2023-01-02
[16:38:43.0996] https://stackoverflow.com/questions/74978033/how-should-this-erroneous-html5-be-parsed-where-should-the-end-tag-be-inserte
[00:55:14.0015] jugglinmike: jgraham: can either of you tackle https://github.com/w3c/webdriver-bidi/issues/347?
[01:00:25.0469] kblom3: frank-dspeed: while we're not super strict regarding what is on and off topic, this channel is generally intended for discussions about web standards, and primarily WHATWG standards.
[02:18:21.0506] i guess you're correct i am still struggling with correcting my mind model but you're right it was my failure this channel is only about WHATWG related stuff not about internet or web or browsers and WHATWG is a standard that is open to get used by people who like it and ignored by people who do not agree with it
[02:19:51.0228] i want to apologize for that it is really a misconception in my mind because as i was a kid i expected internet to be equal to WHATWG
[02:20:58.0635] and that was still holding me back i need to pray to my self that browsers are not related to whatwg as it is an independent free standard without any affiliation to real world
[02:32:38.0355] the real world is equal to the browsers dom api's and HTML is just a syntax that can get translated to it so it is a declarative instruction set a language not more not less
[02:33:42.0210] frameworks like react circumvent the WHATWG standard total while still use the term html which is maybe also misleading
[03:36:27.0610] I'm currently setting up a personal blog, and I thought I'd cross-publish my post from the WHATWG blog on newline normalization in forms (https://blog.whatwg.org/newline-normalizations-in-form-submission)
[03:36:29.0531] and as part of that, I noticed there's a code sample in that post that uses the `DataTransfer` hack for setting an ``'s file list, with no explanation
[03:37:38.0106] I don't have edit permissions, but it'd be great to add even a one-line comment like ```js // This is a hack to add files to an
from JS. ```
[07:49:56.0397] Domenic: is putting effort into https://github.com/whatwg/url/pull/502 worth it? Would you implement it in whatwg-url?
2023-01-03
[17:58:51.0456] annevk: I was thinking of doing it as a holiday project... and I still have 8 days of holiday in Japan. So, probably?
[17:59:46.0329] "doing it" = "adding full validation error support to jsdom/whatwg-url"
[18:00:02.0317] Which could then be extended pretty easily with named variants
[00:27:49.0056] annevk: with getting the "internal response" - do I need to do something like "if this is a filtered response, getting response's internal response, otherwise response"
[00:31:35.0981] ok answered on the issue, thanks :)
[00:35:19.0403] Noam Rosenthal: if you find a place where that would be useful we should upstream HTML's unsafe response (perhaps if it's really useful for HTML we should do that anyway, but I still need to convince myself)
[00:36:05.0856] annevk: gotcha, will take a look
[00:55:19.0606] smaug: emilio: did you see my ping in https://github.com/whatwg/fullscreen/issues/149? If you all are still on break feel free to ignore, I'll try to remember to ping again
[02:17:23.0644] annevk: Yeah I think while retargeting would make some amount of sense, it's not really useful for fullscreen/pip
[02:18:09.0391] what was the exact usecase of shadow dom?
[02:18:25.0117] css encapsulating, offering slots?
[02:18:34.0557] what was the main driver does anyone know that?
[02:21:29.0316] i mean i never used it for any useful use case only for demos when i import css as ESModule so a CSSDeclaration Object and Object.assign(el.style, cssDeclaration)
[02:21:44.0550] i get cached composable css that is applied directly on the element
[02:22:48.0273] much less to write no id tag clashing nothing i do not even use ID or class when i programmatically create html Elements a combo of document.create object.assign gives me total declarative js syntax to compose elements and styles
[02:23:44.0804] i write whole app dependent component frameworks in less than 20 lines of code and complex elements with a lot of events like whole IDE Environments in 50 sloc
[02:26:45.0102]
```js
// Copy the `style` entries onto el.style and every other key onto el itself.
const createComponent = (el = {}, componentDefinition = {}) => {
  Object.assign(el.style, componentDefinition.style);
  Object.keys(componentDefinition)
    .filter((key) => key !== 'style')
    .forEach((key) => (el[key] = componentDefinition[key]));
  return el;
};
const appendNewComponent = (el, tagName, componentDefinition) =>
  el.appendChild(createComponent(document.createElement(tagName), componentDefinition));
// End framework

// `el`, `getChildIndex` and `Notebook` are not defined in this snippet.
const controls = el.appendChild(document.createElement('ul'));
appendNewComponent(controls, 'button', {
  innerText: `${getChildIndex(el)}|+`,
  onclick: (ev) => { el.parentElement.appendChild(new Notebook()); },
  style: { color: "red" }
});
appendNewComponent(controls, 'input', {
  onclick: (ev) => {},
  placeholder: `https://.....js`,
  value: ``,
  style: { color: "red" }
});
appendNewComponent(controls, 'button', {
  onclick: (ev) => {},
  innerText: `FETCH`,
  style: { color: "red" }
});
```
[03:25:34.0961] annevk: emilio yeah, I'm not sure retargeting the css state would be useful here.
[04:27:14.0492] smaug: emilio: could either of you elaborate in the issue as to why?
Ryosuke seemed to think it was necessary still; I was hoping to avoid having to dive into it myself (I forgot the design rationale)
[04:34:28.0024] annevk: I guess the idea is that it'd be necessary to avoid exposing the existence of the shadow tree (so that you can't know if the element has a closed shadow tree if `document.fullscreenElement && !document.fullscreenElement.matches(":fullscreen")`)
[04:34:56.0171] annevk: which is true, but it doesn't make much sense to style an ancestor of the fullscreen element based on it having a shadow descendant in fullscreen
[04:37:11.0730] emilio: maybe we should offer `:fullscreen-within` or something similar to the `:focus-within` thingie?
[04:47:45.0733] Oh, `:focus-within` is different. It would be more akin to how `:fullscreen` is defined per specification.
[04:48:00.0178] Right, that doesn't quite make much sense to me
[04:49:52.0336] Oh, so `:focus` should match the shadow host, but `:focus-visible` does not. How many focus-related pseudo-classes do we need?
[04:50:25.0323] Yeah, that focus retargeting is also slightly weird fwiw
[04:50:44.0653] but it's less problematic because what you really want to style is `:focus-visible` 99% of the time
[04:52:37.0183] I'm also confused as to how it helps as that still gives you a shadow host detector
[05:00:29.0671] Anyway, thanks emilio for the useful example. I'll chat a bit more with rniwa and Tim.
[05:01:33.0001] annevk: focus-visible kind of can match and not match depending on various things, but yeah it does if you do `host.focus({ focusVisible: true })` and then `:focus-visible` doesn't match on the host but on a nested kid (because of `delegatesFocus`)
[05:38:18.0407] * Anyway, thanks emilio for the useful example. I'll chat a bit more with rniwa and ntim.
[13:44:16.0291] > <@annevk:matrix.org> jugglinmike: I suppose, but that would be confusing for all callers as it's to be used from web platform specs, which don't really use completion records
As a reader familiar with ECMA262, I'm confused by the subversion of that convention. I hear what you're saying about the web platform not using completion records, and that makes me think that maybe the `?` shorthand isn't really appropriate. It's only used three times in Infra, so perhaps we could replace it with a different macro-like expansion--one which doesn't rely on 262's control flow conventions. What do you think? (Also, happy new year!)
2023-01-04
[23:41:30.0455] jugglinmike: Happy New Year to you as well! There's a couple places where we mix styles at the moment. HTML, Web IDL, and Infra. It might be worth addressing in some way, but I'm not sure if that would end up being more or less confusing and it would also be quite a bit of work. I suppose it's worth tracking formally as an issue somewhere.
