08:31
<zcorpan>
<http://www.w3.org/mid/D0BC8E77E79D9846B61A2432D1BA4EAE0341573B⊙Trcmc> - wonder if i should object
10:04
<jgraham>
zcorpan: I swear DOM3 events is happening in some alternate reality
10:09
<Ms2ger>
And it only connects to our reality every few months?
10:15
<Ms2ger>
Do browsers support object.contentWindow?
10:19
<Ms2ger>
Ah, looks like Opera does
12:40
<zcorpan>
oh hey, the splitter ids have been updated! yay
12:41
<zcorpan>
or not? complete/ has video in the-iframe-element.html but multipage/ has video in the-video-element.html
12:41
<zcorpan>
Philip`: ^
12:43
<Philip`>
I think my instance of the splitter is only used for multipage/
12:43
<Philip`>
(and is the latest code from SVN)
12:44
<Philip`>
I don't know where complete/ is generated
12:44
<zcorpan>
Hixie: ^
14:49
<karlcow>
http://norman.walsh.name/2011/08/12/styleThis
14:49
<karlcow>
Styling list numerations with CSS
16:02
<AryehGregor>
Oops! Google Chrome could not connect to software.hixie.ch
16:02
<AryehGregor>
Try reloading: software.hixie.ch/utilities/js/live-dom-viewer/
16:02
<AryehGregor>
Nooooooooooo
16:02
<Ms2ger>
And Firefox can't establish a connection to the server at junkyard.damowmow.com either
16:03
<AryehGregor>
But whatwg.org is up. I thought they were on the same Dreamhost account?
16:05
<smaug____>
Hixie: you were writing down some ideas for <dialog>. I wonder where that page is
16:05
<Ms2ger>
wiki.whatwg.org somewher
16:05
<Ms2ger>
+e
16:05
<smaug____>
(since I wonder why we need dialog when we have showModalDialog)
16:06
<smaug____>
browsers could just implement showModalDialog in a bit different way
16:28
<dglazkov>
good morning, Whatwg!
16:30
<Ms2ger>
Evening
16:31
<manu-db>
Suggestion that the W3C TAG shut down the RDFa/Microdata Task Force initiative: http://lists.w3.org/Archives/Public/www-tag/2011Aug/0050.html
16:42
<jgraham>
Does anyone other than Opera support DOM 3 Load and Save?
16:43
<gsnedders>
jgraham: No
16:45
<karlcow>
jgraham: yes. Let me search, because I do not remember where
16:46
<Ms2ger>
We don't
16:46
<Ms2ger>
Except for some stuff on XHRProgressEvent
16:46
<karlcow>
Xerces-C++
16:47
<karlcow>
http://xerces.apache.org/xerces-c/program-dom-3.html
16:48
<karlcow>
Xerces is incomplete though
16:48
<karlcow>
there is also http://www.doxdesk.com/software/py/pxdom.html
16:49
<karlcow>
http://lists.w3.org/Archives/Public/www-dom/2003OctDec/0064.html
16:49
<karlcow>
and X-Hive, incomplete too
16:49
<karlcow>
http://www.w3.org/2003/10/DOM-Level-3-LS-implementations.html
16:49
<jgraham>
karlcow: That was a long way of saying "no"
16:50
<jgraham>
No one that needs to interoperate with web browsers
16:50
<karlcow>
heh, you didn't ask that question ;)
16:50
<jgraham>
This is #whatwg, it is implied :p
16:51
<karlcow>
haaa if you changed the rules
16:51
<Ms2ger>
There are no rules ;)
16:51
<karlcow>
sense of logic on #whatwg
16:51
<karlcow>
;)
16:51
<jgraham>
Well it would be logical that there was never a sense of logic. Having one sometimes is only illogical
17:06
<TabAtkins>
AryehGregor: http://nooooooooooooooo.com/
17:09
<AryehGregor>
for i in `seq 50`; do echo -n "$i: "; dig +short n`yes o | tr -d "\n" | head -c $i`.com; done
17:09
<AryehGregor>
Quite interesting, actually.
17:13
<AryehGregor>
(for i in `seq 62`; do dig +short n`yes o | tr -d "\n" | head -c $i`.com | tr "\n" " "; echo -e "\t$i"; done) | sort
17:14
<AryehGregor>
(for i in `seq 62`; do dig +short n`yes o | tr -d "\n" | head -c $i`.com; done) | sort | uniq -c | sort -nr
17:14
<AryehGregor>
Most of these point to 72.3.199.7.
17:14
<AryehGregor>
The one with 15 o's is the only one that points to 74.208.14.77.
17:15
<AryehGregor>
Actually, there are only six IPs that have more than one variant pointing to them.
17:15
<TabAtkins>
Hahaha, now I see what you're doing.
17:15
<AryehGregor>
Okay, I really need to do work instead of wasting time.
17:15
<AryehGregor>
Did you run the commands?
17:15
<TabAtkins>
Yes.
17:15
<TabAtkins>
And I was confused by the list of ips.
17:15
<AryehGregor>
It only goes up to 62, apparently no part of the domain name can be longer than 63 bytes.
17:15
<TabAtkins>
Then I man'd some of the commands and figured it out.
17:15
<AryehGregor>
That command is a test of your Unix command line knowledge.
