00:05 | <Philip`> | TabAtkins: It'll cause things like h(h(0)) = 0 which sounds dodgy since algorithms wouldn't expect that |
00:05 | <TabAtkins> | It' |
00:05 | <TabAtkins> | It's just a fixed point, which can happen anyway. |
00:06 | <Philip`> | Normally finding fixed points of a hash should be computationally infeasible |
00:08 | <The_8472> | <TabAtkins> OH: If I were ever to design a hashing function, I'd try to set things up so that hash(0) = 0. Even if that meant appending a final step to the algorithm: <- why would you do that? |
00:09 | <TabAtkins> | The_8472: So it's easier to recognize when you're hashing the empty string? |
00:09 | <The_8472> | empty string != 0x00 |
00:33 | <TabAtkins> | The_8472: For hashing purposes, they *are* equal, aren't they? An empty string should be equivalent to a string of nulls |
00:33 | <The_8472> | no |
00:33 | <The_8472> | an empty string has a length of 0. a null byte has the length of 1 |
00:34 | <TabAtkins> | Yes, but hashes run over integers, not strings. What's the difference in the input number? |
00:34 | <Philip`> | When hashing arbitrary strings, you usually append a 1 bit and then as many 0 bits as necessary to reach the block size |
00:34 | <TabAtkins> | Ah, that would do it. |
00:34 | <Philip`> | because otherwise "x" and "x\0" would hash to the same thing |
00:34 | <TabAtkins> | Yeah, that makes sense then. |
00:34 | <The_8472> | Philip`, the hash algorithms already do that |
00:34 | <The_8472> | you don't have to do it manually |
00:35 | <Philip`> | Depends what part you consider the hash algorithm :-) |
00:35 | <TabAtkins> | The hash preprocessor does it. ^_^ |
00:35 | <The_8472> | the whole merkle-damgard construction, not just the core function |
06:37 | <myakura> | zcorpan, re the form attribute example in html5-diff draft (section 3.2), I see form and id values don't match (form=foo vs. id=test). Do you mean you want to show the input isn't associated with the form? http://dev.w3.org/html5/html4-differences/#new-attributes |
06:45 | <Akilo> | saluton |
07:52 | <matjas> | hsivonen: Since 13 January 2011, the character encoding declaration is now allowed to be within the first 1024 bytes instead of the first 512 bytes. |
07:52 | <matjas> | hsivonen: Can haz validator.nu update? |
07:52 | <matjas> | http://www.w3.org/TR/html5-diff/ |
07:58 | <matjas> | http://www.whatwg.org/specs/web-apps/current-work/multipage/semantics.html#charset |
09:14 | <myakura> | matjas, https://bitbucket.org/validator/htmlparser/src/tip/src/nu/validator/htmlparser/impl/Tokenizer.java#cl-1173 says 512 so it might not. |
09:14 | <matjas> | myakura: I know, that’s why I’m asking for an update :) |
09:19 | <myakura> | matjas: :) I didn't even know that's been implemented. http://bugzilla.validator.nu/show_bug.cgi?id=413 is still open :) |
09:25 | <matjas> | line 14662 of validator/spec/html5.html says ”<li id=charset1024><span id=charset512 title="">The element containing the character encoding declaration must be serialized completely within the first 1024 bytes of the document.</span></li>” |
09:26 | <matjas> | that’s weird |
10:31 | <matjas> | The `id=charset512`, I mean |
10:34 | <Philip`> | That's just for compatibility with people linking to old #charset512 URLs, I believe |
11:35 | <Spacechimp> | wow |
11:36 | <Spacechimp> | Lots of folks here |
11:36 | <Spacechimp> | I have a question about websocket handshakes |
11:36 | <Spacechimp> | specifically draft-ietf-hybi-thewebsocketprotocol-00 |
11:37 | <Spacechimp> | and how to go about formulating the response |
11:37 | <Spacechimp> | this wikipedia article touches on it, http://en.wikipedia.org/wiki/WebSockets |
11:37 | <Spacechimp> | but it's kinda murky |
11:38 | <Spacechimp> | anyone have a better resource? |
11:42 | <tomasf> | you've read the actual draft, right? :) |
11:42 | <Spacechimp> | no |
11:42 | <tomasf> | http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-00 |
11:43 | <Spacechimp> | ah, thank you Tomasf |
11:43 | <tomasf> | np |
11:43 | <Spacechimp> | I did see it, but didn't realize I could scroll down :P |