2023-01-05
[17:50:52.0930] annevk: Thanks! I'll see if I can write something up in the next week or so
[07:12:53.0535] Just a heads up to anyone interested: https://github.com/domfarolino/specfmt is in decent shape and works in most cases I use it for, so I'd love for people to try it out more and report bugs so we can make it even better. Please give it a shot!
[07:13:44.0252] It's not to the point yet where we can just perfectly format full pre-existing specs, but I think it's getting there...
[07:16:19.0633] And it also currently follows WHATWG column-limit line breaking instead of semantic line breaking, so some people hate it :) Maybe it should have 2 modes
[07:35:23.0190] Dominic Farolino: Oh interesting. Does it try to keep named things on the same line (i.e. for things like `[=long reference=]` avoid linebreaks after `[=long`)? That's been requested on the WebDriver-BiDi spec because people were finding it hard to find/update by search when needing to consider the possibility of linebreaks, and led to a proposed lint to disallow them (but no automatic enforcement, which makes me worry about the tradeoffs).
[07:35:54.0905] No, that would be semantic line breaking, which the tool (and WHATWG specs more generally to my knowledge) do not follow.
[07:36:24.0366] It's not what I think of when I think of semantic linebreaking at least
[07:36:55.0962] (I thought semantic linebreaking was about putting each clause on a separate line, even if it's rather short, which I personally dislike)
[07:37:04.0431] Dominic Farolino: most of "my" specs break at a 100 columns but never break inside a term, e.g., Fetch (sometimes I don't catch it in review though)
[07:38:01.0119] (and I tend to not break inside tags)
[07:38:07.0850] Perhaps I don't know what semantic line breaking is then
[07:38:51.0506] I was going off of https://github.com/tabatkins/bikeshed/issues/662#issuecomment-1332775833, which seems to indicate that WHATWG specs all break at column length regardless of whether we're inside a term
[07:39:14.0280] Apparently that's not the case (though in HTML it definitely seems to be the case)
[07:40:11.0898] Completely unrelated question about response headers in a navigation redirect chain: Cross-Origin-Opener-Policy was designed to be taken into account during redirects, but as far as I can tell, the HTTP fetch step (https://fetch.spec.whatwg.org/#http-fetch, S7.2.manual) returns a response with nulled out headers
(https://fetch.spec.whatwg.org/#concept-filtered-response-opaque-redirect). Am I missing something or is it broken?
[07:40:36.0716] Per my understanding, semantic linebreaking is when you always break after a clause, usually a comma or a fullstop, kind of like this. The argument is it makes for cleaner diffs. But I find it's hard to read, like poetry.
[07:41:20.0786] Dominic Farolino: HTML allows a break whenever there's already whitespace (you don't get to insert additional whitespace though, such as between a start tag and the first character)
[07:42:00.0650] Yeah, the tool wraps to what I believe is consistent with HTML (I mostly wrote the tool while working on the navigation and session history rewrite)
[07:42:43.0811] Fair, I'd love a feature that avoids breaking inside terms as that makes editing a whole lot easier (no need to regex search all the time)
[07:44:01.0562] That does seem nice. The current tool is really simple; it doesn't do any parsing to know if you're inside a term or not etc, which is why the HTML-like formatting is easiest for it. But I do personally like not breaking inside a term. PRs welcome heh!
[07:44:28.0594] But a while ago I was told to not do that in HTML, so I just assumed that WHATWG specs were like that more generally. Good to know that's not always the case
[07:50:29.0806] Yeah, I think to do a really nice job you'd want to actually have some kind of parser. And since spec parsing is kind of defined as "whatever bikeshed does" (except for HTML and stuff using respec, but increasingly also those), it's not that easy to produce a high quality implementation. Although maybe it doesn't really need to be _that_ high quality.
[07:54:56.0545] Especially given all the Markdown that's now mixed with HTML...
[07:55:31.0355] (I wonder if one could implement on top of tree-sitter or something.
I suppose the dream would be an LSP server for spec documents)
[08:41:55.0179] I aspire to not dream of specs
[15:29:07.0606] https://stackoverflow.com/questions/75024554/what-javascript-dom-algorithms-behave-differently-with-an-xmldocument-than-wit
2023-01-06
[22:38:21.0061] https://stackoverflow.com/questions/75027584/unexpected-websocket-buffer-data-w-masked-fragmented-messages-as-data-grows-s
[05:38:28.0902] Arthur Hemery: missed your question yesterday somehow. The idea is that HTML pokes through to the internal response for that, but it probably does not do so today.
[05:39:54.0712] Arthur Hemery: Fetch doesn't remove the headers, but it does obscure them. (Given Spectre ideally we would remove most headers before handing the response to an attacker process, but that's a thing we haven't tried tackling so far.)
2023-01-07
[02:25:44.0203] https://stackoverflow.com/questions/75026200/how-can-the-global-window-object-be-created-before-there-is-a-realm-in-existance?noredirect=1#comment132404888_75026200 It's unclear how the global object Window can be created and passed to JS since WebIDL's "new" asks to check if realm.[[GlobalObject]]'s implements the interface, but at this time the realm doesn't have a [[GlobalObject]] since that would be that Window object we need to create.
[07:19:25.0314] It's essentially atomic. This is what is intended by https://html.spec.whatwg.org/multipage/document-sequences.html#creating-a-new-browsing-context step 9 being a single step instead of something like "1. create the Window; 2. create the realm and supply the Window to it."
2023-01-08
[13:22:55.0092] someone know who made JS ?
[13:49:33.0356] ?
[15:19:14.0218] I have a question about the original W3C Recommendation (for annevk, maybe ?). The rec was quite prescriptive about server-side processing; see https://www.w3.org/TR/2014/REC-cors-20140116/#resource-processing-model.
In particular
> If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
I see no such prescription in the current Fetch standard. Out of curiosity, what motivated its removal? (If necessary, I can provide more context for my question.)
[15:21:38.0224] * I have a question about the original W3C Recommendation (for annevk, maybe ?). The rec was quite prescriptive about server-side processing. In particular
> If the value of the Origin header is not a case-sensitive match for any of the values in list of origins, do not set any additional headers and terminate this set of steps.
(source: https://www.w3.org/TR/2014/REC-cors-20140116/#resource-processing-model.)
Unless I'm missing something, I see no such prescription in the current Fetch standard (which is for the best, I believe). Out of curiosity, though, what motivated that less prescriptive stance? (If necessary, I can provide more context for my question.)
2023-01-09
[22:29:58.0408] jub0bs: there is https://fetch.spec.whatwg.org/#http-cors-protocol still
[22:31:44.0203] jub0bs: I think I wrote it anew because the old approach wasn't really liked by server developers, but I'm not entirely sure
[01:02:27.0764] Thanks annevk.
[01:06:42.0185] * Thanks annevk; that actually helps.
[05:21:17.0018] annevk: wasn't your test correct and then someone broke it? https://searchfox.org/mozilla-central/source/testing/web-platform/tests/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html#109
[05:30:56.0917] or perhaps I'm missing something? Chrome has had issues with data: urls elsewhere, like https://github.com/w3c/webappsec-secure-contexts/issues/69#issuecomment-585780599
[05:32:01.0916] smaug: the most significant change I can find is https://github.com/web-platform-tests/wpt/commit/ce281cc3f32d8e93ecbb33a51321d846ee2aae37
[05:32:40.0963] right. The question is how data: workers should behave
[05:34:19.0817] er, I was missing something
[05:34:29.0195] "If is shared is false and response's url's scheme is "data", then set worker global scope's cross-origin isolated capability to false."
[05:35:20.0803] I'm not sure if Firefox has the "capability" feature, that got added a bit later
[05:35:55.0417] It also had some wrinkles around shared/service workers that might not be sorted yet spec-wise
[07:14:28.0677] annevk: In connection with my earlier question: I think one reason why many people find debugging CORS issues frustrating is that CORS-middleware developers followed that resource-processing model to the letter, and never relaxed their implementation when the spec moved to the Fetch standard.