17:16
AryehGregor
doesn't know if there's any easier way to repeat a string than yes piped to tr and head
17:20
<Ms2ger>
python "print i*\"o"
17:22
<TabAtkins>
Doesn't appear to be on my machine, but "string" has the ability to do that easily.
17:27
<swarren08>
Which browser right now has the most support for HTML5?
17:27
<swarren08>
everything i see is chrome beta 13 and 14
17:28
<smaug____>
swarren08: define HTML5 ;)
17:28
<swarren08>
lol
17:28
<swarren08>
good point
17:28
<smaug____>
and define "support"
17:29
<smaug____>
is support something that browser report to web page, or is it something actually usable
17:29
<swarren08>
Support= me using html5 and the browser showing it
17:29
<Ms2ger>
But the answer is obviously Firefox
17:29
<smaug____>
:p
17:29
<swarren08>
i use firefox nightly
17:29
<swarren08>
and chrome b13
17:30
<swarren08>
i have not tried internet explorer since ie7
17:30
<gnarf>
b13? isnt 13 stable now?
17:30
<smaug____>
I would guess Firefox, Chrome and Opera are pretty much in the same level
17:30
<smaug____>
they just happen to "support" different things
17:30
<swarren08>
not to my knowledge
17:31
<swarren08>
i just download the beta via google
17:31
<swarren08>
12.0.725.0 beta-m
17:31
<swarren08>
and got that
17:31
<gnarf>
chrome stable: http://cl.ly/1N261S430A403g172M0g
17:31
<gesa>
http://caniuse.com
17:32
<swarren08>
ah
17:32
<swarren08>
correct it is stable
17:32
<swarren08>
i just restarted chrome again
17:32
<swarren08>
and am currently sitting at 14.0.835.35 beta-m
17:32
swarren08
wishes he could use cloudapp
17:33
<timeless>
karlcow: the list numeration thing is impressively depressing
17:34
<timeless>
i think the way to do start right for the other case is probably: <ol><li class="hidden"><li class="hidden"><li class="hidden"><li class="hidden"><li class="hidden"><li class="hidden"><li class="hidden"><li class="hidden"><li class="hidden"><li>This is a continued list
17:37
<swarren08>
this version of chrome doesnt support Microdata
17:37
<timeless>
fwiw, ie10preview-whatever is pretty good
17:37
<timeless>
if you have windows, you really should grab it
17:37
<timeless>
they're actually implementing various proposals and giving constructive feedback
17:37
<timeless>
(they really aren't the enemy you remember)
17:38
<swarren08>
i remember, i just never liked ie
17:38
<TabAtkins>
Just wait until Windows 8. I'm betting on the enemy I remember returning.
17:38
<swarren08>
to be honest, i forgot why...
17:38
<timeless>
what do you remember the enemy doing?
17:38
<timeless>
fwiw, ie has gotten a bunch of things right
17:39
<timeless>
among other things, their developer tools (js debugger/profiler) are better than many others
17:39
<timeless>
they also automatically profile addons and tell end users when there are slow ones
17:39
<TabAtkins>
Embracing a platform, extending it with proprietary extensions, releasing dev tools that make it really easy to use said extensions, then taking the platform the way they want now that they have a captive audience.
17:39
<timeless>
and ie doesn't automatically enable addons anymore
17:39
<timeless>
you're told when new addons are added and you get to *choose* to enable them
17:39
<TabAtkins>
Basically I'm not afraid of IE. I'm afraid of Windows.
17:39
<timeless>
so far i haven't seen any addons violent/evil enough to violate that
17:40
<AryehGregor>
swarren08, Firefox/Chrome/Opera are all pretty comparable in standards support. Firefox/Chrome somewhat more, maybe. Safari is like Chrome except it lags behind due to release schedule. IE is worse, but it's rapidly closing the gap with IE9 and now IE10.
17:40
<timeless>
(my bet is microsoft would crack down on such things)
17:40
<AryehGregor>
Yeah, IE9's addon handling is awesome.
17:40
timeless
nods
17:40
<AryehGregor>
"Do you want to enable Piece-of-Garbage Add-On by Some Random Company You've Heard of But Never Authorized to Install Add-Ons, Inc.?" "No"
17:40
<timeless>
"and thanks for asking me"
17:41
<timeless>
which reminds me, i need to file a bug, our internal addon doesn't list a vendor
17:41
<gesa>
Or "This add-on created by M$ is doubling launch time. Do you want to disable it?"
17:41
<swarren08>
Like i said, i havent tried ie since ie7... and now that we are on ie9 (and beta 10) i figure ill give it a shot
17:41
<AryehGregor>
"Did you realize that all these stupid add-ons that have enabled themselves are causing the browser to take an extra 4.75 s to start up?" "Good grief, no, disable them all"
17:41
<AryehGregor>
Firefox should get with the picture on that score.
17:41
<swarren08>
yea
17:42
<timeless>
oh, right, they also have a genuine "disable all" button
17:42
<timeless>
Multiple add-ons are selected
17:42
<AryehGregor>
Add-ons are a huge performance drain in some cases. Which is why when I used Firefox, I eventually wound up with a grand total of like three extensions, and I was suspicious of those.
17:42
<timeless>
You have selected multiple add-ons in the list above. You can enable or disable all selected add-ons by clicking the appropriate button below.
17:42
<AryehGregor>
Firebug definitely killed performance in some cases, although it's probably gotten better.
