#whatwg
2011-09-01
plaintext logs
prev next
source on github
04:40
<rillian>
cpearce: it looks like the spec currently lets you add alternate audio/video tracks either using fragments, or through the media.audioTracks[]/media.videoTracks[] interfaces
04:40
<rillian>
you can likewise add text tracks through media.textTracks
04:40
<rillian>
but you can't add alternate audio/video tracks through <track>
04:40
<rillian>
maybe that's just an oversight
08:58
<annevk>
w3.org is offline?
08:58
<annevk>
cannot connect to IRC or well, anything
08:59
<annevk>
just a hickup it seems
09:02
<rniwa>
annevk: I can access www.w3.org without any issues
09:02
<rniwa>
annevk: maybe try pinging 128.30.52.37?
09:04
<annevk>
it's working again
09:04
<annevk>
very temporary :)
09:05
<rniwa>
i see
09:22
<annevk>
alright
09:22
<annevk>
time to add Node.contains()
09:25
<Lachy>
Nice. HTML context menus now supported in Firefox nightly. https://twitter.com/#!/codepo8/status/108989867278614528
09:26
<Lachy>
just looks like they're using <menuitem> instead of <command>. Not sure why though
09:29
<annevk>
see some debate in a bug report somewhere
10:36
<annevk>
so should we have <data-...>
11:00
<annevk>
Is there a name for an interface other interfaces inherit from that is never instantiated itself but only exists by virtue of the interfaces that inherit from it?
11:01
<Ms2ger>
Abstract?
11:02
<annevk>
So "CharacterData is an abstract interface and does not exist as node. It is used by Text, Comment, and ProcessingInstruction nodes.
11:02
<annevk>
"
11:03
hsivonen
looks forward to OO pedants sending feedback about "abstract interface"
11:03
<annevk>
If they suggest alternatives it will be all good :)
11:04
<annevk>
This is just a non-normative note to clarify things since every other heading in that section is about a node
11:05
<Ms2ger>
Except Node
11:06
<annevk>
I guess that should get the same note
11:21
<annevk>
http://software.hixie.ch/utilities/js/live-dom-viewer/?x%3Cscript%3Edocument.body.firstChild.removeChild%28document.body%29%3C%2Fscript%3E
11:21
<annevk>
Gecko: HIERARCHY_REQUEST_ERR, WebKit: NOT_FOUND_ERR
11:21
<annevk>
I don't think http://dvcs.w3.org/hg/domcore/raw-file/tip/Overview.html#concept-node-pre-remove actually needs step 1 given step 2
11:22
<annevk>
Opera: NOT_FOUND_ERR
11:23
<annevk>
What do you think Ms2ger?
11:23
<Ms2ger>
wfm
11:23
<Ms2ger>
Please do update the test :)
11:24
<annevk>
I should check out the tests I guess
11:25
<annevk>
now they are separated from the specification
11:26
<annevk>
heh
11:26
<annevk>
added 563 changesets with 1341 changes to 478 files
11:30
<annevk>
Ms2ger, there is no test?
11:30
<Ms2ger>
Node-removeChild.html?
11:30
<annevk>
yeah it does not have a HIERARCHY_REQUEST_ERR in it
11:31
<annevk>
guess I can add something that makes Gecko fail
11:31
<annevk>
it also does a bunch of Attr (node) tests
11:31
<Ms2ger>
Not anymore :)
11:35
<annevk>
added a test for removeChild on a text node
11:35
<Ms2ger>
Thanks
11:35
<annevk>
someone else can file a bug on Gecko
12:32
<annevk>
I'm starting to think we should just go ahead and merge Range in
12:32
<annevk>
Is there much else to do that I am missing?
12:33
<annevk>
Also note it is prerequisite for adding modification listeners
12:33
<annevk>
Ms2ger, AryehGregor, ^^
12:34
<Ms2ger>
sURE
12:34
Ms2ger
hits caps lock
12:37
<annevk>
does this count as written permission per the license? :)
12:38
<annevk>
whoa
12:38
<annevk>
https://bitbucket.org/ms2ger/dom-core/raw/tip/dom-core.html
12:39
<annevk>
isn't this some giant XSS hole in bitbucket?
12:39
<Ms2ger>
Yes
12:42
<annevk>
Ranges is actually pretty big
12:47
<Ms2ger>
15 pages or so?
12:49
<annevk>
yeah something like that
12:49
<annevk>
2000 lines :)
13:11
<hsivonen>
that bitbucket thing is scary. has it been reported to bitbucket?
13:11
<Ms2ger>
Not by me
13:12
<hsivonen>
and bitbucket has been created *after* people were supposed to know about origins
13:18
<annevk>
it looks like a regression
13:19
<annevk>
what is the "Assert:" stuff Ms2ger?
13:19
<annevk>
can that be removed?
13:20
<Ms2ger>
Sure
13:20
<gsnedders>
assert stuff? where?"
13:21
<Ms2ger>
DOM Range
13:22
<gsnedders>
Ah. The asserts there are pretty much all just for WebIDL things>
13:22
<gsnedders>
*?
13:22
<Ms2ger>
Yeah
13:22
<gsnedders>
I'd say they don't add anything, then, really.
13:38
<hsivonen>
the DOM Core spec exposed a bug in my new View Source impl...
13:39
<Ms2ger>
Oh?
13:41
<annevk>
someone with a good term for "ancestors and the node itself"?
13:42
<annevk>
XPath calls it ancestor or self
13:42
<hsivonen>
Ms2ger: it appears that I broke the way View Source communicates the charset of the page to the main thread when I fixed https://bugzilla.mozilla.org/show_bug.cgi?id=675499
13:45
<annevk>
how about "reverse subtree"
13:46
<annevk>
(the current term is "ancestor containers")
13:46
<hasather>
annevk: wouldn't that be a supertree then?
