| 00:19 | <Domenic> | aklein: I think Hixie has his own Pascal parser that should give something close to canonical |
| 00:30 | <crocket> | Is it ok to put two footers in a section of a page? |
| 00:34 | <Domenic> | crocket: yes. e.g. https://developers.whatwg.org/sections.html#the-footer-element shows two footers for the whole page; i can assume it also works for a section |
| 00:39 | <crocket> | Domenic, Is it ok semantically to put two footers in a sectioning content? |
| 00:39 | <Domenic> | crocket: yes |
| 00:40 | <crocket> | Domenic, The link you gave doesn't seem to imply that. |
| 00:40 | <Domenic> | crocket: it does how i read it. The first example, plus the way it always refers to "footers" and "a footer"; not e.g. "the footer" |
| 00:42 | <Domenic> | Plus more concretely there is no special restriction for footers outside of the restrictions for flow content |
| 00:42 | <crocket> | Domenic, How do two footers change semantics? |
| 00:43 | <aklein> | Hixie: confirmed it's a Blink bug |
| 00:43 | <crocket> | It'd be different semantically than one footer in <article> |
| 00:43 | <Domenic> | Yes … it means the section or article has two footers … that is indeed different than having one footer. |
| 00:45 | <crocket> | Domenic, Is it better to put <section>s in one footer semantically? |
| 00:46 | <Domenic> | They mean different things… two separate footers (neither of which creates a new subsection) versus one footer with two subsections. "better" depends on what you're trying to convey |
| 00:47 | <crocket> | Domenic, What is the meaning of a footer or two? |
| 00:48 | <Domenic> | Two footers means … two footers. Two separate sets of " information about its section such as who wrote it, links to related documents, copyright data, and the like." |
| 00:49 | <Domenic> | Maybe one is the legal footer and the other is the bibliography footer |
| 00:49 | <Domenic> | I gtg, hope this was helpful… |
| 00:50 | <crocket> | Domenic, Thanks!!! |
| 01:01 | <aklein> | Hixie: Blink's foster parenting seems to be quite a bit out of step with the current spec. I'm curious if you happen to know when the requirement of the table's parentNode being an element went away (a requirement enforced in Blink by http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/parser/foster-parent.html) |
| 01:03 | <aklein> | Gecko seems to enforce that same requirement |
| 01:03 | <aklein> | so there may be a spec bug here, just not in the template stuff itself but related to it |
| 05:50 | <Hixie> | aklein: i would imagine it went away when we introduced <template> |
| 05:50 | <Hixie> | aklein: since otherwise foster parenting in <template> would drop nodes left right and center |
| 07:12 | <zcorpan> | Hixie: https://html.spec.whatwg.org/multipage/embedded-content.html#attr-img-srcset says Chrome 40+ but should be Chrome 38+ |
| 07:20 | <MikeSmith> | hsivonen: I'm beginning to wonder if we shouldn't just merge all the other validator github repos into the https://github.com/validator/validator repot |
| 07:22 | <MikeSmith> | hsivonen: to make things easier for users/contributors, so that they have just one place to submit PRs and issues, rather than 5 |
| 07:22 | <MikeSmith> | hsivonen: and to make maintenance easier, etc. |
| 07:23 | <MikeSmith> | hsivonen: or maybe it would be too disruptive at this point, or just not so necessary really |
| 07:28 | <Ms2ger> | zcorpan, blame caniuse? |
| 07:28 | <zcorpan> | Ms2ger: caniuse has it supported in 38..40 |
| 07:59 | <zcorpan> | can someone come up with a versioning scheme that doesn't suffer from the 10 problem? https://twitter.com/charmoto/status/519252143723667456 |
| 08:00 | <annevk> | euhm, don't expose version numbers as strings? |
| 08:01 | <zcorpan> | yeah i guess that would help |
| 08:01 | <annevk> | maybe only as a query interface; is() isgt() islt() |
| 08:02 | <annevk> | I wouldn't be surprised if people still managed to mess that up though |
