| 06:42 | <mathiasbynens> | Hixie: `includeSubdomains` makes sure that once the user visits https://whatwg.org/, *.whatwg.org is in the HSTS cache, and so entering `http://somesubdomain.whatwg.org/` or even `http://idontexist.whatwg.org/` in the address bar would go to HTTPS instantly without ever making a connection over HTTP |
| 06:43 | <mathiasbynens> | that’s important, because as soon as you hit HTTP a MitM attacker can just strip the redirect to HTTPS, or send a response that they control (e.g. phishing page) |
| 06:44 | <annevk> | mathiasbynens: how can they hijack idontexist.whatwg.org? |
| 06:47 | <mathiasbynens> | annevk: if `includeSubdomains` is not set, and the user enters the non-HTTPS URL |
| 06:47 | <mathiasbynens> | or another (attacker-controlled) page includes a resource from that domain or links/redirects to it over HTTP etc. |
| 06:51 | <mathiasbynens> | with `includeSubdomains`, as soon as the user visits any page on `whatwg.org`, HSTS kicks in for the entire domain including subdomains, and all future requests will go over HTTPS (even for subdomains that haven’t been visited before or that don’t resolve) |
| 06:52 | <mathiasbynens> | to get to the same level of safety when `includeSubdomains` is not set, the user would have to visit all the existing *.whatwg.org domains, including those that don’t even exist (→ ∞), assuming all subdomains send HSTS headers as well |
| 07:12 | <annevk> | mathiasbynens: is there some documentation on how an attacker would do that? |
| 07:12 | <annevk> | mathiasbynens: the RFC only mentions a cookie attack |
| 07:18 | <mathiasbynens> | annevk: it’s just a plain old MitM attack |
| 07:19 | <mathiasbynens> | moxie’s sslstrip talk explains the whole thing much better than i ever could http://www.thoughtcrime.org/software/sslstrip/ |
| 07:19 | <annevk> | mathiasbynens: not really, they'd have to MitM the DNS query |
| 07:20 | <mathiasbynens> | annevk: dns cache poisoning attacks are a thing |
| 07:22 | <annevk> | okay, so if we deployed DNSSEC we would not need includeSubdomains |
| 07:22 | <annevk> | of course, people could still be MitM for several subdomains that we chose not to have TLS on and DNSSEC doesn't actually work... |
| 07:29 | <mathiasbynens> | why can’t we switch all subdomains over? i missed this discussion |
| 07:36 | <zcorpan_> | mathiasbynens: namespaces |
| 07:37 | <mathiasbynens> | oh my |
| 07:43 | <zcorpan_> | there was also a demo page but i don't know why that can't be switched over or just nuked or moved to whatwg.org/demos |
| 07:47 | <annevk> | foolip: I think html-mirror might be down |
| 07:47 | <annevk> | foolip: I think the problem might be TLS |
| 07:49 | <annevk> | foolip: if you're using Python 2, the problem is Python not supporting SNI |
| 07:50 | <annevk> | mathiasbynens: http://krijnhoetmer.nl/irc-logs/whatwg/20140915#l-649 |
| 07:51 | <annevk> | mathiasbynens: also http://krijnhoetmer.nl/irc-logs/whatwg/20140915#l-918 |
| 07:52 | <hsivonen> | gsnedders: IIRC, the StartTLS ToS (which is called something other than ToS has subscriber obligations and, IIRC, you have the obligation to revoke if you believe the private key has been compromised) |
| 07:52 | <hsivonen> | oops. bad placement of ) |
| 07:53 | <annevk> | Hixie: https://spec.whatwg.org/ has a TLS error |
| 08:01 | <hsivonen> | oops. I almost removed an Encoding Standard encoding by accident |
| 08:01 | <hsivonen> | good thing I re-read my patch |
| 08:26 | <foolip> | annevk: yes, the git-svn stuff blew up, I'm looking at it now |
| 08:27 | <foolip> | because the URL changed, it can't figure out how to put it back together again :) |
| 08:27 | <foolip> | looking for a change other than rewriting the entire history |
| 08:31 | <annevk> | foolip: thanks, and sorry about that, unintended side effects |
| 08:31 | <annevk> | hsivonen: which bug is this? |
| 08:31 | <foolip> | annevk: do you know if Hixie rewrote everything to include data-revision="$Revision: 8770 $" at the top? |
| 08:32 | <foolip> | because my old mirror of that commit has that diff compared to a checkout of the same revision from https://... |
| 08:33 | <foolip> | or is $Revision$ some kind of magic that gets rewritten on the client only? |
| 08:33 | <annevk> | foolip: I doubt it, but I don't know for sure |
| 08:33 | <annevk> | foolip: I can tell you that on the WHATWG server SVN hasn't changed since 2011 |
| 08:34 | <annevk> | foolip: the SVN software that is |
| 08:34 | <annevk> | foolip: wait, did you not rewrite history to include those? |
| 08:34 | <annevk> | foolip: to keep web-apps-tracker working |
| 08:35 | <foolip> | annevk: I haven't noticed these $Revision$ things before |
| 08:36 | <foolip> | in the existing html-mirror, index and complete.html just say data-revision="$Revision$" |
| 08:37 | <foolip> | I guess this could be because I'm comparing a git-svn checkout with a plain svn checkout, maybe svn expands these things on the client side |
| 08:37 | <foolip> | I'll try a new git-svn clone to see what it looks like |
| 08:37 | <foolip> | Hixie: if you traffic from 37.139.17.34 is too much, let me know |
| 08:38 | <annevk> | foolip: I thought you added revision annotations in the git so I could extract them |
| 08:38 | <foolip> | annevk: you're probably thinking of the git-svn-id: http://svn.whatwg.org/webapps@8770 340c8d12-0b0e-0410-8428-c7bf67bfef74 line |
| 08:38 | <annevk> | ah yes |
| 08:39 | <foolip> | git-svn adds that by default, sadly it wasn't specially for you :) |
| 08:43 | <Philip`> | foolip: SVN does http://svnbook.red-bean.com/en/1.7/svn.advanced.props.special.keywords.html on the client side, if the file has the property svn:keywords="Revision" |
| 08:45 | <foolip> | Philip`: thanks |
| 08:46 | <Philip`> | $ svn propget svn:keywords index |
| 08:46 | <Philip`> | Revision |
| 09:13 | <annevk> | hsivonen: Philip`: jgraham: krijnhoetmer: mathiasbynens: gsnedders: matijs: zcorpan_: I take care of the http->https redirect now for all html5.org domains. You only have to set the HSTS header. Sorry for not figuring out I could do that earlier on. |
| 09:13 | <mathiasbynens> | annevk: thanks (and done) |
| 09:16 | <annevk> | mathiasbynens: writing a series of posts on TLS btw, thanks for the help so far :-) |
| 09:29 | <hsivonen> | annevk: should I go and remove the redirect from .htaccess? |
| 09:29 | <annevk> | hsivonen: yeah you can |
| 09:30 | <hsivonen> | annevk: ok. |
| 09:30 | <hsivonen> | annevk: the charset bug is https://bugzilla.mozilla.org/show_bug.cgi?id=997133 |
| 09:34 | <annevk> | hsivonen: ah so yeah, cyrillic should not be removed |
| 09:35 | <hsivonen> | annevk: right |
| 09:38 | <foolip> | annevk: I think I'll have it sorted soon. note that the http will change to https in the git-svn-id line, so make sure you're not matching on that |
| 09:42 | <hsivonen> | annevk: I removed the redirect and kept HSTS |
| 09:42 | <mathiasbynens> | ^ same here |
| 09:43 | <zcorpan_> | seems i had done it already |
| 10:02 | <annevk> | foolip: I think I am |
| 10:03 | <annevk> | foolip: I guess I can fix that somehow |
| 10:03 | <annevk> | foolip: https://github.com/whatwg/web-apps-tracker/blob/master/web-apps-tracker#L275 |
| 10:33 | <annevk> | foolip: fixed by adding a second --grep that checks for https, couldn't figure out regexp syntax |
| 10:35 | <annevk> | foolip: https://github.com/whatwg/web-apps-tracker/commit/62d433b92278c257d6305bc5f3970682967f30fa |
| 10:39 | <foolip> | annevk: html-mirror is now up to date and should be auto-updating |
| 10:40 | <annevk> | foolip: great, I also updated the commit hook from GitHub as GitHub does not deal with redirects |
| 10:41 | <foolip> | what redirect is that? |
| 10:43 | <annevk> | foolip: http->https |
| 10:44 | <annevk> | foolip: html5.org is also on TLS |
| 10:44 | <foolip> | oh, you had a commit webhook pointing at http://html5.org/something? |
| 10:44 | <foolip> | I never looked at that half of things :) |
| 10:46 | <annevk> | yes |
| 10:50 | <foolip> | annevk: btw, I'm going to get back to the fullscreen bugs any week now! I've been distracted by some other things for a while |
| 11:06 | <annevk> | foolip: Hixie filed some too |
| 11:08 | <hsivonen> | jgraham: so to address the review comment, I'll just add another commit to the same branch, right? |
| 11:09 | <zcorpan_> | hsivonen: yeah |
| 11:10 | zcorpan_ | assumes it's about critic |
| 11:11 | tantek | waves from London |
| 11:11 | <foolip> | annevk: about the removal problem, I had assumed that what the spec currently says would apply for any removal, even if it was a parent that's removed |
| 11:12 | <annevk> | foolip: that was the idea |
| 11:12 | <annevk> | foolip: might have to rephrase I guess |
| 11:17 | <hsivonen> | zcorpan_: ok. thanks |
| 11:45 | <mathiasbynens> | annevk: you can remove the `; preload` part once you’ve submitted your site to hstspreload.appspot.com |
| 11:46 | <mathiasbynens> | (which you’ve done) |
| 11:54 | <jgraham> | hsivonen: Yeah, as zcorpan_ said |
| 12:40 | <jgraham> | annevk: r? https://critic.hoppipolla.co.uk/r/2600 The actual tests were already reviewed by bz, so they should be correct |
| 12:40 | <foolip> | woah, HTML joins the others under .spec.whatwg.org :) |
| 12:41 | <foolip> | finally I can write URLs like https://html.spec.whatwg.org/#htmlmediaelement which are shortish and won't redirect |
| 12:41 | <jgraham> | Oh, Hixie fixed it! |
| 12:41 | <jgraham> | Hixie: Thanks! |
| 12:42 | <annevk> | jgraham: that's some confusing ID naming |
| 12:42 | <jgraham> | annevk: Yeah, not my tests |
| 12:43 | <foolip> | heh, https://html.spec.whatwg.org has a SHA1 cert, I guess they're cheaper? |
| 12:44 | <jgraham> | Some (many?) CAs only do SHA1 certs :( |
| 12:44 | <foolip> | jgraham: I guess you've seen the drama around Chromium's pending changes here? |
| 12:44 | <jgraham> | Yeah |
| 12:44 | <jgraham> | I can't get a SHA2 cert from Gandi at this point |
| 12:45 | <jgraham> | https://twitter.com/gandibar/status/509116131173748736 |
| 12:45 | <annevk> | foolip: the certificate is SHA-256 |
| 12:46 | <annevk> | foolip: which is the same for all of whatwg.org except the home page at the moment as Hixie has not replaced that one, but that is also not SHA-1 afaict |
| 12:46 | <foolip> | annevk: oh, it says that the connection is SHA1, I guess that's separate from the cert itself |
| 12:46 | <annevk> | foolip: yeah, DreamHost is bad at TLS |
| 12:47 | <annevk> | jgraham: hasn't that test already been reviewed as part of the patch to Gecko? |
| 12:47 | <foolip> | clicked some more and see that the cert has a SHA-1 and a SHA-256 fingerprint |
| 12:47 | <annevk> | jgraham: anyway, first half is okay... |
| 12:47 | <foolip> | anyway, I like the new URL |
| 12:49 | <annevk> | jgraham: critic also does not seem to remember I logged in |
| 12:49 | <annevk> | foolip: jgraham managed to convince Hixie to switch it over |
| 12:51 | <jgraham> | annevk: Thanks |
| 12:51 | <annevk> | jgraham: we should have a policy though that if it passes mozilla.org peer review, it can bypass critic |
| 12:52 | <annevk> | jgraham: though perhaps require a pointer to the public bug report where the review happened |
| 12:52 | <jgraham> | annevk: We do, but in this case I rewrote the tests to be in testharness.js format rather than mochitest format |
| 12:52 | <annevk> | I see |
| 12:52 | <jgraham> | So technically that change needs review |
| 12:56 | <annevk> | hsivonen: seems Google is doing something with EV: http://www.certificate-transparency.org/ev-ct-plan |
| 13:17 | <annevk> | JakeA: so when is TLS coming to jakearchibald.com? ;-) |
| 13:18 | jgraham | wonders if annevk's new role in life is to ask everyone one by one when they will adopt TLS |
| 13:18 | <annevk> | jgraham: I'll start with this channel; have you TLS'd? |
| 13:21 | <jgraham> | annevk: You already asked me :p |
| 13:23 | <annevk> | jgraham: no repeats? |
| 13:24 | <boogyman> | jgraham: haha |
| 13:24 | <annevk> | oh hey boogyman, using TLS? |
| 13:24 | <JakeA> | annevk: I'm promising myself this year. We'll see if that happens. |
| 13:25 | <annevk> | JakeA: I've just added it to several domains, it took quite a few hours |
| 13:25 | <boogyman> | Good afternoon, and not right now. I use DH for hosting too. |
| 13:25 | <jgraham> | annevk: I like to imagine you as like the guy in Hitchhikers who is insulting every being in the universe one by one, in alphabetical order. Except in your case it's only the subset that have inadequate TLS setups. |
| 13:25 | <annevk> | JakeA: but at least now you know that fetch.spec.whatwg.org is really the Fetch Standard and not some MITM shit |
| 13:26 | <darobin> | jgraham: that's still pretty much every being in the universe |
| 13:26 | <annevk> | At least I have some new questions to ask at parties |
| 13:26 | <jgraham> | darobin: Indeed, I'm not saying it's a proper subset |
| 13:26 | darobin | grinds his teeth at how his plan to MITM Fetch through captive portal hacking has been foiled |
| 13:27 | <annevk> | Do you utf-8? "Yes" Great! Do you TLS? "Euh" Sorry |
| 13:27 | <darobin> | I *so* wanted to replace that dumb arrow logo with a picture of Lassie |
| 13:27 | <jgraham> | Oh is that the new W3C approach? Make the WiFi at TPAC MITM whatwg.org to add W3C branding? |
| 13:28 | <darobin> | W3C branding? what for? I just wanted to change the green to a nicer change and inject silly jokes via the secondary logo |
| 13:28 | <darobin> | s/change/shade/ |
| 13:28 | <jgraham> | Oh well if you want to change the green then this is a plan that I can get behind |
| 13:29 | <jgraham> | TLS is clearly harmful |
| 13:30 | <zewt> | thread-local storage? heh |
| 13:36 | <JakeA> | annevk: \o/ I might bug you when I come to do it then |
| 13:37 | <annevk> | JakeA: yeah feel free; I decided to offer assistance to anyone who wants to try it out |
| 13:38 | <darobin> | annevk: mind mailing me your SSH key so I can set you up with a root account on my box? |
| 13:44 | <annevk> | https://twitter.com/annevk/status/511872386652962817 |
| 13:45 | <tantek> | congrats annevk! |
| 13:53 | <foolip> | annevk: "On the upside, they free for non-commercial usage" + offer? |
| 13:55 | <annevk> | foolip: fixed |
| 13:55 | <foolip> | also, sounds like not fun to be dutch with all the Van going on |
| 13:58 | <darobin> | hsivonen: word on the street is that you have a great recommended setup for TLS on nginx |
| 14:16 | <tantek> | darobin: see https://indiewebcamp.com/nginx#SSL_Setup and https://indiewebcamp.com/https#nginx |
| 14:34 | <zcorpan_> | annevk: irony: |
| 14:34 | <zcorpan_> | -<p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="https://www.w3.org/Icons/w3c_home" width="72"></a></p> |
| 14:34 | <zcorpan_> | +<p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p> |
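Review bot: the `+` line changes the logo's `src` from `https://www.w3.org/Icons/w3c_home` to `http://www.w3.org/Icons/w3c_home`, so a page served over HTTPS would load this image as mixed content; keep the `https:` URL in `src`. The `href` on the enclosing link is `http://www.w3.org/` on both lines and is left untouched by the change.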
| 14:38 | <darobin> | tantek: thanks! |
| 14:39 | <annevk> | zcorpan_: how did that happen? Outdated version of respec? |
| 14:39 | <annevk> | zcorpan_: euh, Anolis |
| 14:39 | <zcorpan_> | annevk: yeah |
| 14:39 | <tantek> | darobin no problem! we just did a pretty decent https sprint at IndieWebCampUK the weekend before last which I just happened to have blogged about a couple of hours ago. |
| 14:40 | <annevk> | tantek: so is tantek.com getting the TLS? |
| 14:40 | <darobin> | tantek: all I need do now is run a sprint with myself to get it set up |
| 14:40 | <tantek> | darobin - also, feel free to ask any follow-ups re: setting up https re: those pages/instructions on #indiewebcamp |
| 14:41 | <tantek> | darobin - come on by #indiewebcamp and you'll have folks actively wanting to help get you to https |
| 14:41 | <tantek> | annevk - only self-signed for my admin interface for the moment |
| 14:41 | <tantek> | I'm behind. I'm only at what we call "Level 2" https support (out of 5) https://indiewebcamp.com/https#Level_2_security |
| 14:42 | <annevk> | seems I'm Level 4 |
| 14:43 | <tantek> | you should add yourself :) https://indiewebcamp.com/https#Level_4_security |
| 14:45 | <darobin> | tantek: thanks, I might actually join. That said, I'll probably be fine, the only reason it's not there yet is because my ancient experience with Apache + SSL was horrible. But that was back then. |
| 15:04 | <mathiasbynens> | annevk: i’m not using https://wiki.apache.org/httpd/RedirectSSL as per that twitter dude’s suggestion – works well, and much simpler |
| 15:32 | <annevk> | mathiasbynens: does not look simpler, what am I missing? |
| 15:34 | <mathiasbynens> | annevk: well it simplifies my setup, where i use vhosts.conf to configure each domain on my server |
| 15:34 | <annevk> | mathiasbynens: if you have root that does seem better |
| 15:35 | <mathiasbynens> | ah, so you’re not root, gotcha |
| 15:36 | <annevk> | mathiasbynens: noted this solution in the post |
| 15:37 | <annevk> | mathiasbynens: so Eric Lawrence discovered that I'm now sometimes sending out the HSTS header twice |
| 15:37 | <mathiasbynens> | \o/ |
| 15:37 | <annevk> | mathiasbynens: I might be invoking PHP in two different ways :-( |
| 15:37 | <mathiasbynens> | example URL? |
| 15:37 | <annevk> | mathiasbynens: https://annevankesteren.nl/2014/09/tls-next-steps vs home page |
| 15:38 | <mathiasbynens> | maybe it’s .htaccess + PHP in some weird cases? |
| 15:39 | <mathiasbynens> | i just accidentally downloaded your `index.php` source code :/ |
| 15:40 | <mathiasbynens> | brb |
| 15:40 | <annevk> | yeah that's fine, running experiments live :p |
| 15:45 | <annevk> | I am the first, I just discovered I was using prefixes for transitions and transforms on my site |
| 15:45 | <annevk> | And had not unprefixed them |
| 15:47 | <annevk> | I am using ::selection unprefixed however |
| 15:47 | <annevk> | But that seems to be gone :( |
| 16:15 | <Hixie> | uh |
| 16:15 | <Hixie> | what did i do to spec.whatwg.org |
| 16:17 | <Hixie> | ok that should be fixed |
| 16:17 | <Hixie> | no idea what i had done there |
| 16:17 | <Hixie> | whatever it was broke the dreamhost panel ui |
| 16:17 | <Hixie> | i guess i'll move the demos stuff back onto whatwg.org somehow |
| 16:17 | <annevk> | you broke the panel? lol |
| 16:18 | <Hixie> | i got some exception trying to edit the cert |
| 16:18 | <Hixie> | i just removed the domain and readded it and it worked |
| 16:20 | <Hixie> | so this demo is unmodified since 2011 |
| 16:20 | <Hixie> | maybe i should just disable it |
| 16:20 | <Hixie> | it gets virtually no traffic |
| 16:22 | <mathiasbynens> | annevk: double header is fixed – how? |
| 16:22 | <annevk> | Hixie: if that and some namespaces are standing in the way of HSTS, yes |
| 16:23 | <annevk> | mathiasbynens: I stopped using ForceType php5-cgi for extensionless files and instead renamed those files to end in .php |
| 16:23 | <Hixie> | what happens if in a subdomain with includesSubdomain, an https:// site redirects to an http:// site without HSTS? |
| 16:23 | <annevk> | mathiasbynens: the files ending in .php were the ones sending the duplicate header that was noticed, still not quite sure what is going on |
| 16:24 | <annevk> | Hixie: https://planet.html5.org/ is such a site |
| 16:25 | <mathiasbynens> | Hixie: same thing as any HTTPS URL that redirects to itself, i guess |
| 16:29 | <annevk> | Hixie: oh, to itself? Seems you created a loop |
| 16:30 | <Hixie> | no i mean what if https://whatwg.org has sts-includesubdomains, and https://x.whatwg.org redirects to http://x.whatwg.org without an sts header? |
| 16:30 | <Hixie> | or with a header, with maxage=0 |
| 16:31 | <annevk> | I think that should cause an infinite redirect as before the redirect fetch is done, the URL would be rewritten to https://x.whatwg.org/ |
| 16:32 | <Hixie> | why? |
| 16:32 | <Hixie> | let me ask again with maxage=0 |
| 16:32 | <Hixie> | it's not clear to me if that would punch a hole through the includesubdomains |
| 16:32 | <annevk> | https://fetch.spec.whatwg.org/#concept-fetch step 1 |
| 16:33 | <annevk> | If a user agent lets a subdomain override includeSubdomains of a parent, that seems broken |
| 16:33 | <Hixie> | why? |
| 16:34 | <Hixie> | https://tools.ietf.org/html/rfc6797#section-8.1 |
| 16:34 | <Hixie> | you fetch the encrypted version of x.whatwg.org |
| 16:34 | <Hixie> | it unsets the hsts headers |
| 16:34 | <Hixie> | then you get the redirect |
| 16:34 | <Hixie> | so at step 1, you don't have any known hosts |
| 16:34 | <annevk> | what about the whatwg.org entry? |
| 16:35 | <Hixie> | it shouldn't be affected, right? |
| 16:35 | <annevk> | if that has includeSubdomains, why should that not apply to x.whatwg.org? |
| 16:35 | <annevk> | if you have not seen whatwg.org it would be different, but if you have it seems that ought to apply |
| 16:37 | <Hixie> | yeah i really can't tell from the rfc |
| 16:39 | <Hixie> | abarth: ping |
| 16:39 | <annevk> | IETF claims http://www.rfc-editor.org/info/rfc6797 provides information on how to give feedback, but it doesn't |
| 16:39 | <annevk> | I guess you need to click under "Source" http://tools.ietf.org/wg/websec/ and give feedback to that WG |
| 16:39 | <annevk> | IETF is a lot less clear than our "Participate:" boxes |
| 16:40 | <Hixie> | shocking |
| 16:40 | <Hixie> | hmmm |
| 16:40 | <Hixie> | includesubdomains doesn't interact very well with www.* |
| 16:41 | <Hixie> | k well i may have broken things more than before |
| 16:41 | <Hixie> | or i may have fixed them |
| 16:42 | <Hixie> | hard to tell until dreamhost propagates |
| 16:50 | <annevk> | Google friends, will there be a time when one can change their Hangouts / Google+ ID? https://gist.github.com/annevk/7f83773f82d52c721664 |
| 16:58 | <annevk> | Hixie: I attempted emailing websec with your question |
| 17:00 | <annevk> | Oh my, message being held for moderation |
| 17:00 | <Domenic_> | annevk: I have the same problem with the mandatory @gmail.com account :( |
| 17:00 | <annevk> | Domenic_: can you pull some strings? :-) |
| 17:01 | <annevk> | Domenic_: feel free to share that gist with anyone |
| 17:01 | <Domenic_> | I can ask around, I guess |
| 17:05 | <annevk> | Domenic_: in case I did not get this link through you https://blog.jcoglan.com/2013/03/30/callbacks-are-imperative-promises-are-functional-nodes-biggest-missed-opportunity/ |
| 17:25 | <caitp> | how does one argue that promises are somehow functional, they aren't really any different from callbacks except slightly more sugary and slower |
| 17:26 | <Domenic_> | did you read the article? |
| 17:26 | <caitp> | not only that, but the behaviour of promise methods depends on what? state |
| 17:26 | <TabAtkins> | Domenic_: Question from yesterday? |
| 17:26 | <Domenic_> | TabAtkins: about ecmarkdown wanting consistent indentation? |
| 17:27 | <caitp> | Domenic_ it sounds like the typical nonsense that the usual "functional vs imperative" crowd of blogs writes |
| 17:27 | <caitp> | haven't read it in full but I'm not confident in its contents |
| 17:27 | <Domenic_> | caitp: so you did, or did not read it? because i think it explains it pretty clearly. |
| 17:27 | <TabAtkins> | Domenic_: No, about why you want ecmarkdown to only use a single number for ol bullets. |
| 17:27 | <Domenic_> | TabAtkins: for consistency and simplicity, basically. |
| 17:27 | <TabAtkins> | I don't understand. |
| 17:27 | <caitp> | a promise is an object which contains state (which may or may not be mutable, implementation depending), and which has methods which behave differently depending on that state |
| 17:28 | <caitp> | this is not really functional |
| 17:28 | <Domenic_> | caitp: I am really not interested in correcting your misconceptions which can be corrected by you simply reading the linked article. |
| 17:28 | <Domenic_> | TabAtkins: more choices = less simplicity, less consistency |
| 17:28 | <caitp> | those aren't misconceptions |
| 17:28 | <caitp> | it's a fact |
| 17:28 | <Domenic_> | TabAtkins: perhaps the problem is the name |
| 17:28 | <TabAtkins> | Domenic_: I mean, what choices are there? |
| 17:29 | <Domenic_> | TabAtkins: whether to start with 1 and go up, or just to stick with 1 forever |
| 17:29 | <TabAtkins> | caitp: Promises are monads over time-dependent state. |
| 17:29 | <TabAtkins> | Domenic_: Just... require it to be numbered correctly? |
| 17:30 | <caitp> | except it's not really "time dependent", it's "dependent on the order of operations, because some operations affect their state" |
| 17:31 | <TabAtkins> | You seem to be arguing that, for example, the IO monad isn't functional either. |
| 17:31 | <Domenic> | TabAtkins: then refactoring steps messes up diffs |
| 17:32 | <caitp> | i don't really care to have a real argument about it, but it's like, functional is not better or worse than imperative, so the argument doesn't really mean anything; but objects containing state which is manipulated by some operations, and which affects the behaviour of other operations |
| 17:32 | <caitp> | that's not very functional |
| 17:32 | <caitp> | that's typical of any imperative programme |
| 17:32 | <TabAtkins> | Domenic: Sure, but the source is more readable. (I don't like how I have to go look at the rendered html to know what the number is for a given <li> in an <ol>.) |
| 17:33 | <Domenic> | TabAtkins: well I guess your answer then is we are prioritizing diffs (for which this is better) and authoring experience (for which this is neutral/slightly better) over source readability (for which this is worse) |
| 17:33 | <TabAtkins> | caitp: It seems that you don't understand the functional encapsulation that monads can make over varying state; I suggest reading up a bit more on that. |
| 17:33 | <TabAtkins> | Domenic: Okay. Are you planning to have the "lists start with the number of the first item" behavior too? |
| 17:35 | <Domenic> | TabAtkins: for all of the ES6 spec lists start with 1, so probably not? |
| 17:35 | <Domenic> | TabAtkins: we'll probably change from 0. to 1. |
| 17:35 | <TabAtkins> | Domenic: That's generally true for most specs, sure, but, for example, Flexbox has an algorithm split over multiple sections, where each <ol> picks up where the last one left off. |
| 17:36 | <Domenic> | TabAtkins: yeah, that's fair. I mean in general we could try to do fully-general Markdown list syntax and just have a secondary linting tool that enforces our desired conventions for ES specs |
| 17:36 | <Domenic> | TabAtkins: the problem there is then I have to write more code :P |
| 17:37 | <TabAtkins> | Domenic: Sorry to be a bother, it's just that now that MD actually has a spec, I consider deviations from that to need strong justifications, rather than just being a matter of flavor. ^_^ |
| 17:37 | <TabAtkins> | (Bikeshed has a few deviations that it'll be maintaining, for example.) |
| 17:37 | <Domenic> | TabAtkins: would it help if it were named something else? It's just Markdown-inspired (i.e. literally I found writing specs in Markdown to be pleasant, and that inspired me to create a new language). It's not meant to be a Markdown flavor. |
| 17:38 | <Domenic> | We'd lose the nice punning of Ecmarkup (= custom elements vocabulary) + Ecmarkdown, sadly |
| 17:38 | <TabAtkins> | Domenic: Do what you want, I'm just pushing my own agenda of making it easier to transport text (and authoring assumptions) across markdowns. |
| 17:38 | <TabAtkins> | The less parsing diff I need to maintain in my head, the better. |
| 17:38 | <Domenic> | Hmm hmm |
| 17:41 | <TabAtkins> | Obviously text won't transport too well from CMD to ECMD, due to you changing what all of the inline elements mean, but still. |
| 17:50 | <annevk> | Safari on iPhone has interesting UI choices. It shows [padlock] whatwg.org for https://www.whatwg.org/ |
| 17:50 | <annevk> | It actually omits "www.", but does not do so for other subdomains |
| 17:53 | <Domenic> | boo to www |
| 17:54 | <SimonSapin> | Is "lossily" a word? |
| 17:55 | <TabAtkins> | Yes. |
| 17:56 | <jgraham> | True fact: a long time ago before the internet was something that people were familiar with, my Dad phoned me to ask if some server with the url w3.something.tld was the same as www.something.tld So www. has been causing confusion since the mid 90s |
| 17:58 | <annevk> | http://no-www.org/ (sadly no TLS) |
| 17:59 | <Hixie> | bummo, i broke https://n.whatwg.org |
| 17:59 | <Hixie> | let's see here... |
| 18:00 | <Domenic> | I still don't understand n.whatwg.org? |
| 18:00 | <Hixie> | ok, fixed it |
| 18:00 | <TabAtkins> | Which part? Its existence, or that it's staying on http:? |
| 18:00 | <annevk> | So as far as I can tell the only valid namespace is http://n.whatwg.org/work and it is not actually evident that is seeing much usage |
| 18:01 | <Hixie> | it's seeing basically no usage outside the html spec, as far as i'm aware |
| 18:02 | <annevk> | Hixie: and because it sees usage in the HTML spec we want to not do HSTS fully? |
| 18:02 | <Hixie> | namespaces are namespaces |
| 18:02 | <Hixie> | once you commit to have a namespace, you commit to having it for, like, ever. |
| 18:02 | <annevk> | Hixie: namespaces are also just strings |
| 18:02 | <annevk> | Hixie: and not actually something meant to resolve |
| 18:02 | <tantek> | except for the http vs https part |
| 18:02 | <tantek> | so I heard |
| 18:02 | <annevk> | Hixie: if n.whatwg.org didn't exist, the namespace would continue to exist |
| 18:03 | <Hixie> | annevk: it would continue to exist for sure, but some people would be confused. |
| 18:03 | <Domenic> | TabAtkins: the existence. Sounds like I should do Ctrl+F on the singlepage spec? |
| 18:03 | <Hixie> | anyway, we have includeSubdomains |
| 18:03 | <Hixie> | so this is a non-issue |
| 18:03 | <TabAtkins> | Domenic: It's nothing more than a namespace. |
| 18:03 | <jgraham> | I think an existence proof on those people would be interesting |
| 18:03 | <annevk> | Hixie: e.g. the W3C cannot configure its own server probably and has been redirecting namespaces for years |
| 18:03 | <Domenic> | TabAtkins: sure, but used for what, is the question |
| 18:03 | <annevk> | Hixie: try http://www.w3.org/1999/xhtml |
| 18:04 | <annevk> | Hixie: not many people have ended up being confused as a result |
| 18:04 | <annevk> | Hixie: though I have complained about it |
| 18:04 | <TabAtkins> | Domenic: It's used to have a page that the namespaces can resolve to. |
| 18:04 | <Hixie> | the w3c is not exactly the pinnacle of good practices |
| 18:04 | <jgraham> | Nor are namespaces ;) |
| 18:04 | <Hixie> | it'd be interesting to test that hypothesis |
| 18:04 | <Hixie> | i wonder how many pages says xmlns="http://www.w3.org/1999/xhtml/" |
| 18:04 | <Hixie> | say |
| 18:04 | Hixie | goes to find out |
| 18:05 | <annevk> | Hixie: the point is that if a widespread namespace can redirect, so can a namespace that is only used in fiction and is causing end user harm (by not being on the HSTS preload list) |
| 18:05 | <Domenic> | TabAtkins: what is the namespace used for, is the question. Answering it myself, looks like, used for microdata? |
| 18:05 | <TabAtkins> | Domenic: Ah, ok. Yes. |
| 18:05 | <Hixie> | annevk: we can be on the HSTS preload list |
| 18:05 | <Hixie> | annevk: this is not causing any such blockage |
| 18:06 | <tantek> | having namespaces break just serves to demonstrate they shouldn't have been used in the first place |
| 18:06 | <SimonSapin> | I just wrote a proto-spec for the WTF-8 encoding: https://github.com/rust-lang/rust/issues/12056#issuecomment-55786546 |
| 18:06 | <Hixie> | Domenic: the url answers that question :-) |
| 18:07 | <Domenic> | Hixie: haha, just goes to show, my strong assumption was that the actual namespace URL would be useless |
| 18:07 | <Hixie> | hehe |
| 18:07 | <Hixie> | technically this isn't actually a namespace |
| 18:07 | <Hixie> | it's a vocabulary identifier |
| 18:07 | <annevk> | SimonSapin: conversion to UTF-8 needs to be better |
| 18:07 | <SimonSapin> | annevk: better how? |
| 18:08 | <annevk> | SimonSapin: e.g. if you concat two surrogates, they can turn into a thing |
| 18:08 | <SimonSapin> | annevk: do we want to support that? |
| 18:09 | <annevk> | SimonSapin: if you ever want a JavaScript impl in Rust, yes |
| 18:10 | <Hixie> | ok, n.whatwg.org finally does what i want it to do |
| 18:10 | <gavinc> | Is there an explanation somewhere as to why I can't get the status code of the request that loaded the current page in javascript? Seems so very odd not to be able to |
| 18:10 | <SimonSapin> | annevk: so abandon equivalence with UCS-2? (Two WTF-8 strings have the same bytes if and only if their UCS-2 representations have the same bytes) |
| 18:12 | <annevk> | SimonSapin: why would that not be true? |
| 18:12 | <jgraham> | Is there a special reason that concatenation of two WTF-8 buffers has to produce a valid WTF-8 string? Presumably a WTF-8 library could examine the endpoints for WTF-8ness and convert if necessary |
| 18:13 | <SimonSapin> | jgraham: yeah, that sounds better |
| 18:13 | <Hixie> | wait why does the hsts preload list require that we violate the hsts spec by adding the non-standard "preload" token |
| 18:13 | <SimonSapin> | so WTF-8 concat is a bit more work than byte concat, but I think that’s ok |
| 18:13 | <annevk> | Hixie: I think that's only temporary to ensure you can't add sites that don't want to be on it |
| 18:14 | <annevk> | Hixie: temporarily required* |
| 18:14 | <annevk> | Hixie: after you submit you can remove it again |
| 18:16 | <jgraham> | Argh |
| 18:16 | <jgraham> | Config file formats all suck |
| 18:17 | <Hixie> | ok i give up |
| 18:17 | <Hixie> | https://whatwg.org it is |
| 18:18 | <Hixie> | for a decade i have fought this no-www nonsense on sites that are clearly _about_ the www and therefore by all reason should have "www" in their name |
| 18:18 | <Hixie> | but lo, hsts has beaten me |
| 18:18 | <Hixie> | go forth and remove the www.s! |
| 18:19 | <SimonSapin> | Hixie: try to buy www.org? |
| 18:19 | <Hixie> | from the w3c? |
| 18:19 | <Hixie> | good luck with _that_ |
| 18:19 | <SimonSapin> | or convince ICANN to make a .www TLD :) |
| 18:19 | <Hixie> | .org is fine |
| 18:19 | <SimonSapin> | oh, I didn’t know W3C had this one |
| 18:22 | <jgraham> | You don't need to convince ICANN with more than just cash these days, do you? |
| 18:22 | <annevk> | Domenic: see https://javascript.spec.whatwg.org/#regexp |
| 18:22 | <annevk> | Domenic: not sure if mathiasbynens filed bugs on Allen for those yet |
| 18:23 | <Domenic> | annevk: yeah I saw that, not terribly helpful |
| 18:23 | <caitp> | is that a fork of es262 or something |
| 18:23 | <annevk> | It's a delta of sorts, I guess |
| 18:24 | <caitp> | neat |
| 18:25 | <Domenic> | It was more important when ES had none of these things |
| 18:25 | <Domenic> | Most of it is being absorbed into ES |
| 18:25 | <Domenic> | But curiously not the RegExp stuff (yet?) |
| 18:25 | <annevk> | Yeah, mathiasbynens should update it so it does not contradict the HTML ES6 draft |
| 18:26 | <annevk> | Date is also not covered by ES6 I think |
| 18:26 | <annevk> | Not sure about the comment syntax, I think that's still an open bug |
| 18:26 | <abarth> | Hixie: pong |
| 18:27 | <annevk> | abarth: it was a question about where HSTS defines that a policy for domain.com affects sub.domain.com |
| 18:27 | <abarth> | you mean where in the RFC? |
| 18:28 | <zcorpan> | yay no www |
| 18:32 | <tobie> | TabAtkins: I see from the Bikeshed doc that you're looking into importing some of the Specref data. Would anything make that easier (e.g. splitting up the existing stuff into various files)? |
| 18:33 | <TabAtkins> | tobie: Nah, I've already got it ready to go. |
| 18:33 | <TabAtkins> | I just need to do some profiling on it; loading up biblio and ref data is the most expensive part of running Bikeshed, and turning on SpecRef is a significant addition to that cost. |
| 18:34 | <TabAtkins> | Splitting things up would actually make it more difficult to handle. I don't do any downloads at processing time; you have to periodically run `bikeshed update` yourself, so all the linking data is stored locally. |
| 18:34 | <TabAtkins> | So I need to have all the data anyway. |
| 18:34 | <Hixie> | abarth: yeah |
| 18:34 | <tobie> | I'll be turning-on daily auto-updates this week, btw. |
| 18:35 | <TabAtkins> | Cool. |
| 18:35 | <Hixie> | abarth: say i have example.com and it has an STS policy with includesubdomains |
| 18:35 | <abarth> | 6.1.2. The includeSubDomains Directive |
| 18:35 | <abarth> | The OPTIONAL "includeSubDomains" directive is a valueless directive |
| 18:35 | <abarth> | which, if present (i.e., it is "asserted"), signals the UA that the |
| 18:35 | <abarth> | HSTS Policy applies to this HSTS Host as well as any subdomains of |
| 18:35 | <abarth> | the host's domain name. |
| 18:35 | <Hixie> | abarth: and then i have sub.example.com, and it has an STS with maxage=0 |
| 18:35 | <Hixie> | abarth: what happens? |
| 18:36 | <Hixie> | abarth: the rfc doesn't seem to cover that case, because it's not clear whether sub.example.com has an entry or not |
| 18:36 | <abarth> | maxage=0 doesn't create "holes" |
| 18:36 | <tobie> | TabAtkins: Are you grabbing the raw file or the output of the app? |
| 18:36 | <abarth> | the intent is that sub.example.com still has HSTS |
| 18:36 | <TabAtkins> | tobie: I'm pulling down http://specref.jit.su/bibrefs |
| 18:36 | <abarth> | the storage is per-header received |
| 18:36 | <tobie> | ok, cool. |
| 18:37 | <abarth> | so you'd have to set max-age: 0 on example.com to expire the policy for the subdomains |
| 18:37 | <Hixie> | abarth: what about if i have example.com with an STS includesubdomains, then foo.example.com also has an STS with includesubdomains, then i go to example.com again and it has maxage=0. Does that also remove the foo.example.com STS? Per the RFC, it seems like it would, since that header isn't stored since it's redundant with the parent one. |
| 18:37 | <abarth> | the intent is that the foo.example.com policy is not removed |
| 18:37 | <abarth> | not sure if the RFC is written correctly |
| 18:37 | <abarth> | i'd have to check it :) |
| 18:37 | <tobie> | TabAtkins: any preferences on exposing EDs? |
| 18:38 | <abarth> | the model is that you have a database that remembers the last header received for each domain |
| 18:38 | <jwalden> | annevk: you didn't happen to do any research into how to have a dreamhost site accessible on multiple https: origins at once, did you? that's probably the one thing incenting me not to move to full https: everywhere (right now I have https: for admin and http: for general-public-facing, as minor XSS mitigation) |
| 18:38 | <Hixie> | abarth: "domain"? |
| 18:38 | <TabAtkins> | tobie: I don't care all that much for biblio purposes. |
| 18:38 | <abarth> | host |
| 18:38 | <Hixie> | abarth: ah |
| 18:38 | <abarth> | to compute whether a given connection ought to be allowed |
| 18:38 | <tobie> | k |
| 18:38 | <abarth> | you walk the host and its parent domains |
| 18:38 | <abarth> | checking for a non-expired policy |
| 18:38 | <TabAtkins> | tobie: We track ED/TR for linking (so that Bikeshed can prefer linking to one or the other, based on status of the spec being generated), but biblio stuff just uses whatever the ref points to. |
| 18:39 | <Hixie> | abarth: so what happens if you visit a host that is covered by includesubdomains, and that host has STS maxage=0 and redirects to its equivalent http:// url? is that treated as a redirect-to-self ? |
| 18:39 | <abarth> | (with the "includesubdomains" flag if the entry in the database isn't for the host itself) |
| 18:40 | <abarth> | the fact about the host having HSTS with maxage=0 isn't relevant |
| 18:40 | <abarth> | that would clear out any past header that host had set |
| 18:40 | <abarth> | but the header for the parent domain would still be in the database |
| 18:40 | <abarth> | so HSTS would still be in effect for that host |
| 18:41 | <abarth> | (I'm off to lunch---will be back later) |
| 18:42 | <tobie> | TabAtkins: can you point to where you're storing that data? Would like to use same schema if possible. (Need to expose this in specref.) |
| 18:42 | <TabAtkins> | tobie: Right now I'm just storing it literally; I do the processing into Bikeshed's data structure on each run. I need to fix that. |
| 18:45 | <TabAtkins> | tobie: But here's the data structure I use to store biblio data currently: https://github.com/tabatkins/bikeshed/blob/master/bikeshed/biblio.py |
| 18:45 | <TabAtkins> | It's a straight translation of the Refer file format, with some minor tweaks to handle the specref format better. |
| 18:46 | <TabAtkins> | I currently just throw away some of the SpecRef data, like versions, but might add that in the future. |
| 18:50 | <tobie> | TabAtkins: funny you're transforming href into url, we changed that in Respec to match Anolis. |
| 18:51 | <tobie> | TabAtkins: iirc, versions isn't exposed by the API, but used to construct [[FOO-YYYYMMDD]] refs. |
| 18:52 | <TabAtkins> | Accident of history; I happened to write BiblioEntry quite a while ago, and named the attribute "url". When I started processing SpecRef stuff I just put down a translation. |
| 18:52 | <Hixie> | annevk: k, i added us to the hsts queue |
| 18:54 | <TabAtkins> | tobie: All of my biblio handling code is ancient by this project's standards, anyway. Don't pay much attention to it. It needs to be rewritten. |
| 18:54 | <Domenic> | annevk Hixie Mixed content in the wiki |
| 18:54 | <Hixie> | where? |
| 18:55 | <Domenic> | https://wiki.whatwg.org/wiki/FAQ has no stylesheet |
| 18:57 | <Hixie> | odd |
| 18:57 | <Domenic> | https://wiki.whatwg.org/wiki/IRC works O_O |
| 18:57 | <Hixie> | home page too |
| 18:57 | <Hixie> | i don't get it |
| 18:57 | <Hixie> | who's our wiki guy |
| 18:57 | <Hixie> | GPHemsley? |
| 18:58 | <Domenic> | https://lists.whatwg.org/htdig.cgi/implementors-whatwg.org/ link from https://whatwg.org/mailing-list is broken |
| 18:59 | <Hixie> | oops |
| 18:59 | <Hixie> | oh |
| 18:59 | <Hixie> | crap |
| 18:59 | <Hixie> | HSTS will totally screw our list archives |
| 18:59 | <Hixie> | and list management |
| 18:59 | <Hixie> | since dreamhost don't have that on ssl |
| 19:00 | <Hixie> | well this will be an interesting support request... |
| 19:00 | <zcorpan> | Domenic: huh, firefox and chrome i get http: for scripts and styles, but in opera i get https: |
| 19:01 | <zcorpan> | there is http://lists.w3.org/Archives/Public/public-whatwg-archive/ but i guess not for help@ or implementors@ |
| 19:02 | <Hixie> | and that won't let you subscribe to the list |
| 19:02 | <zcorpan> | ah yeah |
| 19:03 | <zcorpan> | and it doesn't use TLS so who knows what bad things can happen |
| 19:03 | <zcorpan> | (like, maybe the site will work) |
| 19:04 | zcorpan | has updated xref and html-differences |
| 19:05 | <Hixie> | support request sent |
| 19:05 | <Hixie> | i expect this to not go well |
| 19:06 | <Hixie> | wtf, spec.whatwg.org is still broken |
| 19:06 | <Hixie> | what have i done |
| 19:07 | <zcorpan> | https://simon.html5.org/html-elements is now broken. (it was very out of date anyway) |
| 19:08 | <Hixie> | heh |
| 19:08 | <Hixie> | why is it broken? |
| 19:08 | <Hixie> | mixed content? |
| 19:08 | <zcorpan> | yep |
| 19:08 | <zcorpan> | http: in iframe |
| 19:08 | <Hixie> | oh, i see |
| 19:08 | <Hixie> | should be easy to fix |
| 19:08 | <zcorpan> | yes |
| 19:09 | <zcorpan> | the harder fix is making it not be so out of date |
| 19:09 | <Hixie> | well, yeah |
| 19:09 | <zcorpan> | preferably automate it |
| 19:09 | <zcorpan> | since i no longer maintain it |
| 19:10 | <Hixie> | spec.whatwg.org is seriously messed up in the dreamhost config |
| 19:10 | <zcorpan> | btw what's up with developers.whatwg.org |
| 19:11 | <Hixie> | i need to regen it |
| 19:11 | <Hixie> | i broke it all when i updated my pipeline |
| 19:11 | <Hixie> | ok i've killed spec.whatwg.org entirely |
| 19:11 | <Hixie> | i'm going to go have lunch, let dreamhost digest this change |
| 19:11 | <Hixie> | then i'll reinstate it |
| 19:12 | zcorpan | gets a redirect loop |
| 19:12 | <Hixie> | yeah it's just totally messed up right now |
| 19:13 | <Hixie> | oh wait |
| 19:13 | <Hixie> | for what? |
| 19:13 | <Hixie> | developers? |
| 19:13 | <Hixie> | bbiab |
| 19:16 | <zcorpan> | no for spec.whatwg.org |
| 19:16 | <zcorpan> | ok "fixed" html-elements (but developers still has mixed content) |
| 20:46 | <zcorpan> | Hixie: the spec's popup when filing a bug has links but they're not discoverable without hovering the text |
| 20:53 | <Hixie> | yeah... if you have non-ugly suggested styles to make them more discoverable, file a bug |
| 20:56 | <zcorpan> | the popup is ugly already :-P |
| 20:58 | <TabAtkins> | Domenic: Sorry, one final argument for numbering your list items properly, rather than giving them all the same number: it makes it easier to, at a glance, tell where sub-lists start and end; if they're all the same, you have to pay more attention to indentation, which isn't quite as obvious. |
| 21:00 | <Domenic> | spec. still broken? :) |
| 21:00 | <Domenic> | *:( |
| 21:07 | <zcorpan> | maybe we should update the browser icons |
| 21:23 | <Hixie> | zcorpan: if you can file a bug with styles to make it less ugly, all the better |
| 21:23 | <Hixie> | zcorpan: right now the spec is using the browser icons from html5.org |
| 21:24 | <zcorpan> | Hixie: yeah |
| 21:30 | <annevk> | Hixie: awesome |
| 21:30 | <Hixie> | hm? |
| 21:30 | <annevk> | jwalden: I'm not sure what you mean |
| 21:31 | <annevk> | jwalden: what do you mean by multiple https: origins? |
| 21:31 | <jwalden> | annevk: I have http://whereswalden.com/ as public-facing right now; https://whereswalden.com/ purely for wp-admin pages and such |
| 21:31 | <jwalden> | annevk: I |
| 21:31 | <annevk> | Hixie: in response to HSTS and also no-www I guess |
| 21:31 | <Hixie> | ah |
| 21:31 | <jwalden> | annevk: I'd like https://whereswalden.com/ as public-facing, but I want some other origin than that for wp-admin pages |
| 21:32 | <Hixie> | annevk: well, we broke lists.whatwg.org, so there's that. |
| 21:32 | <annevk> | jwalden: move wp-admin to /wp/ |
| 21:32 | <annevk> | jwalden: or get a more expensive certificate that allows alternate names, and set up admin.whereswalden.com |
| 21:33 | <jwalden> | annevk: yeah, that's the sadmaking hackaround as I understand it |
| 21:33 | <annevk> | jwalden: I'm not sure how it's a hack |
| 21:33 | <annevk> | jwalden: if you want to serve different content, you need different addresses :-) |
| 21:33 | <jwalden> | annevk: well, maybe not, now; last I remembered they didn't support SNI |
| 21:33 | jwalden | hasn't looked into this in awhile |
| 21:34 | <annevk> | jwalden: DreamHost supports SNI, the question is whether your certificate is valid for admin.whereswalden.com |
| 21:35 | <annevk> | Hixie: so lists.whatwg.org is broken because DreamHost sets it up automatically? |
| 21:36 | <Hixie> | yeah |
| 21:36 | <Hixie> | i sent them a support request |
| 21:36 | <Hixie> | i expect this to be like pulling teeth |
| 21:36 | <Hixie> | not sure what we can do without their help |
| 21:37 | <annevk> | self-host :-( |
| 21:37 | Hixie | looks around for bags of cash |
| 21:37 | <Hixie> | nope, don't see any |
| 21:38 | <Hixie> | well, except that one, but that one's mine |
| 21:38 | Hixie | grabs one poorly-hidden bag of cash |
| 21:39 | <gsnedders> | Hixie: security through obscurity is no security at all! |
| 21:40 | <Domenic> | Speaking pretty much from ignorance, but I can't imagine an nginx server for static content on Amazon EC2 would be all that expensive... |
| 21:41 | <annevk> | Domenic: it's mostly that porting everything is a hassle |
| 21:41 | <Hixie> | before we talk about how expensive it is, let's first consider that the entirety of the cost of hosting *.whatwg.org for the next two years is the cost anne just spent on the certs. |
| 21:41 | <annevk> | Domenic: and migrating all the databases, etc. |
| 21:41 | <Domenic> | Hixie: DreamHost is free? |
| 21:41 | <Domenic> | annevk: yeah that part makes sense, just not the expense claim |
| 21:42 | <Hixie> | and that we currently have unlimited bandwidth, users, storage, and subdomains, along with some level of tech support. |
| 21:42 | <annevk> | DreamHost is free for Hixie since he's on top of a pyramid |
| 21:42 | <Hixie> | what anne said |
| 21:43 | <annevk> | I guess we could claim I had to get validated anyway to make html5.org and some of my own setups work, which would make whatwg.org still running for zip |
| 21:43 | <Hixie> | heh |
| 21:43 | <Hixie> | i actually do pay for some stuff on dreamhost, but i'm hosting like 60+ domains on this account |
| 21:43 | <Hixie> | so the marginal cost of whatwg.org is free |
| 21:44 | <annevk> | html5.org: "That domain name is already preloaded!" |
| 21:44 | <Hixie> | wtf, spec.whatwg.org is still broken |
| 21:45 | <annevk> | Hixie: infinite redirects |
| 21:49 | <Hixie> | screw it. |
| 21:49 | Hixie | sends a support request |
| 21:51 | <Hixie> | btw n.whatwg.org is all https now |
| 21:51 | <Hixie> | and the one vocabulary identifier on there now just redirects to the spec so there's no confusion |
| 22:04 | <annevk> | nice |
| 23:02 | <zcorpan> | annevk: i've updated icons on web-apps-tracker |
| 23:03 | <zcorpan> | hmm possibly the svg ones need width="32" height="32" so that background-size:50% works for Hixie |
| 23:05 | <Domenic> | calling it now: svg is the next tls/utf8 |
| 23:06 | <zcorpan> | Domenic: svg is old man :-) |
| 23:07 | <Domenic> | probably newer than tls :P |
| 23:09 | <zcorpan> | annevk: pls review and deploy if it looks ok |
| 23:18 | <zcorpan> | i added a logo for chrome but it's not used yet |
| 23:18 | <GPHemsley> | Hixie: What's going on? Do I need to do something? |
| 23:18 | <Hixie> | the faq is not getting its style sheet |
| 23:18 | <Hixie> | probably mixed content issue |
| 23:18 | <GPHemsley> | Hixie: Can you be more specific? I'm not seeing anything wrong. |
| 23:19 | <Hixie> | oh, hm |
| 23:19 | <Hixie> | it's working now |
| 23:19 | <GPHemsley> | oh |
| 23:19 | <GPHemsley> | logged out only, maybe |
| 23:19 | <Hixie> | ah, yes |
| 23:19 | <Hixie> | whatwg.org/faq when logged out |
| 23:19 | <Hixie> | results in no styles |
| 23:19 | <GPHemsley> | ah, yeah, I think that's cached |
| 23:19 | <GPHemsley> | hang on |
| 23:19 | <Hixie> | though actually |
| 23:20 | <Hixie> | if we can change the styles for that page when logged out specifically... |
| 23:20 | <Hixie> | might be worth doing... |
| 23:20 | <GPHemsley> | well, I think I have it set up so that the anonymous pages are cached |
| 23:20 | <GPHemsley> | but the logged-in ones aren't |
| 23:20 | <GPHemsley> | or something |
| 23:20 | <GPHemsley> | it's been a while |
| 23:20 | <Hixie> | since that page with no styles and the headers and footers removed looks better than that page with the mediawiki styles |
| 23:22 | <GPHemsley> | well, it's every logged out page |
| 23:26 | <GPHemsley> | now if only I could remember my login details.. |
| 23:28 | <Hixie> | btw, i've made the mailing-list page not mention lists.whatwg.org so that it doesn't much matter anymore |
| 23:29 | <Hixie> | wow, https://www.w3.org actually redirects (with a valid cert) to http://www.w3.org? |
| 23:29 | <Hixie> | that seems worse than not having anything on https://... |
| 23:32 | <GPHemsley> | Hixie: How pressing is this wiki issue? |
| 23:32 | <Hixie> | *shrug* |
| 23:33 | <Hixie> | it makes the wiki ugly |
| 23:33 | <Hixie> | how serious that is, that's your call :-) |
| 23:35 | <GPHemsley> | hey, I'm logged in all the time, so it makes no difference to me :P |
| 23:47 | <Hixie> | you have got to love the w3c, really |
| 23:47 | <Hixie> | on the one hand you have jeff saying how much the w3c respects the whatwg |
| 23:48 | <Hixie> | and on the other hand you have checkins consisting of only the text "minor fixes" that remove even a small suggestion of a mention of the whatwg _which included a 'stable' reference_. |
| 23:48 | <Hixie> | https://github.com/w3c/html/commit/5665b66d3bc7720fcaaeff5817e6eacbf782d835 |
| 23:48 | <Hixie> | i mean, the relevant text is only 2 days old (https://github.com/w3c/html/commit/5b04c84af9bb460fa0ffddb5af7fac41a17b1938) |
| 23:50 | <Hixie> | man i wish the ietf had stable specs |
| 23:51 | <Hixie> | by which i mean a url that i could reference for a particular technology that wouldn't change over time when they update the spec |
| 23:51 | <Hixie> | instead of the current situation where every 5 days some spec or other gets obsoleted and i have to update all my IETF references |