| 02:17 | <sideshowbarker> | Domenic: For ReadableStream, do we have some specific tests for cross-origin requests? |
| 02:18 | <sideshowbarker> | I donโt see anything in https://github.com/web-platform-tests/wpt/tree/master/fetch/api/cors |
| 05:03 | <Domenic> | I'm not sure anyone actually implements readable stream request bodies so I suspect the test coverage is low. |
| 05:03 | <Domenic> | Hmm Safari I guess |
| 05:20 | <sideshowbarker> | Domenic: Iโm curious what (per spec) the preflight for ReadableStream request looks like |
| 05:21 | <sideshowbarker> | specifically, does Access-Control-Request-Headers include Transfer-Encoding |
| 07:46 | <annevk> | Thinking more about history.length, does it at some point return 50 and not increase beyond that? cc smaug Jake Archibald |
| 07:46 | <annevk> | Because if that's the case Navigation API dispose events would be a novel leak. |
| 08:06 | <annevk> | sideshowbarker: can you ban the spammer on https://github.com/w3c/webauthn/pull/1706 from the w3c org? |
| 08:29 | <sideshowbarker> | sideshowbarker: can you ban the spammer on https://github.com/w3c/webauthn/pull/1706 from the w3c org? |
| 08:40 | <Alex.hsu> | hi,all HMTL has different rendering in different versions of android or in different manufacturers android has different rendering?? |
| 08:45 | <smaug> | annevk: yes, 50 is the max length. After that adding new entries will cause old entries being dropped from the beginning. |
| 08:50 | <annevk> | smaug: and history.length will continue to return 50? So wouldn't that mean that any kind of math on top of history.length is super fragile already? |
| 08:51 | <smaug> | yes |
| 08:52 | <smaug> | it is, but is that been that way for ages. So I wouldn't be surprised if some site actually relies somehow on this behavior. |
| 08:54 | <smaug> | But I guess very few sites rely on history.length in any way. |
| 08:58 | <annevk> | smaug: but how can you rely on it given that past visits will influence what it returns (and whether it returns something meaningful) |
| 08:59 | <smaug> | you may rely on it on a newly opened windows. Or you may use it to check if there are web pages in history before your site |
| 08:59 | <annevk> | Either way, it does make me more concerned about dispose events when history.length === 50 |
| 09:02 | <annevk> | smaug: yeah, so for those cases Nika's suggestion would work. For each new origin/site it's either 1 or 2 depending on whether there was a prior site (and maybe limit that to "in the same top-level browsing context" so you get 1 if you COOP). |
| 09:03 | <smaug> | + you need to increase .length for your own navigations |
| 09:05 | <Jake Archibald> | good catch |
| 09:06 | <Jake Archibald> | I wasn't aware of the 50 limit |
| 09:06 | <smaug> | 50 was the limit already in Netscape 4.* https://bugzilla.mozilla.org/show_bug.cgi?id=62651#c14 |
| 14:09 | <annevk> | Nice of GitHub to start being flaky in the middle of a review |
| 15:21 | <Domenic> | I'm just accumulating issue comments which GitHub will not let me submit... :( |
| 15:39 | <Luca Casonato> | Sorry to poke again, but who can I get reviews on https://github.com/whatwg/webidl/pull/1098 from? Domenic annevk maybe? |
| 15:40 | <Luca Casonato> | I have a patch prepared for this change and the Response.json addition for Chromium, but I don't want to open any CLs until the spec changes have actually gone through |
| 15:46 | <Domenic> | Timothy Gu and Edgar Chen are the editors |
| 15:48 | <Luca Casonato> | Ah! I looked at the top of the spec, and didn't see an editor list, so I thought there was just none |
| 15:48 | <Luca Casonato> | but now I see that it is in the "Acknowledgements" section for WHATWG specs |
| 16:13 | <annevk> | Domenic: so is the dispose leak essentially only a thing when the user manually goes back or some such across a site boundary? (I'm assuming that we use least-recently-used as a removal policy.) |
| 16:14 | <annevk> | Still trying to wrap my head around this not so important leak. ๐ |
| 16:15 | <annevk> | Because if you're the latest you don't really get dispose events until you hit 50 yourself, I'm guessing. |
| 16:15 | <Domenic> | I'm not sure... how many frames are involved in your example? |
| 16:16 | <annevk> | Domenic: good question; I've really only considered this from the perspective of top-level documents trying to attack each other in some way. I'm not sure how much nested documents are at risk due to (eventual) partitioning. |
| 16:16 | <Domenic> | Like... if there's only one frame, then I feel like the same-origin contiguous boundary is pretty strong protection. |
| 16:17 | <Domenic> | The nested documents are where I can see actual leaks happening, because of the global shared resource that is these 50 entries. |
| 16:18 | <Domenic> | I guess maybe with one frame... you put in 49 entries for your site, the user goes cross-site for 5 entries, the user goes back go(-6), if you are somehow still in bfcache, now you get 4 dispose events which told you the user visited 5 cross-site pages before coming back? |
| 16:19 | <Domenic> | You could also tell that with history.state/fragments/etc. if you were willing to do your own go(-49), go(-48), etc. until only go(-45) succeeded. |
| 16:19 | <annevk> | Yeah, I guess even with partitioning nested documents could be problematic. An ad could fill up the entries (though this would require some interaction iirc) and then as the user same-document navigates it would get dispose events. |
| 16:21 | <Domenic> | (Or maybe browsers turn go(-49) into go(-45), you could also detect that.) |
| 16:22 | <annevk> | Yeah, it seems there's only a top-level leak if you go back, which seems pretty good. I'm not sure how concerned I am about the nested document leak as nested documents have all kinds of bad privileges already that we haven't tackled. |
| 16:22 | <Domenic> | And I think if we gave browser-UI-initiated cross-site (origin?) navigation its own separate 50-entry session that would tackle the worst case where you are tracking independent user action, instead of tracking something that happened because the user clicked a link you already control |
| 16:45 | <annevk> | Noam Rosenthal: I'm really surprised the local redefinition of fetch controller in the XHR PR doesn't cause issues; I guess Bikeshed is nice enough to let you do that kind of thing |
| 16:47 | <annevk> | Noam Rosenthal: regardless, I think I'll add a for= attribute now so it won't become an issue if things are moved around; I can take care of those edits. Thanks a lot for supplying the PR! |
| 16:55 | <Noam Rosenthal> | Noam Rosenthal: regardless, I think I'll add a for= attribute now so it won't become an issue if things are moved around; I can take care of those edits. Thanks a lot for supplying the PR! <dfn for> like fetch params's request it should be valid |
| 16:56 | <Noam Rosenthal> | Noam Rosenthal: regardless, I think I'll add a for= attribute now so it won't become an issue if things are moved around; I can take care of those edits. Thanks a lot for supplying the PR! |
| 17:02 | <annevk> | If anyone still has a >7 day request to me on GitHub please let me know, because according to my notifications I'm up-to-date until this week. |
| 21:14 | <ntim> | Domenic: ๐ฌ to https://markdotto.com/2022/03/16/dialog-element/#details-element |
| 21:15 | <Domenic> | You may enjoy https://github.com/github/details-dialog-element even more |