| 08:02 | tantek | can't wait for HTML10 |
| 08:03 | <hasather> | zcorpan: base 1 |
| 08:12 | <darobin> | tantek: I fully expect that all informative references will be to stable documents by then |
| 08:14 | <annevk> | http://lists.w3.org/Archives/Public/public-w3process/2014Oct/ o_O |
| 08:20 | <annevk> | karlcow: http://webcompat.com/ doesn't use TLS |
| 08:20 | <annevk> | karlcow: is there a bug on that? |
| 08:22 | annevk | finds https://github.com/webcompat/webcompat.com/issues/72 |
| 08:23 | <tantek> | annevk I thought this was spot on: http://lists.w3.org/Archives/Public/public-w3process/2014Oct/0021.html |
| 08:24 | <zcorpan> | annevk: file it on webcompat |
| 08:25 | <annevk> | tantek: yeah that was too bad. Although that Art got that impression is also a sign that something is amiss. |
| 08:25 | <annevk> | zcorpan: seems miketaylr already did |
| 08:25 | <annevk> | zcorpan: asked if they could up the priority |
| 08:25 | <tantek> | annevk - plenty of things suboptimal / amiss. Stating someone else's position as mal-intent is counter-productive. That issue was way out of line. |
| 08:26 | <jamesr__> | hmm, some specs expose permission denied as being different from other errors but i think most do not |
| 08:26 | <tantek> | I should point out that OpenStand itself does not follow OpenStand principles. |
| 08:27 | <annevk> | I don't think Art would overstate it without being seriously annoyed already |
| 08:27 | <annevk> | He's very reasonable normally |
| 08:27 | <annevk> | So there's probably more to it |
| 08:27 | <jamesr__> | my inclination would be to not distinguish permission denied by the user from other errors |
| 08:27 | <tantek> | annevk - in my personal experience Art is reasonable in person, but that's not the first time that an online interaction (whether tracker or email) was unreasonable. |
| 08:27 | <jamesr__> | but is there a general principle here? |
| 08:27 | <annevk> | jamesr__: permission denied does not seem like an exceptional case to me |
| 08:28 | <annevk> | jamesr__: but I don't think there's a general principle |
| 08:30 | <annevk> | jamesr__: e.g. I don't think Notification.requestPermission() should reject if the user says no, but there's a long debate on the WHATWG list about what exactly should happen there |
| 08:30 | <annevk> | jamesr__: I think it should reject if you invoke it with "TEST" as argument, since that's clearly wrong |
| 08:31 | <jamesr__> | my question is more about the Notification.permission attribute |
| 08:32 | <jamesr__> | what's the value of the transition from "default" to "denied" to the user? should we expose that the user clicked "no" vs ignored it or did something else? |
| 08:32 | tantek | closes the w3process thread. |
| 08:32 | tantek | … window. |
| 08:34 | <annevk> | jamesr__: if the value is "denied", the application will have no need to offer UI to allow the user to enable it |
| 08:36 | <annevk> | jamesr__: "denied" might be persisted, or active for the duration of the "session" |
| 08:37 | <jamesr__> | well my actual question was about http://dev.w3.org/geo/api/spec-source.html#position_error_interface |
| 08:38 | <jamesr__> | seems odd to expose the difference between PERMISSION_DENIED and POSITION_UNAVAILABLE |
| 08:40 | <annevk> | UNAVAILABLE seems like you would be able to try again |
| 08:41 | <annevk> | The geolocation API is rather sad looking at this point |
| 08:42 | <annevk> | Hmm, how is matchMedia() a problem for Blink, but watchPosition not? |
| 09:03 | <MikeSmith> | hsivonen: I e-mailed you with background info and more specific details on the idea of merging the ithub validator repos into a single repo that I pinged you about here earlier |
| 09:04 | <MikeSmith> | jgraham: If we do merge the vnu repos I guess it might make sense to move all the tests there too -- that is, out of wpt and into there instead |
