04:10 | <Domenic> | Never too late to learn on the job :). I think a lot of us (not necessarily speaking for wanderview but at least for myself...) find it easier to review and guide than drive. |
05:10 | <dz85> | Hi, I'm new here, nice seeing u all. Could anyone tell me how we can find the roadmap for HTML6? thx. 🤝 |
07:28 | <annevk> | dz85: I encourage you to read https://whatwg.org/faq#living-standard and https://whatwg.org/faq#adding-new-features. We're mostly in the business of steady incremental improvement. |
11:27 | <freddy> | I was surprised to find out that the <svg><use> element is not really specified through fetch or some terms of "navigation". It also does not acknowledge that it is some sort of nested browsing context (or is it not?). |
11:28 | <freddy> | This is somewhat related to TrustedTypes experiencing bypasses with <use href="data:..."> and the question whether data should make things cross-origin? Discussion is in https://github.com/w3c/webappsec-trusted-types/issues/357 (scroll down) |
11:36 | <annevk> | freddy: I've not really played with svg:use much, but I think it fetches, parses into a tree, copies the tree, and it inserts it into a shadow root of sorts belonging to the svg:use. It has to use CORS (or be restricted in some way therefore). That also explains why data: URLs work I think as it doesn't create an execution environment (although in some ways it might arguably be close). |
11:47 | <freddy> | annevk: What exactly do you mean with "does not create an execution environment"? Scripts included in the external document do execute.. |
11:55 | <annevk> | freddy: yeah, but in the same way as <script> (I think), not <iframe> |
11:56 | <freddy> | mh, well scripts have always been loaded across origins (regardless of data), whereas documents loaded in an iframe via data do not share the same origin. maybe I don't follow? |
11:57 | <annevk> | In the sense that this doesn't create a new environment, but executes in the environment that used svg:use. |
12:01 | <freddy> | Yeah, that whole cloning logic via <use> doesn't really make it nested, right? On the one hand, data: should be safe to clone into the document (as per the same-origin policy) in comparison to a hosted foreign origin. But on the other hand, this is a weird primitive for security controls that can't track the origin of, say, event handler attributes after that clone. |
12:02 | <annevk> | If it was a nested browsing context the "used" scripts would see a document that's different from the svg:use document. That's not the case, right? I agree svg:use is weird. |
12:05 | <annevk> | And yeah, the rough policy we have for data: URLs is that if it creates a new authority it's an opaque origin and otherwise they become part of whatever used them. |
12:05 | <freddy> | fixing this with more weirdness is also undesirable. meh! Only thing I could think of would be "disallow data URLs", but that's probably annoying for image-related use cases.. |
12:06 | <freddy> | yeah and that policy makes sense for usages in images, but cloning a separate document into another is...unprecedented? :) |
12:07 | <annevk> | freddy: if CORS works here an attacker could also inject an HTTP URL, no? |
12:08 | <freddy> | You're right.. 😮 |
12:09 | <annevk> | To be clear, I haven't tested any of this and it might well be that browsers have varying levels of support here. SVG is unfortunately rather unloved. |
16:00 | <Domenic> | Oooh this is nice https://github.com/servo/rust-url/issues/742 |