01:11
<Domenic>
Could use editor review on https://github.com/whatwg/html/pull/10043 (easy) and https://github.com/whatwg/html/pull/10168 (bigger)
01:13
<akaster>
Is it expected that cryptographic keys created by SubtleCrypto are stored in a fun and secure place like a Trusted Platform Module or Secure Enclave?
01:13
<akaster>
Or would that just be a quality of implementation bonus
08:56
<freddy>
it's not expected and afaiu subtlecrypto predates wide availability and adoption of TPM / enclaves
08:58
<annevk>
Domenic: I'll leave the bigger one for zcorpan.
09:23
<annevk>
yulia | sick: https://github.com/w3c/trusted-types/issues/471 is probably of interest to you. Maybe also to littledan.
09:24
<annevk>
freddy: you too I suppose. Some of the research participants could really use a built-in sanitizer.
09:24
<emilio>
annevk: jarhar: Do you know what kind of styling differences do we want for the <select> case in https://github.com/w3c/csswg-drafts/issues/5998?
09:25
<emilio>
Basically, I think the main thing we really need is the non-replaced box stuff, but I'm not aware of all the intended differences between base and none
09:25
<annevk>
emilio: essentially we want to build something from the ground up, irrespective of auto/none styling.
09:25
<yulia | sick>
wow thats great
09:25
<emilio>
annevk: why? It seems virtually all the default select styles would be applicable to the "base" case
09:26
<yulia | sick>
(not really back yet)
09:26
<annevk>
emilio: the mechanism has to work for all form controls, not just select. So over-indexing on select doesn't seem useful.
09:26
<emilio>
annevk: modulo the !important stuff which right now can't be overridden by authors, but maybe we should just fix that
09:27
<emilio>
annevk: I guess I'm looking for a counter-example where it doesn't work. I've thought mostly about <select> and <input switch>, and seems not overcomplicating stuff would work for those at least
09:27
<emilio>
annevk: that is, the default styles for form controls are sorta reasonable, what is not customizable is the stuff inside them. And that is fixable with appearance: base without weird hacks / internal mechanisms which are generally unsound
09:33
<annevk>
emilio: I don't think people want the base style to match the none style. They want something closer to the auto style, except not platform bound.
09:35
<annevk>
emilio: Also select like other form controls is currently undefined, except for like 3 properties?
09:35
<emilio>
annevk: I thought the point of base was basically give you control over the inner bits of the control. none already gives you something that is a functional control, and the system colors used there are in control of the UA, so can be changed. border-radius is the only tricky thing IMO
09:36
<emilio>
annevk: it doesn't have to be that way, select styles are fairly interoperable iirc?
09:36
<annevk>
No the point of base is to give unified cross-browser controls that are fully stylable, but also accessible, etc.
09:37
<annevk>
I would expect some sort of consistency across base controls.
09:37
<emilio>
annevk: well, sure, my point is that appearance: none is that, except it doesn't let you style the stuff inside the control
09:38
<emilio>
and the "doesn't let you style stuff inside the control" part is solvable without weird shenanigans
09:38
<annevk>
It's not for checkboxes and it's also not really for other controls? Some of that might be fixable, but I don't think none always meets the bar. (And I'd rather none going forward actually mean none.)
09:39
<annevk>
(The stuff inside the control also has to be described in terms of CSS already for base, to be clear.)
09:40
<emilio>
Sure, but that's not an issue because we can do whatever in the UA sheet for inner elements / pseudos inside base, and have it not affect none / auto
09:41
<emilio>
You're right that checkboxes are an issue here, but those are the exception rather than the rule
09:46
<annevk>
emilio: I think the pseudo elements should also work for none.
09:47
<emilio>
annevk: that doesn't match how none behaves right now, but maybe, if we can get away with it? But that means that we should make the none behavior also describable via css.
10:00
<annevk>
emilio: the solution has to work for checkboxes too though. But I also think we want the freedom to be able to change certain things (such as the default size) for base to make them really good defaults for people to build on.
10:01
<annevk>
As such I don't really believe in trying to shoehorn it into the existing mess (which I do agree we should clean up as well, but I think we're more limited there in what can be done).
10:06
<emilio>
annevk: I don't see why it wouldn't work for checkboxes fwiw, assuming checkboxes gain some pseudo tree (which they'd need to, right), you could style that however you want. You'd need some special code to not render that tree in the none case, to match existing behavior, but that seems feasible
10:08
<emilio>
annevk: I don't think we want css magic, because whatever that magic is we're going to need to explain it to authors. And this is exactly the kind of magic that we don't want to expose to the web (https://wiki.csswg.org/faq#selectors-that-depend-on-layout)
10:09
<emilio>
Anyways I need to go do some work, but I think we can get away without CSS magic.
10:37
<annevk>
I think it's fine to have "magic" when it's constrained. This wouldn't really become a generic thing, it's just for form controls. You want the magic to be more tightly scoped it seems, but I'd rather have it a little wider to decouple things a little more.
14:54
<jarhar>
for appearance:base select as i am trying to implement it, most of the actual new styles are on the button and the datalist children, not the select itself, which makes it easier to put in the UA stylesheet. It looks kind of bad imo to still have the border and other stuff there from the appearance:auto select around the parent element of the button, but maybe once i finish implementing appearance:base and demo it to some more people then maybe nobody will care that much and we can just leave the UA rules in there.
14:55
<jarhar>
if you look at the "actual" and "expected" pictures of this test output, you can see what difference the built-in borders make: https://chromium-layout-test-archives.storage.googleapis.com/results.html?json=chromium/try/linux-rel/1729863/blink_wpt_tests%20%28with%20patch%29/full_results_jsonp.js
14:55
<jarhar>
also it should probably be completely the same across browsers by default when using appearance:base, and if we aren't using the same UA border rule for select then that wouldn't be the case anymore
17:01
<jub0bs>
Hey all. I have some more thoughts about CORS...
17:04
<jub0bs>