| 09:06 | <MikeSmith> | jgraham: I mean just the conformance-checkers/ tests -- which were from the beginning an odd duck instead of wpt. I'd hoped that putting them tehre would encourage more people to contribute to them, but that hasn't happened and isn't likely to going forward either. So I guess it would make sense to just move them |
| 09:07 | <Ms2ger> | MikeSmith, wfm |
| 09:07 | <MikeSmith> | Ms2ger: ok |
| 09:07 | <MikeSmith> | I wonder if zcorpan has an opinion either way |
| 09:08 | <zcorpan> | wat? |
| 09:09 | <jgraham> | zcorpan: MikeSmith wants your opinions. On anything! |
| 09:09 | <zcorpan> | ah. don't mind moving them |
| 09:09 | <MikeSmith> | k |
| 09:11 | <MikeSmith> | it has the downside of making them seem implementation-specific to vnu -- which they're not of course |
| 09:12 | <MikeSmith> | but the reality there is, nobody has yet created another modern HTML-spec conforming validator engine, and it doesn't seem like anybody's likely to be doing so any time soon |
| 09:14 | <jgraham> | MikeSmith: If you really cared they could live in their own repo and be pulled in as a submodule, but it probably isn't worth the pain |
| 09:15 | <jgraham> | zcorpan: The version numbering scheme you're looking for is TeX |
| 09:18 | <MikeSmith> | jgraham: we got too many submodules on wpt already :) |
| 09:21 | <zcorpan> | jgraham: TeX -> Tex82 -> TeX 3.0 -> Tex n→π ? |
| 09:26 | <karlcow> | annevk: not yet. But you found already the issue. |
| 09:28 | <MikeSmith> | jgraham: if we move the validator tests, would/could you be able to hook critic up to it? |
| 09:30 | <karlcow> | zcorpan: for versioning without the 10 issue. Ⅰ Ⅱ Ⅲ Ⅳ Ⅴ Ⅵ Ⅶ Ⅷ Ⅸ Ⅹ |
| 09:30 | <karlcow> | romans had thought about everything |
| 09:32 | <karlcow> | though I guess people would start making mistakes with ⅩⅩ |
| 09:38 | <zcorpan> | maybe if you use ascii to represent roman numbers it would force people to support variable number of chars |
| 09:59 | smaug____ | assumes there isn't still any consensus about throwing from methods which return a Promise |
| 10:27 | <annevk> | smaug____: there is, they reject |
| 10:28 | <jgraham> | MikeSmith: Yeah, I can hook up critic |
| 10:28 | <jgraham> | annevk: Seems more like "consensus amongst the people who agree" :) |
| 10:29 | <annevk> | jgraham: Hixie changed the spec |
| 10:32 | <jgraham> | OK |
| 10:38 | <smaug____> | annevk: ? |
| 10:39 | <smaug____> | invalid params sure throw in bindings level |
| 10:39 | <annevk> | smaug____: no they don't |
| 10:40 | <smaug____> | whaat? |
| 10:40 | <annevk> | RTFS? |
| 10:40 | <smaug____> | Say I have some Promise<foo> addNode(Node foo); and call addNode(window); |
| 10:41 | <Ms2ger> | smaug____, that rejects the promise |
| 10:41 | <smaug____> | the exception would be reported using a Promise? |
| 10:41 | <smaug____> | that is crazy |
| 10:41 | <smaug____> | totally crazy |
| 10:41 | <Ms2ger> | smaug____, Hixie has been fighting that for months |
| 10:41 | <Ms2ger> | smaug____, but the people who agree agree this is best |
| 10:42 | <smaug____> | the the param validation depends on whether the method returns a Promise or not? |
| 10:42 | <smaug____> | that would be horrible inconsistency |
| 10:42 | <Ms2ger> | Correct |
| 10:43 | <smaug____> | this Promise nonsense is going too far ;) |
| 10:52 | <smaug____> | totally crazy |
| 10:53 | smaug____ | should stay away from APIs using Promises |
| 11:01 | <smaug____> | soo crazy |
| 11:02 | <smaug____> | now code may end up doing random stuff after calling some method, since the basic param validation related error is reported asynchronously |
| 11:03 | <smaug____> | such basic error should be caught as early as possible, to prevent anything else to happen |
| 11:50 | <zcorpan> | Hixie: opera mobile and blackberry browser are not in the caniuse boxes. |
| 12:06 | <jgraham> | zcorpan: Hixie said he limited to 12 by marketshare. Not sure why if there are only 14 |
| 12:28 | <MikeSmith> | jgraham: what were you saying about PFWG earlier? something about consensus? |