17:43
<timeless>
i'm using 8, i don't have firebug
17:43
<AryehGregor>
At one point I actually saw a notification in Gmail saying "Hey, we noticed you're using Firebug, and our statistics show this murders page responsiveness. Disable it when you're not using it."
17:43
<swarren08>
Firefox used to be pretty fast
17:43
<timeless>
AryehGregor: yeah, i remember that
17:43
<AryehGregor>
Sadly, Firebug is still essential for me on Firefox.
17:43
<timeless>
+1 to gmail team for doing that
17:43
<swarren08>
thats pretty cool
17:43
<AryehGregor>
I think Firebug has gotten better, though, like not enabling the network tab unless you're viewing it.
17:43
<TabAtkins>
AryehGregor: I had like 30 FF extensions. I just didn't shut it down often, and when I did took it as an opportunity to make myself a snack.
17:43
<timeless>
heh
17:43
<AryehGregor>
TabAtkins, they can also slow down page load.
17:43
timeless
should get lunch
17:43
<AryehGregor>
And new tab creation time.
17:44
<TabAtkins>
AryehGregor: Apparently not enough for me to have cared at the time.
17:44
<smaug____>
swarren08: Firefox is a lot faster than ever ;)
17:44
<timeless>
AryehGregor: note that IE actually tells you if an add-on slows down start up or page load
17:44
<timeless>
w/ timings!
17:44
<AryehGregor>
TabAtkins, or you just didn't realize how much slower it was making your browsing.
17:44
<AryehGregor>
Maybe that's part of why Chrome seemed so much faster when you tried it. :)
17:44
<AryehGregor>
timeless, yes, it's absolutely awesome.
17:44
<AryehGregor>
Firefox needs to just clone the whole feature.
17:44
<smaug____>
AryehGregor: Btw, Skype extension has been the worst extension ever, I think
17:44
<smaug____>
perf-wise
17:44
<smaug____>
it slowed down some DOM operations like 300x
17:44
<swarren08>
yes
17:44
<timeless>
smaug____: well, scanning the entire page for phone numbers...
17:44
<timeless>
constantly
17:45
<swarren08>
thank you to chrome
17:45
<swarren08>
it automatically shuts off my skype extension
17:45
<AryehGregor>
FWIW, I did notice a huge responsiveness difference between Firefox 3.6 (with *no* extensions) and Chrome on Linux when I tried them. It got a lot better with Firefox 4.
17:45
<TabAtkins>
AryehGregor: I switched to Chrome for the UI, not the speed.
17:45
<AryehGregor>
But you really can't beat Chrome's "nothing ever freezes the UI even briefly".
17:45
<swarren08>
The UI is very impressive
17:45
<timeless>
AryehGregor: have you had the chrome in IE freeze?
17:45
<TabAtkins>
That's not 100% true, but yeah, it's nice.
17:45
<smaug____>
AryehGregor: have you tried printing with Chrome ;)
17:45
<timeless>
i don't think i've seen it freeze in ie9/10 except when they crash
17:45
<AryehGregor>
Versus Firefox's "mostly the UI is responsive but the whole browser can hang sometimes due to long-running script etc.".
17:45
<smaug____>
that is the way to freeze Chrome
17:45
<timeless>
which doesn't count (and yes, i've crashed chrome)
17:46
<swarren08>
i dont think ive crashed chrome
17:46
<AryehGregor>
smaug____, I don't have a printer. Do people still use paper these days? I haven't noticed.
17:46
<swarren08>
i crash firefox and nightly constantly
17:46
timeless
prints
17:46
<AryehGregor>
(actually, I just use my parents' printer if I need one, and Chrome prints fine in my experience)
17:46
<smaug____>
printing has been the way to hang and crash chrome
17:46
<timeless>
swarren08: have you used about:crashes and ensured there are bugs filed?
17:46
<swarren08>
yep
17:46
<AryehGregor>
I haven't seen a whole-browser crash in Chrome for at least a year or two.
17:46
<swarren08>
i always do
17:46
<swarren08>
and i always put my email in
17:47
<AryehGregor>
I've seen plenty of individual tab crashes.
17:47
<AryehGregor>
Sometimes reproducible.
17:47
<dglazkov>
oh cool, a browser bash
17:47
<AryehGregor>
But they're really no big deal, just refresh.
17:47
<TabAtkins>
I suppose I haven't seen a full renderer crash since the %: or whatever bug.
17:47
<dglazkov>
I like curl myself
17:47
<AryehGregor>
(I especially get crashes in Web Inspector)
17:47
<TabAtkins>
dglazkov: I use a shell script that uses curl and smtp so I can read the web in pine.
17:47
<AryehGregor>
dglazkov, curl doesn't give you enough control. I think telnet is the only tenable option.
17:47
<Ms2ger>
dglazkov, wget, dammit
17:48
<AryehGregor>
Although it's tricky to use for HTTPS.
17:48
<AryehGregor>
You have to be really good at mental arithmetic.
17:48
<dglazkov>
AryehGregor: what's HTTPS?
17:49
<AryehGregor>
dglazkov, that thing that adds extra round-trips to the first page load in exchange for people not being able to play devastating practical jokes on you with Firesheep.
17:49
<dglazkov>
seems like a lot of pain to avoid being pranked.
17:49
<Philip`>
It's the thing that triggers all those warnings about invalid certificates that you click "accept" on
17:49
<swarren08>
sometimes id rather be rick roll'd
17:49
<AryehGregor>
I know, right? But some people like it.
