A. Peters wrote:

max-height and max-width and orientation change, but device-width does
not change.


Just as a point of fact, device-width can absolutely change.  The
simplest case is a two-monitor setup with the window getting dragged
from one monitor to another, but similar things can happen when things
are docked/undocked, monitors are plugged in or removed, etc.

-Boris


Ah yes, point taken.

With a bandwidth query I would recommend it only change on a page reload
but it wouldn't have to be done that way.

This wouldn't only be beneficial to fonts, a lot of images etc. are
defined in CSS too.

Re: [whatwg] Media query for bandwidth ??


On 12/09/2016 09:03 AM, Boris Zbarsky wrote:

On 12/9/16 5:57 AM, Michael A. Peters wrote:

max-height and max-width and orientation change, but device-width does
not change.


Just as a point of fact, device-width can absolutely change.  The
simplest case is a two-monitor setup with the window getting dragged
from one monitor to another, but similar things can happen when things
are docked/undocked, monitors are plugged in or removed, etc.

-Boris


Ah yes, point taken.

With a bandwidth query I would recommend it only change on a page reload 
but it wouldn't have to be done that way.


This wouldn't only be beneficial to fonts, a lot of images etc. are 
defined in CSS too.

Re: [whatwg] Media query for bandwidth ??


How the browsers determine bandwidth would be up to the browser.

I assume they would have a reasonable default that the user can choose 
to override - like many other browser options.


On 12/09/2016 08:19 AM, Jonathan Garbee wrote:

So, if this were to get in it is magically up to users to know to go change
the settings (most don't) to get different modes. That is bad design. We
need to handle things for users in this situation. Not do something and
hope they pay attention.

If you're suggesting a feature that requires browser settings explicit for
it, rethink it.

JavaScript handling let's you do exactly what you want. Let the most
performance oriented solution be your default and enhance on top of that
after load. There are other things coming for fonts, like the font loading
API, to help make funny transitioning seamless.

Browsers are handling things like data saver modes to let users opt in to
certain things on their end. Overall, introducing media queries based on
the network is a bad design.

On Fri, Dec 9, 2016, 11:09 AM Yay295  wrote:


On another note, are you sure it's *font files* that are slowing down your
page load? Maybe I've just been lucky, but of the 24 font files I happen to
have in a folder on my computer, 19 of them are only about 50KB. That's
one-fifth the size of jQuery. Perhaps you should be looking at shrinking
your font files first if they're such a problem?

On Fri, Dec 9, 2016 at 8:32 AM, Jonathan Zuckerman 
wrote:


Michael - I think "high" and "low" are very relative terms, defining

those

terms for all users for all time doesn't seem possible. Also,
connectivity/bandwidth are subject to change at any moment during the
lifetime of a page. Current media queries like `max-height` or
`min-resolution` would respond to changes, have you thought about how

your

proposed addition would behave?

Currently you can use javascript to figure out if the network will

support

your enhanced experience (and you're free to define what that means) and
add a classname to the document to trigger the css rules for that
experience, so you can build the feature you're asking for using existing
parts. It's not baked into the platform, but because of the nature of the
web and vagueness of the requirements, I'm not sure it's possible to do

any

better.

On Fri, Dec 9, 2016 at 9:07 AM Michael A. Peters 
This was inspired by inspection of a style-sheet in the wild that uses
screen-width to try and reduce bandwidth needs of mobile devices.

I like the concept, but very often I use my mobile devices where
bandwidth doesn't matter and my laptop via a mifi where bandwidth does
matter.

I would like a CSS media query for bandwidth so that I can reduce how
many webfonts are used in low bandwidth scenarios. It seems browsers

are

already smart enough to only download a font defined by @font-face if
they need it, so it only needs to be done where the font is used, e.g.

pre {
   font-family: 'monoFont-Roman', monospace;
}
pre em {
   font-family: 'monoFont-Italic', monospace;
   font-style: normal;
}
pre strong {
   font-family: 'monoFont-Bold', monospace;
   font-weight: normal;
}
pre em strong {
   font-family: 'monoFont-BoldItalic', monospace;
   font-style: normal;
   font-weight: normal;
}
pre strong em {
   font-family: 'monoFont-BoldItalic', monospace;
   font-style: normal;
   font-weight: normal;
}
@media screen and (device-bandwidth: low) {
   pre strong {
 font-family: 'monoFont-Roman', monospace;
 font-weight: 700;
   }
   pre em strong {
 font-family: 'monoFont-Italic', monospace;
 font-weight: 700;
   }
   pre strong em {
 font-family: 'monoFont-Italic', monospace;
 font-weight: 700;
   }
}

That right there cuts the number of fonts the low-bandwidth device

needs

in half, and could have even gone further and used fake italic if the
fake italic for the font looks good enough.