13:48
<hasather>
(I guess tree is not a good word to describe it though)
13:53
<annevk>
the roof :)
13:54
<annevk>
hasather, it's the best short word so far
13:54
<annevk>
hasather, though very novel afaict
13:55
<annevk>
and it might confuse people who are into this: http://en.wikipedia.org/wiki/Supertree
13:56
<hasather>
annevk: yea, saw that too
13:57
<Philip`>
"subtree" sounds confusing because you'd think it's a tree with branches, when acually it's just a list
13:59
Philip`
has a book where "ancestor" includes the node itself, and "proper ancestor" doesn't
14:02
<annevk>
subtree is standard terminology
14:02
<annevk>
interesting
14:03
<Philip`>
subtree is standard when referring to the tree formed by the descendants of a node, but not when referring to the chain of ancestors, I think
14:05
<annevk>
we'd use supertree for the the ancestor part
14:06
<Philip`>
"supertree" sounds confusing because you'd think it's a tree with branches, when actually it's just a list
14:07
<annevk>
alternatives?
14:07
Philip`
would probably assume the supertree is the largest tree that contains the given node (i.e. the one rooted at the most distant ancestor)
14:10
<Philip`>
If "ancestor" is already defined to exclude the node itself, "ancestor or self" doesn't sound too bad (it's a bit ugly but short and clear), or maybe "inclusive ancestor"
14:13
<annevk>
inclusive ancestor sounds rather clear and works a bit better in this context
14:16
<woef>
As someone who has no idea what you guys are talking about, "ancestor and self" is much easier to understand than "inclusivve ancestor"
14:19
<annevk>
true enough, but understanding this term is the least of your worries when you implement range
14:19
<Philip`>
The term (and "ancestor" by itself) should be linked to a precise definition, so I guess it's not too bad if people have to click the link to find what you mean
14:20
<Philip`>
(It'd be worse if they thought they knew what it meant, so they didn't check the definition, but actually had the wrong idea)
14:21
<woef>
"Let's name it something nobody will be certain to understand and force them to look for the proper definition"
14:21
<Philip`>
Call it "concept #382"
14:21
<woef>
That needs some usability testing :p
14:21
<woef>
Philip`: hehe
14:24
<Philip`>
Then you just define "Concept #382: A concept #53 that is the target concept #53 or a concept #197 of it", and "Concept #197: A concept #53 that is a concept #382 of the target concept #53 but is not the target concept #53 itself", etc
14:25
<woef>
And throw in some false links to make sure they're paying attention and not just clicking along.
14:41
<annevk>
I guess I should land Range before I make too many changes so people can follow on what is being changed
14:50
<annevk>
went from 37 to 44 pages
14:51
<annevk>
Should AryehGregor become co-editor of DOM Core now? I guess that would be a bit too unwieldy
14:51
<zcorpan>
annevk: shouldn't it be s/and/or/ in https://bitbucket.org/ms2ger/dom-core/changeset/e126979296ce ?
14:57
<annevk>
why?
15:00
<hsivonen>
hmm. so IGs "endorse" bugs
15:06
<zcorpan>
annevk: because it now says that objects that implements all of those interfaces are nodes
15:06
<zcorpan>
annevk: whereas if an object implements only one of them is not a node
15:07
<zcorpan>
hsivonen: which bug?
15:11
<annevk>
thanks
15:20
<Ms2ger>
annevk, if you feel like updating Selection for your changes... ;)
15:20
<hsivonen>
zcorpan: http://lists.w3.org/Archives/Public/public-html/2011Sep/0004.html
15:21
<AryehGregor>
annevk, go ahead and merge Range in, sounds good to me.
15:22
<annevk>
Ms2ger, I was about to say, and then I got that email, damnit
15:22
<AryehGregor>
Don't take the Selection stuff, obviously.
15:22
<annevk>
right
15:22
<annevk>
I haven't
15:22
<AryehGregor>
I'll take that at some point soonish.
15:22
<AryehGregor>
Oh, I see, you took it already.
15:22
<AryehGregor>
Good.
15:25
<zcorpan>
hsivonen: thanks
16:10
<zcorpan>
heycam: hey. http://dev.w3.org/2006/webapi/WebIDL/#es-attributes - why does it say "Otherwise, it exists on the interface’s interface prototype object or on every object that implements the interface." ? why leave a choice between having it on the prototype and having it on the object?
16:38
<dglazkov>
good morning, Whatwg!
16:42
<annevk>
hey hey dglazkov
17:28
<espadrine>
good evening, dglazkov!
17:30
<dglazkov>
annevk: do you like to travel?
17:30
<annevk>
I do
17:31
<annevk>
weird habbit :)
17:31
<annevk>
habit(sp?)
17:31
<Ms2ger>
hobbit
17:32
<annevk>
too tall for a hobbit
17:32
timeless
makes that typo too
17:32
<annevk>
would love a home like Bilbo though
17:32
<timeless>
rabbit hobbit habit
17:33
<timeless>
annevk: your irc client doesn't have a spell checker?
17:33
timeless
is using Nightly's spell checker (w/ freenode-webchat)
17:33
<annevk>
yeah (ctrl+t, enter word, hit enter, and see what Google says), but I don't always use it
17:34
<timeless>
eww
17:34
<timeless>
i do ctrl+t, e, down, enter, type word
17:34
<timeless>
e = https://encrypted.google.com/
17:35
<timeless>
but that's only when i don't have a text field available for Gecko's spellchecker
17:35
<annevk>
http://evolutionofweb.appspot.com/ is pretty cool
17:36
<timeless>
shiny
17:36
<MikeSmith>
nice
17:36
<MikeSmith>
annevk: who made that?
