| 09:21 | <Domenic> | annevk: I'm done for the night, but I think I've teed up all the PRs at https://github.com/whatwg/whatwg.org/issues/401 . They should be ready to merge. If you merge the stylesheet and the specs aren't immediately re-built it looks fine, the subheading is just small and boring. So I think you should try to merge ASAP to unblock the various PRs across the ecosystem. I'll be back in some hours and can help then. I think we don't have access to merge https://github.com/tabatkins/bikeshed-boilerplate/pull/29 so hopefully TabAtkins can do so when he wakes up. |
| 09:28 | <Hugo Tunius> | Right, I think that makes sense. I found it surprising that APIs like window.open and the resulting WindowProxy are impacted by this(website controlling their content). I understand how changing the URL to load a different document after a site is loaded can be problematic(e.g. bankofamerica.com to bankofamerica.evil.com) but I don't see how positioning and closing the window is. Neither of those three operations(positioning, closing the window, or changing the URL) feel like they meet the definition of "control their content" to me. From the perspective of the opener the opened website is a black box here |
| 09:29 | <Hugo Tunius> | I tried to look for discussions around these changes to see if any of these concerns were raised but couldn't find anything, do you know if such context exists? |
| 09:34 | <annevk> | Thanks, I'll have a look in a bit |
| 09:52 | <TabAtkins> | Domenic: I'm still on vacation, I won't be in the office until Friday |
| 09:53 | <TabAtkins> | Oh but I can do a merge |
| 09:53 | <annevk> | TabAtkins: thanks and enjoy! |
| 10:01 | <Domenic> | Hugo Tunius: resizing and positioning a window is definitely pretty abuse-prone. Imagine taking trustedbank.example's window and making it fly around the screen like a ping-pong ball. Who do you think the user's going to blame? The bank, or the mysterious opener window which has some hidden programmatic connection to it the user is not aware of? |
| 10:01 | <Domenic> | Similarly imagine closing the window randomly, making it look like the site is crashy or broken... |
| 10:03 | <TabAtkins> | Domenicor annevk: actually I only have Internet on my phone, so I can't run the manifest regen. Could one of y'all run the generate/__init__.py script and add it to your pr? |
| 10:03 | <TabAtkins> | Also I'll give y'all edit rights |
| 10:04 | <TabAtkins> | Wait what's Anne's github |
| 10:05 | <Domenic> | It's annevk |
| 10:05 | <TabAtkins> | Weird, wasn't showing up. I'll try again |
| 10:05 | <TabAtkins> | Oh because I did the thing I always do |
| 10:05 | <TabAtkins> | And try to search for then among the existing collabs |
| 10:06 | <Domenic> | I have confirmed write access so can merge later tonight if necessary. Thanks so much! |
| 10:06 | <TabAtkins> | Np, just remember to run the regen or else Bikeshed won't pick up any changes. |
| 10:06 | <TabAtkins> | I need to put that into ci super bad |
| 10:07 | <Hugo Tunius> | Domenic: You're right that you could do that. I guess I didn't think of that from the "control of their content" angle though. Thanks for clarifying |
| 10:08 | <Hugo Tunius> | Do you know if there are any discussions from the COOP spec work that goes deeper into these motivations? |
| 10:08 | <Domenic> | I'm not aware, I think everyone just had it as background knowledge that allowing cross-origin opener control has been a mistake since the beginning of the web, and it's good to cut that off as much as possible. |
| 10:09 | <Hugo Tunius> | Aight. Thanks again for the explainer, it was helpful |
| 10:38 | <annevk> | Hugo Tunius: there's a bunch of design discussion on whatwg/html; but as it essentially inverses rel=noopener, it was quite intentional |
| 10:39 | <annevk> | Domenic: all reviewed and pushed some nits; Bikeshed PR merged |
| 10:40 | <annevk> | I guess with the Bikeshed PR merged, specifications ought to be able to build again |
| 10:46 | <Andreu Botella> | I keep typing https://w3c.github.io/csswg-drafts/indexes as "indices" |
| 10:46 | <Andreu Botella> | maybe adding a redirect would help |
| 10:51 | <annevk> | Hmm so bikeshed-data is updated, but it's not reflected by any tooling... |
| 11:59 | <Domenic> | Gotta run bikeshed update? |
| 12:00 | <Domenic> | Maybe the CSSWG CI server does not do that often... |
| 12:17 | <Domenic> | PRs should be working again now; they might need a rebase. |
| 12:26 | <TabAtkins> | As I said, the regen script needs to be run, to update the manifest file, before Bikeshed will pick up the new data. |
| 12:26 | <TabAtkins> | (And then the updated manifest checked in.) |
| 13:15 | <annevk> | TabAtkins: I did that and bikeshed-data did pick it up; it's just api.csswg.org that hasn't yet at this point |