| 08:08 | <freddy> | annevk: https://nastystereo.com/security/cross-site-post-without-content-type.html -- Uh, why are they posting this instead of reporting a bug with browsers? Is that a standards bug, a browser bug or both? |
| 08:09 | <freddy> | zcorpan (OOO 22 Nov): suggested forwarding this here. Copying his take from elsewhere: https://fetch.spec.whatwg.org/#concept-bodyinit-extract I suppose that step could throw if type is null and there's no content-type header, and method is POST (or disallow no content-type for all methods?) |
| 08:10 | <freddy> |
|
| 08:23 | <hsivonen> | Why does Chromium have a layer between its URL parser and the ICU4C IDNA code that introduces non-conforming behaviors? Given that Firefox and Safari work well enough without such a layer suggests that it's not absolutely necessary for Web compat for Chromium to second-guess ICU4C. https://wpt.fyi/results/url/IdnaTestV2.window.html?label=master&label=experimental&aligned&q=%2Furl%2FIdnaTestV2.window.html Now that UTS 46 has an IgnoreInvalidPunycode flag, some folks think that Chromium sets that flag and think that behaviors not actually covered by that flag are legitimate. annevk , might be worthwhile to resolve https://github.com/whatwg/url/issues/821 sooner than later. |
| 08:45 | <annevk> | hsivonen: have you been able to verify "recent" UTS46 changes with regards to whether they are a net good? There's https://github.com/web-platform-tests/wpt/pull/48301 and the general Unicode 16.0 issue against URL. I probably need to look into it to see whether all the changes and now failing tests make sense. But we also can't land this now with Interop 2024 almost wrapping up... With regards to that flag: I think Firefox and Safari are correct, but I also don't understand why it was introduced. I think it would be better if that flag was not there at all. But I guess while it is, we might as well explicitly set it to false and continue to complain to UTS46 authors on the side... (However, updating the URL standard to set it to false would require dealing with the tests situation I suspect or perhaps we could argue that part is covered by existing tests?) |
| 08:46 | <hsivonen> |
|
| 08:47 | <annevk> | That is nothing new? You need to check whether you actually got a Content-Type header. |
| 08:49 | <hsivonen> | Firefox implements Unicode 16.0 with IgnoreInvalidPunycode=false on the algorithm level but uses Unicode 15.1 data. |
| 08:49 | <hsivonen> | (Unicode 16.0 data is blocked on ICU4X 2.0, i.e. Real Soon Now.) |
| 08:49 | <annevk> | That's good to hear. So maybe we can just swap this in when the Interop 2024 frenzy is over early February (I suspect) and call it a day. |
| 08:53 | <freddy> | The CVEs they are quoting are not an indication that this is something to be fixed but rather something that sites need to watch out for? |
| 09:38 | <Maxim Vaarwel> | The custom element specification has this wording:
What is meant by "non-upgrade case"? Can someone explain the sense of written? |
| 09:40 | <annevk> | Maxim Vaarwel: if you construct a custom element directly it's not upgraded |
| 09:42 | <Simon☀️> | I think he is asking what upgrading is. |
| 09:43 | <Simon☀️> | I'm not competent here but https://html.spec.whatwg.org/#custom-elements-upgrades-examples sounds like it is used for progessive enhancements. The definition of the process is here https://html.spec.whatwg.org/#upgrades |
| 09:58 | <Maxim Vaarwel> | @annevk What do you mean by directly? And does customElements.define exist there? |
| 10:00 | <Ms2ger> | ".. Given an ESO settings, get settings's relevant global object .." |
| 10:01 | Ms2ger | mumbles about word salad |
| 10:01 | <Maxim Vaarwel> | I'm pretty good at custom elements (I think). My question is about the wording of the sentence, I don't quite get the gist of what "non-upgrade case" means. |
