WHATWG on 2023-10-25

08:02	<Domenic>	annevk: did you want to take a look at https://github.com/whatwg/html/pull/9860 before we merge it? It seems you were involved in those discussions originally.
09:08	<Noam Rosenthal>	Hola, do we have minutes from TPAC WhatWG meetings anywhere? maybe Panos Astithas
10:37	<aja>	https://www.w3.org/WAI/APA/minutes ?
10:41	<annevk>	Noam Rosenthal: they're in the TPAC issue on whatwg/meta
10:42	<Noam Rosenthal>	Noam Rosenthal: they're in the TPAC issue on whatwg/meta Makes sense, thanks!
10:43	<Noam Rosenthal>	annevk: on that note, I think all the issues on deferred fetching are resolved. `NotAllowed` is thrown only on 3p iframes and some such, there is no permission-based model currently
10:44	<annevk>	Domenic: it's not clear to me we have Gecko or WebKit buy-in at this point. For WebKit it'll require a bit more time anyway.
10:49	<annevk>	Noam Rosenthal: okay, that sounds reasonable in principle. I hope to have time this week.
10:54	<Noam Rosenthal>	annevk: I'm actually not seeing in the minutes anything about a problem with cross-origin iframes and deferred fetching.
11:08	<annevk>	Noam Rosenthal: I think we discussed that much earlier on at one of the Performance WG meetings. I had forgotten about it for a bit though and recently remembered again.
11:09	<Noam Rosenthal>	Noam Rosenthal: I think we discussed that much earlier on at one of the Performance WG meetings. I had forgotten about it for a bit though and recently remembered again. Yea I looked at those minutes and the cross-origin iframe discussion was about isInputPending and not about this
11:16	<annevk>	I think the concerns for `fetchLater()` came down to: If the limit is shared for a given partition, this might introduce certain leaks. If it's not shared it might be easier to hit the total limit. It's not clear that cross-site documents should have access to this capability by default. In particular if the budget is shared perhaps Permissions Policy ought to be used.
11:17	<annevk>	I also recall Alex not being super happy about giving cross-site documents access to such a powerful capability to begin with. (Though I imagine Permissions Policy would be acceptable as we have treated it as equivalent to `postMessage()` everywhere else.)
11:23	<Noam Rosenthal>	Ok thanks, let me ponder on this. For now the PR goes down that route
12:50	<Noam Rosenthal>	I think the concerns for `fetchLater()` came down to: If the limit is shared for a given partition, this might introduce certain leaks. If it's not shared it might be easier to hit the total limit. It's not clear that cross-site documents should have access to this capability by default. In particular if the budget is shared perhaps Permissions Policy ought to be used. The limit is per document. so this shouldn't be a problem
12:55	<Noam Rosenthal>	annevk: but for the other thing, yea, perhaps we should have permission policy for this. let me chat with the team about it
13:00	<annevk>	Noam Rosenthal: doesn't a per-document limit allow for limitless abuse? You can create near infinite nested documents.
13:02	<Noam Rosenthal>	annevk: what would be the point? you can simply call fetch instead
13:08	<Noam Rosenthal>	annevk: I think it comes down to what the quota tries to protect against
13:16	<Noam Rosenthal>	annevk: the keepalive quota is also per-document and one can abuse it with infiinte nested iframes, we wanted to be consistent with that
14:40	<Noam Rosenthal>	I also recall Alex not being super happy about giving cross-site documents access to such a powerful capability to begin with. (Though I imagine Permissions Policy would be acceptable as we have treated it as equivalent to `postMessage()` everywhere else.) Would be good to know what makes this more of a powerful feature than, let's say, regular keepalive
14:54	<Ms2ger>	Is yielding in the middle of an infra map for-each loop like in https://webidl.spec.whatwg.org/#es-map-iterator actually well-defined?
14:54	<Ms2ger>	CC annevk
15:19	<annevk>	Ms2ger: https://github.com/whatwg/infra/pull/451