| 01:18 | <Hixie> | i could do a form post to an iframe and have the server respond with a 204 response and a Link: header, and check that the iframe has its stylesheet updated |
| 01:18 | <Hixie> | but maybe that's a bit contrived |
| 01:45 | <Hixie> | gotta say, it's hard to find bugs in teh processing of URIs |
| 01:47 | <jruderman> | how about bugs related to escaping and charsets? |
| 01:47 | <jruderman> | proper handling of backslash \ |
| 01:47 | <jruderman> | proper handling of % within javascript: or data: URIs |
| 01:48 | <Hixie> | got any specific examples of bugs? |
| 01:48 | <Hixie> | everything i've tried has worked in all browsers |
| 01:48 | <jruderman> | properly rejecting <img src="https:..."> when the cert is invalid |
| 01:48 | <Hixie> | (except for backslashes in data:, which is in the test) |
| 01:48 | <Hixie> | who says you should reject that? |
| 01:48 | <Hixie> | the problem is all the bugs i've found are things that aren't actually required by any specs |
| 01:50 | <jruderman> | common sense says you should reject that? |
| 01:50 | <jruderman> | how about <script src="https:..."> |
| 01:50 | <Hixie> | sadly common sense isn't normative |
| 01:50 | <Hixie> | and i have to be able to justify everything in acid3 with normative text |
| 01:51 | <jruderman> | so add something to HTML5 saying that embedded stuff (especially <script> and <style>) pointing at https has to be ignored if the server has a bogus cert. if browsers get that wrong (i don't know whether they do) it's pretty bad for security. |
| 01:52 | <Hixie> | can you send me mail reminding me to add that? |
| 01:52 | <Hixie> | that'd be useful to add |
| 01:52 | <othermaciej> | Hixie: relative URL resolution when the relative part has too many ./ or ../ used to not match the URI spec (not sure if that is still true) |
| 01:52 | <jruderman> | ok |
| 01:52 | <othermaciej> | but that likely needs to be fixed in the spec |
| 01:52 | <Hixie> | not useful for acid3, though, i'm trying to target 2004-or-earlier only |
| 01:52 | <othermaciej> | (regarding URI processing bugs) |
| 01:52 | <jruderman> | 2004-or-earlier specs? |
| 01:53 | <Hixie> | jruderman: yeah. anything that was in CR or REC in 2004 or earlier. |
| 01:53 | <jruderman> | so that you can have "acid 5" test html5? ;) |
| 01:53 | <Hixie> | othermaciej: i just tried some stuff like that and couldn't find any bugs |
| 01:53 | <Hixie> | jruderman: good idea :-D |
| 01:54 | <othermaciej> | Hixie: I think browsers may also collapse together ../ and ./ in the non-relative part with ones in the relative part |
| 01:54 | <othermaciej> | or something like that |
| 01:54 | <othermaciej> | (I'm not sure that's even possible) |
| 01:54 | <Hixie> | can you give me an example? i'm not really following. how can a non-relative part have .. parts? |
| 01:54 | <othermaciej> | or maybe there is ./ and ../ processing in absolute URIs |
| 01:55 | <othermaciej> | I don't think a non-relative part can, I'm not remembering this very well |
| 01:55 | <Hixie> | yeah that's my problem too |
| 01:55 | <othermaciej> | since I last dealt with this stuff in like 2002 or so |
| 01:55 | <Hixie> | none of my tests are finding anything useful to test |
| 01:56 | <othermaciej> | <a href="http://bsalert.com/./news/./2196/./Programmer_Testifies_He_Was_Paid_To_Hack_Florida_Election.html">check</a>; |
| 01:57 | <othermaciej> | I think browsers collapse away the ./ components there |
| 01:57 | <Hixie> | yeah, that's per spec |
| 01:57 | <Hixie> | rfc 3986 section 5.2.4 |
| 01:57 | <jruderman> | hixie: test proper handling of <a href="//www.google.com/">; perhaps? |
| 01:59 | <jruderman> | hixie: https://bugzilla.mozilla.org/show_bug.cgi?id=284474 and https://bugzilla.mozilla.org/show_bug.cgi?id=261929 (which parts of urls get sent as utf-8 and which parts get sent in the page's charset) ... dunno if any of that is covered by specs |