11:50 | <reschke> | actually, what you *want* to read is http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-07 |
11:51 | <Spacechimp> | is this what chrome is currently using? |
11:52 | <reschke> | dunno |
11:53 | <Spacechimp> | The handshake data I am receiving match what is in 00 |
11:54 | <reschke> | http://www.chromium.org/developers/web-platform-status |
11:54 | <reschke> | i see |
11:54 | <reschke> | but be prepared for it to change in future Chrome versions |
11:55 | <Spacechimp> | ah! Left before I could say thank you. |
11:56 | <Philip`> | Spacechimp: You can say it anyway and he'll see it in the IRC logs :-) |
11:56 | <zcorpan> | Spacechimp: browsers are going to move away from -00 |
11:56 | <Spacechimp> | Ok, I will write current and legacy support |
11:58 | <zcorpan> | Spacechimp: if you're writing a -00 server, you might find opera's error console helpful (enable websockets in opera:config first) |
11:59 | <Spacechimp> | ok, I will check it out. |
11:59 | <Spacechimp> | ty |
11:59 | <zcorpan> | and a tcp inspector like wireshark is probably helpful |
11:59 | <Spacechimp> | yeah, i have been using wireshark |
11:59 | <Spacechimp> | :P |
11:59 | <zcorpan> | good :) |
12:00 | <Spacechimp> | Was using sysinternals tcp endpoint viewer, but it doesn't log afaik |
12:04 | <Spacechimp> | ah, This is exaclt what I was looking for. |
12:04 | <Spacechimp> | *exactly |
12:05 | <zcorpan> | what was? |
12:05 | <Spacechimp> | Thanks for the links guys! |
12:05 | <Spacechimp> | the docs you linked |
12:06 | <Spacechimp> | beats trying to figure out specs from wikipedia articles |
12:07 | <smaug____> | Spacechimp: Fx4 has websocket -00, but it is disabled by default |
12:07 | <smaug____> | Fx6, I hope, will have -07 |
12:08 | <Spacechimp> | Do you think the security concerns are realistic? |
12:09 | <smaug____> | for -00? |
12:09 | <smaug____> | yes, that is a reason why WebSockets aren't enabled by default in Opera or Fx4 |
12:09 | <Spacechimp> | firefox pulling websockets in general |
12:10 | <smaug____> | other reason was that the protocol specification was very unstable at the -00 time |
12:10 | <zcorpan> | doesn't seem particularly stable now either |
12:11 | <smaug____> | well, it is more stable :) |
12:11 | <zcorpan> | how is it more stable? |
12:11 | <smaug____> | do we expect handshaking to change? |
12:12 | <smaug____> | I wonder what is a stable spec nowadays... |
12:12 | <zcorpan> | i didn't expect handshaking to change at -00 time before the security thing was brought up |
12:12 | <zcorpan> | if i had known that websocket would be changed, we wouldn't have implemented it in opera yet |
12:13 | <smaug____> | that is probably true for gecko too |
12:13 | <smaug____> | since -07 implementation is quite different to -00 |
12:14 | <smaug____> | at least the -07 spec has gone through more reviews than -00 |
12:14 | <smaug____> | and that is usually a good thing |
12:14 | <Spacechimp> | Yeah, I really love the idea of websockets. I do feel like a testpilot atm though. I have a feeling that I am going to be writing support for other (pseudo)push tech for browsers that do not support it though. |
12:14 | <zcorpan> | smaug____: have you read my review of -06? |
12:15 | <smaug____> | nope |
12:15 | <smaug____> | apparently I should |
12:15 | <zcorpan> | smaug____: http://www.ietf.org/mail-archive/web/hybi/current/msg07063.html |
12:15 | <zcorpan> | smaug____: the security problem might have been fixed, but the spec is *bad* compared to -00 |
12:17 | <zcorpan> | i don't really want opera's implementation work to start with the state the spec is in now |
12:17 | <smaug____> | interesting |
12:17 | <zcorpan> | but i have not got any indication that the spec is going to be good, so i guess we'll just have to make something up or reverse engineer gecko and chrome |
12:18 | <smaug____> | I need to ask Patrick what he thinks about the stability of the spec |
12:19 | <Philip`> | Isn't this exactly the kind of case where it's been argued that specs should be forked? |
12:20 | <Philip`> | (so browser implementers can override the standardisation groups, without ending up in an unspecified mess) |
