On Friday 2009-12-11 02:17 -0800, Jeremy Orlow wrote:
But regardless. I don't think you could argue that having _some_ path
information is worse than _none_, right?
Many of those who commented in
https://bugzilla.mozilla.org/show_bug.cgi?id=143220 and its
duplicates would disagree. Users
On Sat, Dec 12, 2009 at 11:40 PM, Hugh Guiney hugh.gui...@gmail.com wrote:
With the exception that Flash does not need separate components to be
active to sustain that functionality. You can toggle quality in Flash
without any server- or client-side scripts at all. You may need
ActionScript in
What should happen to selected files in a case that a user selects multiple
files for input type=file multiple and then a script code removes the
multiple attribute from the input element?
- nothing, no change to the selected files and they will be submitted,
- cleared, or
- a single file
On Fri, Dec 11, 2009 at 10:18 PM, Michal Zalewski lcam...@coredump.cx wrote:
1) IFRAME semantics make it exceedingly cumbersome to sandbox short
snippets of text, and this task is perhaps the most common and
pressing XSS-related challenge. Unless the document is constructed on
client side by
Wasn't there talk of adding a @media attribute to video which could,
among other things, hold bitrate information which would allow the UA
to auto-determine whether it should play a file?
This would require a change to the current selection algorithm, as the
UA now has to make a 'best guess' of
On Sun, Dec 13, 2009 at 5:36 AM, TAMURA, Kent tk...@chromium.org wrote:
What should happen to selected files in a case that a user selects multiple
files for input type=file multiple and then a script code removes the
multiple attribute from the input element?
- nothing, no change to the
Rereading comments 1 - 24 of
https://bugzilla.mozilla.org/show_bug.cgi?id=143220 as cited below, reveals
to me that I was not the only one in the past 7 years to encounter the many
use cases (involving client-side access to local images). I was quite
disappointed when it finally became
I'm new to this list, but as a speech-scientist and web developer, I wanted
to add my 2 cents. Personally, I believe the future of speech recognition
is in the cloud.
Here are two services which provide Javascript APIs for speech recognition
(and TTS) today:
http://wami.csail.mit.edu/
I believe that the @doc attribute, discussed in the original threads
about @sandbox, will be introduced to deal with that. It'll take
plain html as a string, avoiding the opaqueness and larger escaping
requirements of a data:// url, as the only thing you'll have to escape
is whichever quote
Nah, token-guarding is no good. [...] More importantly, though,
it puts a significant burden on authors to generate unpredictable
tokens.
Btw, just to clarify - I am not proposing this instead of the current
method; we could very well allow token-guarded sandboxing on divs /
spans, and
On Sun, Dec 13, 2009 at 11:02 AM, Michal Zalewski lcam...@coredump.cx wrote:
More importantly, though, it puts a significant burden on authors to
generate unpredictable tokens. Is this difficult? No, of course not.
But people *will* do it badly, copypasting a single token in all
their
The @sandbox seems like a better fit for the advertising use case.
I am not contesting this, to be clear - I am aware of many cases where
it would be very useful - but gadgets are a fairly small part of the
Internet, and seems like a unified solution would be more desirable
than several very
On Sun, Dec 13, 2009 at 1:30 PM, Michal Zalewski lcam...@coredump.cx wrote:
I haven't really seen a compelling argument why all these can't be
unified without a significant increase in code or spec complexity -
maybe one exists.
That seems like a backwards way of proceeding. Do you have a
[...sorry for splitting the response...]
People screw up CSRF tokens all the time. The closing tag nonce
design has been floating around for years. The earliest variant I
could find is Brendan's jail tag.
Sure, I hinted it not as a brilliant new idea, but as a possibility.
I do think giving
How do I use the jail tag to sandbox advertisements?
Huh? But that's not the point I am making... I am not arguing that
iframe sandbox should be abandoned as a bad idea - quite the opposite.
I was merely suggesting that we *expand* the same logic, and the same
excellent security control
On Sun, Dec 13, 2009 at 2:00 PM, Adam Barth wha...@adambarth.com wrote:
The sandbox tag is great at addressing that use case. I don't see why
we should delay it in the hopes that the jail tag comes back to
life.
And Adam - as you know, I have deep respect for your expertise and
contributions
There are many things that we would want to add to the source
element to allow for a better choice between the different source
files that are linked, but the biggest problem is that it is currently
only used to go through from top to bottom until the first file is
found that can be played back -
On Sun, Dec 13, 2009 at 2:13 PM, Michal Zalewski lcam...@coredump.cx wrote:
How do I use the jail tag to sandbox advertisements?
Huh? But that's not the point I am making... I am not arguing that
iframe sandbox should be abandoned as a bad idea - quite the opposite.
I was merely suggesting
2009/12/11 Anne van Kesteren ann...@opera.com
On Fri, 11 Dec 2009 15:24:37 +0100, Ian Fette (イアンフェッティ)
ife...@google.com wrote:
Ok, I sense resistance to putting it in .name. What about .path, undefined
in most cases except where there is an upload including files from
multiple
On Fri, Dec 11, 2009 at 11:18 PM, Michal Zalewski lcam...@coredump.cx wrote:
The ability to sandbox SPANs or DIVs using a token-guarded approach
(<span sandbox=random_token>...</span sandbox=same_token>) is, on the
other hand, considerably easier on the developer, and probably has a
very similar
2009/12/13 Ian Fette (イアンフェッティ) ife...@google.com:
2009/12/11 Anne van Kesteren ann...@opera.com
On Fri, 11 Dec 2009 15:24:37 +0100, Ian Fette (イアンフェッティ)
ife...@google.com wrote:
Ok, I sense resistance to putting it in .name. What about .path,
undefined
in most cases except where there is
<span sandbox>&lt;span&gt;But this span will have another span as its
child, sandboxed. The regular parser sees no entities here, only a
nested span!&lt;/span&gt;</span>
That's a pretty reasonable variant for lightweight sandboxes, IMO. It
does not have the explicit assurance of a token-based
On Dec 13, 2009, at 8:12 PM, Silvia Pfeiffer wrote:
Oh! What are you doing with it? I mean - have the values in the media
attribute any effect on the video element?
Certainly! WebKit evaluates the query in the 'media' attribute if it believes
it can handle the MIME type. If the query
Ah that's excellent. I was under the impression that all
implementations so far are ignoring the media attribute in the
selection algorithm. But it seems I am mistaken. Do all browsers
implement this support then? And can we put the examples below into
the specification?
Indeed it seems to me the
On Sun, Dec 13, 2009 at 7:26 AM, Aryeh Gregor simetrical+...@gmail.com wrote:
JavaScript is an integral part of HTML to all intents and purposes.
HTML itself does not and should not try to cover use-cases that are
already adequately covered by HTML+JavaScript -- there will always be
things