[07:19:20.0186] One example: Alice configures CORS on `https://alice.com` to allow `https://example.com` with request headers `Authorization`. However, in her client (running on `https://example.com`), she also sends some `Foo` request header: `fetch('//alice.com', {headers: {'Foo': 'Foo'}})`. Obviously, CORS preflight then fails because the `Foo` header isn't allowed in Alice's CORS config. But most middleware libraries would omit the ACAO header altogether from the response. When debugging the CORS error in the browser, Alice would be confronted with an error message saying ACAO is missing, which is true but a bit misleading about the actual reason why the server didn't respond with the required CORS headers.
[07:23:36.0847] In my experience, many CORS-related questions asked on Stack Overflow stem from this design decision. But that's not inevitable. A CORS middleware library could reply with `ACAO: https://example.com` and no ACAH header (or simply `ACAH: authorization`).
Then the browser's error message would be more useful for debugging purposes:
> Request header field Foo is not allowed by Access-Control-Allow-Headers in preflight response.
[07:23:44.0143] From a theoretical perspective it does seem better to not reveal any information though in such a scenario.
[07:24:22.0585] What are you concerned about, specifically? Some side channel?
[07:25:42.0834] Yeah. But you're right that it would make specialized error messages harder. Either way browsers could do more than they are doing and list all the required headers. And middleware could probably offer debug and strict modes.
[07:25:58.0300] * One example: Alice configures CORS on `https://alice.com` to allow `https://example.com` with request headers `Authorization`. However, in her client (running on `https://example.com`), she also sends some `Foo` request header: `fetch('//alice.com', {headers: {'Foo': 'Foo'}})`. Obviously, CORS preflight then fails because the `Foo` header isn't allowed in Alice's CORS config. But most middleware libraries, according to the resource-processing model (as I understand it) would omit the ACAO header altogether from the response.
When debugging the CORS error in the browser, Alice would be confronted with an error message like
> Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
which is true but a bit misleading about the actual reason why the server didn't respond with the required CORS headers (i.e. that request header `Foo` is not allowed).
[07:27:36.0699] I've thought about offering debug/strict modes in my CORS middleware, but I'm not 100% convinced. People would have to think about activating it and then redeploy.
[07:29:06.0764] Since nothing much happens during preflight server side (as the CORS middleware should handle the preflight request rather than passing it on to next handler in the chain), I'm wondering whether worrying about side-channel attacks is justified. Do you know of such attacks?
[07:51:43.0719] * I've thought about offering debug/strict modes in my CORS middleware, but I'm not 100% convinced. My users would have to know the option exists, activate it, redeploy, test, then deactivate it and redeploy once more. And I'm not sure whether (or how quickly) browser vendors could be convinced to produce more informative error messages, to be honest...
[08:02:33.0917] I'm not sure what you mean. The side channel is there whether you use a 403 or not.
[08:07:06.0796] True, the status code is irrelevant. But what kind of useful information could be gleaned by an attacker if the server included the ACAO header (and possibly ACAM and ACAH with "partial" values) in the response despite a failure of CORS preflight?
[08:16:04.0402] * True, the status code is irrelevant. But what kind of useful information could be gleaned by an attacker if the server included the ACAO header (and possibly ACAM and ACAH with "partial" values) in the response despite a failure of CORS preflight? Or is the side-channel attack you're worried about something else entirely?
[08:33:43.0278] It's separate, but maybe it would be better to remove it as for preflights it doesn't matter too much as you say.
[08:48:48.0839] Thanks for clarifying. That's great.
[08:50:33.0582] annevk: https://github.com/whatwg/infra/issues/518 -- I'm mentioning that here mostly in case other folks are following along
[08:52:00.0184] @annevk I'm currently writing a blog post about my design philosophy for my CORS middleware library. Do you mind if I mention your name (along with Jake's, who also helped me understand a few subtleties) in the acknowledgements? I intend to specify that such an acknowledgement does count as an endorsement of my library on your part 😇
[09:12:43.0897] * Since nothing much happens during preflight on the server side (as the CORS middleware should handle the preflight request rather than passing it on to the next handler in the chain), I'm wondering whether worrying about side-channel attacks during preflight is justified. Do you know of such attacks? I know the Fetch standard mentions that possibility:
> Any other kind of HTTP response is not successful and will either end up not being shared or fail the CORS-preflight request. Be aware that any work the server performs might nonetheless leak through side channels, such as timing. If server developers wish to denote this explicitly, the 403 status can be used, **coupled with omitting the relevant headers**.
But has it ever been an issue in practice?
[09:40:41.0996] jub0bs: sure
[09:40:44.0514] jugglinmike: ta
[09:42:31.0057] Yes. I think this passage deserves at least some clarification:
> Be aware that any work the server performs might nonetheless leak through side channels, such as timing.
If server developers wish to denote this explicitly, the 403 status can be used, coupled with omitting the relevant headers.
In particular, I'm not sure myself what "denote this" refers to...
[09:43:21.0457] * annevk: I'm currently writing a blog post about my design philosophy for my CORS middleware library. Do you mind if I mention your name (along with Jake's, who also helped me understand a few subtleties) in the acknowledgements? I intend to specify that such an acknowledgement does **not** count as an endorsement of my library on your part 😇
[09:44:04.0068] > <@annevk:matrix.org> It's separate, but maybe it would be better to remove it as for preflights it doesn't matter too much as you say.
* Yes. I think this passage deserves at least some clarification:
> Be aware that any work the server performs might nonetheless leak through side channels, such as timing. If server developers wish to denote this explicitly, the 403 status can be used, coupled with omitting the relevant headers.
In particular, I'm not sure myself what "denote this" refers to...
[09:45:13.0063] jub0bs: can you file an issue?
[09:45:33.0769] I can fix, but not today
[10:22:11.0307] annevk: I sure can! There's no rush for you to fix it, though.
[10:54:32.0738] * annevk: I sure can! There's no rush for you to fix it, though.
Done: https://github.com/whatwg/fetch/issues/1588 2023-01-10 [00:01:28.0744] Domenic: you didn't hit submit for your Infra PR review (at least I'm not seeing it) [00:04:41.0928] > <@annevk:matrix.org> Domenic: you didn't hit submit for your Infra PR review (at least I'm not seeing it) Thanks, done. [03:43:34.0941] Ran into a web compat report yesterday where apparently if a domain looks like punycode (i.e. starts `xn--`) but isn't valid punycode, Chromium will just treat it as an ascii domain, but Gecko will refuse to resolve it. That seems like the kind of thing annevk probably knows about :) [04:05:18.0761] jgraham: yeah, ASCII fast paths, let me look up the issue number [04:07:06.0166] jgraham: https://github.com/whatwg/url/issues/438 [04:08:43.0404] Thanks! [04:11:03.0630] jgraham: the last comment by timothygu can probably be turned into a WPT [04:11:34.0962] Also pinged the UTS46 experts just now to see if we can move it forward a tiny bit [04:31:26.0050] In case anyone is interested in some ToASCII spelunking: https://github.com/whatwg/url/issues/603#issuecomment-1377190876 I had forgotten how complicated it is (my write up skips a lot of steps) [04:54:05.0739] jgraham: it might be that `toascii.window.js` covers those cases already btw [05:05:17.0172] jgraham: pretty sure they do, e.g., there's `xn--a` there [05:05:57.0204] jgraham: only Chromium-based browsers fail tests there [05:22:31.0457] annevk: https://github.com/webcompat/web-bugs/issues/116505 was the bug report, which is about Chrom[e|ium] allowing access to a site that Gecko does not. 