12:20 | <Philip`> | (if they refuse to implement what the standardisation group proposes) |
12:20 | <zcorpan> | Philip`: yeah forking the spec is a possibility |
12:22 | <zcorpan> | Philip`: it's not that i refuse to implement the spec, it's just that it leaves a lot of things undefined, so i have no idea what to implement |
12:23 | <zcorpan> | (not that it's me who's going to implement it, i'm just QA, but nevertheless) |
13:20 | <zcorpan> | seems the canvas spec has most support in the poll |
13:47 | <smaug____> | does anyone know any public tests for server sent events? |
13:50 | <zcorpan> | http://tc.labs.opera.com/apis/EventSource/ |
13:51 | <zcorpan> | has svn interface if you want to grab the php files |
14:24 | <smaug____> | zcorpan: where is the svn interface? |
14:25 | <zcorpan> | smaug____: same server i think |
14:26 | <smaug____> | zcorpan: btw, does 1 out of 1 PASSED mean that all the tests pass? |
14:27 | <smaug____> | since if there are failures the result is something X out of 46 PASSED |
14:27 | <zcorpan> | smaug____: i guess, dunno |
14:28 | <smaug____> | there are also strange cases when assert_throws doesn't seem to detect exceptions properly |
14:30 | <zcorpan> | smaug____: send email to annevk |
14:42 | <smaug____> | zcorpan: apparently it should report more than 1 PASSED |
14:42 | <smaug____> | the testrunner doesn't seem to work properly in Opera atm |
14:43 | <smaug____> | I need to click back to get it to run the tests |
14:49 | <zcorpan> | smaug____: ok |
19:50 | AryehGregor | keeps on confusing foolip with Philip` :( |
19:56 | <Philip`> | But we have totally different names :-p |
19:56 | <Philip`> | I have a "`", he doesn't |
20:49 | <Hixie> | ok i'm back |
20:49 | <Hixie> | is anyone editing CORS these days? |
21:11 | <AryehGregor> | Okay, so, what's a good company to look into getting a laptop from? Would probably be my primary computer, and I'd ultimately want Linux on it, probably with Windows in a VM. Is it reasonable to just look at someplace like Dell? What should I be looking for? |
21:12 | <Hixie> | what's your budget? |
21:12 | <Hixie> | that's really the dominating factor |
21:12 | <AryehGregor> | Well, I expect I'll be using it an awful lot, and don't expect to have lots of expenses anytime soon, so if a higher price tag will buy me features that are really useful then I'd be willing to go pretty high. |
21:12 | <Hixie> | if your budget is above $1000, something from the macbook line is probably the best option |
21:12 | <AryehGregor> | But I don't know what features are worth it. |
21:13 | <Hixie> | if it's below that, dunno |
21:14 | <Philip`> | Do you care about e.g. 3D graphics acceleration? |
21:14 | <AryehGregor> | I'm not really interested in going for Apple unless it's really clearly worth it. Also, Matthew Garrett always complains about how Linux doesn't work so well on Macs because of their nonstandard firmware. |
21:14 | <Hixie> | the apple hardware is definitely worth it |
21:14 | <Hixie> | i haven't seen anything comparable in quality |
21:14 | <Hixie> | and the tech support is by far the best |
21:14 | <AryehGregor> | Well, I've gone for a pretty long time with no 3D graphics acceleration on my primary computer, because of lack of open-source driver support, so I wouldn't say it's necessary. |
21:15 | <Hixie> | can't speak for the linux compatibility |
21:15 | <Philip`> | Graphics cards usually seem to be a distinguishing factor between decent-but-cheap business-oriented laptops and much more expensive home-user/gamer ones |
21:16 | <AryehGregor> | Decent-but-cheap sounds okay to me. |
21:16 | Philip` | uses a pretty cheap Lenovo laptop which was like a third of the price of a MacBook Pro, with similar CPU and RAM and disk |
21:17 | <Philip`> | (and a much less irritating keyboard) |
21:17 | <AryehGregor> | I'd mostly want battery life and lots of RAM, I imagine. |
21:17 | <Philip`> | (and a much worse screen) |
21:17 | <AryehGregor> | And known Linux compatibility, ideally. |
21:17 | <Hixie> | the lenovos were pretty good for linux back when they were thinkpads |