The small increase in CSS file size doesn't matter with high bandwidth
clients and is justified for low-bandwidth as it reduces the content
that needs to be fetched.

It would be up to the client to define the device-bandwidth, web
developers should create the CSS for high bandwidth and only have the
alternate CSS kick in when a media query says it is low.

Honestly I think low or high are the only definitions needed with low
being the only one that a site should have conditional styles set for.

-=-

The same concept could be applied to html5 media too. e.g. I could

serve

the 64 kbps opus to clients that don't define themselves as low, and

the

32 kbps opus to clients that do define themselves as low.

How to handle media in situations where a service worker pre-fetches
content I haven't thought about, because a client may pre-fetch content
before the bandwidth constraint changes, but I suspect there'

Re: [whatwg] Media query for bandwidth ??

My pages are not slow and tend to be much smaller than the typical web 
page out there.


The size of a woff2 file can vary greatly depending upon what characters 
it covers and the complexity of those characters.


jQuery is only needed once as it should then be cached for a very long 
time, and quite often is served from a CDN where the user does not need 
to load it for each and every site they visit.


With fonts, many sites use at least three different families and often 
several faces within those families, which is appropriate because many 
characters are far more readable when a genuine font face is used rather 
than fake italic or bold. The w character for example is often drawn 
different and more readable in the italic variant of the family.


There are free fonts that also exist on CDNs but there are many to 
choose from so it is less likely the user already has them cached even 
if they are on a common CDN (e.g. Google Fonts), and many webmasters 
license fonts that can't be on a common CDN due to the license.


There is a push for privacy reasons to limit a browsers ability to use 
fonts from the system, access to system fonts can be used for browser 
fingerprinting. If that push is successful (and I hope it is) then web 
font usage may increase due to the limited fonts that a particular 
browser may ship with.


Allowing for genuine font faces (and fatter font faces) where bandwidth 
isn't an issue but limiting the font faces (and using slimmer fonts) 
where bandwidth is an issue can provide for a better user experience 
when there are bandwidth constraints on the client.


A better experience for the end user under those fairly common 
conditions (especially common in developing countries) I believe is a 
worthwhile goal.


Web developers that don't want to or feel they don't need to accommodate 
those users won't have to, but those who do want to take bandwidth 
concerns into consideration will be able to.


I don't know how common it is, but it was a style sheet I saw in the 
wild where the web developer was trying to use device-width to 
accomplish that goal that made me think about a better way, because I do 
believe taking bandwidth into consideration is a noble thing for a web 
developer to do, and they shouldn't have to use device-width to try and 
accomplish that.


In my opinion.

On 12/09/2016 08:09 AM, Yay295 wrote:

On another note, are you sure it's *font files* that are slowing down your
page load? Maybe I've just been lucky, but of the 24 font files I happen to
have in a folder on my computer, 19 of them are only about 50KB. That's
one-fifth the size of jQuery. Perhaps you should be looking at shrinking
your font files first if they're such a problem?

On Fri, Dec 9, 2016 at 8:32 AM, Jonathan Zuckerman 
wrote:


Michael - I think "high" and "low" are very relative terms, defining those
terms for all users for all time doesn't seem possible. Also,
connectivity/bandwidth are subject to change at any moment during the
lifetime of a page. Current media queries like `max-height` or
`min-resolution` would respond to changes, have you thought about how your
proposed addition would behave?

Currently you can use javascript to figure out if the network will support
your enhanced experience (and you're free to define what that means) and
add a classname to the document to trigger the css rules for that
experience, so you can build the feature you're asking for using existing
parts. It's not baked into the platform, but because of the nature of the
web and vagueness of the requirements, I'm not sure it's possible to do any
better.

