| 09:56 | <Noam Rosenthal> | Domenic: looking at a script's "base URL", is there any use for it in classic scripts? seems like it's only used for modules |
| 10:06 | <annevk> | Noam Rosenthal: dynamic imports maybe? |
| 10:07 | <annevk> | nicolo-ribaudo: while looking at that I noticed HTML still references (but doesn't use) FinishDynamicImport; could that be due to your refactoring work? |
| 10:08 | <nicolo-ribaudo> | nicolo-ribaudo: while looking at that I noticed HTML still references (but doesn't use) FinishDynamicImport; could that be due to your refactoring work? |
| 10:08 | <Noam Rosenthal> | annevk: dynamic imports are possible in classic scripts? |
| 10:10 | <annevk> | Noam Rosenthal: http://software.hixie.ch/utilities/js/live-dom-viewer/?%3Cscript%3E%0Aimport(%22.%2Fscript%22).then(w%2C%20w)%0A%3C%2Fscript%3E |
| 10:12 | <Noam Rosenthal> | ok TIL |
| 10:56 | <annevk> | Luca Casonato: unless you tell me otherwise I'm not gonna ask for a Deno issue for https://github.com/whatwg/fetch/pull/1655 |
| 11:39 | <Luca Casonato> | Yeah, it's not relevant. |
| 13:05 | <freddy> | Just let us know when you at deno are ready to start rendering documents :) |
| 13:22 | <Noam Rosenthal> | Do we have any principles/prior art about hiding things related to CORS cross-origin (opaque) scripts? I know about hiding their base URL and muting errors |
| 13:25 | <annevk> | Noam Rosenthal: as much as we can? |
| 13:26 | <Noam Rosenthal> | @annevk Thinking if itโs safe to expose that they took a lot of time in timing APIs, seems like everything you do in them is quite observable anyway |
| 13:30 | <zcorpan> | You could check the current time in a script before and a script after. Would timing APIs for scripts expose other/new information? |
| 13:32 | <Noam Rosenthal> | zcorpan: we expose time after parse and before execution. I don't mind omitting that for opaque scripts |
| 13:33 | <Noam Rosenthal> | @zcorpan: but my bigger doubt is about exposing the source URL of callbacks that take a long time. The problem is that once a callbacks goes into the JS engine soup it doesn't know anymore if it came from an opaque script. the alternative would be to either mark all JS functions with that info or stop reporting source URLs at all for a document that saw an opaque script |
| 13:36 | <zcorpan> | Right, I think the original reason to mute errors was to avoid exposing information from loading content that wasn't a script as a script (and thus would fail to parse and invoke window.onerror) |
| 13:38 | <zcorpan> | scripts have a "muted errors" flag, maybe you can use that to hide URLs |
| 13:39 | <Noam Rosenthal> | the mechanics of the spec are less of a problem |
| 13:39 | <Noam Rosenthal> | Does a particular callable have a spec way to link it back to a [=script=] in the spec? |
| 13:40 | <Noam Rosenthal> | (I'll try to look it up myself if no one knows this off the top of their head) |
| 13:41 | <zcorpan> | I don't know but https://html.spec.whatwg.org/#report-the-exception references "the relevant script" for exceptions |
| 13:42 | <zcorpan> | The relevant issue would be https://github.com/whatwg/html/issues/958 |
| 13:43 | <Noam Rosenthal> | I guess "active script" will do it https://html.spec.whatwg.org/multipage/webappapis.html#active-script |
| 13:44 | <Noam Rosenthal> | thanks zcorpan I'll take a look |
| 13:45 | <Noam Rosenthal> | oh yes this is exactly what I needed ๐ |
| 13:48 | <zcorpan> | https://github.com/whatwg/html/issues/958#issuecomment-582005343 says in which cases muting is important |
| 13:54 | <Noam Rosenthal> | https://github.com/whatwg/html/issues/958#issuecomment-586211296: @annevk: "At some point the browser needs to parse and execute an opaque response as classic script. That's a synchronous operation. Every exception that happens during that operation ought to be muted. Beyond that we should not bother as it requires stack inspection or similar such measures that are not worth it." |
| 13:58 | <Noam Rosenthal> | though in this case we don't introspect the stack, it's just an entry point, which might actually be worth it. anyway the "relevant script" to a callback sounds close enough |
| 14:12 | <Noam Rosenthal> | Actually the running script is even better and it's accessible at the end of the microtask queue, which is exactly when I need it |