17:50
<AryehGregor>
Philip`, or that you click through four different menus that try to confuse and dissuade you before the thing will actually let you view the site, in Firefox's case.
17:50
<AryehGregor>
But in Chrome I've seen it not give any option to continue at all.
17:50
<AryehGregor>
That is absolutely unacceptable.
17:51
<timeless>
oh, sob
17:51
<AryehGregor>
It was some MS site that had a revoked cert for some reason, but I didn't care in the slightest because the most an attacker could steal was my MS login, which I don't care about.
17:51
<timeless>
our IE toolbar hasn't been updated since 2008
17:51
AryehGregor
stabs "security" zealots
17:52
<swarren08>
wow 2008?
17:52
<timeless>
swarren08: i presume it "just works" and doesn't really need maintenance
17:52
<zewt>
yeah chrome's https handling is beyond unacceptably broken
17:52
<timeless>
it's an internal tool
17:52
<zewt>
last i saw, anyway
17:52
<swarren08>
sounds like a bunch of people i know
17:53
<timeless>
yeah, the webkit client i use here uses curl
17:53
<zewt>
firefox's is also unacceptably broken, but not to the degree of actually preventing you from doing things you need to do
17:53
<timeless>
and the errors i get for web sites are terrible
17:53
<zewt>
firefox only goes to the point of ensuring every firefox user is trained to click through every security dialog without reading it
17:53
<TabAtkins>
AryehGregor: Argh, worst is the OMGWTFBBQ about self-signed certs. Not even a whisper of complaint when you visit a page that does login over HTTP POST, but if you *dare* to try to secure the connection without going through the registrar mafia? RED PAGE.
17:53
<timeless>
AryehGregor: there's sconnect or something for ssl
17:54
<timeless>
i've used that as a telnet replacement for https
17:54
<zewt>
tab: yeah, i've been ranting for a while about the ridiculousness of browsers training people to think of unsigned encryption as *less* secure than plaintext
17:54
<zewt>
i understand the rationale, but the end result is no less absurd for it
17:54
<timeless>
zewt: well
17:55
<TabAtkins>
I don't even understand the rationale.
17:55
<timeless>
the rationale is:
17:55
<timeless>
if you normally don't get an error
17:55
<TabAtkins>
You don't trust the endpoint, but you trust the connection.
17:55
<timeless>
then when you do get an error, you're probably being attacked
17:55
<zewt>
the rationale is that you don't want people loading their https://bank.com and having an attacker present the site with a self-signed cert
17:55
<TabAtkins>
That's better than trusting neither.
17:55
<timeless>
whereas if you are visiting a site that never pretends to be secure
17:55
<timeless>
then you're supposed to know that it isn't necessarily trustworthy
17:55
<timeless>
but you also know that there's no reason to consider today any more or less different from yesterday
17:56
<timeless>
the big problem is...
17:56
<timeless>
banks offer http://bank.com
17:56
<timeless>
and often have login pages on that page
17:56
<zewt>
the solution, IMO, is/was/should have been to have an shttp:// protocol, which is exactly identical to https but without the certificate check, so loading https URLs can't be compromised in that way, while still allowing people to use encryption without a cert
17:56
<timeless>
which teach users to enter their credentials *there*!
17:57
<timeless>
zewt: for what purpose?
17:57
<zewt>
i've never seen a bank with a login not on https (of course I only use my bank), but my electric or gas company (forget which) has a login on http (with some dumb flash hack to handle the actual encryption)
17:57
<AryehGregor>
TabAtkins, https:// with self-signed cert is, in general, worse than http://.
17:57
<zewt>
timeless: huh? for the purpose of encrypting :)
17:57
<timeless>
zewt: try http://www.discovercard.com/
17:57
AryehGregor
digs up rationale
17:57
<timeless>
there's a login form on that page
17:57
<timeless>
i've actually done surveys of banks
17:57
<timeless>
and it varies by size and region
17:57
<timeless>
but there are definitely plenty of banks w/ login forms on their front page (which is http)
17:57
<AryehGregor>
TabAtkins, http://lwn.net/Articles/413600/
17:58
<timeless>
and please note that having a phone number or hours/addresses on http is also bad
17:58
<zewt>
if there was an http* protocol meant for encryption-without-certs, every webserver in the world would ship with a default configuration allowing encryption, and the level of security in the world would be a notch higher
17:58
<swarren08>
wow... people will do anything to hack you
17:58
<timeless>
if i'm using an internet cafe in a foreign country
17:58
<timeless>
i can easily be tricked into going to a fake bank or fake atm
17:58
<timeless>
i wouldn't know the difference..
17:58
AryehGregor
<3 Google for giving his post as the first result for "lwn.net Simetrical self-signed"
17:58
<zewt>
it would not be a *lot* higher, since it obviously wouldn't protect against MITM, but the world would be substantially less susceptible to passive sniffing
17:58
<TabAtkins>
AryehGregor: Yes, the confusion angle is the only thing. Presenting the same UI for a self-signed and an EV-signed would be bad.
17:58
<AryehGregor>
zewt, tcpcrypt.org is a very neat technology.
17:59
<AryehGregor>
I hope it takes off.