On Fri, Dec 9, 2016 at 9:07 AM Michael A. Peters 
wrote:


This was inspired by inspection of a style-sheet in the wild that uses
screen-width to try and reduce bandwidth needs of mobile devices.

I like the concept, but very often I use my mobile devices where
bandwidth doesn't matter and my laptop via a mifi where bandwidth does
matter.

I would like a CSS media query for bandwidth so that I can reduce how
many webfonts are used in low bandwidth scenarios. It seems browsers are
already smart enough to only download a font defined by @font-face if
they need it, so it only needs to be done where the font is used, e.g.

pre {
   font-family: 'monoFont-Roman', monospace;
}
pre em {
   font-family: 'monoFont-Italic', monospace;
   font-style: normal;
}
pre strong {
   font-family: 'monoFont-Bold', monospace;
   font-weight: normal;
}
pre em strong {
   font-family: 'monoFont-BoldItalic', monospace;
   font-style: normal;
   font-weight: normal;
}
pre strong em {
   font-family: 'monoFont-BoldItalic', monospace;
   font-style: normal;
   font-weight: normal;
}
@media screen and (device-bandwidth: low) {
   pre strong {
 font-family: 'monoFont-Roman', monospace;
 font-weight: 700;
   }

Re: [whatwg] Media query for bandwidth ??

max-height and max-width and orientation change, but device-width does 
not change.


It should behave like device-width because it should be applied when the 
resources are fetched and the page is rendered.


Yes low and high are relative, which is why it should be determined by 
the browser potentially with user preference settings to what means high 
and low to the user.


Someone using a service where they pay for all their bandwidth may want 
it always defined as low except when on wifi, someone who doesn't pay 
for bandwidth may want it only set to low when their phone only has two 
bars.


Leaving it up to the client allows it to remain relative. It doesn't 
need to be more fine-grained than high or low because web designers 
aren't likely to make use of more than two options anyway.


On 12/09/2016 07:32 AM, Jonathan Zuckerman wrote:

Michael - I think "high" and "low" are very relative terms, defining those
terms for all users for all time doesn't seem possible. Also,
connectivity/bandwidth are subject to change at any moment during the
lifetime of a page. Current media queries like `max-height` or
`min-resolution` would respond to changes, have you thought about how your
proposed addition would behave?

Currently you can use javascript to figure out if the network will support
your enhanced experience (and you're free to define what that means) and
add a classname to the document to trigger the css rules for that
experience, so you can build the feature you're asking for using existing
parts. It's not baked into the platform, but because of the nature of the
web and vagueness of the requirements, I'm not sure it's possible to do any
better.

On Fri, Dec 9, 2016 at 9:07 AM Michael A. Peters 
wrote:


This was inspired by inspection of a style-sheet in the wild that uses
screen-width to try and reduce bandwidth needs of mobile devices.

I like the concept, but very often I use my mobile devices where
bandwidth doesn't matter and my laptop via a mifi where bandwidth does
matter.

I would like a CSS media query for bandwidth so that I can reduce how
many webfonts are used in low bandwidth scenarios. It seems browsers are
already smart enough to only download a font defined by @font-face if
they need it, so it only needs to be done where the font is used, e.g.

pre {
   font-family: 'monoFont-Roman', monospace;
}
pre em {
   font-family: 'monoFont-Italic', monospace;
   font-style: normal;
}
pre strong {
   font-family: 'monoFont-Bold', monospace;
   font-weight: normal;
}
pre em strong {
   font-family: 'monoFont-BoldItalic', monospace;
   font-style: normal;
   font-weight: normal;
}
pre strong em {
   font-family: 'monoFont-BoldItalic', monospace;
   font-style: normal;
   font-weight: normal;
}
@media screen and (device-bandwidth: low) {
   pre strong {
 font-family: 'monoFont-Roman', monospace;
 font-weight: 700;
   }
   pre em strong {
 font-family: 'monoFont-Italic', monospace;
 font-weight: 700;
   }
   pre strong em {
 font-family: 'monoFont-Italic', monospace;
 font-weight: 700;
   }
}

That right there cuts the number of fonts the low-bandwidth device needs
in half, and could have even gone further and used fake italic if the
fake italic for the font looks good enough.

