| 06:21 | <JakeA> | Krinkle: wow, that's brilliant! Thanks for digging |
| 08:13 | <JakeA> | Given that NN2 shipped both JS and frames, I guess that's where it all began |
| 10:01 | <annevk> | Oh wow, that tainting seems horrible |
| 10:02 | <annevk> | I guess we still have tainting with <canvas> these days and it's a constant source of bugs |
| 10:02 | <annevk> | Thanks Krinkle for all these links 🙂 |
| 10:15 | <domfarolino> | I feel like this hasn't happened in a long time: https://github.com/whatwg/html/issues/5295 |
| 10:26 | <annevk> | domfarolino: that's a 404 for me |
| 10:29 | <domfarolino> | annevk: I figured you or someone deleted it after I closed it. It was some nude picture scam BS |
| 10:30 | <annevk> | domfarolino: did you report them to GitHub? |
| 10:31 | <annevk> | I mostly report to GitHub and let them decide what to do |
| 10:31 | <annevk> | Though I haven't seen any pictures thus far, mostly text-based spam |
| 10:32 | <domfarolino> | annevk: No I didn’t think of that. Good idea tho. Can’t remember the username, but maybe someone subscribed has it in an email/notification. |
| 10:32 | <domfarolino> | annevk: ya the profile pic was.. “explicit”, and rest was a bitly link lol |
| 10:35 | <domfarolino> | It’d be cool if there was a GitHub label that when applied, auto-reported to GH |
| 10:37 | <annevk> | I don't understand why there's no "flag as spam" button, but I guess it'd probably be abused |
| 10:59 | <domfarolino> | I guess then the GitHub triagers would need an internal "flag as spam" button on the spam entries themselves, to sift through the abuse :p |
| 16:37 | <smaug____> | annevk: hmm, https://dom.spec.whatwg.org/#converting-nodes-into-a-node |
| 16:37 | <smaug____> | should that also deal with throwing |
| 16:37 | <smaug____> | related to https://github.com/whatwg/dom/pull/835 |
| 16:38 | <annevk> | smaug____: https://infra.spec.whatwg.org/#algorithm-control-flow |
| 16:39 | <smaug____> | annevk: ok, then I don't understand your comment in https://github.com/whatwg/dom/pull/835https://github.com/whatwg/dom/pull/835 |
| 16:39 | <smaug____> | er, https://github.com/whatwg/dom/pull/835 |
| 16:39 | <annevk> | smaug____: the conversion algorithm only takes place if there's multiple nodes, iirc |
| 16:39 | <annevk> | smaug____: so if you pass a single DocumentType, it'd get through |
| 16:40 | <annevk> | and "replace all" is not prepared to deal with a DocumentType |
| 16:40 | <annevk> | (or Document) |
| 16:40 | <smaug____> | annevk: I was just comparing to append() |
| 16:41 | <annevk> | smaug____: append() invokes append, which does deal with those corner cases |
| 16:41 | <smaug____> | uh |
| 16:42 | <annevk> | smaug____: replace all invokes insert, https://dom.spec.whatwg.org/#concept-node-append invokes pre-insert (which does validity checks) |
| 16:42 | <smaug____> | ok, sounds like there should be a variant of replace all which behaves similarly to append |
| 16:43 | <annevk> | smaug____: that'd be another way |
| 16:43 | <smaug____> | just to keep the pseudo-code somewhat consistent |
| 16:45 | <annevk> | smaug____: I'm not a big fan of the existing checks but there might well not be any shortcuts here |
| 16:45 | <annevk> | smaug____: one other way would be to always wrap things in a DocumentFragment |
| 16:46 | <annevk> | as replace all can deal with those due to innerHTML |
| 21:26 | <smaug____> | annevk: probably too late for you... |
| 21:26 | <smaug____> | https://html.spec.whatwg.org/#nonce-attributes again :) |
| 21:27 | <smaug____> | so whenever nonce is changed, the slot is changed |
| 21:27 | <smaug____> | Then later "Set an attribute value for element using "nonce" and the empty string." |
| 21:28 | <smaug____> | I assume somehow that latter 'Set an attribute value for element using "nonce" and the empty string.' isn't supposed to change the slot |
| 21:28 | <smaug____> | but I don't know how |
| 21:28 | <smaug____> | I'm probably missing something obvious here |
| 21:29 | <smaug____> | ah, hmm, the first one isn't about content attribute |
| 21:30 | <smaug____> | silly me |