17:36
<annevk>
found it at http://chrome.blogspot.com/2011/09/happy-third-birthday-chrome.html
17:37
<MikeSmith>
ah great
17:37
<timeless>
it doesn't speak spanish :(
17:38
<hsivonen>
MikeSmith: looks like something Google contracted out
17:38
<timeless>
hrm
17:38
<timeless>
the screenshots of opera are odd
17:38
<MikeSmith>
hsivonen: OK
17:38
<hsivonen>
What's the deal with Netscape not having releases before 4
17:38
<timeless>
opera v1 screenshot is w3.x
17:39
<timeless>
but 2.1 is a screenshot from wXP or newer
17:39
<timeless>
and 3 is from w7
17:39
<timeless>
but 4 is from 9x
17:39
<hsivonen>
also, Firefox 3.6 is missing
17:40
<hsivonen>
as well as some significant Safari point releases
17:40
<hsivonen>
and significant Opera releases
17:40
<timeless>
there's a "credits and sources" link in the left bar at the bottom
17:40
<hsivonen>
so, unfortunately, this doesn't work as a more complete "Modern browsers ship" visualization :-(
17:41
<timeless>
they're also missing ie1/2
17:41
<zewt>
these wavy lines are a bit too mysterious
17:41
<timeless>
but yeah, theyreally should have netscap 1, 2 and 3
17:41
<hsivonen>
and the mozilla suite
17:41
<timeless>
they quasi cover that w/ netscape versions 6..8
17:41
<timeless>
but yeah
17:42
<timeless>
have people followed the diginotar coverage?
17:42
<Ms2ger>
annevk, did you file a bug on HTML for the "root" thing?
17:42
<hsivonen>
also, the colored band for Java gets wider over time
17:42
<annevk>
Ms2ger, no
17:42
<hsivonen>
timeless: somewhat followed
17:43
<timeless>
hsivonen: it's interesting that there was an addons cert
17:43
<timeless>
i wonder if it'd be reasonable for browser vendors to add a requirement for all cas that want to list of the form:
17:43
<annevk>
Ms2ger, HTML uses concept-tree-root in a different manner?
17:43
<hsivonen>
timeless: addons cert?
17:43
<timeless>
if you ever try to issue a cert for any of our properties, you must contact us
17:43
<timeless>
http://www.computerworld.com/s/article/9219663/Hackers_may_have_stolen_over_200_SSL_certificates
17:44
<annevk>
Ms2ger, I do think we should maybe add subtree and root subtree for HTML
17:44
<timeless>
> Mozilla confirmed that a certificate for its add-on site had been obtained by the DigiNotar attackers. "DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July
17:44
<Ms2ger>
annevk, I copied the definition from HTML
17:44
<hsivonen>
timeless: It seems like a no-brainer that CAs should check if the hostnames they are minting certs for already have certs from someone else
17:45
<timeless>
hsivonen: sadly
17:45
<timeless>
as for profit companies
17:45
<timeless>
it's in your interest to steal your competitor's customers
17:45
<zewt>
how exactly can you tell if someone already has a certificate? heh
17:45
<Philip`>
They informed Mozilla in July, or they informed Mozilla now that they knew they issued fraudulent certs in July?
17:45
<timeless>
zewt: pretty easy
17:46
<timeless>
if i ask for a cert for super.example.com
17:46
<timeless>
then you try to visit https://super.example.com
17:46
<timeless>
if you can connect securely, then someone has a cert! :)
17:46
<timeless>
Philip`: my guess is informed nowish
17:46
<zewt>
i have certs that i don't use for https
17:46
<timeless>
and revoked in july
17:46
<zewt>
(ftp, etc)
17:47
<Philip`>
Shouldn't there be some requirement that if they revoke certs (presumably because they know they were invalidly issued), they at least inform the rightful owners of those domains (immediately, not a month later)?
17:47
<timeless>
Philip`: yeah well, um
17:47
<zewt>
can someone have an epiphany and come up with a new signing system that fixes the increasing breakage we have now, heh
17:47
<timeless>
i don't think i've ever seen that in requirements
17:47
<timeless>
mozilla has a crypto policy newsgroup
17:48
<timeless>
it can be proposed
17:48
<timeless>
and i'd imagine it'd get pretty decent support
17:48
<Philip`>
Seems like it's important to make it more expensive for a company to cover up its mistakes than for it to admit to them immediately
17:48
<timeless>
zewt: we don't have increasing breakage
17:48
<timeless>
so much as more people willing to spend the minimal effort to attack a system
17:49
<timeless>
Philip`: oh, that we're doing
17:49
<zewt>
sure we do; more and more entities with the ability to sign certificates; certificate exception dialogs becoming more and more pointlessly annoying :)
17:49
<timeless>
mozilla & co have killed diginotar
17:49
<timeless>
zewt: you played that card earlier
17:49
<timeless>
please don't replay a previously played card :)
17:50
<zewt>
perfectly valid when the card is correct :P
17:50
<Philip`>
Would the same killing have happened if they had admitted it immediately? (in which case they'd have no incentive to not try hiding it)
17:50
<timeless>
(there's a Hixie quote to be made here)
17:50
<timeless>
Philip`: past experience w/ CAs who have screwed up and fessed up hasn't resulted in death
17:51
<timeless>
which indicates, more or less, if you are honest and forthcoming you have historically gotten leeway
17:51
<Philip`>
I suppose that's good, then
17:51
<Philip`>
(although less good than if they didn't screw up)
17:51
<timeless>
past experience is of course not a commitment to future behavior
17:51
<timeless>
but, the goal is to provide carrot and stick
17:52
<timeless>
we've played carrot a few times, and stick once (now)
17:52
<zewt>
that's another breakage of the system: if a CA screws up and is dropped from browsers, there may be a *lot* of collateral damage
17:52
<timeless>
zewt: in this case, Vasco (recent parent of diginotar) indicated it has minimal business in this area
17:52
<zewt>
not frequently, but it's unpleasant that the possibility exists (of course, it's inherent to the system we have)
17:52
<timeless>
i haven't checked on their pricing model, but you should be able to calculate customer count
17:53
<zewt>
(not to suggest i know of any alternative model that doesn't have all of these problems, of course)
17:53
<timeless>
and yes, ideally those customers will ask for money back from their vendor (diginotar)
17:53
<timeless>
and take their business elsewhere (quickly, or lose customers while they dawdle)
17:54
<timeless>
anyway, that's the best economy i can offer today
17:54
hsivonen
wonders if phone vendors are taking any action to zap diginotar from the stock browsers on their phones
17:54
<timeless>
hsivonen: generally no
17:54
<timeless>
speaking from experience at nokia
17:54
<timeless>
we asked about issuing updates
17:54
<timeless>
and were turned down
17:54
<hsivonen>
timeless: yeah, it looks like only iPhone and the Nexus series get any reasonable updates
17:54
<timeless>
(This was from the previous CA disaster, and we sent things up the flagpole as hard as we could)
17:55
<timeless>
i can't speak for my current employer
17:55
<hsivonen>
though I don't know if either iOS or Android on Nexus got updates following the Comodo case
17:55
<timeless>
hrm, although i could test a current build of our platform :)
17:56
<timeless>
(for the record, previous disaster = comodo)
17:57
<hsivonen>
I wish companies that ship mobile OSs acted more like real software vendors
17:57
<timeless>
oh, fwiw MS hasn't gotten around to sending out kill bits for wXP
17:57
<timeless>
(ms would kinda like people to stop using XP...)