The small increase in CSS file size doesn't matter with high bandwidth
clients and is justified for low-bandwidth as it reduces the content
that needs to be fetched.

It would be up to the client to define the device-bandwidth, web
developers should create the CSS for high bandwidth and only have the
alternate CSS kick in when a media query says it is low.

Honestly I think low or high are the only definitions needed with low
being the only one that a site should have conditional styles set for.

-=-

The same concept could be applied to html5 media too. e.g. I could serve
the 64 kbps opus to clients that don't define themselves as low, and the
32 kbps opus to clients that do define themselves as low.

How to handle media in situations where a service worker pre-fetches
content I haven't thought about, because a client may pre-fetch content
before the bandwidth constraint changes, but I suspect there's a clever
solution to that (e.g. always fetch high bandwidth when async pre-fetch
and then use high bandwidth when cached even if in low bandwidth mode)

But html5 media can be figured out later, CSS is what I really would
like to see a bandwidth media query for.

Thoughts?

[whatwg] Media query for bandwidth ??

This was inspired by inspection of a style-sheet in the wild that uses 
screen-width to try and reduce bandwidth needs of mobile devices.


I like the concept, but very often I use my mobile devices where 
bandwidth doesn't matter and my laptop via a mifi where bandwidth does 
matter.


I would like a CSS media query for bandwidth so that I can reduce how 
many webfonts are used in low bandwidth scenarios. It seems browsers are 
already smart enough to only download a font defined by @font-face if 
they need it, so it only needs to be done where the font is used, e.g.


pre {
  font-family: 'monoFont-Roman', monospace;
}
pre em {
  font-family: 'monoFont-Italic', monospace;
  font-style: normal;
}
pre strong {
  font-family: 'monoFont-Bold', monospace;
  font-weight: normal;
}
pre em strong {
  font-family: 'monoFont-BoldItalic', monospace;
  font-style: normal;
  font-weight: normal;
}
pre strong em {
  font-family: 'monoFont-BoldItalic', monospace;
  font-style: normal;
  font-weight: normal;
}
@media screen and (device-bandwidth: low) {
  pre strong {
font-family: 'monoFont-Roman', monospace;
font-weight: 700;
  }
  pre em strong {
font-family: 'monoFont-Italic', monospace;
font-weight: 700;
  }
  pre strong em {
font-family: 'monoFont-Italic', monospace;
font-weight: 700;
  }
}

That right there cuts the number of fonts the low-bandwidth device needs 
in half, and could have even gone further and used fake italic if the 
fake italic for the font looks good enough.


The small increase in CSS file size doesn't matter with high bandwidth 
clients and is justified for low-bandwidth as it reduces the content 
that needs to be fetched.


It would be up to the client to define the device-bandwidth, web 
developers should create the CSS for high bandwidth and only have the 
alternate CSS kick in when a media query says it is low.


Honestly I think low or high are the only definitions needed with low 
being the only one that a site should have conditional styles set for.


-=-

The same concept could be applied to html5 media too. e.g. I could serve 
the 64 kbps opus to clients that don't define themselves as low, and the 
32 kbps opus to clients that do define themselves as low.


How to handle media in situations where a service worker pre-fetches 
content I haven't thought about, because a client may pre-fetch content 
before the bandwidth constraint changes, but I suspect there's a clever 
solution to that (e.g. always fetch high bandwidth when async pre-fetch 
and then use high bandwidth when cached even if in low bandwidth mode)


But html5 media can be figured out later, CSS is what I really would 
like to see a bandwidth media query for.


Thoughts?

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters


On 12/02/2016 08:47 AM, Boris Zbarsky wrote:

On 12/2/16 11:34 AM, Michael A. Peters wrote:

It seems that CSP behavior has radically changed since the last time I
looked at it


I can't speak to when you last looked at it, but the current state
shipping in browsers is, as far as I know, no different from what
browsers shipped initially for purposes of this discussion.


At least historically, the on* attributes were not allowed, the style
attributes were not allowed, and any script nodes in the body were not
allowed.


If you specify script-src and style-src and don't include
'unsafe-inline', sure.