[05:25:00.0284] Note that Safari also cannot access that domain [05:25:38.0936] https://github.com/whatwg/url/issues/543 is a further subtle difference that exists between Gecko and WebKit, whereby Gecko doesn't seem to check the bidi rules, but WebKit does [05:25:56.0270] I don't think that's tested currently [05:26:37.0856] Yeah, not saying it's a high priority issue; I don't recall seeing another similar bug report (and no one else did either), just that there's a non-zero number of sites relying on Chromium-specific behaviour here. [05:27:48.0309] (although it's also hard to tell how common it is because we probably get way fewer bug reports from users in regions that are likely to actually use non-ascii domains vs North America / Western Europe) [05:48:52.0529] jgraham: it's part of Interop 2022 and soonish 2023 so hopefully that'll help. [05:49:45.0842] jgraham: it seems there is existing test coverage, except perhaps for the bidi stuff which I just wrote a comment on. I think that's the last of the IDNA issues. Not as much as I feared really so hopefully this national nightmare will soon be over. [07:41:37.0316] jgraham: I'd like to blame you for my "The Bidi Rule" day [07:57:00.0623] (On the flipside, if we finally solve the ToASCII side of IDNA due to this I probably owe you something.) [08:02:36.0701] Haha. I'm going to suggest it's your own fault that you're known as "the person who will be interested in IDNA issues" ;) [08:38:50.0019] api.csswg.org is down TabAtkins [08:59:27.0575] Sanity check wanted (annevk or others). The following algorithm style feels wrong to me, do you agree? 1. 2. Let |returnVar| be null 3. Fetch and in the fetch callback set |returnVar|. 4. In parallel, wait for |returnVar| to become non-null, and return it. Imagine some more rigorous wording, but it's the structure that I'm concerned with. 
The author is looking for a way to do something like async/await in spec prose, but I think the above is broken because you can't return something while in-parallel, from an algorithm that is not running in-parallel. The second you go off-thread you have a post a task back to the main thread, in which case you're now dealing with callbacks, not a linear return sequence from the same algorithm that returns something asyncly. Does that sound right? [09:00:03.0848] As I mentioned the motivation I'm gathering here, is that the author wanted to do something like async/await in spec, instead of having a long chain of callbacks all the time. It seems like nothing like that is actually possible though? [09:00:52.0196] The various module and script fetching algorithms are written in an async/await-like style [09:01:19.0314] * The various module and script fetching algorithms are written in an async/await-like style [09:01:26.0069] you could look into those [09:05:01.0592] I think a key question is whether it's actually doing something where the ordering is observable from content. If it is (and I assume something running on the DOM manipulation task source would be) it should probably explicitly use `queue a microtask` or some other integration. [09:05:32.0996] (but uh, I'm also not an expert here, and so I'd wait for an actual HTML editor to give an opinion) [09:11:03.0309] annevk: reported [09:38:14.0359] The approach there seems to be: 1. Do something on the main thread 2. Wait in parallel for some result 3. Queue a main thread task to continue these steps, with result That seems doable and nice. 
Keeps it linear, but is explicit about posting tasks which are sort of the "callbacks" [09:43:27.0765] Although now thinking about it more, I'm not really sure if that works for the spec changes I'm reviewing, just because the algorithms that would be broken up by the step 2 all return a specific value, and I don't know if that really makes sense here, since the caller would have to know that the algorithm doesn't return its value synchronously. Like that's the only reason async/await actually works... because async functions always return promises, and there doesn't seem to be a spec infra equivalent [09:53:54.0213] jgraham: would you mind ack your support for the text about the custom handler automation ? Thanks. https://github.com/whatwg/html/pull/8267#issuecomment-1340331151 [10:08:14.0619] annevk: When you get a chance https://github.com/whatwg/html/pull/8447 is ready for review again. Thanks. [10:08:55.0167] wanderview: ta, hopefully tomorrow [10:10:17.0093] Dominic Farolino: yeah that initial algorithm doesn't work; the second approach kinda works but I wouldn't recommend it as it's rather confusing [10:10:26.0518] Dominic Farolino: just break up the algorithm [10:18:51.0544] annevk: you mean into a series of algorithms and explicitly defined callbacks? [10:19:20.0352] I guess people are wondering if there is some async/await spec prose equivalent to avoid the chain of callbacks etc. Seems like no, though [10:31:27.0889] Dominic Farolino: yeah not really. At some point we tried to use promises, but that has all kinds of issues as well. We could perhaps define Infra-promises at some point, maybe. [10:32:25.0216] there used to be an informal async/await-like syntax for some of the script and module fetching algorithms in HTML, but it's now been replaced with fetch callbacks [10:33:47.0063] Dominic Farolino: to be clear, inside "in parallel" it's perfectly fine to wait on stuff that's happening "in parallel" to that. Gets complicated fast though. 
[10:44:42.0637] Yeah that makes sense. The issue is when an algorithm that suspends itself before returning a value.... actually wants to return a value. That doesn't seem valid. At that point you have to "return" the value by calling a callback with said value. In my mind, once the control flow of an algorithm is interrupted by something "in parallel" you can no longer return concrete values from it without some sort of async/await infra [15:31:19.0207] how do i coax people to review and merge wpt prs https://github.com/web-platform-tests/wpt/pull/36733 2023-01-11 [18:51:38.0174] > <@devsnek:matrix.org> how do i coax people to review and merge wpt prs https://github.com/web-platform-tests/wpt/pull/36733 They are merged after the corresponding spec change is merged, generally. [18:52:22.0922] > <@domenicdenicola:matrix.org> They are merged after the corresponding spec change is merged, generally. feeling very chicken and egg rn [18:52:30.0483] I need to get safari or Firefox to implement this [18:52:32.0897] and they want tests [18:52:37.0329] and tests want spec [18:52:43.0902] and spec wants safari or firefox [18:53:31.0478] Well they should be able to express interest in shipping, which unlocks the spec, which unlocks the tests, which unlocks the ability to actually land code. [18:53:52.0906] hmm [18:54:01.0791] then we should be able to merge the spec I guess [18:54:36.0496] do I need them to like comment on the spec pr or something to make the interest official [19:39:15.0719] Yeah exactly [19:39:36.0195] Or some public indication of willingness to ship [00:02:41.0728] Dominic Farolino: it works if the algorithm can be invoked inside "in parallel" only; but yeah, if you want to run it on the main thread that's a no-go [00:05:07.0807] snek: https://whatwg.org/working-mode#changes is the process for a change. 
All of these things can be prepared in parallel or in sequence, but typically any kind of merging happens only after they are all deemed in order by the editor. [01:22:03.0300] > <@annevk:matrix.org> snek: https://whatwg.org/working-mode#changes is the process for a change. All of these things can be prepared in parallel or in sequence, but typically any kind of merging happens only after they are all deemed in order by the editor. indeed I had gone through this and tried to do all of them, I have opened a pr against the spec, I got google and mozilla to admit interest, I wrote tests, I wrote the implementation for the change in all 3 browsers. it might be helpful to clarify the finer details of these requirements. I will reach out to the person at mozilla and ask them to comment their interest on the issue or pr itself so it can move forward... [01:29:34.0427] snek: it looked to me like the PR was still a draft? [01:30:49.0792] hmm so it is [01:30:54.0895] I'll mark it as ready to review [01:31:16.0841] too used to the tc39 process of tests first [08:20:04.0547] > <@annevk:matrix.org> wanderview: ta, hopefully tomorrow Thanks for the review! I've tried to address your comments. When you have time please take another look. Thanks. 2023-01-12 [00:26:02.0726] Domenic: what defines that `:root, :--blah { background:lime }` suddenly works if not a change to Selectors? [00:28:26.0652] annevk: My understanding is any time anyone s a pseudo-class, it now works. There's no master list of pseudo-classes; even Selectors is just a bunch of s. [00:30:21.0769] https://w3c.github.io/csswg-drafts/selectors/#invalid a must requirement in a note, beautiful [08:00:27.0416] Domenic: would still like a new take on https://github.com/whatwg/html/pull/8496 from you [08:07:25.0378] The Steering Group is considering making a change with regards to which changes require signing the Participant Agreement. In particular allowing "trivial changes" to go through. 