21:17 | <Hixie> | i used that for several years |
21:18 | <Philip`> | (and if it breaks then I can just buy a new one) |
21:18 | <Philip`> | (and in practice it's not broken more often than the MBP) |
21:19 | <Philip`> | This isn't a ThinkPad-equivalent one, it's some cheaper range |
21:19 | <The_8472> | <AryehGregor> Well, I expect I'll be using it an awful lot, and don't expect to have lots of expenses anytime soon, so if a higher price tag will buy me features that are really useful then I'd be willing to go pretty high. <- if you can afford it, get a SSD |
21:20 | <Hixie> | Philip`: ah |
21:20 | <The_8472> | laptop hard disks are practically the slowest part. getting a core 2 or even an i7 is affordable. a few gb of ram are cheap too... but the HDDs are the bottleneck. at least if you do developing work on it |
21:20 | <AryehGregor> | My workload is almost completely in-memory other than booting, so I'm not sure if I'd prefer the reduced disk space. Unless it has a small ancillary SSD. |
21:20 | <AryehGregor> | What sort of developing work uses the disk all the time? Compilation? I don't do that. |
21:20 | <The_8472> | well, nobody needs DVD drives anymore. kick the drive, add something useful into the bay |
21:20 | <Hixie> | i can vouch for the perf benefits of SSD |
21:21 | <Hixie> | no spin-up time, faster seeks, it's just crazy what a difference it makes |
21:21 | Philip` | wonders if HDD+SSD uses significantly more battery than either by itself |
21:21 | <The_8472> | AryehGregor, yeah... live compiling, automatic redeployment and stuff like that |
21:21 | <AryehGregor> | I had an Intel SSD in my desktop for a while, barely noticed the difference. |
21:21 | <AryehGregor> | Because I have 4 GB of RAM and never reboot. |
21:21 | <AryehGregor> | And have the same applications always open. |
21:21 | <The_8472> | 4GB of ram? that's full after booting for me |
21:22 | <The_8472> | i need 8+ |
21:22 | <AryehGregor> | So for a laptop, it might make a difference to hibernate time. |
21:22 | <The_8472> | but yeah, it depends on your usage patterns |
21:22 | <AryehGregor> | The_8472, I generally only have a browser, IRC, and terminal running. |
21:22 | <The_8472> | mhhh... |
21:22 | <AryehGregor> | Well, currently three browsers, 21 IRC windows, three terminal windows, plus OO.org Writer and Gnumeric. |
21:22 | <AryehGregor> | But I'm still way under 2 GB memory usage. |
21:23 | <Philip`> | Why hibernate? |
21:23 | Philip` | always uses suspend-to-RAM which is instant |
21:23 | The_8472 | has a 400+ tab browser session, 1 VM, 2 terminal windows, 2 java applications, irc, mail client, database workbench and a few other things open |
21:23 | <AryehGregor> | Doesn't it eventually hibernate to save more battery? Or is the difference small enough that it doesn't matter? |
21:24 | <AryehGregor> | My parents' Toshiba laptop with Windows 7 always hibernates eventually. |
21:24 | <AryehGregor> | (Even when plugged in, annoyingly.) |
21:24 | <The_8472> | you can configure that |
21:24 | <AryehGregor> | I know. |
21:24 | <Philip`> | I think it could last >20 hours in suspend on a full battery |
21:24 | <AryehGregor> | But I tend to assume defaults are sane until proven otherwise. |
21:24 | <AryehGregor> | Plus, it's not my laptop. |
21:24 | <Philip`> | and I never have it unplugged for more than about an hour |
21:24 | <Hixie> | Philip`: do you encrypt the disk? |
21:24 | <The_8472> | that's a faulty assumption |
21:24 | <The_8472> | windows defaults are always wrong. |
21:25 | <Philip`> | Hixie: No, but I'd probably notice if someone tried stealing it while suspended since I'm always carrying it |
21:26 | <Hixie> | if you don't encrypt the disk, suspend vs hibernate doesn't matter |
21:26 | <Hixie> | so nevermind :-) |
21:27 | Hixie | really needs changes to CORS |
21:27 | <Hixie> | i need two new ways of invoking CORS |
21:29 | <Hixie> | one that doesn't send Origin headers but supports the CORS semantics including through redirects, and either returns the data origin-tainted if no CORS headers are in the final response, or blocks if they're present and disallow; or lets the data out untainted if they're present and allowed |