If CSP now allows them by default then I am not very happy about that


CSP allows the things you don't issue directives for.  If you don't
issue any script-src directives (or default-src directives), then there
won't be any limitations on scripts.

-Boris


Last time I read the specification, unsafe-inline didn't exist. Last 
time I glanced at the site, unsafe-inline existed but was not supported 
by all browsers and required a declared hash to work.

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters


On 12/02/2016 08:23 AM, Boris Zbarsky wrote:

On 12/2/16 11:01 AM, Michael A. Peters wrote:

Personally I love CSP but it does not allow inline scripts or inline CSS


Only if you say to not allow them.  The default behavior allows them.
For example, this disallows inline scripts, because script-src is
explicitly specified without unsafe-inline, but does nothing about
inline CSS:

  
  
  body { color: green; }
  This is green
  alert("I am not alerted")


I believe there now are CSP parameters that relax those prohibitions but
from I understand they are only relaxed when a hash of the inline
scripts / CSS is declared in the head.


That's ... not correct.  Simple example; compare it to the previous one:


It seems that CSP behavior has radically changed since the last time I 
looked at it, which was to create support for it in my php class that 
generates web pages using DOMDocument, so I can't comment on what the 
current state of it is then.


At least historically, the on* attributes were not allowed, the style 
attributes were not allowed, and any script nodes in the body were not 
allowed.


They were not allowed for very good reasons - there is no way for the 
browser to determine if they are intentional or are the result of a XSS 
injection in the web application.


JS and CSS in external files referenced from the head was the only way 
to safely determine they were intended and not injected.


If CSP now allows them by default then I am not very happy about that, 
as it would greatly reduce the effective security, but it sounds like I 
would have to read through the current documentation to further comment 
on CSP.

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

2016-12-02 Thread Michael A. Peters

Personally I love CSP but it does not allow inline scripts or inline CSS 
and over 95% of the web makes heavy use of both.


I believe there now are CSP parameters that relax those prohibitions but 
from I understand they are only relaxed when a hash of the inline 
scripts / CSS is declared in the head.


Google Webmaster Tools including PageSpeed also heavily encourage all 
JavaScript being referenced at the end of the page so that it isn't 
above the fold and because they are Google, most of the masses believe 
that is best and will help with page search ranking and that too isn't 
compatible with CSP where the scripts need to be defined in the head 
(except for maybe with the new unsafe-inline option that requires 
checksum in the head ???)


I don't know what the planned CSP option for window.opener() looks like, 
I just know that most websites break as soon as a CSP header is sent and 
it isn't always trivial to make them work.


On 12/02/2016 05:01 AM, Jonathan Zuckerman wrote:

Could you elaborate on the point made earlier that CSP is too complicated
to implement? What would the fix for this particularly security hole look
like, using CSP?

On Fri, Dec 2, 2016 at 1:11 AM Richard Maher  wrote:

Thanks Michael. So to be safe one should use Edge? Who'd have thunk it?

Anyone tested Michael's example on FireFox or Safari?

It does look like Chrome is the driver of rel=noopener. Does the credential
API https://w3c.github.io/webappsec-credential-management/ rely on this
flaw?

On Fri, Dec 2, 2016 at 11:44 AM, Michael A. Peters 
wrote:


If window.opener() did not work cross-domain then as far as I can tell
that would be secure.


On 12/01/2016 07:23 PM, Richard Maher wrote:


I see what you're saying Michael and also agree it's serious. Would I be
correct in thinking that MS Edge solves the problem by not returning
window.opener cross-domain? Is the UA not a logical and uniform place for
this?

BTW I've also experienced the CitHub topic-closure nazis many times :-(


On Fri, Dec 2, 2016 at 10:42 AM, Michael A. Peters <
mpet...@domblogger.net>
wrote:

Well if it was done as a header, I suppose it could be added as a

http-equiv meta tag for those who want to.

Header is the easiest solution to make sure it is applied everywhere
without question. It could even be added at the front-end proxy to cover
numerous web applications on many domains at once.

And I know this is conspiracy theory, but that's why I think there is
such
resistance to it.

Since the flaw is required for OAuth to work, companies invested in

OAuth

and that profit from OAuth solutions don't want sites behind proxies

that

would break OAuth and don't want webmasters to understand they have to
reduce security in order to implement an OAuth solution.

