| 16:01 | <Domenic> | annevk: for the Origin-Isolation header PR should I use "Is URL potentially trustworthy" like the COOP PR currently does? Or are we going to create some new environment-accepting algorithm? |
| 16:02 | <annevk> | Domenic: https://github.com/whatwg/html/issues/5558 |
| 16:03 | <Domenic> | I'm not sure how that answers my question... |
| 16:04 | <annevk> | Domenic: well that's my progress towards addressing the second question |
| 16:04 | <Domenic> | Got it |
| 16:04 | <Domenic> | annevk: I guess my question is more, is using potentially-trustworthy URL incorrect? Or is it a reasonable thing to do for now, and we can maybe replace it later? |
| 16:04 | <annevk> | But it requires changes to Shivani's work which isn't great |
| 16:04 | <annevk> | (in terms of timing) |
| 16:05 | <annevk> | Domenic: it's reasonable for a top-level navigation |
| 16:06 | <annevk> | I don't have Origin-Isolation paged in entirely |
| 16:06 | <Domenic> | Oh, OK, so not great for origin-isolation. |
| 16:07 | <annevk> | Domenic: if you have a handle to the top-level document you could use it, but it might end up looking ungainly |
| 16:07 | <Domenic> | I see |
| 16:08 | <Domenic> | Maybe I should just try to help out with 5558... |
| 16:08 | <annevk> | Domenic: review would be nice 🙂 |
| 16:08 | <Domenic> | 5558 is complicated though :( |
| 16:09 | <annevk> | Effectively it's merging target top-level origin and top-level origin (and place them both on environment) and adding top-level creation URL |
| 16:10 | <Domenic> | So the reason we need top-level creation URL is because we want pages which are top-level data: or top-level about:blank to make all their descendants count as secure contexts? |
| 16:13 | <Domenic> | annevk: ^ |
| 16:13 | <annevk> | Domenic: hmm maybe we don't need it then though then you have top-level origin potentially switching between two origins rather than null and an origin |
| 16:14 | <annevk> | Domenic: I hadn't looked too closely at what the URL secure contexts thing did, I just saw that the environment thing was using it |
| 16:14 | <Domenic> | Cool, glad to be helpful |
| 16:14 | <annevk> | Domenic: in fact, if we go with top-level document decides we could drop it entirely, which is nice |
| 16:14 | <Domenic> | annevk: switching between two origins seems closer to what I'm understanding of the implementation |
| 16:15 | <annevk> | Domenic: oh wait, an opaque origin doesn't have a scheme |
| 16:15 | <annevk> | Domenic: so if the the top-level is sandboxed, how would you tell it's secure? |
| 16:15 | <Domenic> | How can the top-level be sandboxed? |
| 16:15 | <Domenic> | <iframe sandboxed>, right? |
| 16:16 | <annevk> | Domenic: CSP: sandbox |
| 16:16 | <Domenic> | Ah |
| 16:16 | <annevk> | Domenic: I guess in theory that would create an insecure context, but I doubt that's what we want |
| 16:16 | <Domenic> | Looks like currently the Secure Contexts specs says it's insecure, yeah. |
| 16:16 | <Domenic> | I.e. "Not Trustworthy" |
| 16:17 | <annevk> | The number of yaks to shave is too damn high |
| 16:17 | <Domenic> | Oh, no, it says the URL is "Not Trustworthy", but the "Is environment a secure context?" returns "Secure", I think. |
| 16:17 | <Domenic> | It doesn't bother checking the URL or origin if sandboxed origin browsing context flag is set. |
| 16:18 | <annevk> | aaah right |
| 16:18 | <annevk> | and that's why we need top-level creation URL |
| 16:18 | <annevk> | 🙂 |
| 16:18 | <Domenic> | It is? |
| 16:18 | <annevk> | I think so, because then you don't use an opaque origin but instead use the real URL |
| 16:18 | <annevk> | which will be secure |
| 16:18 | <Domenic> | Oh, step 5.3 |
| 16:19 | <annevk> | Note that I simplified that a bit in https://github.com/w3c/webappsec-secure-contexts/pull/75 |
| 16:19 | <Domenic> | annevk: I'm inclined to let Shivani finish her PR using top-level origin, then just work on top of that as we need to, in a behavior-preserving way? |
| 16:20 | <annevk> | well, how many concepts do we want to end up with? |
| 16:20 | <annevk> | so then we have target top-level origin and top-level origin, which have some overlap |
| 16:20 | <annevk> | and we'll need top-level creation URL for secure contexts |
| 16:21 | <annevk> | gotta go for a bit |
| 16:21 | <Domenic> | That seems acceptable to me, and then if we find a simplification we can do another PR on top of it to narrow them down |
| 16:21 | <Domenic> | Or we can convert top-level origin into top-level URL as part of our secure contexts fixup PR, but it can be our responsibility to do so in a way that preserves the behavior Shivani's PR introduces |
| 16:50 | <annevk> | Yeah, I guess if Shivani is okay with this setup I can put some time into making it work |
| 16:51 | <annevk> | I'd rather not clean up afterwards as I'm somewhat afraid there'll be many incoming references to these things |
| 16:56 | <annevk> | Also put that in the issue |
| 18:08 | <annevk> | Domenic: can you merge https://github.com/whatwg/infra/pull/306 so it gets picked up tonight? |
| 18:08 | <Domenic> | Done, sorry that slipped through |
| 18:19 | <annevk> | Domenic: thanks, the Web storage thing is ready for hot takes btw |
| 18:20 | <annevk> | I think that's all I got to today more or less |
| 18:22 | <Domenic> | Sounds good |
| 18:45 | <Domenic> | Why is disowned separate from opener = null again? |
| 18:47 | <annevk> | Domenic: isn’t it the result of setting to null? |
| 18:47 | <Domenic> | annevkL We have two states on WindowProxy: opener BC, which can be either null or a BC, and disowned, a boolean. |
| 18:48 | <Domenic> | It looks like "familiar with" consults opener BC and disregards disowned. |
| 18:49 | <annevk> | I don’t recall. Familiar with is 313 iirc |
| 18:50 | <Domenic> | Nice recall |
| 22:25 | <saber1> | Domenic: I haven't created a issue about this because I wonder if I missed something obvious. Say the dialog is vertical (means `top:0, bottom:0`) , if we do `window.scroll(0, 2000); dialog.showModal()`, to make it's centered, we'd need to change the `top` value. Don't you feel this is a bit odd? |
| 22:25 | <Domenic> | saber1: what is odd about it? |
| 22:26 | <saber1> | Domenic: top is set to 0 by `inset-inline-start`? |
| 22:26 | <Domenic> | Sure, but that's just the UA stylesheet. Centered alignment mode overrides that. |
| 22:34 | <saber1> | okay..let me think about this a bit more... |