https://github.com/whatwg/sg/issues/63#issuecomment-1377827797 has a draft definition. (Probably best to engage here first if you have any feedback as that issue thread is already pretty long.) [08:13:16.0141] Can you throw DOMExceptions from in parallel? I didn't think so, since I thought they had to be constructed on the "main thread", but now I'm not sure [08:30:09.0537] Dominic Farolino: you cannot [08:30:21.0422] Dominic Farolino: you cannot do any IDL/JS in parallel [08:31:18.0132] Dominic Farolino: as I discussed with someone else earlier today, if you imagine a browser consisting of one or more website processes, and a browser process, "in parallel" is the browser process [09:35:57.0814] annevk: my first thought on the draft definition of trivial changes is that an automated correction of broken links might easily run up against the idea that the change should be a few dozen characters at most. [09:41:12.0597] Yeah that's how I've always envisioned it, browser == in parallel [09:44:08.0998] My understanding is that dictionaries are not platform objects though, and can be manipulated in parallel in ways that normal IDL objects cannot be, is that correct? [10:08:47.0092] Dominic Farolino: they map to Infra maps, but the values can definitely be IDL objects that cannot cross the boundary [10:09:55.0365] I thought since dictionaries always convert to/from objects without referencing them, it's fine for them to cross the boundary [10:10:21.0229] as long as they don't include a JS or platform object as a field, ofc [10:10:33.0974] * as long as they don't include a JS or platform object, ofc [10:10:42.0115] * as long as they don't include a JS or platform object as a field, ofc [10:11:14.0019] Right, what you call field, I called values as per https://infra.spec.whatwg.org/#map-value [10:11:34.0423] oh, I misunderstood/misread that [10:12:21.0634] "value" is a very overloaded term [10:12:27.0865] But yeah, most Infra data structures seem harmless. 
Ideally we'd formalize it more, but that's also a bunch of work [10:12:37.0738] Thanks Alan Stearns 2023-01-13 [16:23:15.0782] > <@annevk:matrix.org> Domenic: would still like a new take on https://github.com/whatwg/html/pull/8496 from you Yep, on the queue. Today is pretty busy and it's last working day, but I'll try. [21:44:58.0790] PSA relayed from TabAtkins : Bikeshed's reference database has changed. https://lists.w3.org/Archives/Public/spec-prod/2023JanMar/0004.html . I suspect some of our specs may need small updates and will break on the next build. [21:45:26.0156] Also this means the JavaScript spec is in the database now which is huge!!! [21:46:10.0986] I've done some checks on whatwgv specs and preemptively fixed some obvious data issues, but I didn't try building all of them, so yeah just let me know if there are issues [23:33:45.0646] Domenic: if you're going on vacation please leave it [23:34:00.0693] Sorry no I just meant that it's Friday, I don't know why I phrased it a weird way :) [23:35:47.0131] 🫣 [02:00:45.0301] > <@domenicdenicola:matrix.org> Also this means the JavaScript spec is in the database now which is huge!!! Has anyone gotten this to work? My first attempt (`CreateDataProperty`) seems to only be known as a heading and not as an aop [07:16:00.0081] Thus far I only noticed implementation-defined conflicting [11:02:02.0293] Ms2ger: Yeah we're still dependent on ES marking things up usefully, so if an aop is solely present as a heading and not a dfn they need to fix it [11:05:02.0233] annevk: Hm, "implementation-defined" exists in Infra and ES, and appear to be essentially the same definition. I'm inclined to default that to Infra, unless you object? 
[11:32:10.0539] > <@tabatkins:matrix.org> Ms2ger: Yeah we're still dependent on ES marking things up usefully, so if an aop is solely present as a heading and not a dfn they need to fix it I bet the JS editors (Shu, Bakkot and Michael Ficarra) would be interested in getting these issues addressed at some level or other if you raise it to them; they have done a lot of work in getting various spec elements' metadata improved so that things can be mechanized. 2023-01-14 [18:09:24.0718] there is a machine readable biblio published at https://www.npmjs.com/package/@tc39/ecma262-biblio whenever the spec is updated [22:54:00.0448] TabAtkins: that would be great actually [23:18:02.0529] TabAtkins: I don't think that's quite right. dontcallmedom did a lot of work to manually categorize everything in the ES spec. I think AOs should work. [23:18:06.0169] Let me find the thread... [23:19:19.0929] https://github.com/w3c/reffy/pull/732 [23:20:06.0221] I think the problem is the linking text that's extracted includes argument names [23:20:50.0113] So you'd need to do `[$CreateDataProperty(O, P, V)$]` [23:21:02.0466] We should probably fix that. I don't think there are any AO overloads? [08:42:07.0200] Ah, I automatically fix up css functions and js methods into an argless form; I can do the same for AOs [08:42:25.0932] * Ah, I automatically fix up css functions and js methods into an argless form; I can do the same for AOs 2023-01-16 [23:54:24.0812] annevk: Domenic given that https://github.com/whatwg/html/pull/6360 is resolved, I wonder if that also means the related Wattsi patch would no longer be relevant? I mean https://github.com/whatwg/wattsi/pull/149 — Since apparently maybe Webref makes it unnecessary? 
[23:56:13.0104] sideshowbarker: I suspect we no longer need it, but would be could if Dominique could confirm [23:57:16.0087] sideshowbarker: although maybe he already confirmed enough times that his system doesn't do heuristics; I'm pretty sure we're good now [00:16:13.0535] OK — thanks, I guess I’ll post a comment to the patch itself, so that Francois or Dom can reply there [00:36:22.0143] Domenic: can you have a quick look at the final two paragraphs of https://github.com/whatwg/infra/pull/520? If they look good I'll merge [02:20:52.0944] * Domenic: can you have a quick look at the final two paragraphs of https://github.com/whatwg/infra/pull/520? If they look good I'll merge. (I went ahead and merged it. Feel free to PR final nits.) [02:50:19.0426] Hi, i cannot find information on this: what are the default size limits of OPFS (origin private file system) in current browsers? any pointers? thanks! [03:23:27.0677] * Hi, i cannot find information on this: what are the default size limits of OPFS (origin private file system) in current browsers? any pointers? thanks! appears to be a secret nobody is talking about [03:54:08.0419] * Hi, i cannot find information on this: what are the default size limits of OPFS (origin private file system) in current browsers? any pointers? thanks! appears to be a secret nobody is talking about. Ok seems there is some quota management behind this, https://developer.chrome.com/docs/apps/offline_storage/ sorry for disturbing here as this is probably off topic. [07:48:04.0839] I vaguely recall we had a "hard" reload discussion at some point and potentially defining behavior. Anyone remember more than me? [07:50:16.0761] https://github.com/whatwg/fetch/issues/289 might be it. 