17:59
<timeless>
passive sniffing is kinda useless as risks go
17:59
<timeless>
if i'm in an internet cafe
17:59
<swarren08>
A good example of what you are talking about is Steam
17:59
<zewt>
spdy is also always encrypted, signed or no
17:59
<zewt>
iirc
17:59
<timeless>
there's really no way to protect me from a MITM
17:59
<AryehGregor>
tcpcrypt covers all TCP, though.
17:59
<timeless>
and that MITM becomes equivalent to passive snooping
17:59
<AryehGregor>
SPDY is always encrypted because it has to tunnel through HTTP proxies that try to meddle with regular HTTP.
17:59
<zewt>
mitm is ... the opposite of passive
18:00
<AryehGregor>
No, MITM can include passive as well as active.
18:00
<timeless>
you might as well get people to do the right thing and have good certs
18:00
<swarren08>
People go thru and do a web site dump of the Official site
18:00
<AryehGregor>
Generally any time you can do passive you can do active, but active is often harder to pull off and/or carries more risk of detection.
18:00
<swarren08>
and adjust it to the site they own, make own certs and send the links to people
18:00
timeless
notes that there are deployed attacks which actually do this
18:00
<TabAtkins>
AryehGregor: Thanks for reminding me about tcpcrypt. I meant to install it last time I saw it.
18:01
<timeless>
they've even been described on krebsonsecurity.com
18:01
<swarren08>
they are able to take over what they want and also capture the accounts of people
18:01
<zewt>
active is by nature riskier, which is a deterrent by itself
18:01
<AryehGregor>
tcpcrypt is clever that way: you don't know whether there will be authentication until the encryption is finished. So a MITM has to decide whether to intercept the connection before knowing if they'll be detected. If you have auth layered on top of tcpcrypt or similar, the attacker will intercept it fine, but then the authentication will fail and the attacker will be detected.
18:01
<AryehGregor>
In principle, if tcpcrypt were deployed, you could do things like expose the client's session id to JavaScript, say.
18:02
<timeless>
err
18:02
<timeless>
can't the server expose that already?
18:02
<AryehGregor>
So the server could send some code with the server's session id somewhere and check it against the client id. The attacker could theoretically rewrite the code to prevent that, but not in general -- it's the halting problem.
18:02
<timeless>
oh
18:02
<timeless>
well
18:02
<timeless>
no
18:03
<AryehGregor>
So the attacker could have special hacks to rewrite the checks for known apps, but some random webpage that does it in some slightly different way would still be able to throw up a scary error.
18:03
<timeless>
MITM could pretty trivially include code which tries to capture access to a property
18:03
<zewt>
AryehGregor: don't know how you mean that MITM can be done passively; the definition of MITM is active, sending packets to one or both parties
18:03
<AryehGregor>
timeless, you could make the property a non-replaceable global so that nothing can capture access to it.
18:03
<zewt>
(most often both, hence the term)
18:03
<AryehGregor>
zewt, it can include interception as well, AFAIK. MITMs can merely eavesdrop.
18:04
<AryehGregor>
Hmm, I see.
18:04
<zewt>
eavesdropping isn't MITM, it's sniffing
18:04
<AryehGregor>
Well, an MITM is perhaps always active to some extent, but not necessarily in a noticeable fashion.
18:04
<timeless>
AryehGregor: at that point, the attacker will just rewrite all streams looking for the keyword, replace `eval`, and rewrite any instance of `window` to an object which does shadowing
18:04
<AryehGregor>
A compromised router is a MITM.
18:04
<zewt>
depends on the particular attack
18:04
<AryehGregor>
But it might just be sniffing traffic, not doing anything discernibly wrong.
18:04
<timeless>
i wonder if someone has a toolkit that does that
18:04
<zewt>
a compromised router is a MITM if you're using it to sit between and manipulate the two endpoints
18:05
<zewt>
ngrep on a compromised router is not MITM
18:05
<AryehGregor>
timeless, hmm, I guess. You could make it a magic keyword, but then they could sniff for a keyword.
18:05
<AryehGregor>
Anyway, it would be a way to catch attackers who aren't careful.
18:05
<timeless>
yep
18:05
<timeless>
AryehGregor: the problem is...
18:05
<timeless>
attackers will share toolkits
18:05
<AryehGregor>
zewt, definitionally, I disagree, but it's semantics, so whatever.
18:05
<timeless>
which means the X months it takes to deploy a security feature
18:05
<AryehGregor>
timeless, sophisticated ones will. Script kiddies will use whatever they happen to get off the shelf, which may or may not be competently written depending on their connections and price range.
18:05
<zewt>
mitm is a specific term referring to a specific class of attacks
18:06
<timeless>
will be defeated in X/12 months and then shared
18:06
<timeless>
it will appear in the script kiddy toolkits in 3/7 * X months
18:06
<AryehGregor>
Yeah, it's just a speed bump. But it will catch some attacks.
18:06
<timeless>
it really isn't a useful speed bump
18:06
<timeless>
and it's somewhat expensive to implement
18:06
<AryehGregor>
It's basically free to implement, given that tcpcrypt is already being used.
18:06
<timeless>
cost benefit there is terrible
18:07
<AryehGregor>
Which is a good idea anyway to stop sniffers.
18:08
<timeless>
what protects tcpcrypt from a mitm that always claims not to support tcpcrypt?