17:58
<zewt>
i've never even seen a browser update in android of any kind except during a full OS update
17:58
<timeless>
the problem w/ classic hardware vendors is that they're hardware vendors
17:58
<zewt>
it's bizarre but google doesn't seem to care much about the android browser
17:58
<timeless>
they, like CAs don't have recurring revenues from past customers
17:59
<timeless>
and thus the cost of doing support/maintenance is something which isn't factored in and doesn't make sense to them
17:59
<zewt>
CAs do, since certs expire
17:59
<timeless>
zewt: yeah, technically CAs do
17:59
<timeless>
but only kinda
17:59
<zewt>
heh reminds me of some fraud godaddy has
17:59
<zewt>
they automatically set your cert to auto-renew (at the full rate, like $50/year), without asking or telling you
17:59
<zewt>
(presumably buried in some 100-page "agreement")
18:00
<zewt>
you have to go through a zillion menus to even find that it's on and get rid of it
18:00
<hsivonen>
timeless: I wonder how many iPod Touch users bought OS updates. Has it been proven that mobile hardware companies cannot sell software updates?
18:00
<timeless>
hsivonen: i didn't buy my update
18:00
<hsivonen>
timeless: Apple has managed to sell software updates for desktop/laptop hardware
18:01
<timeless>
the license agreement for my Finnish iPod as presented by iTunes was in Finnish
18:01
<timeless>
and thus, I couldn't accept it
18:01
<timeless>
so, i never bought the update
18:01
<timeless>
i'm now in .CA
18:01
<hsivonen>
timeless: you are weird
18:01
<zewt>
heh
18:01
<Philip`>
When the TLS stuff was designed, was it expected that the response to fraudulent certificates would require multiple independent software vendors to ship updated versions, or was there meant to be a more elegant/robust way of handling it?
18:01
<zewt>
software loves showing me things in japanese, even though my system language is english (because they incorrectly use the system codepage)
18:01
<timeless>
and once I get around to plugging in one of my computers (probably my G5), I'll see about buying the update
18:01
<hsivonen>
timeless: (so am I. I, too, today rejected a piece of software due to not having the time to wade through their legal stuff)
18:01
<hsivonen>
(software from cisco)
18:02
<timeless>
Philip`: do you mean TLS or SSL?
18:02
<Philip`>
timeless: I don't know
18:02
<timeless>
TLS is a rather recent thing (since it's SSL3.1/3.2)
18:02
<Philip`>
timeless: Whatever makes the question make most sense
18:02
<timeless>
the assumption in PKI / SSL
18:02
<timeless>
was that the vendors would be few
18:02
<timeless>
and would have decent and proper CRLs
18:03
<timeless>
there was a limited amount of handwaving involving how CRLs would be deployed to devices
18:03
<timeless>
but it mostly assumed devices would be connected enough to be able to retrieve them
18:03
<timeless>
it also mostly assumed that you wouldn't have Rogue Countries
18:03
<timeless>
or rather
18:03
<timeless>
it accepted that you couldn't defeat a Rogue Country if you wanted to
18:03
<timeless>
and thus it was out of scope
18:04
<timeless>
Basically, if the US wanted to do something evil in VeriSign or RSA or whichever, it was assumed it could, but that was a risk one was willing to take
18:04
<timeless>
plus in the US at least, sunshine and leaks were probably assumed to catch such things
18:05
<timeless>
which actually is still applying to the current Rogue Countries
18:05
<timeless>
as zewt notes, the system we have is the best anyone can really think of to date
18:05
<timeless>
it isn't perfect
18:06
<hsivonen>
when VeriSign bought Network Solutions, I sent my bank a question asking them what they are going to do now that the entity that can tamper with DNS and the entity that guards against DNS tampering are the same
18:06
<hsivonen>
they actually forwarded it to someone technical
18:07
<hsivonen>
who called me and said the situation wasn't good but they'd just acknowledge the situation and their powerlessness about it
18:10
<AryehGregor>
timeless, there's an easy solution: pin particular CAs for sites, using STS. AFAIK, Chrome already does this for Google sites, so anyone who tried to use the forged cert against Chrome users would trigger unrecoverable failure.
18:10
<timeless>
hsivonen: you're looking forward to DNSSEC, eh? :)
18:11
<AryehGregor>
Alternatively, get certs-via-DNSSEC working properly and supported in all browsers, then only allow that.