One: A common misunderstanding (dispelled by annevk long ago) about CORS is that it is some kind of defence. I think some overeager middleware libraries can be blamed for this confusion, but I'm starting to wonder whether CORS error messages (in Chromium specifically) could be improved:

Access to fetch at 'https://example.org' from origin 'https://example.com' has been blocked by CORS policy. [...]

(my emphasis)

17:06
<jub0bs>

The phrase "blocked by CORS policy" seems to mislead some practitioners into conflating the effects of the SOP and CORS. How about something like the following message instead?

Access to fetch at 'https://example.org' from origin 'https://example.com' has been blocked because the requested resource's CORS policy is insufficiently permissive. [...]

(my emphasis)

17:10
<jub0bs>
More verbose, but clearer IMHO.
17:17
<jub0bs>

Two: Some folks attempt to solve their CORS issues by including an Origin header in their request. Of course, because Origin is a forbidden request-header name, user agents deny clients' attempts to include such a header in a request. The XHR API is vocal about it and issues an error message:

httpRequest = new XMLHttpRequest();
httpRequest.open('GET', 'https://www.example.com', true);
httpRequest.setRequestHeader("Origin", "http://localhost")
httpRequest.send(null);

In Chrome and Safari:

Refused to set unsafe header "Origin"

And in Firefox:

Attempt to set a forbidden header was denied: Origin

However, the Fetch API denies such attempts silently:

fetch('https://example.com', {headers: {origin: 'http://localhost'}});

(no error message about Origin being unsafe, per the Fetch standard)

17:18
<jub0bs>
Shouldn't the Fetch API be more vocal about those misguided attempts to include unsafe headers in requests?
17:23
<jub0bs>
Three: Many people also attempt to solve their CORS issues by including CORS response headers (such as Access-Control-Allow-Origin) in their request, which may in fact make their CORS issues worse if the requested resource's CORS policy doesn't allow arbitrary request-header names. In connection to my second point above, I think there is a case for adding all CORS response headers (Access-Control-Allow-* and Access-Control-Max-Age) to the list of forbidden request-header names. I'm conscious that such a change could break existing clients, but including such CORS response headers to a request is almost always a mistake anyway.
17:35
<annevk>
jub0bs: for 1/2, improving warning messages is probably best filed directly with web browsers. Maybe sideshowbarker has done some work on these in the past perhaps. I'd certainly be open to reviewing WebKit patches that improve this. For 3, I think that's also best done as a warning message by web browsers. I wouldn't want to constrain what people can do with HTTP at the API level, but giving them a hint they're likely making a mistake seems reasonable.
17:39
<jub0bs>
annevk: Thanks. I was hoping to catch some browser folks here, actually. As for 3, I believe a warning would be a good middle ground.
23:51
<Luke Warlow>
Could I get bug edit permissions on whatwg/html for labelling issues?