18:08
<timeless>
(standard downgrade attack)
18:09
timeless
hunts lunch
18:10
<AryehGregor>
timeless, such a MITM could also just intercept the connection directly. So there's no added threat surface.
18:11
<AryehGregor>
Either way, it forces them to become an active attacker -- they can't just sniff.
18:11
<AryehGregor>
Also, tcpcrypt exposes a very nice, useful primitive (session id) that you can trivially layer authentication on top of.
18:11
<AryehGregor>
So it would allow a lot of code to be unified that currently has to be redone for every different application-level protocol.
18:11
<Ms2ger>
Oh hey, go Microsoft
18:12
<AryehGregor>
?
18:13
<Ms2ger>
They like DOM Views
18:13
<AryehGregor>
So that was sarcastic?
18:15
<Ms2ger>
Apologies
18:15
<Ms2ger>
</sarcasm>
18:15
AryehGregor
is never quite sure without context, since MS does occasionally do things surprisingly right
18:16
<AryehGregor>
They're okay with a notice, though, so I think that's fine.
18:16
<AryehGregor>
Actually rescinding is going to be a waste of time, and it won't happen if the replacement isn't also a REC.
18:18
<TabAtkins>
I just notice how much they talked about "stability" in that email, and not "correctness".
18:18
<Ms2ger>
Well duh
18:18
<AryehGregor>
Yes, because that's what their corporate customers care about.
18:18
<AryehGregor>
Standards compliance is an item on a checklist, not something they directly care about for any practical reason.
18:19
<AryehGregor>
MS cares about the practical reasons, but most of their customers don't.
18:19
<AryehGregor>
They're the only major browser vendor to actually deal with large corporations to any meaningful extent, remember.
18:19
<AryehGregor>
(as users of their browsers, that is)
18:37
<gsnedders>
AryehGregor: Well, we ship to customers who care about these sorts of things
18:37
<swarren08>
Who is Mr. Lastweek?
18:37
<AryehGregor>
gsnedders, yeah, okay, but you clearly aren't as concerned with them as MS.
18:37
<Ms2ger>
MikeSmith
18:37
<Ms2ger>
Or so I hear
18:38
<gsnedders>
swarren08: That was a big question a few years back. Still unknown, AFAIK.
18:38
<swarren08>
ah
18:38
<swarren08>
im reading a book
18:38
<swarren08>
and its in here
18:38
<gsnedders>
AryehGregor: Well, yeah. Most of our customers care more about CE-HTML and the like than HTML.
18:38
<Ms2ger>
Which book?
18:39
<swarren08>
Addison Wesley HTML5 Guidelines for Web Developers
18:39
<swarren08>
An imaginary character,
18:39
<swarren08>
Mr. LastWeek, comments on the events with sometimes hefty blog entries at
18:39
<swarren08>
http://lastweekinhtml5.blogspot.com in reaction to the publicly accessible IRC
18:39
<swarren08>
protocols at http://krijnhoetmer.nl/irc-logs
18:40
<gsnedders>
AryehGregor: And from a more sane POV, things like HbbTV.
18:40
<Ms2ger>
The IRC protocols?
18:40
<swarren08>
lol thats what the book says
18:42
<swarren08>
Apparently im oblivious to everything... or just didnt know but they are actually working on xhtml2?
18:43
<gsnedders>
swarren08: They were. It never had much interest from browser vendors, and totally stopped a couple of years back.
18:43
<swarren08>
ah
18:43
<Ms2ger>
Well, the WG was disbanded
18:43
<Ms2ger>
And then continued to publish specs for another year
18:43
<swarren08>
i looked up the guy who was doing it and it had info on his site about xhtml
18:43
<swarren08>
xhtml2*
18:44
<gesa>
xhtml made us all write cleaner code. rip.
18:45
<swarren08>
did you not like to write cleaner code?
18:45
<gesa>
i LOVED writing cleaner code. I'll always write cleaner code because xhtml existed.
18:46
<swarren08>
i make my coding look nice
18:46
<gesa>
none of this non-quoted attribute values, unclosed tags nonsense
18:46
<swarren08>
i always close my tags
18:46
<TabAtkins>
Unquoted attributes are the major reason I write my SVG in HTML. ^_^
18:47
<Ms2ger>
Ugh
18:47
<gesa>
me too. but future web developers have no reason to anymore.
18:47
<Ms2ger>
Next you're going to claim you write <br/>
18:47
<swarren08>
i do actually
18:47
<gesa>
... me too.
18:47
<Ms2ger>
And <script/> as well?
18:48
<gesa>
Though I find I don't use <br /> very often anymore
18:48
<gesa>
no way.
18:48
<gesa>
<script></script>
18:48
<gesa>
<script/> breaks some (most? all?) browsers.
18:48
<Ms2ger>
All
18:48
<swarren08>
lol
18:48
<Philip`>
Ms2ger: Surely not <br/>, it has to be <br /> for compatibility
18:49
Ms2ger
throws a cake at Philip`
18:49
<Ms2ger>
And tell me my test updates are correct
18:49
<gsnedders>
Ms2ger: But don't you care about NN! You insensitive sod!
18:49
<AryehGregor>
gesa, <script/> breaks all browsers, it's parsed the same as <script>.
18:49
<AryehGregor>
Except if served as XML.