| 02:01 | <Hixie> | everyone seems to handle "//..." correctly |
| 02:01 | <Hixie> | sadly the character encoding stuff is wrong in the specs |
| 02:01 | <Hixie> | so i can't test it, lest i prevent the specs from being fixed |
| 02:01 | <Hixie> | man, testing URIs is a pain |
| 02:04 | <jruderman> | because browsers aren't buggy enough? |
| 02:05 | <Hixie> | no, because the specs are so vague |
| 02:05 | <jruderman> | i see #fragments in my server's referrer logs sometimes, but i don't know whether that's due to browsers being buggy or something else |
| 02:05 | <Hixie> | if they were written like HTML5, with very specific things that must happen, it would be easy to see if it was working |
| 02:05 | <Hixie> | most bad HTTP seems to be down to spammers' spiders, as far as i can tell |
| 02:06 | <Hixie> | right. no more URI and HTTP tests. maybe I'll focus on DOM Traversal and DOM Range instead |
| 02:06 | <Hixie> | those don't have much testing |
| 02:06 | Philip` | has never seen href="//..." except on slashdot.org |
| 02:07 | <jruderman> | test that IDN works? |
| 02:07 | <Hixie> | Philip`: it's suprisingly common |
| 02:07 | <othermaciej> | I think I need a new laptop |
| 02:08 | <jruderman> | test that port 25 is blocked? ;) |
| 02:08 | <Philip`> | othermaciej: You could get a nice HP one |
| 02:09 | <othermaciej> | Philip`: sure, I'll keep it next to my Zune and my Windows Mobile phone |
| 02:10 | <jruderman> | huh, RFC 3986 explicitly disallows URIs that use IP address formats other than dotted-decimal |
| 02:11 | <Hixie> | jruderman: but does it say what the error handling for the others should be? |
| 02:11 | <Philip`> | You could test IPv6 URIs |
| 02:11 | <Hixie> | Philip`: not sure how :-) |
| 02:11 | <jruderman> | nope, it says "many implementations allow..." |
| 02:11 | <othermaciej> | jruderman: does that include ruling out IPv6 addresses? |
| 02:11 | <Hixie> | jruderman: typical |
| 02:12 | <jruderman> | so i guess it doesn't exactly disallow them, just says they aren't valid URIs |
| 02:12 | <Hixie> | it disallows them, just like <em><i></em></i> is disallowed |
| 02:12 | <Hixie> | but that doesn't mean much for UAs |
| 02:14 | <Philip`> | Hixie: I'm not quite sure how you could do it so it's only testing the browser and not the whole network path to some external server :-( |
| 02:14 | <Hixie> | yeah |
| 02:15 | <othermaciej> | you could test that IPv6 IP addresses in a URI are not rejected |
| 02:15 | <othermaciej> | by using the <a> element's attributes to see that the host part is right |
| 02:16 | <othermaciej> | that would not test the network path at all |
| 02:16 | <othermaciej> | HTMLAnchorElement.host etc |
| 02:16 | <Hixie> | sadly those attributes aren't in DOM2 HTML :-( |
| 02:16 | <othermaciej> | they're not? |
| 02:16 | <Hixie> | (html5 has them) |
| 02:16 | <Hixie> | not as far as i can tell |
| 02:16 | <Hixie> | i may have missed them |
| 02:16 | <othermaciej> | good gravy |
| 02:16 | <Hixie> | but i couldn'd find them |
| 02:17 | <othermaciej> | yeah, only href |
| 02:17 | <othermaciej> | though you can use that to test relative URI resolution without having to load the target |
| 02:17 | <Philip`> | Is there any other way to detect invalid URI vs unreachable URI? |
| 02:17 | <Hixie> | othermaciej: true |
| 02:27 | <Philip`> | Does anything say that e.g. <iframe src="http://[::1]"> .src should give back an absolute URI like "http://[::1]/"? |
| 02:29 | <othermaciej> | it's so weird that HTMLFrameElement and HTMLIFrameElement don't inherit from anything in common besides HTMLElement |
| 02:30 | <othermaciej> | but anyway, it appears that the src property is not specified to resolve the value of the src attribute |