[14:52:37.0375] annevk: https://github.com/whatwg/html/issues/5222 and https://github.com/whatwg/html/issues/6718 2023-01-17 [00:28:31.0650] Domenic: sorry about the churn on the domain label PR, "nailed it" was not quite correct after all 😅 [00:28:47.0022] All good [00:29:09.0854] I think I'm going to morph https://github.com/whatwg/html/pull/8712 into "nested navigable" -> "navigable" [00:29:11.0097] Glad we have CI [00:31:44.0536] Hmm, OK, immediately yak-shaved into getting https://github.com/domfarolino/specfmt compiled and working on my work laptop, cuz this is gonna involve a lot of rewrapping [01:49:00.0057] when revising a spec, I noticed that it does variable shadowing. E.g., an algorithm is being passed a document fragment called `fragment` and a later step is collecting some nodes in a temporary variable also called `fragment`. Can we assume a separate variable scope for the inner of a loop or is that bad practice? I'll call it `tempfragment` or such for now.. [01:49:57.0705] If you're not immediately sure how it works, maybe you should clarify anyway :) [01:49:58.0566] I didn't know about "node navigable". In that light I guess "content navigable" is reasonable. [01:51:24.0805] freddy: they are block scoped, but we also don't want you to initialize the same variable multiple times in a single algorithm to avoid such confusion; see https://infra.spec.whatwg.org/#variables [01:54:15.0895] uh, is a "for each" loop its own block? [01:54:29.0180] * uh, is a "for each" loop its own block? [02:06:02.0033] freddy: it's somewhat fuzzy as sometimes you can put it on a single line and sometimes not, but it also shouldn't matter in practice [02:06:17.0838] /me nods [02:06:30.0840] Noam Rosenthal: nice work on getting prefetch done \o/ [02:07:23.0281] > <@annevk:matrix.org> Noam Rosenthal: nice work on getting prefetch done \o/ Thanks! Was a bigger task than I thought [04:55:41.0527] I didn't realize this, but `
` essentially scopes variables and if you then end up with a single unscoped variable elsewhere due to an example, it gets flagged. This is rather nice, but also surprising as the error can be in a completely different place from where you expect. [04:56:22.0326] TabAtkins: is there something we could do to make Bikeshed from api.csswg.org output the warning/error location, if a location is known? [10:46:41.0012] annevk: the error message automatically includes line numbers when I can track what element is causing an error, but I can't always do so easily; iirc the stray-variables spot is one such place. I think I *could* track it, it would just require a little bit of work. [10:50:13.0631] TabAtkins: ah okay, I do recall sometimes seeing them yeah [11:30:54.0092] annevk: okay it actually was super easy to refactor that function to track the elements, pushed live now. (I'm p sure the server version is always trunk, not pip, so it should show up in a few minutes.) 2023-01-18 [22:02:16.0282] You can still apply CSS using ?? Really? Amazing... https://www.w3.org/Style/Examples/001/doc.xml [00:09:09.0003] I attempted to define that in CSSOM at one point, it should maybe move to HTML [00:17:20.0765] Brings back memories... https://www.w3.org/TR/xml-stylesheet/ [00:17:59.0610] Wonder if xml-stylesheet in doctype internal subset is interoperable yet [00:54:15.0667] zcorpan: wait what? What does that look like? [00:57:29.0653] annevk: https://software.hixie.ch/utilities/js/live-dom-viewer/saved/11194 [00:59:12.0252] "For potential xml-stylesheet processing instructions that are in the [children] property of a document type declaration information item, xml-stylesheet processors may report to the application the parsing result of invoking the rules for parsing pseudo-attributes from a string, using the processing instruction information item's [content] property as the string. 
[Definition: If it is not reported to the application, the processing instruction information item is said to be ignored.]" [01:01:06.0140] I wanted to change that to "must not" but that was not allowed according to the WG because some processors didn't ignore them and we'd have to change the version to 2.0 to make such an incompatible change, and then we'd have to introduce versioning because how would processors know which version to use?? [01:02:12.0669] Ugh. Should probably have forked. [01:02:56.0158] Worked around it in CSSOM by only processing xml-stylesheets that are children of the document: https://w3c.github.io/csswg-drafts/cssom/#prolog [01:03:46.0627] But maybe we can drop CSS support completely, don't know how much it's used [01:04:41.0296] zcorpan: it seems to be supported in Chromium and WebKit btw, not Gecko [01:05:14.0464] https://bugs.chromium.org/p/chromium/issues/detail?id=929629 [04:30:11.0123] Ah nice, WebKit bug too. Perhaps it needs some WPT incentive [13:59:30.0535] https://www.w3.org/Style/Examples/001/doc.xml works in Gecko though? [14:00:40.0723] I guess you are talking about the ]> pattern specifically 2023-01-19 [23:25:42.0689] Yeah, I was. I don't care too much about getting rid of the normal PI variant, I don't think that allows for much simplification of the model. At least not as long as everyone does XSLT. [23:44:09.0050] Alan Stearns: heya, we revised the proposal for trivial changes to take into account the point you mentioned: https://github.com/whatwg/sg/issues/63#issuecomment-1387475350 [23:44:23.0384] (it's still very much tentative, but I thought I'd give an update) [00:36:01.0246] Domenic: did you wanna look at https://github.com/whatwg/url/pull/739 or happy to trust TRowbotham? [00:39:00.0403] > <@annevk:matrix.org> Domenic: did you wanna look at https://github.com/whatwg/url/pull/739 or happy to trust TRowbotham? I kinda do, but I think it'd have to be a weekend project... 
so happy to trust you if you two want to move forward with it sooner. [00:39:48.0251] > <@annevk:matrix.org> Yeah, I was. I don't care too much about getting rid of the normal PI variant, I don't think that allows for much simplification of the model. At least not as long as everyone does XSLT. The normal variant is just such a large piece of the platform to have around with zero spec. (Does it affect document.styleSheets? Load event timing? Render blocking? Whoooo knowssss) [00:42:36.0425] I might merge it later today then so I can complete the validation error codes PR and that can then wait on you [01:19:59.0455] Domenic: thanks to you I think I found a bug in https://url.spec.whatwg.org/#scheme-state [01:20:15.0634] Domenic: there's no EOF handling for the state override case [01:23:05.0544] Hmm... it would just validation error, return failure in that case right? [01:23:32.0339] Which is probably correct for `location.protocol = ""`? [01:26:12.0667] Domenic: well, how does the input "blah" terminate currently? [01:26:47.0407] I think the input always ends with a colon? [01:27:24.0744] No, we have tests that expect the opposite and implementations don't require that [01:27:44.0653] location.protocol input does [01:27:53.0068] Because the setter always appends ":" [01:28:04.0668] before hitting the parser [01:28:23.0469] Looks like URL's protocol setter does too [01:28:48.0663] Aaah, thanks! [09:43:00.0068] Karl: hey, I'm looking at IdnaTestV2.txt and I was wondering if you could help me out [09:43:36.0670] Karl: in particular I'm not sure I understand how `xn--0.pt` relates to _VerifyDnsLength_ [09:44:19.0556] Karl: it seems that when you don't enforce _VerifyDnsLength_ that should just stay as-is, but browsers reject it instead [09:48:31.0099] Anyway, I now also have something again with which I could add 6344 IDNA tests to WPT... Maybe this time I can actually get it landed, but needs a bit more work before I submit a PR. 
[11:05:35.0369] > <@annevk:matrix.org> Alan Stearns: heya, we revised the proposal for trivial changes to take into account the point you mentioned: https://github.com/whatwg/sg/issues/63#issuecomment-1387475350 LGTM. Thanks! 2023-01-20 [01:41:37.0086] Adam Rice: heya, I have a copy of Chromium that does faß.de the NonTransitional way, but it still has an order of magnitude more failures on the UTS46 test suite compared to WebKit (~2000 vs ~200) [03:27:34.0442] Sorry to hear about the layoffs at Google. Hope you all are doing okay. 🫂 [04:40:37.0810] What's most fun is that those of us outside the US don't even know... [07:13:47.0022] Adam Rice: btw, follow-up for that message is in your GitHub notifications [11:10:53.0359] > <@annevk:matrix.org> Adam Rice: btw, follow-up for that message is in your GitHub notifications Thanks! It sounds like we have a lot of work to do. 2023-01-21 [19:05:42.0931] https://support.skype.com/tr/faq/FA34745/skype-profilimi-ve-iletisim-durumumu-kimler-gorebilir 2023-01-22 [00:05:05.0384] https://www.sithub.in/course/Web+Designing.php 2023-01-24 [19:55:56.0246] Thinking about a blanket policy of deleting "I want to work on this issue, please assign it to me" for whatwg/html at least... [19:56:16.0327] Not sure what's going on but there's probably something in the ecosystem that's incentivizing number of assigned issues. [22:23:45.0340] Yeah I'm afraid that "good first issue" is more of a spam vector at this point than actually helping. :-( [22:24:49.0362] E.g., https://github.com/whatwg/fetch/issues/1567 [23:57:11.0845] Domenic: did you want to look at https://github.com/web-platform-tests/wpt/pull/38080 before I land it? [23:57:51.0030] Or Adam Rice maybe? [00:17:59.0777] Jake Archibald: did you ever put your thoughts about not passing methods that currently take a single argument to methods that will end up invoking it with multiple in an article? 