18:11
<AryehGregor>
For sites that opt in.
18:11
<timeless>
AryehGregor: you didn't read https://twitter.com/#!/moxie__/statuses/108567203829387264 ?
18:11
<hsivonen>
timeless: actually I am considering that the current system already fails if the curator of the root goes rogue
18:11
<zewt>
of course, it seems more likely that dnssec will be implemented, and both dnssec and tls certs will be accepted for most sites, giving two independent trees which are both points of failure...
18:12
<AryehGregor>
timeless, you can remove registrars with DNSSEC. Why not? Just have the registrar one step up revoke the cert, or not renew it.
18:12
<AryehGregor>
zewt, you could have a DNSSEC record that says "only use DNSSEC certs to access this site".
18:12
<hsivonen>
AryehGregor: did you read the whole tweet thread with Moxie and Dan Kaminsky?
18:12
<AryehGregor>
Or, just use STS and bake a list of sites and approved CAs for each site into the browsers.
18:12
<AryehGregor>
hsivonen, no.
18:13
<hsivonen>
AryehGregor: looks like we are going to have to replay it here
18:13
<timeless>
heh
18:13
<zewt>
but is there a TLS equivalent to say "never use dnssec"?
18:13
<hsivonen>
AryehGregor: https://twitter.com/#!/moxie__/status/108331615004000256
18:13
<AryehGregor>
zewt, you can use STS and have all browsers ship with hardcoded lists of all major sites (i.e., all likely attack targets).
18:14
<timeless>
hsivonen: appreciated, since i'm not a fan of twitter
18:14
<AryehGregor>
hsivonen, nothing is realistically going to protect us against ICANN or the IANA going bad, unless we abandon centralized DNS.
18:14
<zewt>
special casing to make the rest of the world second-class citizens? that's horrible
18:15
<AryehGregor>
hsivonen, basically they're not likely to do bad stuff unless the US forces them to, and if the US wants to learn about Google sites it has easier ways to do that.
18:15
<AryehGregor>
Like subpoenas.
18:15
<AryehGregor>
I mean, it's a possibility, but you can't defend against everything.
18:16
<AryehGregor>
Stopping Iran from intercepting Google-bound traffic is feasible, stopping the US or VeriSign from doing it is not so feasible.
18:16
<hsivonen>
zewt: umm. the rest of the world is already second-class even on the legislative level
18:17
<AryehGregor>
Heck, the US government could nationalize Google if it really felt like it. Eminent domain, right?
18:17
<timeless>
technically yes
18:17
<zewt>
...
18:17
<Philip`>
Are there ways to independently verify that browser vendors aren't doing bad stuff (like shipping binaries which whitelist some fake certificates), so that they're unlikely to be a point of failure?
18:18
<zewt>
my website should not be a second-class citizen compared to any other website
18:18
<AryehGregor>
If the scenario you're worried about is the US government doing evil things to US corporations, I'm pretty sure you lose either way.
18:18
<AryehGregor>
zewt, the list could be one that anyone can add themselves to.
18:18
<timeless>
Philip`: well, mostly
18:18
<timeless>
certainly with firefox you can build it yourself
18:18
<timeless>
and compare what you have against what is shipped
18:18
<AryehGregor>
E.g., it could just be a matter of Googlebot finding STS headers and building a list of all the ones with suitably long expiration dates.
18:18
<AryehGregor>
And publishing it.
18:18
<zewt>
... but then you're just expanding the problem, since now you have to verify that whoever's modifying that record is authorized to do so
18:18
<zewt>
back to square one
18:19
<AryehGregor>
That's the browser vendor, who you have to trust anyway.
18:19
<AryehGregor>
They could be installing a backdoor for all you know.
18:19
<timeless>
it's moderately painful since firefox has whole-program-optimization
18:19
<AryehGregor>
Entities you realistically have to trust to some degree here: the US government, your browser vendor, your OS vendor, possibly your computer's manufacturer.
18:20
<timeless>
woohoo
18:20
<AryehGregor>
Entities you should not have to trust: every single two-bit company in the world that gets certified as a CA by someone.
18:20
<timeless>
after 1 email and ~1minute, i can now see bug reports i file myself!
18:20
timeless
likes this company
18:20
<timeless>
at nokia, it'd probably have taken a month :)
18:20
<timeless>
or 3
18:20
<timeless>
or 9
18:20
<timeless>
(possibly just getting a reply saying "do you still need this?")
18:21
<Ms2ger>
And why?
18:21
<AryehGregor>
Why what?
18:21
<Ms2ger>
Why one would want to see such bug reports
18:23
<zewt>
(i don't understand the question--of course you want to be able to see your own bug reports)
18:24
<hsivonen>
zewt: Opera seems to disagree :-)
18:24
<zewt>
causing me to not (often) submit opera bug reports :)
18:24
<zewt>
(but we've been over that :)
18:24
<timeless>
Ms2ger: why would one want to see one's own bug reports?
18:24
timeless
shrugs
18:24
<AryehGregor>
If I have long-running scripts, how can I stop the long-running script alerts? Is there some simple way I can spin the event loop in the middle or similar?
18:24
<timeless>
zewt: i switched to sending opera bug reports by email to opera employees
18:25
<timeless>
they reply eventually with updates :)
18:25
AryehGregor
sends them by IRC in this channel
18:25
<timeless>
(this also more or less works for google bug reports)
18:25
<Ms2ger>
setTimeout(..,0)?
18:25
<zewt>
AryehGregor: run a synchronous xhr to a php script that pauses? :P
18:25
<AryehGregor>
zewt, :(
18:25
<Ms2ger>
zewt--
18:25
<Philip`>
Maybe you could use alert() to spin the event loop
18:25
<AryehGregor>
Ms2ger, will that slow stuff down if I do it a lot?