That's just a suspicion of mine, but I can't think of any other logical
reason as to why a node attribute was chosen as the solution, and why
there
is such resistance to doing it the right way with a header. To me it

just

doesn't make sense.


On 12/01/2016 05:45 PM, Zac Spitzer wrote:

how about rather than requiring this on every  why not support a base

tag directive
for the whole document i.e. , similar to ?

On Fri, Dec 2, 2016 at 12:39 PM, Domenic Denicola  wrote:

From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian


Hickson

I believe that's a bit of an overstatement. There are certainly risks



involved in window.opener (they're briefly discussed in the spec

itself),
but it doesn't remove the origin checks.

This is the crucial point.

Whenever you are discussing a supposed security issue, you need to

make

clear what the threat model is. That is:

- What would be the impact on the victim if the security hole is taken
advantage of?
- Is this something we are trying to prevent on the web platform?

In this case, the impact on the victim (a user of a web browser) is
that
they could click a link from page A to page B, which opens in a new

tab

(tab B). Then, tab A could be navigated to a new URL, instead of
staying
on
page A.

This is not a big impact. Notably, page B is not able to read any of
the
content of page A, which might be sensitive. Page B is not able to
interfere with the operation of any of page B's scripts. And

crucially,

when page B navigates tab A to another page, the URL bar of tab A
changes
to indicate that.

There is no desired security guarantee on the platform that we want to
prevent pages from directing users to "bad" sites. We count on users
inspecting the URL bar to understand what page they are interacting
with
in
a given tab.

So, while it might be a bit surprising that suddenly tab A is
navigating
somewhere else, there is no security issue here, and users are not
endangered in any way---at least, not in any more danger than they
already
are from browsing the web without looking at their URL bar to see

where

they've ended up at.

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

If window.opener() did not work cross-domain then as far as I can tell 
that would be secure.


On 12/01/2016 07:23 PM, Richard Maher wrote:

I see what you're saying Michael and also agree it's serious. Would I be
correct in thinking that MS Edge solves the problem by not returning
window.opener cross-domain? Is the UA not a logical and uniform place for
this?

BTW I've also experienced the CitHub topic-closure nazis many times :-(


On Fri, Dec 2, 2016 at 10:42 AM, Michael A. Peters 
wrote:


Well if it was done as a header, I suppose it could be added as a
http-equiv meta tag for those who want to.

Header is the easiest solution to make sure it is applied everywhere
without question. It could even be added at the front-end proxy to cover
numerous web applications on many domains at once.

And I know this is conspiracy theory, but that's why I think there is such
resistance to it.

Since the flaw is required for OAuth to work, companies invested in OAuth
and that profit from OAuth solutions don't want sites behind proxies that
would break OAuth and don't want webmasters to understand they have to
reduce security in order to implement an OAuth solution.

That's just a suspicion of mine, but I can't think of any other logical
reason as to why a node attribute was chosen as the solution, and why there
is such resistance to doing it the right way with a header. To me it just
doesn't make sense.


On 12/01/2016 05:45 PM, Zac Spitzer wrote:


how about rather than requiring this on every  why not support a base
tag directive
for the whole document i.e. , similar to ?

On Fri, Dec 2, 2016 at 12:39 PM, Domenic Denicola  wrote:

From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian

Hickson

I believe that's a bit of an overstatement. There are certainly risks



involved in window.opener (they're briefly discussed in the spec itself),
but it doesn't remove the origin checks.

This is the crucial point.

Whenever you are discussing a supposed security issue, you need to make
clear what the threat model is. That is:

- What would be the impact on the victim if the security hole is taken
advantage of?
- Is this something we are trying to prevent on the web platform?

In this case, the impact on the victim (a user of a web browser) is that
they could click a link from page A to page B, which opens in a new tab
(tab B). Then, tab A could be navigated to a new URL, instead of staying
on
page A.

This is not a big impact. Notably, page B is not able to read any of the
content of page A, which might be sensitive. Page B is not able to
interfere with the operation of any of page B's scripts. And crucially,
when page B navigates tab A to another page, the URL bar of tab A changes
to indicate that.