[00:18:45.0747] Jake Archibald: I wanted to add arguments to `URLSearchParams`'s `has()` and `delete()`, but the pushback is that such code might break... [01:02:39.0548] > <@annevk:matrix.org> Domenic: did you want to look at https://github.com/web-platform-tests/wpt/pull/38080 before I land it? Probably best not to block on me. I'm interested in getting jsdom to pass them but it might take some weeks. (Heading on vacation next week and the week after...) [01:05:46.0450] Domenic: nice! We're taking a short break next week as well [01:07:07.0715] Domenic: also thanks for the validation error review, I'll give it another pass. The status quo is such that each instance of "validation error" has its own code, but maybe that's indeed not needed. I had independently found another case where it seemed a bit superfluous. [01:07:30.0256] Yeah, not sure how perfect we need it to be before merging, but I thought I'd do a pass [01:37:49.0333] annevk: I did! https://jakearchibald.com/2021/function-callback-risks/. Those `URLSearchParams` changes feel less likely to break since they need to be called with a `URLSearchParams` as `this` [01:38:24.0872] annevk: I guess the pattern to watch out for would be `params.has.bind(params)` [02:04:49.0143] Jake Archibald: thanks! 2023-01-25 [00:49:53.0960] I know that we recently (within the last 5 years 👴) started disallowing navigations to `data:` URLs because of spoofing risks. Has this ever made into the spec? What's the situation for nested contexts here? [01:14:03.0715] annevk: ping on https://github.com/whatwg/html/pull/8392 [01:15:41.0402] > <@fbraun:mozilla.org> I know that we recently (within the last 5 years 👴) started disallowing navigations to `data:` URLs because of spoofing risks. Has this ever made into the spec? What's the situation for nested contexts here? Redirects to data: URLs are specced as outlawed in https://html.spec.whatwg.org/#create-navigation-params-by-fetching step 21 . 
Not sure about straight-up navigations, I think they're still allowed? [01:17:50.0108] https://github.com/whatwg/html/pull/5279 [01:18:34.0695] After https://github.com/whatwg/html/pull/8502 we should have the spec infrastructure to differentiate browser UI URL-bar navigations, vs. page-initiated navigations. So we could finish that. 2023-01-26 [16:24:35.0542] Is it specced that adding a fetch event listener in the service worker after first run will do something weird? https://dom.spec.whatwg.org/#add-an-event-listener just says "might not have expected results" but I can't find any spec mechanism that could generate those wrong results. [16:26:09.0540] Ah I think I found it: https://w3c.github.io/ServiceWorker/#run-service-worker-algorithm step 17.1 [22:22:17.0915] Domenic: yeah, service workers violates the don't look at events thingie :-/ [22:28:54.0093] I've come to peace with it, service workers are weird. [00:50:53.0305] Domenic: did you have a chance to look at https://github.com/web-platform-tests/wpt/pull/38150 again? [00:51:48.0672] Domenic: I also found that we have `url-setters-stripping.any.js` which might make some of these a bit redundant [01:03:16.0490] Hello! Could I get an invite for the HTML issue triage meeting (https://github.com/whatwg/html/issues/8723) at nribaudo@igalia.com? (or even just the link to join!) [01:28:44.0825] * Hello! Could I get an invite for the HTML issue triage meeting (https://github.com/whatwg/html/issues/8723) at nribaudo@igalia.com? (or even just the link to join!) EDIT: got it, thanks! [01:41:34.0769] Hey all. I built a toy a while ago: https://foolip.github.io/spec-reactions/ [01:41:57.0954] Sorting by recent reactions and filtering to WHATWG gives this: [01:42:42.0733] > <@annevk:matrix.org> Domenic: did you have a chance to look at https://github.com/web-platform-tests/wpt/pull/38150 again? I did not sadly; I am content with the new tests but I do wish I had time to investigate why we were passing before. 
[01:42:43.0581] Does that seem like it could correspond with things that are worth extra attention? [01:43:37.0205] I like it, foolip! I've been rooting for observables in particular for some time :) [01:44:52.0476] Ah yes, https://github.com/whatwg/dom/issues/544 wins the total reactions battle, but seems to have fallen quite lately. [01:48:51.0048] Domenic: I'm going to merge to not block other implementers (and given the other existing tests); I can file an issue on jsdom if you want? [01:49:06.0867] Sounds good, and yeah a tracking issue would be quite lovely. [04:08:54.0796] annevk: What is supposed to make the iframes not inherit UTF-8 from the same-origin parent harness in WebKit and Blink in https://wpt.fyi/results/encoding/unsupported-labels.window.html?label=experimental&label=master&aligned&view=subtest ? [04:50:57.0631] hsivonen: I think Firefox might have a different default encoding maybe due to your work? [04:51:20.0967] hsivonen: if that's not it I guess I need to take a longer look [04:52:45.0604] annevk: but Chrome uses utf-8 in the parent document too, and I assume so does Safari [04:53:19.0010] annevk: Without inheritance, if the content is ASCII, Firefox defaults to windows-1252. However, in the test case, the parent declares UTF-8, so that's inheritable within the same origin. [04:53:26.0484] Interesting, so these always failed in Gecko? [04:54:07.0667] annevk: Yes, it looks like this test has failed since it synced to m-c in October. It's unfortunate that we don't have automated notifications for new tests that fail. [04:57:27.0580] hsivonen: you were the reviewer! 
😀
[04:57:46.0746] I can take a look later today most likely
[09:13:53.0076] smaug: hsivonen: it seems that once Content-Type charset is involved there's no more cross-document inheritance, regardless of whether that charset value is correct, in Chromium and WebKit
[09:14:16.0609] https://github.com/web-platform-tests/wpt/pull/38199 demonstrates this, though it could test more
[09:16:45.0887] smaug: hsivonen: I guess I clean those tests up, and also make the `encoding/` tests use `` instead for now so we don't run into this particular issue. And then file bugs against Chromium/WebKit or open a spec issue to see if we want to collectively reconsider given that more sites might rely on Chromium/WebKit behavior at this point...
[09:17:26.0614] annevk: ok, thanks!
[12:33:03.0464] Anybody here know much about Chrome's use-counter data? I'm looking for numbers on the CSS `:has` pseudoselector, but I can't find a use counter. That seems surprising for such a popular and difficult-to-implement feature, so I'm wondering if I'm looking in the wrong place. https://chromestatus.com/metrics/css/popularity
[12:41:05.0852] jugglinmike: search for "cssselectorpseudohas" in https://chromestatus.com/metrics/feature/popularity (not so appropriately named "JS/HTML" in the menu)
[12:41:26.0314] There are several and I don't know the difference between them
[12:41:44.0266] But you can look up how they're implemented in https://source.chromium.org/chromium
[12:43:13.0258] Excellent; thanks, zcorpan !