| 12:28 | <annevk> | darobin: https://github.com/jan-ivar/mediacapture-main/commit/9e472bd2fa7894d89af6fe3c6a5340d5a90a36a5 |
| 12:33 | <zcorpan> | mathiasbynens: https://mathiasbynens.be/notes/html5-details-jquery doesn't have a green lock |
| 12:34 | <annevk> | Hmm, different browsers using different security indicators is not great |
| 12:35 | <erlehmann> | i bet you only have to have a lock icon as a favicon or something |
| 12:37 | <erlehmann> | http://www.troyhunt.com/2011/07/padlock-icon-must-die.html |
| 12:43 | <zcorpan> | erlehmann: browsers don't put the favicon in the address bar these days, do they? |
| 12:44 | <erlehmann> | zcorpan i bet you can have the lock anywhere :D |
| 12:44 | <erlehmann> | and i don't know, let me check |
| 12:44 | <erlehmann> | i use conkeror |
| 12:45 | <zcorpan> | wonder if there's a lock in unicode. a green lock would be nice for a subdomain |
| 12:45 | <erlehmann> | fortunately i happen to be an expert on the topic |
| 12:45 | <caitp> | "It�s easy � if you want to provide assurance regarding TLS, direct users to inspect the certificate in the browser." |
| 12:46 | <caitp> | > things that your grandma will not do |
| 12:46 | <zcorpan> | U+1F512 |
| 12:47 | <erlehmann> | zcorpan look lower left http://daten.dieweltistgarnichtso.net/pics/icons/unifont-symbols-emoji.png |
| 12:47 | <erlehmann> | 🔒 displays fine here |
| 12:47 | <erlehmann> | thanks to GNU unifont! :D |
| 12:48 | <erlehmann> | i hope my trollface gets merged :3 |
| 12:49 | <zcorpan> | seems it gets punycoded in the address bar |
| 12:50 | <erlehmann> | yeah, otherwise homoglyph attacks would be easy |
| 12:50 | <annevk> | I don't really agree with that post that you have to inspect the certificate |
| 12:50 | <zcorpan> | but you could put it path or query |
| 12:51 | <zcorpan> | http://example.org/🔒 |
| 12:51 | <erlehmann> | is shown percent encoded here |
| 12:51 | <erlehmann> | good! |
| 12:52 | <zcorpan> | not in opera/firefox/chrome |
| 12:54 | <annevk> | erlehmann: no disagreement though that this is hard for users |
| 12:55 | <annevk> | erlehmann: security UI needs to get better |
| 12:55 | <annevk> | zcorpan: might be worth filing a bug on that |
| 12:55 | <zcorpan> | annevk: yeah |
| 12:55 | <annevk> | I wonder if we should perhaps also color the chrome in addition to displaying a lock. |
| 12:56 | <caitp> | > accessibility issues |
| 12:56 | <caitp> | > people writing addons to circumvent it anyways |
| 12:56 | <annevk> | caitp: those issues apply to the icon-based solution we have today as well |
| 12:57 | <caitp> | well, yes |
| 12:57 | <annevk> | I'd imagine VoiceOver or some such would read out the address bar as "Secure www.example.org" |
| 12:57 | <caitp> | something that isn't too intrusive into the UI, but is noticeable enough to alert non tech-savvy users |
| 12:58 | <erlehmann> | users can and will do whatever they want |
| 12:58 | <caitp> | the thing is that you don't want to encourage people to shoot themselves in the foot |
| 12:59 | <caitp> | intrusive UI has that effect, because people will prioritize not having their eyes damaged over being safe from things they don't understand |
| 12:59 | <erlehmann> | indeeds |
| 12:59 | <erlehmann> | but the https cert warning is intrusive UI designed to let you be safe if you don't know |
| 13:00 | <erlehmann> | i hope notifications do not become a thing |
| 13:00 | <erlehmann> | otherwise the web is set up for the bubble apocalypse of windows xp days |
| 13:00 | <erlehmann> | where every application was thinking it has so important things to say! |
| 13:03 | <caitp> | aren't notifications already a thing? ios and android never seem to shut up with those :p |
| 13:03 | <annevk> | erlehmann: they're opt-in so if you don't like them you just ignore the request |