18:49
<Philip`>
(Also, never forget to comment out your script contents)
18:50
<gesa>
Yeah. Learned that the hard way in a night of obsessive over the top code cleanup
18:51
<GlitchMr>
Browsers don't understand /> in SGML mode. Only while parsing documents as XML. Otherwise, they consider that / is just some random character to ignore.
18:51
<TabAtkins>
s/SGML/HTML/
18:52
<Ms2ger>
Nah
18:52
<TabAtkins>
In SGML mode, the / closes the tag, and the > is part of the text content. Luckily, no one's been an SGML browser for some time.
18:52
<GlitchMr>
Oh, right. Browsers fail at SGML. They don't know that <br/> is actually <br> and after that &gt; character...
18:52
<Ms2ger>
They acknowledge the trailing solidus
18:54
<Philip`>
TabAtkins: No one except the W3C validator, which will happily parse your document completely differently to any real browser before validating the result
18:54
<GlitchMr>
I remember <!-- -- >The comment is closed :). Browsers implemented it for some time just because of ACID2...
18:55
<GlitchMr>
W3C Validator is lame for me anyways. It doesn't take into account real problems and it blatantly accepts markup like <h1><ins><h2><del><h3></h3></del></h2></ins></h1>.
18:56
<GlitchMr>
And it's not error in validator :P. HTML shouldn't be parsed using DTD.
19:22
<Hixie>
Philip`: in case it comes up again, anne's the one running the splitter for complete.html
19:40
<swarren08>
hmmm i apparently could buy an HTML5 tshirt....
19:41
<swarren08>
How much does the css we use today differ from CSS3
19:42
gsnedders
facepalms at the sizes of the HTML5 t-shirts — the XL "body width" is the same size as my entire waist. Woops.
19:45
<swarren08>
im glad im not the only one gsnedders
19:45
<gsnedders>
"Profits from the sale of every HTML5 shirt go directly to the development of HTML5 test suite." — uh, who?
19:45
<gsnedders>
(And to those worried, don't worry. I've eaten almost 250g of chocolate this afternoon)
19:46
<gesa>
gsnedders: Women's XL width is way larger than my entire waist. Humans are varied, that's all.
19:46
<swarren08>
it goes to W3C
19:47
<gsnedders>
swarren08: No W3C employee has submitted a single test to the testsuite…
19:47
<swarren08>
lol
19:47
<swarren08>
it was a joke
19:47
<swarren08>
relax
19:48
<gsnedders>
gesa: And I thought my flatmate was thin…
19:50
<gesa>
gsnedders: Not thin. Just petite.
19:50
<annevk>
I wonder, did anyone miss the WHATWG Weekly?
19:50
swarren08
slowly raises hand
19:50
<swarren08>
ive been stuck in the hospital since last sat for a family member, so ive missed a bunch
19:51
<annevk>
heh
19:51
<gsnedders>
gesa: Well, you can still be thin in generic terms while being petite, and hence not thin relative to the rest of you.
19:51
<annevk>
I mean missed as in "omg why was it not written and published last Monday"
19:51
<gesa>
annevk: in that case, yes.
19:51
<annevk>
swarren08, my best to your family member
19:52
<gesa>
thought i was missing a bigger picture
19:52
<swarren08>
thanks, we hope she will awake soon
19:52
gsnedders
concludes a girls small HTML5 t-shirt would fit him in terms of width, though not be at all long enough
19:53
Philip`
guesses the measurements must be in inches, since if they were cm the XL wouldn't quite be wide enough for him
19:53
<swarren08>
i must agree with that one philip
19:59
<Ms2ger>
gsnedders, http://dvcs.w3.org/hg/html/rev/1a50586be65c
19:59
<gsnedders>
Ms2ger: Oh, my bad.
19:59
<Ms2ger>
That makes one :)
21:36
<Hixie>
is there really no spec out there that describes how to parse application/x-www-form-urlencoded data?
21:37
<Hixie>
hey we didn't register application/x-www-form-urlencoded either
21:37
<Hixie>
i guess we should do that huh
21:38
<gsnedders>
Hixie: Not that I could find.
21:38
<Hixie>
we suck
21:39
<TabAtkins>
Holy crap.
21:39
<TabAtkins>
I can't believe that these things go undefined like that.
21:39
<TabAtkins>
For decades.
21:39
<gsnedders>
How many impls are there, though, really?
21:39
<Hixie>
like six bazillion?
21:40
<TabAtkins>
Every HTTP server?
21:40
<Hixie>
and every cgi library
21:40
<gsnedders>
TabAtkins: That's still not a huge number.
21:40
<Hixie>
and every custom cgi script not based on a library
21:40
<gsnedders>
Hixie: Does each CGI library implement its own?
21:40
<TabAtkins>
More impls than there are browsers, by an order of magnitude or two.
21:40
<gsnedders>
TabAtkins: Well, yes.
21:40
<Hixie>
gsnedders: all the ones i've seen do
21:40
<Hixie>
i mean it's trivial to implement
21:40
<gsnedders>
Hixie: Heh.
21:40
<Hixie>
you just cut on &s and then cut on =s and then expand the %xxs
21:40
<gsnedders>
PHP does it all internally.
21:40
<Hixie>
and replace the +s
21:41
<Hixie>
and guess the encoding somehow
21:41
<Hixie>
by MAGIC
21:41
<gsnedders>
Hixie: We managed to do it wrong in one of our systems, which is why I realized there was no spec.