[12:44:08.0944] Maybe snapshot profile means querySelector{,All}() and live profile means CSS
[12:48:37.0731] Filed https://github.com/GoogleChrome/chromium-dashboard/issues/2694
[14:11:17.0421] > <@zcorpan:mozilla.org> Maybe snapshot profile means querySelector{,All}() and live profile means CSS yes, that's roughly correct (also Element.matches and Element.closest); these used to be distinguished in the CSS Selectors spec but no longer are
[15:04:59.0852] Jeremy Roman: Thanks for clarifying. It seems like binning the data like that makes it difficult to answer the question, "how often is :has used?" since there's no telling how many pages use it in both contexts. Is that right?
[15:17:18.0264] Ah, scratch that--"CSSSelectorPseudoHas" is a dedicated flag!
[15:19:09.0925] Except, it looks like it has never been used. Hinky
[15:31:59.0960] Yeah, unfortunately I think you're right. It's at least max(CSSSelectorPseudoHasInLiveProfile, CSSSelectorPseudoHasInSnapshotProfile)
[15:32:17.0379] and at most CSSSelectorPseudoHasInLiveProfile+CSSSelectorPseudoHasInSnapshotProfile
[15:33:28.0484] which puts it somewhere between 2.9% and 5.1%
[15:34:57.0219] wouldn't be hard to add a usecounter for either or, but I don't see one currently
[15:52:08.0828] fwiw, i use it extensively in local tests now. i'd hope you're not seeing a lot of use where it's not wrapped within a "@supports selector" group...at least for the next few years,
2023-01-27
[16:14:17.0279] I'm thinking of blending them with the guess that half of the datapoints overlap
[17:08:01.0313] annevk: I finally found some corroboration for my belief that "e.g." doesn't always need a comma after it: https://www.grammarly.com/blog/know-your-latin-i-e-vs-e-g/ talks about how it's important to add a comma when introducing a *list* of examples, but (implicitly) not for a single example.
Also https://english.stackexchange.com/questions/16172/should-i-always-use-a-comma-after-e-g-or-i-e talks about how all the grammar guides hedge. That said, I'm happy to settle on consistent and easy-to-remember WHATWG style being always to use the comma. I just wanted to make sure I wasn't crazy.
[19:05:22.0566] oxford commas...pick your style guide
[22:36:24.0093] Domenic: oh sorry, I never thought you were wrong. I was mainly trying to keep us consistent with a style someone expressed preference for at some point. 😅
[22:39:05.0154] Domenic: About the error check after enqueue in Fetch:
```js
r = new ReadableStream({
  async pull(c) {
    await new Promise(r => setTimeout(r, 100));
    c.byobRequest.respond(512);
  },
  type: "bytes"
});
reader = r.getReader({mode: "byob"});
reader.read(new Uint16Array(1024));
setTimeout(() => reader.releaseLock(), 5);
```
This eventually hits https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontrollerenqueueclonedchunktoqueue which theoretically can error the stream. Can Fetch really ignore this?
[01:11:11.0100] I wonder why the coalescing in popover was duplicated and not factored out, but maybe I can attempt to do that.
[01:34:15.0642] > <@annevk:matrix.org> smaug: hsivonen: I guess I clean those tests up, and also make the `encoding/` tests use `` instead for now so we don't run into this particular issue. And then file bugs against Chromium/WebKit or open a spec issue to see if we want to collectively reconsider given that more sites might rely on Chromium/WebKit behavior at this point... Thanks.
[01:37:27.0739] zcorpan: Do you happen to recall history around https://www.w3.org/Bugs/Public/show_bug.cgi?id=25168 ? IIRC, the `XMLSerializer` API was introduced in Gecko. How did non-Gecko behaviors around bogus XML get introduced? Context: https://bugzilla.mozilla.org/show_bug.cgi?id=1763779
[02:35:10.0724] hsivonen: I don't know the history.
Guessing that maybe the serializer was only expecting input that has been parsed by an XML parser, and not HTML parser or DOM APIs
[02:37:39.0994] hsivonen: I guess that bug depends on what `createElement` does for that case
[02:43:55.0023] > <@zcorpan:mozilla.org> hsivonen: I don't know the history. Guessing that maybe the serializer was only expecting input that has been parsed by an XML parser, and not HTML parser or DOM APIs I'm pretty sure that as introduced in Gecko, `XMLSerializer` tried hard to skip over bogus stuff that might have been introduced via DOM Level 1 APIs. So where did contrary behavior come from? Anyway, it looks it's now 2 vs. 1 by the way of the 2 being whatever WebKit had before the Blink fork.
[02:44:53.0614] :/
[03:11:46.0678] Jonas Sicking might recall the details. Not sure how to reach him though. My impression is that there have always been problematic corner cases.
[09:13:26.0564] annevk I addressed the pointerevents comment in the popover PR
[09:38:14.0989] jarhar: good morning! Thanks. I'll take a look in a bit and merge it assuming it looks alright
[09:38:37.0642] Don't merge on a Friday and then go on vacation is the typical advice I think, but...
[10:08:31.0133] jarhar: it's in \o/
[10:10:46.0547] thank you!
[12:29:02.0216] PSA: Bikeshed was moved from my personal account to the `speced` org, at . Docs are now at .
2023-01-28
[21:32:09.0028] TabAtkins: consider https://gist.github.com/domenic/1f286d415559b56d725bee51a62c24a7 for redirecting the docs
[07:26:18.0098] How would one go about acquiring implementer interest? And what exactly does implementer interest refer to? I assume "implementer" refers to browser vendors, or does it also refer to web developers who wish to use a proposed API?
[07:31:51.0016] Implementers refers to browser vendors, since they're the ones who will have to implement the API
[07:31:58.0668] Polyfills don't really count for that definition
[07:32:21.0970] nor do non-browser runtimes like Node.js, Deno, Cloudflare Workers...
[07:33:34.0563] Although I guess it would be more accurate to speak of browser _engine_ vendors, rather than browser vendors, since Edge isn't considered an implementer separate from Chrome
[07:33:48.0268] * Although I guess it would be more accurate to speak of browser _engine_ vendors, rather than browser vendors, since Edge isn't considered an implementer separate from Chrome
[07:42:05.0591] > <@abotella:igalia.com> Although I guess it would be more accurate to speak of browser _engine_ vendors, rather than browser vendors, since Edge isn't considered an implementer separate from Chrome I'm kind of confused why MDN even lists Microsoft Chrome and Chinese Chrome as separate browsers, they all have the same features.
2023-01-29
[09:14:46.0316] Edge, Chrome, Brave and other browsers based on the same Chromium codebase definitely have different features
2023-01-30
[17:16:48.0340] > <@npd:mozilla.org> Edge, Chrome, Brave and other browsers based on the same Chromium codebase definitely have different features Shouldn't we have different entries for firefox forks and webkit browsers then?
[17:17:02.0141] librewolf, tor, GNOME web
[17:17:06.0016] konqueror
[17:17:23.0140] brave
[17:17:32.0366] palemoon
[17:17:38.0279] * palemoon
[18:54:21.0090] * Shouldn't we have different entries for firefox forks and webkit browsers then?
[07:11:31.0916] every listing site will make its own cut off on which browsers to include, but yeah, those can be separate implementers with different features.
I think the trick is that for standards purposes we want to see different implementers, and sometimes that can be multiple browsers with the same underlying engine but with independent implementations of a piece of functionality, but other times it's just a single browser engine that has implemented something, and now that functionality appears across multiple browsers
[15:58:34.0940] Domenic: thanks for the pointer to that gist; works great. What a funky little namespacing trick.
2023-01-31
[21:43:27.0686] TabAtkins:
[21:43:39.0441] lpfreelance:
[11:33:33.0845] So what would be the proper channels for gathering implementer interest?