| 13:05 | <erlehmann> | annevk each and every opt-in solution can and will be abused. i can imagine “enable notifications to see this site” or even “enable media device access to see this site” to be as abusive as “enable javascript to see this static text so we can track you reliably” |
| 13:05 | <erlehmann> | i bet someone will do this |
| 13:06 | <darobin> | annevk: you want [mixed-content] |
| 13:06 | <darobin> | annevk: it depends on specref |
| 13:06 | <erlehmann> | caitp i mean web notifications. and yes, i hate those. the gnu/linux notify infrastructure though is surprisingly good. |
| 13:07 | <darobin> | annevk: if you open up any ReSpec document, in the top right menu there's a search option. If you search for "mixed content" you'll see all the available references in specref |
| 13:07 | <zcorpan> | "like us on facebook to see this site" |
| 13:07 | <erlehmann> | zcorpan exactly |
| 13:07 | <mathiasbynens> | zcorpan: thanks; fixed |
| 13:07 | <erlehmann> | btw, annevk, i do not think it is always possible to be notified when a notification closes. if i am not mistaken, on linux notifications are usually fire-and-forget. |
| 13:08 | <caitp> | well web notifications have already shipped, so I mean |
| 13:08 | <erlehmann> | on gnu/linux desktop systems at least |
| 13:08 | <erlehmann> | caitp yeah, so i just hope they do not become popular |
| 13:08 | <caitp> | facebook and twitter aren't using them yet so most people are probably okay for now :p |
| 13:08 | <erlehmann> | it is certainly possible for useful features that are widely supported to not be popular at all. |
| 13:09 | <annevk> | darobin: okay, left a comment there with that, thanks |
| 13:09 | <erlehmann> | like, a web dev i know had a startup but was amazed when i showed him you don't have to scrollTo some element but can use fragments :D |
| 13:09 | <erlehmann> | s/had/has/ |
| 13:10 | <mathiasbynens> | as for browser security UI, I might be biased but I really like the way Opera does it |
| 13:10 | <mathiasbynens> | HTTPS with mixed content gets same UI as HTTP |
| 13:10 | <erlehmann> | how does opera |
| 13:10 | <erlehmann> | notify-send(1) gives me an urgency level (low, normal, critical), an expiration timer, an icon and a category. |
| 13:14 | <annevk> | mathiasbynens: so I have Opera Next 12.15 and when I search for updates it tells me I have the latest copy |
| 13:15 | <mathiasbynens> | annevk: i know ಠ_ಠ it confuses users daily. there’s an open bug on it |
| 13:15 | <annevk> | mathiasbynens: is there a dev channel I should get instead? |
| 13:16 | <mathiasbynens> | annevk: linux? yeah |
| 13:16 | <erlehmann> | only lower-class operating systems do not have functional package management |
| 13:16 | <mathiasbynens> | annevk: http://www.opera.com/developer |
| 13:16 | <mathiasbynens> | (http://, i know, there’s a bug on that too) |
| 13:16 | <annevk> | better fix it |
| 13:17 | <annevk> | filed a couple on Mozilla too to force TLS |
| 13:18 | <annevk> | mathiasbynens: Opera is inconsistent; for EV it shows a trailing slash, when there's no EV (TLS or no TLS does not matter) it shows no trailing slash; |
| 13:19 | <annevk> | mathiasbynens: good that it hides https:// though |
| 13:20 | <mathiasbynens> | ah, there’s a setting to override that and show the scheme anyway, which I have enabled |
| 13:20 | <mathiasbynens> | annevk: example host with no EV? |
| 13:20 | <annevk> | mathiasbynens: html5.org |
| 13:20 | <annevk> | ooh |
| 13:21 | <annevk> | I clicked the twitter link on the start page |
| 13:21 | <annevk> | which goes to /?partner=opera |
| 13:21 | <annevk> | and then Opera hides the ?partner=opera bit |
| 13:21 | <annevk> | but forgets about the / |
| 13:21 | <mathiasbynens> | heh |
| 13:21 | <annevk> | which would otherwise be hidden |
| 13:22 | <annevk> | sneaky |
| 13:22 | <annevk> | and arguably buggy |
| 13:23 | <annevk> | I think I still like Safari on iOS8 the best, although I haven't seen it on an iPad |
| 13:57 | <Manishearth> | Hixie: https://html.spec.whatwg.org/multipage/forms.html#dom-fs-target |