21:41
<Hixie>
heh
21:41
gsnedders
forgets what exactly the bug was
21:41
<TabAtkins>
We can just define the encoding, hopefully, and shut down one more place where the encoding wars hurt everyone.
21:42
<gsnedders>
TabAtkins: We can't. No way.
21:42
<TabAtkins>
Damn.
21:42
<Hixie>
yeah that's a lost battle
21:42
<Hixie>
_charset_ is the only way out of that one
21:42
<gsnedders>
TabAtkins: What encoding you want to use depends upon what you expect it will be, which is related to the encoding of the page it is sent frm.
21:42
<gsnedders>
*from
21:43
<TabAtkins>
;_;
21:44
<gsnedders>
Hixie: IIRC we were doing something like map(lambda x: x.split("=", 1), foo.split("&")) and then decoding
21:44
<gsnedders>
OH, no!
21:44
<Hixie>
that should work except for +s, no?
21:44
<gsnedders>
We did the decoding too soon.
21:44
<gsnedders>
That's what.
21:44
<Hixie>
ah, yeah
21:44
<TabAtkins>
Oh, heh.
21:44
<Hixie>
rookie mistake :-P
21:45
<TabAtkins>
Argh, figuring out what to do in mathematically degenerate cases is annoying.
21:45
<gsnedders>
Hixie: Sadly not in the code that was originally yours, so I can't blame you :P
21:45
<Hixie>
woot!
21:46
<Hixie>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12819 look right to you?
21:46
<Hixie>
wow i just mistook a chrome version number for an ip address
21:46
<Hixie>
that was confusing
21:47
<hober>
heh
21:49
<Hixie>
bbiab
21:52
<gsnedders>
Hixie: isindex just gets a single item?
21:52
<gsnedders>
Just the value?
21:56
<Ms2ger>
Hixie, http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A...%3Cscript%3E%0Aw%28%22width%22%20in%20document.createElement%28%22input%22%29%29%0A%3C%2Fscript%3E
22:00
<AryehGregor>
Does Gecko not fire keyup/keydown for things like Ctrl+B, or what?
22:00
AryehGregor
can't seem to get it to work
22:01
<smaug____>
works fine here
22:01
AryehGregor
tries again
22:04
<Hixie>
gsnedders: isindex is you skip the &-split step and the =-split step and just assign the whole thing to one 'value'
22:05
<AryehGregor>
I get a keydown for the ctrl, but not the b.
22:05
<Hixie>
Ms2ger: oh you mean the IDL attributes, ok
22:05
<gsnedders>
Hixie: Yeah, that's what I thought.
22:05
<Hixie>
Ms2ger: interesting
22:05
<Hixie>
Ms2ger: (your bug was too terse!)
22:05
<Ms2ger>
Oh, yes, should have said that
22:06
<Hixie>
gsnedders: what do you mean about non-ASCII bytes?
22:07
<gsnedders>
Hixie: If I have a FF byte, what do I do? What happens when I decode?
22:07
<gsnedders>
(pretend we're UTF-8 here)
22:07
<gsnedders>
Per HTML5 what is sent should be ASCII. What if it's not?
22:08
<AryehGregor>
Ah, I see.
22:08
<AryehGregor>
I was just getting confused.
22:08
<AryehGregor>
Oh, it's sending a capital B for keyCode instead of lowercase.
22:08
<AryehGregor>
Fun.
22:08
<Philip`>
Some libraries (e.g. CGI in Perl) split on ';' as well as '&' - should specs require/allow that?
22:09
<AryehGregor>
Don't you love interop?
22:09
AryehGregor
grumbles
22:09
<smaug____>
AryehGregor: what should it do then?
22:10
<smaug____>
other browsers give the same keyCode
22:10
<TabAtkins>
Philip`: That's part of the original definition of the encoding. Several libraries expose it as an option.
22:10
<smaug____>
er, charcode
22:11
AryehGregor
scratches head
22:11
<AryehGregor>
Now I'm confused.
22:11
<smaug____>
keypress gives charcode, keydown/up give keycode
22:11
<smaug____>
Opera seems to have some strange handling
22:11
<AryehGregor>
Because I could swear WebKit was giving the keycode for lowercase B before (97?), not uppercase.
22:12
<AryehGregor>
But my eyes must have been deceiving me.
22:12
<AryehGregor>
Oh well.
22:12
<smaug____>
keycode 66 for down/up
22:12
<smaug____>
and charcode 98 for press
22:13
<AryehGregor>
Right, I'm looking only at down/up.
22:13
<Ms2ger>
Hixie, should I reopen or will you?
22:15
<Hixie>
Ms2ger: please do
22:15
<Hixie>
gsnedders: ah, error handling
22:15
<Hixie>
gsnedders: yeah
22:15
<Hixie>
gsnedders: dunno
22:16
<Hixie>
gsnedders: interop isn't a big deal on that matter so maybe i just don't spec it
22:17
<gsnedders>
Hixie: Probably good enough to just leave it undefined, on the whole
22:44
<gsnedders>
Hixie: Pff, r6434! I mean, there's already a SHOULD requirement to solve the halting problem!
22:47
<Hixie>
yeah but that one only applies to validators :-P
22:47
<Hixie>
heycam|away: dude, stop changing the terms you use in webidl :-P
22:50
<Hixie>
is there some list i can subscribe to that e-mails me all changes to webidl?
22:50
<Hixie>
and dom core for that matter?