| 02:30 | <othermaciej> | http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-50708718 |
| 02:30 | <othermaciej> | though it's hard to tell what the actual normative requirement is if any |
| 02:35 | <Hixie> | html5 requires any dom attribute reflecting a content attribute that contains a url to be absolute/resolved |
| 02:35 | <Hixie> | bbiab |
| 02:36 | <Philip`> | Hixie: If you'd just worked a bit faster and got HTML5 published as CR in 2004, you'd have saved yourself a lot of problems writing these tests |
| 02:37 | <Hixie> | if i'd gotten html5 done in 2004, either it would be as crap as all these specs are, or i'd be dead. |
| 02:37 | <Hixie> | :-) |
| 02:37 | <Hixie> | so i disagree :-P |
| 02:38 | Hixie | goes to dinner |
| 03:03 | <MacDome> | kig: there are plenty o' tablets aroudn me |
| 04:08 | <kig> | MacDome: good to hear :) |
| 13:22 | <hsivonen> | Philip`: I deployed a very quick and very dirty temporary fix for the astral character issue in the XML serializer |
| 13:24 | <hsivonen> | I'm not yet sure whether I should 1) wait for the Xalan folks to fix it upstream, 2) develop a proper fix that not only fixes my use case but their myriad of other configurations that I don't need or 3) write my own serializer |
| 13:33 | <hsivonen> | note to whoever flagged my statement about hacking Xalan serializer in the IRC logs: a reasonable non-prettyprinting SAX ContentHandler to UTF-8 byte stream serializer should take one or two smallish source files. The Xalan serializer does a lot more and has 93 source files, so quickly hacking just what I need could easily break something else that someone else uses the code for |
| 13:38 | <Hemebond> | I have no idea what you just said. |
| 13:38 | <Hemebond> | Isn't that awful? |
| 13:40 | <hsivonen> | Hemebond: did I say something that didn't make sense? |
| 13:40 | Philip` | wonders if anyone has a C preprocessor implementation in JavaScript |
| 13:40 | <Hemebond> | hsivonen: No. I just have no idea what it means. |
| 13:49 | <kig> | how are the svg filters implemented? software renderer is draw to temp surface, apply filter, composite? hardware, shader chain |
| 13:52 | <Philip`> | kig: I believe Firefox's SVG uses Cairo, which does different things on different platforms (e.g. sending commands to X on Linux so it can use whatever hardware acceleration the X driver supports) |
| 13:53 | <Philip`> | and different things for different compositing/filtering/etc modes, depending on what features the backend provides and what it has to emulate itself |
| 13:55 | krijnh | doesn't get http://arjaneising.nl/me/2007-as-an-html-element :s |
| 14:08 | <kig> | Philip`: okay, but if you want to do them using the 2d canvas? |
| 14:09 | <kig> | it's going to be hellishly slow, but better than not having them.. |
| 14:13 | <Philip`> | I guess that depends on what the filter is - some look fairly straightforward, but others could only be done with getPixelData |
| 14:20 | <zcorpan> | Hixie: something for acid3 (assuming the spec covers it): # in data: url |
| 14:26 | <Lachy> | # in URLs is, I believe, covered by the URI RFC. It's always supposed to mean a fragment identifier in all URIs |
| 14:27 | <Lachy> | is anyone able to access http://lachy.id.au/ ? It's timing out for me. |
| 14:28 | Philip` | wonders if he's forgetting an easy way to load stuff from one XML file into scripts in another XHTML file, without requiring something irritating like XHR |
| 14:29 | <Philip`> | Oh, maybe <iframe> does it |
| 14:29 | <zcorpan> | Lachy: well, that doesn't really make sense for e.g. mailto: or javascript: |
| 14:29 | <Philip`> | except that's a bit ugly :-( |
| 14:31 | zcorpan | can't access http://lachy.id.au/ |
| 14:31 | <zcorpan> | Lachy: but in any case, firefox and opera treat # in data: differently |