| 13:57 | <Manishearth> | should that^ say "limited only to allowed values"? |
| 13:57 | <Manishearth> | also, whatwg down |
| 13:58 | <zcorpan> | Manishearth: no, a browsing context name can be anything |
| 13:58 | <zcorpan> | not down for me |
| 13:59 | <Manishearth> | zcorpan: okay, thanks |
| 13:59 | <Manishearth> | zcorpan: A valid browsing context name is any string with at least one character that does not start with a U+005F LOW LINE character. |
| 14:00 | <Manishearth> | if we include keywords, that adds _blank, _self, _parent, or _top. |
| 14:00 | <Manishearth> | apparently it just reflects in Gecko though |
| 14:03 | <jgraham> | hsivonen: Making compat decisions based on Presto is at least a little bit suspect :p |
| 14:20 | <erlehmann> | _ |
| 14:34 | <Manishearth> | zcorpan: "The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces." |
| 14:34 | <Manishearth> | what happens if I specify an invalidURL? |
| 14:35 | <zcorpan> | Manishearth: what you quoted is author requirement |
| 14:35 | <Ms2ger> | Manishearth, doesn't apply to you |
| 14:35 | <Manishearth> | Ms2ger: as in? |
| 14:35 | <Manishearth> | ah |
| 14:39 | <Manishearth> | Ms2ger: Gecko seems to behave differently from this spec |
| 14:39 | <Manishearth> | form.action="foo"; form.action |
| 14:39 | <Ms2ger> | Possible |
| 14:39 | <Manishearth> | will return baseurl/foo |
| 14:39 | <Ms2ger> | Sounds correct |
| 14:39 | <Manishearth> | whereas the spec says that it should just reflect the content attribute |
| 14:39 | <Manishearth> | (which is "foo") |
| 14:39 | <Ms2ger> | Well, see |
| 14:39 | <Ms2ger> | "reflect" means a lot of things |
| 14:39 | <Manishearth> | bah |
| 14:40 | <Manishearth> | https://html.spec.whatwg.org/multipage/infrastructure.html#reflect |
| 14:40 | <Ms2ger> | Annoyingly, reflecting URLs is the only case where UA requirements depend on author requirements |
| 14:40 | <Ms2ger> | (AFAIK) |
| 14:51 | <annevk> | Ms2ger: what do you mean? |
| 14:52 | <Ms2ger> | annevk, https://html.spec.whatwg.org/multipage/infrastructure.html#reflect says something along the lines of "If there is an authoring requirement that the attribute contains a URL, resolve etc" |
| 14:53 | <annevk> | I see. We should have IDL extensions for reflection imo |
| 14:54 | <Ms2ger> | Dunno about that |
| 16:44 | <Hixie> | zcorpan: 34-37 were only limited support |
| 16:45 | <Hixie> | zcorpan: it's limited to 12 browsers by usage share. I thought there were only 11 though. There's 14? |
| 16:45 | <Hixie> | zcorpan: are the two with minimal usage share worth mentioning? |
| 16:47 | <zcorpan> | Hixie: right so it should say 38, not 40 |
| 16:47 | <zcorpan> | Hixie: video also says 40 |
| 16:49 | <zcorpan> | Hixie: maybe top 12 is OK |
| 16:55 | <annevk> | WebRTC WG :-( |
| 16:56 | <annevk> | Also o_O |
| 16:59 | <Hixie> | zcorpan: ? |
| 16:59 | <Hixie> | zcorpan: oh |
| 16:59 | <Hixie> | hm |
| 16:59 | <Hixie> | odd |
| 16:59 | <Hixie> | oh |
| 16:59 | <Hixie> | hey can you file a bug on it to remind me to look at it after this meeting? |
| 17:00 | <Hixie> | i can reply to w3process e-mails but actually coding requires me to concentrate |
| 17:03 | <annevk> | Hixie: you have meetings? |
| 17:06 | <Hixie> | annevk: it happens |
| 17:49 | <zcorpan> | Hixie: reminder |
| 18:37 | <miketaylr> | annevk: zcorpan: added HTTPS/TLS to webcompat.com |
| 18:38 | <miketaylr> | thx for the gentle reminder |
| 19:07 | <annevk> | miketaylr: cool, also HSTS? |
| 19:09 | <miketaylr> | annevk: yes, minus includeSubdomains |
| 19:09 | <miketaylr> | (for now) |
| 19:09 | <annevk> | miketaylr: I could get you a wildcard certificate (or one with several alternative names |
| 19:09 | <annevk> | miketaylr: from StartSSL |
| 19:09 | <miketaylr> | that would be sweet |
| 19:09 | <miketaylr> | i used the free one from StartSSL |
| 19:09 | <annevk> | miketaylr: just need to forward hostmaster@ email to me and then we need to figure out how to exchange a key |