21:29 | <Hixie> | and one that does regular simple CORS except with the tainted-but-allowed case if there's no header in the response |
21:29 | <Hixie> | and this all seems way more complicated than it should be |
21:30 | <Hixie> | which is bad for security |
21:36 | <zcorpan> | hsivonen: apparently some people use <!--[if IE]><![endif]--><!doctype html> as a way to make ie not ignore x-ua-compatible despite having CCs before it |
21:45 | <zcorpan> | myakura: woah, thanks, will fix |
21:47 | <othermaciej> | Hixie: why do you need two modes? |
21:48 | <Hixie> | i may in fact not need those two modes |
21:48 | <Hixie> | i'm testing to see if browsers send origin with <video> currently |
21:48 | <Hixie> | the spec said they should, which is why i'd need two modes (<img> doesn't) |
21:49 | <Hixie> | looks like they don't though |
21:49 | <Hixie> | so maybe i can treat <img> and <video> exactly the same |
21:49 | <Hixie> | that'd be convenient |
21:52 | <othermaciej> | Hixie: incidentally, do you have any opinion on whether new resource embedding interfaces should be same-origin-only by default? |
21:53 | <othermaciej> | (with CORS exception) |
21:53 | <Hixie> | i think it very much depends on the type of resource in question |
21:53 | <othermaciej> | the case where this is relevant currently is @font-face |
21:53 | <Hixie> | i don't really see how fonts can contain origin-sensitive data (though we do currently taint the canvas when cross-origin fonts are used) |
21:53 | <othermaciej> | when I say "embedding", I mean to imply an inactive resource, and no ability to read back the contents, just to use it |
21:54 | <Hixie> | you can read back the contents of a font |
21:54 | <Hixie> | character presence, width, and height, at a minimum |
21:54 | <Hixie> | if we didn't taint the canvas, you could further obtain character pixel data |
21:55 | <othermaciej> | Mozilla folks argue that all new resource types should be same-origin-only by default, because that protects against hot linking and is easier for authors |
21:55 | <othermaciej> | some others (me included) tend to argue that it's better to match existing resource types even if there is a new model that is arguably better but not backwards-compatible |
21:56 | <Hixie> | it's not clear to me that hot linking needs protecting against, and it's certainly not easier for authors to require CORS as far as i can tell |
21:56 | <Hixie> | but i think it depends entirely on the resource type |
21:56 | <Hixie> | it's not something for which i think it makes sense to have a default |
21:56 | <othermaciej> | Mozilla even wanted to make video same-origin-only until that turned out to be impractical |
21:56 | <Hixie> | video data can be quite sensitive |
21:56 | <Hixie> | i think that one _should_ have been same-origin by default |
21:57 | <Hixie> | indeed the spec still says it is, though i'm fixing that as we speak |
21:59 | <Hixie> | hsivonen, roc: in case this isn't known, <video> in Gecko seems to sprout a tabindex="0" attribute out of nowhere |
21:59 | zcorpan | noticed that years ago |
22:05 | AryehGregor | noticed that in his execCommand() tests too |
22:23 | <Hixie> | when anne gets back i think he and i need to speak about making a spec that merges all the fetch and cors stuff into one single algorithm |
22:23 | <Hixie> | this is just crazy |
22:59 | <karlcow> | Where I was working before, we had an (involuntary) DDOS with a simple IMG. The IMG on a very high traffic Web site was calling another server home page (with weaknesses) instead of an IMG. Each request from a random user was creating processes on the small server app with crashes. At least we had the control of the two servers. |
23:44 | <Yuhong> | The funny thing about IE6 and CSS was that it was praised as standard compliant back in 2001. |
23:44 | <jcranmer> | it was the most standards-compliant browser when it came out |
23:47 | <Yuhong> | There is a reason I sent an email to ask about the history of position is everything. |
23:48 | <aho> | +10 years ago |
23:48 | <aho> | ;) |