| 14:31 | <Philip`> | Lachy: I can ping it and ssh into it and connect to port 80, but then it times out before responding |
| 14:33 | <Lachy> | Philip`, same result I'm getting |
| 14:33 | <Lachy> | thanks |
| 14:33 | Lachy | emails tech support... |
| 14:34 | <Lachy> | that's weird, I can't ssh to it. |
| 14:41 | <Philip`> | $ ssh lachy.id.au |
| 14:41 | <Philip`> | The authenticity of host 'lachy.id.au (207.210.111.50)' can't be established. |
| 14:41 | <Philip`> | RSA key fingerprint is 5e:13:16:fc:77:53:f5:f5:2a:7a:62:04:38:b2:9b:53. |
| 14:41 | <Philip`> | ...seems to indicate that it's connecting fine |
| 14:42 | Philip` | wonders how cryptographically hard it is to get a "near collision" between RSA key fingerprints, so that somebody comparing two of them by eye will think they're the same |
| 14:43 | <Philip`> | (I usually compare MD5 checksums by only looking at the first half a dozen hex digits, which doesn't do much good to its security properties) |
| 14:49 | <Lachy> | Philip`, I once read an article somewhere that discussed the usability of fingerprints, and IIRC, it said if the first and last few chars are the same, it's enough to fool most people. |
| 14:50 | <MugginsM> | would be an interesting programming problem, produce matching hexes that to a passing glance, look the same |
| 14:50 | <Lachy> | looks like lachy.id.au is back up |
| 14:53 | <Philip`> | Ooh, 'gl_FragColor = normal' makes prettily-coloured spheres |
| 15:53 | <zcorpan> | http://software.hixie.ch/utilities/js/live-dom-viewer/?%3Ctextarea%20style%3D%22overflow%3Avisible%22%3E%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A%3C%2Ftextarea%3E |
| 15:53 | <zcorpan> | try that in ie |
| 15:54 | <zcorpan> | seems useful... any reason why we shouldn't copy this behavior? |
| 15:58 | <krijnh> | Please copy that, it's super handy :) |
| 16:00 | <zcorpan> | i wonder why ie only does it in quirks mode |
| 16:01 | <krijnh> | Does it? |
| 16:01 | <zcorpan> | yeah |
| 16:01 | <krijnh> | I've used it in standards mode |
| 16:02 | <zcorpan> | ...in ie7 |
| 16:02 | <zcorpan> | ie6 does it in standards mode too |
| 16:02 | <krijnh> | IE7 as well |
| 16:02 | krijnh | tests |
| 16:03 | krijnh | still sucks at that |
| 16:03 | <krijnh> | You're right :) |
| 16:03 | <zcorpan> | perhaps they dropped it because they didn't know how to do it with correct impl of 'height' |
| 16:04 | <zcorpan> | should the text overflow outside the textarea when you've set a height? |
| 16:05 | <zcorpan> | or should height act as min-height? |
| 16:05 | <krijnh> | You shouldn't set a height when you want it to be as high as the content |
| 16:06 | <zcorpan> | that doesn't tell what UAs should do |
| 16:07 | <zcorpan> | ignore height altogether? |
| 16:07 | <zcorpan> | (act as min-height seems more useful of the alternatives, like ie6) |
| 16:11 | <krijnh> | Yeah, I think so |
| 16:29 | <Philip`> | http://www.microsoft.com/beta/downloads/About.aspx - hmm, the "Step 2" text on the right gets drawn underneath some other text in FF/Opera - does it work better in IE? |
| 16:30 | <krijnh> | Yes |
| 22:44 | <jruderman> | Hixie: does the nodelist returned by getElementsByClassName have to be in document order? |
| 23:46 | <gsnedders> | Hixie: http://www.digitalcitizen.info/2007/12/30/ogg-theoravorbis-as-default-for-video-scuttled-in-html5-spec-who-benefits/#comment-1487 |
| 23:53 | <zcorpan> | http://tech.gtaero.net/2008/01/xhtml2-vs-html5.html -- hmm, someone should write a comment there. i don't have the energy to do so atm |
| 23:56 | <Hixie> | jruderman: spec doesn't say. feel free to send me e-mail if you think it should be defined |
| 23:59 | <Dashiva> | gsnedders: Why is it that those people always take "won't implement something new unless there's an advantage" and turn it into "won't implement something new, ever"? |