| 19:09 | <miketaylr> | k, traveling tomorrow for a conf but will try to do that on Thurs |
| 19:09 | <miketaylr> | thx annevk |
| 19:10 | <annevk> | miketaylr: having said that, if you have several domains yourself it might be better if you do it or get Mozilla IT to manage it |
| 19:10 | <annevk> | miketaylr: otherwise in two years time we'll have to this dance again and not forget about it |
| 19:11 | <miketaylr> | annevk: yeah... or the other option is for me to just buy it and expense it |
| 19:11 | <miketaylr> | and then in theory transfer it to moz within 2 years |
| 19:11 | <miketaylr> | cost isn't really an issue |
| 19:12 | <miketaylr> | should probably just do that. |
| 19:27 | <iamstef> | Hey All |
| 19:28 | <iamstef> | loading WebWorker via CORS seems to be a pain point currently, is this a spec or implementors concern? |
| 19:29 | <aklein> | Hixie: g'afternoon, just saw your answer from last night about foster parenting into DocumentFragments. |
| 19:30 | <aklein> | Hixie: both Blink and Gecko, despite supporting template parsing, won't foster parent into non-template DocumentFragments. I wonder if this needs to be captured in the spec |
| 19:30 | <iamstef> | seems like a spec thing |
| 19:32 | <Domenic> | annevk: Hixie: see iamstef's question. An interesting intersection of Fetch and HTML. |
| 19:44 | <Hixie> | aklein: oh the template document fragments are considered special? that's odd |
| 19:44 | <Hixie> | i wonder if the spec says that |
| 19:44 | <Hixie> | it might |
| 19:44 | <Hixie> | iamstef, Domenic: i thought i had a bug tracking the idea of cross-origin workers |
| 19:45 | <Hixie> | iamstef, Domenic: but i can't find it. maybe it was just e-mail. |
| 19:45 | <iamstef> | Hixie: i was surprised when i realized CORs wasn’t an option |
| 19:46 | <Domenic> | Hixie: iamstef found it. It's hard-coded to same-origin with no CORS provisions in the spec. Seems like it should just use Fetch in some way. |
| 19:46 | <Domenic> | s/found it/found the answer to his question/ |
| 19:46 | <Hixie> | the idea is that if you fetch cross-origin, it should instantiate a worker in that origin |
| 19:46 | <Hixie> | but it's not specced |
| 19:46 | <Domenic> | hmm |
| 19:46 | <Hixie> | i thought there was an open bug on that |
| 19:46 | <Hixie> | but can't find it |
| 19:46 | <Domenic> | why not just treat it as if they had XHRed the code from the other origin and then instantiated with a data URL |
| 19:47 | <iamstef> | Domenic: i could see desire for both |
| 19:47 | <iamstef> | especially when you are using a WW to handle/maintain data flow with something. |
| 19:47 | <iamstef> | where it would be lovely if it was origined to the origin it came from |
| 19:48 | <iamstef> | so i think ^^ sounds goo for scriptURL |
| 19:48 | <iamstef> | building a WW from a blob resulting in same origin also makes sense? |
| 20:08 | <Hixie> | Domenic: the idea is to make it possible to have remote services, essentially |
| 20:08 | <Domenic> | Hixie: yeah makes a lot of sense |
| 20:33 | <caitp> | This function belongs to HUMANITY not to Google !!!! |
| 20:33 | <Hixie> | oh ffs, bugzilla changd to require a token during LOGIN?! |
| 20:34 | <boogyman> | Hixie: probably temporary while the zero-day is fixed |
| 20:36 | <aklein> | Hixie: I haven't looked at the Gecko code to see how they get special-cased there. in the Blink parser it's really hacky (and thus was the source of my <template><a><table><a> bug) |
| 20:37 | <jamesr__> | HUMANITY must be a blocking operation |
| 20:37 | <Hixie> | aklein: sounds like a good reason not to have the limitation |
| 20:37 | <Hixie> | boogyman: zero-day? |
| 20:38 | <boogyman> | https://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/ |
| 20:38 | <Hixie> | <input type="hidden" name="Bugzilla_login_token" |
| 20:38 | <Hixie> | value=""> |
| 20:38 | <Hixie> | wtf |
| 20:39 | <jamesr__> | can't scrape it any more? |
