01:19 | <Domenic> | Domenic: one thing I noticed with --set-upstream-to=X ? |
04:03 | <Domenic> | The interop 2023 proposal for history & navigation is live: https://github.com/web-platform-tests/interop/issues/170 |
04:12 | <Domenic> | Is there anything in modern specs that strips usernames/passwords from URLs before fetching? Apparently we do this in at least one place in Chromium and I'm trying to figure out why... |
04:41 | <sideshowbarker> | Is there anything in modern specs that strips usernames/passwords from URLs before fetching? Apparently we do this in at least one place in Chromium and I'm trying to figure out why... |
04:47 | <sideshowbarker> | And found https://twitter.com/mikewest/status/846308572124397569 |
04:49 | <sideshowbarker> | https://github.com/whatwg/fetch/pull/465 |
04:51 | <sideshowbarker> | Domenic: are those relevant or do you mean in some other context? |
04:52 | <Domenic> | These are helpful, but the code we actually have seems to strip out the URL credentials, instead of blocking the request entirely... https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/loader/fetch/fetch_parameters.cc;l=94;drc=a432cd59d51281057ba2a2673ca645a9600bb927 . I can't find any evidence of this in specs. |
04:54 | <Domenic> | It seems like we do this somewhat randomly... for various cross-origin images, prefetches, preloads, modules, stylesheets?? |
04:56 | <Domenic> | I guess I'll comment on the PR 465 |
08:09 | <annevk> | Commented with what I suspect is the cause |
08:27 | <Domenic> | Do you know what the rationale is behind which fetches set use-URL-credentials and which don't? |
08:35 | <annevk> | Domenic: for CORS and new APIs we wanted to avoid it |
08:38 | <annevk> | Domenic: stripping could work too btw, but have to be careful with redirects and service workers |
08:39 | <Domenic> | This is not great, "authentication entry" is a concept but I think it's saying to extract the credentials from the URL... Will file an editorial issue I guess. |
08:40 | <annevk> | Domenic: well an authentication entry is the user agent having authorization data for some URL, but if there's also credentials in the URL itself those might override that |
08:41 | <annevk> | Domenic: those used to be the semantics, but I'm not really sure what has happened in the intervening years as there's been a bunch of interventions with poor cross-browser coordination |
08:41 | <Domenic> | Yeah I mean I'd at least expect this to say "the authentication entry for the URL", ideally with an algorithm detailing how to extract the username/password components from the URL itself. |
08:42 | <annevk> | Yeah, there's definitely a bunch of XXX around this |
08:52 | <Domenic> | OK, two issues and a PR later, I think I'm done shaving this yak... |
08:59 | <sideshowbarker> | speaking of yak shaving… let me present https://github.com/whatwg/html/pull/8338 |
09:00 | <sideshowbarker> | PR-preview rendered output at https://whatpr.org/html/8338/syntax.html#start-tags (step 6) |
11:17 | <karlcow> | would there be a use case for this. such as, no we do not want to let you put your login and password in there, but the request is going through and the site will send you an authentication challenge instead for this URL so you can log in more securely instead of just failing. |
11:36 | <Jake Archibald> | sideshowbarker: https://twitter.com/mcmillanstu/status/1575579706556002304 😀 |
11:41 | <sideshowbarker> | sideshowbarker: https://twitter.com/mcmillanstu/status/1575579706556002304 😀 |
17:53 | <Drew Hintz> | Hi! Is there a process for asking for a review/merge on html5lib-python? I opened a small low-risk PR: https://github.com/html5lib/html5lib-python/pull/547 |
21:31 | <sideshowbarker> | Sam Sneddon [:gsnedders]: ↑ |
21:34 | <karlcow> | better to ask jgraham for this PR. |