| 05:35 | <annevk> | Dominic Farolino: yeah, during navigation the environment settings object is not yet established, it's just an environment |
| 05:37 | <Dominic Farolino> | Ah right |
| 05:40 | <Dominic Farolino> | Does this highlighted sentence seem wrong to anyone? https://w3c.github.io/IntersectionObserver/#:~:text=Any%20target%20of%20an%20explicit%20root%20observer%20is%20also%20a%20same-origin-domain%20target. It is saying that anytime you explicitly provide a root, the target is a same-origin-domain-target. But you can explicitly provide a root within cross-origin iframes, a context where no target will ever be a same-origin-domain target |
| 06:43 | <annevk> | Dominic Farolino: I don't see how the constructor sets root so it's hard to tell |
| 06:43 | <annevk> | Dominic Farolino: but per the assertions around that I guess the root has to be in the same document as the relevant global object's document, maybe? |
| 06:59 | <annevk> | But assuming the root passed is the root and a target has to be in the same document as that root, the statements do follow I suppose |
| 06:59 | <annevk> | emilio would know better 😊 |
| 11:58 | <annevk> | Jake Archibald: for setting Range, what is novel here? 1) You get more control over the value than you can get with media elements. This should be okay. 2) You get to set the other safelisted headers as part of a range request. This should be okay? 3) You get to POST a range request. Is this okay? I think it would be good to write a comment along these lines, perhaps in the original issue, to ensure we're not missing a security issue. |
| 12:08 | <Jake Archibald> | Shall do |
| 12:51 | <annevk> | Noam Rosenthal: I think I got all of them now, didn't immediately have feedback on your preload/cache analysis; looks promising though |
| 13:57 | <Dominic Farolino> | yes explicit roots have to be in the same document as the IntersectionObserver. It's just that no target will ever be same-origin-domain, since that specifically compares with top-level origin. I've checked with the author and he agrees it is worded wrong; I'll fix it |
| 14:30 | <Noam Rosenthal> | thanks @annevk; yes, preload is a bigger discussion, planning to have it as an agenda item in one the web performance work group meetings this month. |
| 14:55 | <zcorpan> | https://github.com/whatwg/html/issues/7116#issuecomment-928659511 -- I couldn't find the issue about clarifying document conformance requirements vs UA conformance requirements now, but did we conclude how to deal with cases like this? |
| 14:58 | <annevk> | zcorpan: I don't think we have a plan as of yet |
| 15:02 | <annevk> | The main thing I can think of is to split each element section into two sections, one for authors and one for implementers |
| 15:02 | <annevk> | And to merge "Obsolete features" back into the main body of the specification |
| 15:03 | <annevk> | Well, maybe only the bits there with impl requirements |
| 15:29 | <zcorpan> | annevk: that sounds reasonable |
| 15:44 | <Jake Archibald> | annevk: I'm feeling CORS-stupid. Can Access-Control-Allow-Methods be used to allow a method of foo? |
| 15:45 | <Jake Archibald> | I think I'm struggling to read 7.5 https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 |
| 15:48 | <Jake Archibald> | ah, ignore me, I think I've ran into a Chrome bug |
| 15:51 | <Jake Archibald> | lol, yeah, if the method is foo, Chrome requires the preflight to be Access-Control-Allow-Methods: FOO |
| 15:53 | <Jake Archibald> | That's a security bug in some ways. But it's an edge case. |
| 15:55 | <Jake Archibald> | https://bugs.chromium.org/p/chromium/issues/detail?id=1228178 |
| 16:12 | <annevk> | Jake Archibald: I'm surprised that doesn't fail a bunch of WPT tests |
| 16:12 | <Jake Archibald> | Same |
| 16:27 | <annevk> | I created https://github.com/web-platform-tests/wpt/pull/30998 to fill that gap and Dominic Farolino kindly reviewed. Could do with more tests though. |
| 17:45 | <Jake Archibald> | annevk: does that test the case where Access-Control-Allow-Methods: FOO should not allow a method of foO? |
| 17:45 | <Jake Archibald> | That's what Chrome is failing right now |