| 20:39 | <boogyman> | essentially anyone could sign up with an "origin server" domain address and be privy to critical security bugs. |
| 20:40 | <Hixie> | i don't understand what token it wants |
| 20:40 | <Hixie> | boogyman: ah, yeah, i see |
| 20:41 | <Hixie> | i don't understand how to log in any more |
| 20:41 | <Hixie> | sigh |
| 20:41 | <boogyman> | You should file a bug in … oh wait. Anyone here from Mozilla? |
| 20:42 | <boogyman> | Hopefully it's temporary while they implement a domain owner check. |
| 20:43 | <caitp> | there are mozillers in here |
| 20:43 | <Hixie> | i mean i can log in fine myself |
| 20:43 | <Hixie> | hm |
| 20:43 | <Hixie> | actually |
| 20:43 | <Hixie> | let me check that i can... |
| 20:44 | <Hixie> | yeah i can |
| 20:45 | <Hixie> | so wtf |
| 20:45 | <Hixie> | omg, i wonder if some accounts are given a higher level of security or something |
| 20:46 | <TabAtkins> | Per that article, Mozilla does not attach security-bug credentials to domains, but it does expose *some* private bugs based on domain. |
| 20:50 | <smaug____> | based on domain? |
| 20:51 | <TabAtkins> | Domain of the email on the account. |
| 20:51 | <smaug____> | ah, sort of, mozilla.com |
| 20:51 | <TabAtkins> | YTeah |
| 20:51 | <smaug____> | hmm |
| 20:51 | <smaug____> | I doubt it is really that way |
| 20:53 | <jgraham> | http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/ |
| 20:54 | <smaug____> | oh, it is |
| 20:54 | <smaug____> | that is surprising |
| 20:54 | <Hixie> | when my script tries to log in, it gets "Untrusted Authentication Request" |
| 20:54 | <smaug____> | since I think moco addresses have been used for non-employee cases too |
| 20:54 | <smaug____> | oh well |
| 20:54 | <jgraham> | Well also there are lots of employees using non-moco addresses |
| 20:54 | <jgraham> | In bugzilla |
| 20:55 | <smaug____> | indeed |
| 20:56 | <smaug____> | which is why it feels a bit odd if the email address itself would give some permissions |
| 20:56 | <smaug____> | I guess I could create a dummy account using moco address and test |
| 21:21 | <annevk> | miketaylr: also gives you TLS for your other domains more easily |
| 21:21 | <annevk> | miketaylr: if you have a phone bill and some ID documents it's really quite easy, otherwise it goes through a letter and takes a little longer, still not a big deal though |
| 21:35 | <annevk> | http://dev.w3.org/html5/2014/10/url-ref.html o_O |
| 21:35 | <annevk> | There's a lot of mistakes there |
| 21:35 | <annevk> | But, also, bed > 386 |
| 21:58 | <caitp> | is there a reason why nobody seems to implement the title parameter of history.pushState() yet? |
| 21:59 | <caitp> | or rather, why everybody ignores it* |
| 21:59 | <caitp> | sort of puzzling :> |
| 22:06 | <Hixie> | caitp: it shouldn't be there |
| 22:07 | <Hixie> | caitp: but we couldn't remove it once we realised that |
| 22:07 | <Hixie> | caitp: because people already used the first and third arguments |
| 22:07 | <caitp> | why shouldn't it? |
| 22:07 | <Hixie> | it's redundant with document.title, which is the better place for this |
| 22:08 | <caitp> | except that setting document.title doesn't affect the history list in any browser |
| 22:08 | <caitp> | so you end up with a huge list of items which all look the same |
| 22:08 | <caitp> | that kind of sucks |
| 22:09 | <caitp> | (eg holding down the back button in chrome) |
| 22:09 | <caitp> | well, I'm wrong, it does in FF nightly |
| 22:10 | <caitp> | but honestly that's probably not a very good behaviour |
| 22:10 | <caitp> | since the title as it appears in history should really be the initial title of the document, to avoid confusion imo |
| 22:10 | <caitp> | (or the initial title of the state) |
| 22:11 | <caitp> | the two things shouldn't be considered redundant even if one of them does end up using the other :p |
| 22:12 | <caitp> | probably too late to fix that now though :( |