18:25
<zewt>
alert("Please click OK")
18:25
<timeless>
AryehGregor: on Gecko you can use a magic thing
18:25
<AryehGregor>
Like by interpreting 0 as 15 or something?
18:26
<timeless>
generators
18:26
<timeless>
if you can manage to get them to work
18:26
<Ms2ger>
4, and only if nested, AIUI
18:26
AryehGregor
observes that if the tab is in the background, Chrome doesn't whine about long-running scripts, so doesn't see that it's worth the effort
18:26
<zewt>
well, the theory is if you have long-running scripts they should be in workers
18:26
<zewt>
of course, that's often hard in practice
18:28
<timeless>
anyone here have /. mod points?
18:28
timeless
needs something down-modded
18:30
Philip`
appears to have 13
18:30
<timeless>
http://it.slashdot.org/comments.pl?sid=2407244&cid=37271796
18:32
<Philip`>
Why do you object to that?
18:32
<timeless>
one sec
18:33
<zewt>
"Educate people" heh
18:33
<timeless>
eh? this would only fix something if the certificate client hard fails when it can't get CRL or OCSP working and only if mapping diginotar.nl happened to magically map www.diginotar.nl (which is where some of the CRLs live), plus service.diginotar.nl validation.diginotar.nl crl.pkioverheid.nl (which are home to OCSP/CRLs)
18:33
<zewt>
any security mechanism that requires educating users fails
18:33
<timeless>
Philip`: ^ is my response, but basically that hosts line doesn't do anything
18:35
<hsivonen>
386 time clearly
18:35
<timeless>
?
18:36
<Ms2ger>
xkcd.com/386
18:37
<timeless>
oh yes
18:37
<timeless>
that's one of only 3 my browser knows
18:41
<hsivonen>
timeless: I'm quickly losing my DNSSEC enthusiasm as I read more about it
18:42
<hsivonen>
(my SIP enthusiasm also went down when I started reading about SIP)
18:43
AryehGregor
is still insufficiently disillusioned, perhaps
18:43
AryehGregor
is still enthusiastic about DNSSEC :)
18:45
AryehGregor
sighs very loudly about CSSOM incompatibilities
18:45
Ms2ger
makes AryehGregor a co-editor
18:46
<AryehGregor>
Is anyone even trying to follow this? http://dev.w3.org/csswg/cssom/#serializing-css-values
18:46
<AryehGregor>
It seems way too vague to follow anyway. "Where CSS component values of the value can be omitted without changing the meaning of the value (e.g. initial values in shorthand properties), omit them. If this would remove all the values, then include the first allowed value."
18:46
<AryehGregor>
This needs to be defined inline with each property, methinks.
18:46
AryehGregor
works around it, grumble grumble
18:48
<hsivonen>
AryehGregor: DNSSEC does seem attractive as a defense against small-time wifi hijacking, though
18:48
<AryehGregor>
It has a lot of uses.
18:49
<AryehGregor>
That's one, yeah.
18:49
<AryehGregor>
I'm also excited about being able to have TLS without extra CAs.
18:50
<zewt>
also if it allows delegating subdomains
18:50
<zewt>
the inability to do that with tls is ridiculous
18:51
<hsivonen>
btw, now that Moxie got mentioned: what's the business model of Whisper Communications? how do they make money?
18:58
<smaug____>
is Hixie the only one who has access to the server which has acid3 test?
18:58
<AryehGregor>
smaug____, I assume so.
18:59
<hsivonen>
smaug____: I believe there are others who can access the *server* but probably not the relevant directory
18:59
<smaug____>
that is unfortunate
18:59
<AryehGregor>
Why?
19:00
<smaug____>
is something happens to Hixie
19:00
AryehGregor
discovers that he massively messed up his clipboard somehow by trying to copy and paste something huge into a terminal on a remote server
19:00
<smaug____>
but anyway, I wait Hixie to change the test
19:00
<AryehGregor>
If something happens to Hixie and his Dreamhost account goes down, yeah, that will be fun. :)
19:00
<hsivonen>
smaug____: good luck. :-/
19:00
<AryehGregor>
Tons of stuff is on that. Like whatwg.org.
19:00
<smaug____>
hsivonen: I think this change is agreed
19:00
<hsivonen>
smaug____: nice
19:01
<smaug____>
doctype.ownerDocument test should be removed
19:03
<timeless>
hsivonen: sorry to hear that re SIP
19:03
<timeless>
yeah, i'm not sure where i stand on SIP
19:03
<timeless>
i like it in theory, and some of my devices do a good job
19:03
<timeless>
but sadly the uptake of classic SIP just isn't there
19:03
<timeless>
for a while, Skype was the best hope
19:04
<timeless>
there actually was some progress on that front, someone is selling Skype ATAs - http://voip.about.com/b/2011/09/01/skype-gets-fully-residential.htm
19:06
<timeless>
so...
19:06
<timeless>
i'm not really sure how dnssec is much different from having decent Sub CAs offered by each ISP
19:06
<timeless>
or rather each DNS registrar
19:07
<timeless>
not actually a Root CA, just a sub CA
19:07
<timeless>
hsivonen: does whisper charge for speaking engagements? :)
19:12
<zewt>
guhh
19:12
<zewt>
gmail just logged me out *while i was writing an email*
19:12
<AryehGregor>
Is a draft saved, at least?
19:12
<zewt>
yeah
19:12
<zewt>
it's not even "we logged you out because", it's just surprise! you're at the login page
19:14
<timeless>
zewt: at least your message was saved
19:14
<timeless>
i've had other webmail things which helpfully eat my message
19:15
<timeless>
and yeah, i've hit that logged out case w/ gmail
19:21
<timeless>
hsivonen: hrm
19:21
<timeless>
one of my devices doesn't trust www.diginotar.com
19:21
<timeless>
or because of an update
19:21
<timeless>
of course, that could be because it never trusted it
19:24
<timeless>
err www.diginotar.nl
19:25
<timeless>
iirc some phone vendors are slow to add CAs
19:25
<timeless>
which in some cases is a good thing :)
19:35
<AryehGregor>
Nice, I froze the Chrome UI for once.