| 10:02 | <annevk> | Domenic: if you have time to read/skim through https://github.com/whatwg/html/pull/9841 I'd appreciate it. Very close to r+'ing but would like a second pair of eyes given the number of changes. |
| 10:02 | <Domenic> | Will try to get it in tomorrow |
| 10:05 | <annevk> | well if you do new MyCustomElement() or document.createElement("custom-element") |
| 10:06 | <Maxim Vaarwel> | well if you do new MyCustomElement() or document.createElement("custom-element") |
| 10:07 | <annevk> | I dunno, but I very much doubt this is possible to change. And this has also been known forever. |
| 10:08 | <annevk> | I'm not sure what that means, but if you haven't registered your custom element there's no custom element. |
| 10:08 | <Luke Warlow> | Idk if Keith has done the aria PR to go along with it yet but if not I'll probably find some time this weekend to chuck something together. |
| 10:09 | <annevk> | Sigh, we really need an a11y/i18n checkbox in the PR template I think. I keep forgetting about it. |
| 10:09 | <annevk> | keithamus: ^^ |
| 10:10 | <smaug> | annevk ah,the cors-safelist pr is about ensuring Last-Event-ID gets "CORS-unsafe request-header byte" check. (I wish remembered why "CORS-unsafe request-header byte " does what it does) |
| 10:10 | <Luke Warlow> | Sigh, we really need an a11y/i18n checkbox in the PR template I think. I keep forgetting about it. |
| 10:15 | <Maxim Vaarwel> | You wrote that directly it is Okay, so the definition for the custom element is present. That is, if I understand correctly, this describes the case when the definition for the custom element is present and we write Right? |
| 10:21 | <annevk> | smaug: some servers were known to get compromised with certain byte values so we put restrictions on header value bytes without preflight |
| 10:22 | <smaug> | ah |
| 12:48 | <Dominic Farolino> | FWIW when scanning the commandfor PR, I found that clicking the new table of contents entry in https://whatpr.org/html/9841/dac8ec1...34e7de8/interaction.html seems to navigate you to a broken absolute URL |
| 12:48 | <Dominic Farolino> | I guess this is some kind of PR preview issue, unless it's just happening to me |
| 12:49 | <annevk> | It looks like the ToC uses URLs that are a bit too absolute for PR preview to work well |
| 12:49 | <annevk> | The fragment is correct and once landed it should work, but that's indeed annoying |
| 12:51 | <Dominic Farolino> | Right, I'm just trying to recall if this is new or if it's always been broken like this? |
| 12:52 | <annevk> | I actually forgot what software generates multipage, but assuming it's Wattsi I think it's been broken for a while/forever |
| 12:53 | <sideshowbarker> | yeah multipage generation is all in Wattsi |
| 12:53 | <Domenic> | We really should fix PR preview to run the whole build server now that it exists |
| 12:53 | <Domenic> | It should not be hard |
| 12:54 | <Domenic> | Now that https://github.com/whatwg/build.whatwg.org?tab=readme-ov-file#html-build exists instead of just the /wattsi endpoint |
| 13:30 | <Maxim Vaarwel> | Maxim Vaarwel: if you construct a custom element directly it's not upgraded |
| 14:43 | <annevk> | That's what happens when you define after the element is created. |
| 14:44 | <annevk> | See also https://html.spec.whatwg.org/#custom-elements-upgrades-examples |
| 17:24 | <Jake Archibald> | If a paragraph includes a custom element, which includes a div inside its shadow DOM, is that breaking the content model, or does it not matter because it's shadow DOM? |
| 18:18 | <annevk> | Jake Archibald: I'm not sure it's well-defined. But I think I'd argue that is fine, as long as the custom element could be placed in a paragraph per however the author intended that custom element to be used. The div is an implementation detail after all. |
| 18:18 | <annevk> | Jake Archibald: see also https://github.com/whatwg/html/issues/10722 |
| 19:54 | <Jake Archibald> | Thank you! |
| 22:15 | <fcano07> | HOLA, No entiendo para nada el proceso, alguien que hable español que pueda ayudarme? |