There is no desired security guarantee on the platform that we want to
prevent pages from directing users to "bad" sites. We count on users
inspecting the URL bar to understand what page they are interacting with
in
a given tab.

So, while it might be a bit surprising that suddenly tab A is navigating
somewhere else, there is no security issue here, and users are not
endangered in any way---at least, not in any more danger than they
already
are from browsing the web without looking at their URL bar to see where
they've ended up at.

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)


On 12/01/2016 06:14 PM, Elliott Sprehn wrote:

On Wed, Nov 30, 2016 at 10:53 PM, Boris Zbarsky  wrote:


On 12/1/16 1:41 AM, Chris Holland wrote:


I think the devil would be in implementation detail. Slapping a
"rel/noopener" attribute on a specific link is very deterministic and
straightforward from a logic standpoint  Whichever window was created
from this link can't control the parent.



It's a much stronger guarantee.  The guarantee is that the parent and the
created window have no way to see each other at all.  Neither one can read
any state from the other, or even know the other one exists.

In particular, the idea is that rel="noopener" allows the new window to be
opened in a separate process, or even a separate browser if desired. The
only difference between it and the user copying the link and then pasting
it into some other tab or other program is that a referrer header is sent.

Note that this guarantee makes for fairly simple implementation.

Having a header that opts in all links targeted at anything other than
_parent, _self, and _top have the noopener behavior would be doable. Having
a header that opts in some links based on the origin of the link href or
something would probably be doable.  Having a header that tries to add some
sort of new mode wherein the two windows _can_ see each other but can't do
some things that they can normally do would be a snake pit of complexity
that is best avoided.



I would like us to think about adding a mode where you get a MessageChannel
between the two windows. There's no synchronous access, and no ability to
navigate it, but you can talk back and forth with it.


I haven't tried but I don't see why service workers couldn't be used for 
that.

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

Well if it was done as a header, I suppose it could be added as a 
http-equiv meta tag for those who want to.


Header is the easiest solution to make sure it is applied everywhere 
without question. It could even be added at the front-end proxy to cover 
numerous web applications on many domains at once.


And I know this is conspiracy theory, but that's why I think there is 
such resistance to it.


Since the flaw is required for OAuth to work, companies invested in 
OAuth and that profit from OAuth solutions don't want sites behind 
proxies that would break OAuth and don't want webmasters to understand 
they have to reduce security in order to implement an OAuth solution.


That's just a suspicion of mine, but I can't think of any other logical 
reason as to why a node attribute was chosen as the solution, and why 
there is such resistance to doing it the right way with a header. To me 
it just doesn't make sense.


On 12/01/2016 05:45 PM, Zac Spitzer wrote:

how about rather than requiring this on every  why not support a base
tag directive
for the whole document i.e. , similar to ?

On Fri, Dec 2, 2016 at 12:39 PM, Domenic Denicola  wrote:


From: whatwg [mailto:whatwg-boun...@lists.whatwg.org] On Behalf Of Ian
Hickson


I believe that's a bit of an overstatement. There are certainly risks

involved in window.opener (they're briefly discussed in the spec itself),
but it doesn't remove the origin checks.

This is the crucial point.

Whenever you are discussing a supposed security issue, you need to make
clear what the threat model is. That is:

- What would be the impact on the victim if the security hole is taken
advantage of?
- Is this something we are trying to prevent on the web platform?

In this case, the impact on the victim (a user of a web browser) is that
they could click a link from page A to page B, which opens in a new tab
(tab B). Then, tab A could be navigated to a new URL, instead of staying on
page A.

This is not a big impact. Notably, page B is not able to read any of the
content of page A, which might be sensitive. Page B is not able to
interfere with the operation of any of page B's scripts. And crucially,
when page B navigates tab A to another page, the URL bar of tab A changes
to indicate that.

There is no desired security guarantee on the platform that we want to
prevent pages from directing users to "bad" sites. We count on users
inspecting the URL bar to understand what page they are interacting with in
a given tab.

So, while it might be a bit surprising that suddenly tab A is navigating
somewhere else, there is no security issue here, and users are not
endangered in any way---at least, not in any more danger than they already
are from browsing the web without looking at their URL bar to see where
they've ended up at.

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)