19:35
<timeless>
congrats
19:35
<AryehGregor>
By accidentally trying to paste a super-giant URL into the URL bar.
19:36
<AryehGregor>
(several hundred KB at least)
19:36
<AryehGregor>
(not actually a URL, just some random text)
19:36
<timeless>
so...
19:36
<timeless>
clipboard is actually somewhat special anyway
19:36
AryehGregor
has to force-quit
19:36
<timeless>
iirc there historically hasn't been a good async api for it or something
19:36
<timeless>
(at least on windows)
19:36
<AryehGregor>
First time that's happened to me in Chrome for a long time.
19:36
<AryehGregor>
I'm on Linux.
19:36
<timeless>
which meant one could get very stuck
19:36
<timeless>
oh, the story on x11 is probably worse
19:36
<timeless>
i don't think there are any good x11 apis :)
19:38
<zewt>
AryehGregor: heh, "view image" on a canvas in firefox does that
19:38
<zewt>
opens it as a gigantic data:
19:40
timeless
remembers a time when the urlbar would stop painting text when it got too much content
19:40
<zewt>
(doesn't crash, just chugs)
19:40
timeless
also remembers a time when too many characters in the urlbar would kill x servers
19:40
<timeless>
(there's at least one bugzilla bug on that in case people don't believe me)
20:09
<zewt>
am I the only one that finds the firefox "save password" thing almost always disappears before I can do anything with it now?
20:09
<zewt>
"save password? psyche!"
20:20
<AryehGregor>
. . . seriously? WebKit computes "font-style: oblique" to "font-style: italic"?
20:20
<AryehGregor>
http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!doctype%20html%3E%0A%3Cspan%20style%3Dfont-style%3Aoblique%3E%3C%2Fspan%3E%0A%3Cscript%3Ew(getComputedStyle(document.querySelector(%22span%22)).fontStyle)%3C%2Fscript%3E
20:20
<AryehGregor>
. . .
20:20
<Ms2ger>
Unsurprising
20:20
<AryehGregor>
Really?
20:30
AryehGregor
stabs browser CSSOM implementations. STAB STAB STAB STAB.
20:31
<AryehGregor>
Guess what node.style.length is for <span style="text-decoration: line-through">?
20:31
<AryehGregor>
. . . 4.
20:31
<AryehGregor>
-moz-text-blink, -moz-text-decoration-color, -moz-text-decoration-line, -moz-text-decoration-style.
20:31
<AryehGregor>
This is a regression, too, I'm pretty sure.
20:31
AryehGregor
works around it, grumble grumble
20:34
<AryehGregor>
Could someone check what this outputs in Firefox 4 and/or 5 and/or 6 and/or 7 for me? http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!doctype%20html%3E%0A%3Cspan%20style%3Dtext-decoration%3Aline-through%3E%3C%2Fspan%3E%0A%3Cscript%3Ew(document.querySelector(%22span%22).style.length)%3C%2Fscript%3E
20:34
<AryehGregor>
In 8 it's 4.
20:34
<AryehGregor>
It should be 1.
20:35
<Philip`>
In 6.0 it's 4
20:35
<AryehGregor>
Hmm, so not a recent regression.
20:35
<Philip`>
6.0 is pretty recent
20:35
<AryehGregor>
Conceivably it's been since 4 or 5, yeah.
20:36
<annevk>
AryehGregor, want to take over CSSOM?
20:36
<AryehGregor>
annevk, no. Have no time.
20:36
<AryehGregor>
More than enough editing stuff to do for now.
20:36
<AryehGregor>
Maybe someday.
20:36
<annevk>
AryehGregor, the serializing stuff is going to be taken over by the individual modules btw
20:36
<AryehGregor>
Yeah, it definitely should be.
20:36
<AryehGregor>
There needs to be a central place where it defines some useful primitives, but for nontrivial properties the details need to be specced per-property.
20:37
<annevk>
if you have details for the primitives and the grammar you should be okay
20:38
<annevk>
which is what CSSOM has now, it's just not very detailed (and the way CSS is written makes it hard to hook into things)
20:43
<zewt>
when at first you don't succeed, mail listserv commands to the list again
20:43
<zewt>
(don't most lists try to detect that and stop it?)
20:52
<annevk>
karlcow, don't get your comment on twitter
21:18
<AryehGregor>
jgraham, did you ever figure out why testharness.js was producing no output for my reflection tests anymore?
21:19
AryehGregor
is observing something similar in another file too, it seems
21:19
<AryehGregor>
Oh, never mind for the other thing.
21:20
<AryehGregor>
I wasn't running the tests before the load event.
21:20
<AryehGregor>
Reflection tests are still a question, though. :)
21:36
<AryehGregor>
. . . How is a JS file's encoding determined?
21:45
<annevk>
AryehGregor, based on the referring file, BOM, HTTP
21:45
<annevk>
and maybe a charset attribute on <script>
21:45
<annevk>
(not in that order)
21:45
<AryehGregor>
In what order of precedence?
21:47
<annevk>
HTTP, charset="", BOM, referring file
21:47
<annevk>
defined in HTML
21:48
<AryehGregor>
k, thx.
21:49
<zewt>
bom in .js? D :
21:57
<annevk>
WRONG_DOCUMENT_ERR is actually useful for Range, who'd have thought
21:58
<AryehGregor>
Is it?
21:58
<AryehGregor>
When is it thrown?
21:58
<AryehGregor>
compareBoundaryPoints.
21:58
<annevk>
comparePoint throws it per spec
21:58
<AryehGregor>
Makes sense there, I guess.
21:59
<AryehGregor>
Would make more sense to return a special value, but okay.
21:59
<annevk>
yeah dunno, I haven't actually tested any of this
21:59
<AryehGregor>
You noticed I have like a zillion Range tests?
21:59
<AryehGregor>
You should steal those.
21:59
<AryehGregor>
(note: they might be slightly hard to understand in some cases)
21:59
<AryehGregor>
(note: that also might be an understatement)
22:00
<AryehGregor>
https://bitbucket.org/ms2ger/dom-range/src/tip/test/
22:00
<AryehGregor>
Nothing tests compareBoundaryPoints yet, though, it looks like.
22:01
<annevk>
yeah cool
22:01
<annevk>
guess we should move those to the DOMCore repo at some point
22:02
<AryehGregor>
It would make sense.
22:04
<nlogax>
might as well ask here too. :) can i get rid of the default drag&drop cursor? (a green (+) thingie on os x, some equally ugly thing on windows)
22:04
<nlogax>
other than setting dropEffect
22:58
<roc>
grr ... why is offline GMail a Chrome app and not a Web app? https://chrome.google.com/webstore/detail/ejidjjhkpiempkbhmpbfngldlkglhimk
23:03
<AryehGregor>
More general: why doesn't the Chrome Web Store support other browsers?
23:03
<AryehGregor>
"Sorry, we don't support your browser just yet. You'll need Google Chrome to install apps, extensions and themes."
23:03
<AryehGregor>
That makes it sound like they intend to add support eventually, but . . .
23:06
<AryehGregor>
I imagine they will add support for other browsers eventually, since to do otherwise seems inconsistent with their general approach to the web. But it's pretty annoying that they seem not to view that as urgent.
23:06
AryehGregor
has no more idea than anyone what the Chrome Web Store or Gmail people are thinking, obviously
23:07
<roc>
who knows, but there must certainly be a huge temptation to follow Apple and Microsoft into proprietary app stores
23:08
<AryehGregor>
Why? Google makes virtually all its money off ads, and Firefox displays ads as well as Chrome does.
23:09
<AryehGregor>
What money it does make directly off the store will only be increased if it allows more browsers to use it.
23:10
<AryehGregor>
Unlike Microsoft and Apple, Google doesn't have a history of trying to obtain lock-in, and in fact has often tended to do the opposite -- make switching to other services as easy as possible.
23:10
<AryehGregor>
E.g., Gmail supports unlimited forwarding, IMAP, etc. out of the box, which (AFAIK) some other major webmail providers don't.
23:11
<roc>
yeah, they've been good
23:11
<roc>
but if they get lots of good stuff into the Chrome app store, then that increases Chrome usage
23:12
<roc>
and that translates into power over the Web, and app developers
23:12
<zewt>
google's mobile browser support has been terrible for web apps, in my experience
23:12
<zewt>
seems like they really don't care
23:13
<roc>
we'll see how things go down
23:13
<zewt>
just trying to implement a basic full-screen web app in android's browser (at least as of 2.3.x) is a nightmare
23:14
<roc>
but I really want offline GMail and I don't want to have to switch to Chrome to get it (nor do I want other people to have to switch to Chrome to get it, of course)
23:14
<zewt>
"installed web apps" should be considered an oxymoron
23:15
<zewt>
all of the "chrome apps" and all that nonsense just kills what's great about web apps
23:22
<roc>
offline GMail uses WebSQL, which is dead as a standard
23:22
<zewt>
(because using a language that every programmer in the world already intuitively understands is overrated; we Need More Wheels)
23:25
<jamesr_>
the new offline gmail uses websql? i thought it just used filesystem (although i'm not directly involved)
23:25
<roc>
in fact, the "SQL" every programmer in the world intuitively understands is different things to different people and often quite different to the SQLite 3.6.19 or whatever that WebSQL is
23:25
<roc>
jamesr_: khuey looked at it and that's what he says
23:25
<roc>
but regardless of the detabable merits of WebSQL, its deadness as a standard is a fact
23:26
<jamesr_>
good thing offline gmail isn't part of the web, then
23:27
<roc>
two wrongs don't make a right
23:27
<zewt>
roc: it doesn't matter if it's different in the details, the basic language (and most of the day-to-day as well) is well-understood, which makes learning variants easy
23:27
<AryehGregor>
roc, there's not any realistic alternative, though, given the low adoption so far of IDB. Not to mention the fact that it's staggeringly complicated to use for even the most trivial use-cases.
23:27
<jamesr_>
i have no idea what lead to that decision
23:27
<AryehGregor>
One line of localStorage that's instantly understandable to any web developer is so many lines of IDB that I've given up every time I tried it.
23:28
<roc>
AryehGregor: it is supported in Chrome though, so if you're going to write a Chrome app ...
23:28
<AryehGregor>
Well, true.
23:28
<zewt>
(similar to a major reason svn was so successful: it was very intuitive to cvs users, so you only had to learn the differences, where eg. git being so different gives it a much higher learning curve)
23:28
<AryehGregor>
But I suspect it's a lot harder to learn and use, especially given that anyone writing this sort of app already knows some sort of SQL.
23:29
<AryehGregor>
At least, I'm pretty sure I could pick up WebSQL a heck of a lot more easily.
23:29
<AryehGregor>
I wouldn't be surprised if WebSQL has way more features and better performance at this point, too.
23:30
<AryehGregor>
Not that I'm saying people should use WebSQL instead of IDB, but there are pretty clear reasons for doing so.
23:34
<AryehGregor>
Does anyone know if there's a Mozilla bug for supporting Node.contains()?
23:34
<AryehGregor>
If not, I'll file one.
23:35
<AryehGregor>
Found it: https://bugzilla.mozilla.org/show_bug.cgi?id=683852
23:37
<AryehGregor>
Okay, does anyone know what the status of my reflection tests are in the HTMLWG?
23:37
<AryehGregor>
They're still not "approved", it seems?