08:08
<MikeSmith>
yay, krijnh is back
08:17
<krijnh>
Yay :)
08:17
<krijnh>
Sorry for being down
08:17
<krijnh>
Are the logs reachable from the outside?
08:26
<krijnh>
Grr
08:27
<MikeSmith>
annevk, krijnh: I have incomplete logs from last few days
08:27
<krijnh>
MikeSmith: can you mail them to me?
08:28
krijnh
hopes they're in the same format
08:28
<MikeSmith>
krijnh: OK, but I reckon probably Hixie or another screen user has more complete ones
08:28
<MikeSmith>
anyway, will send you what I have for now
08:28
<krijnh>
My connection is pretty shitty btw.. I think I'll disconnect a lot today
08:30
<MikeSmith>
krijnh: can I send you the complete logs and let you figure out which parts are needed? my logs are cumulative XChat logs
08:30
<krijnh>
Depends on the format
08:30
<MikeSmith>
e.g., whatwg one is 8.1MB
08:30
<MikeSmith>
or I can just post them at URL for you to download
08:31
<MikeSmith>
xchat format
08:31
<krijnh>
No idea what that is ;)
08:31
<krijnh>
You can also ftp it to me
08:32
<krijnh>
User: up / Pass: load
08:32
<MikeSmith>
krijnh: example of format:
08:32
<MikeSmith>
May 22 16:36:08 <krijnh> No idea what that is ;)
08:32
<krijnh>
One moment, I'll see how that's handled
08:33
<MikeSmith>
will ftp them to you
08:33
<krijnh>
http://krijnhoetmer.nl/irc-logs/whatwg/20080520
08:34
<krijnh>
Probably acceptable :)
08:34
<MikeSmith>
[[
08:34
<Hixie>
hsivonen: i agree with raman and would go even further and require that the <input> element be used to make checkboxes, so... i don't plan to reply to the e-mail in question
08:34
<MikeSmith>
mput 01_freenode-#whatwg.log? y
08:34
<MikeSmith>
421 Service not available, remote server has closed connection
08:34
<MikeSmith>
]]
08:35
<krijnh>
Huh
08:36
<krijnh>
Shitty connection, shitty ftp software, sorry :)
08:36
<annevk>
I didn't quite get raman, the <span> example is quite different from the <input> one
08:37
<annevk>
The <input> one represents a control where the <span> example represents something that fakes a control to AT
08:37
<krijnh>
MikeSmith: mail then?
08:42
<MikeSmith>
krijn: http://people.w3.org/mike/logs/
08:42
<hsivonen>
Hixie: I agree that <input type=checkbox> is preferable. ARIA just seems necessary considering what people out there do (including GWT it seems)
08:43
<Hixie>
annevk: (re xhr/ac) ah. i recommend just making a decision and replying to the e-mail -- not replying leaves people without the ability to help you since we don't know that you're stuck :-)
08:43
<Hixie>
othermaciej: what on that list (http://lists.w3.org/Archives/Public/www-tag/2008May/0087.html) isn't architectural?
08:44
<othermaciej>
Hixie: " The use of imperative definitions rather than abstract definitions with the requirement of black-box equivalence in implementations"
08:45
<Hixie>
othermaciej: ah, yeah, i figured i should include that since it seems like the kind of thing the tag would complain about
08:45
<annevk>
i replied to raman
08:45
<hsivonen>
Hixie: as I understand it, people want to make checkboxes that look like they want and they don't like the way the native ones look
08:45
<othermaciej>
Hixie: ok I will grant they may mistake it for architecture
08:45
<hsivonen>
Hixie: and they want to do it in a way that doesn't require all browser vendors to participate for the solution to work
08:46
<hsivonen>
Hixie: it's pretty ironic that with ARIA, the top 4 vendors *are* participating all of a sudden
08:46
<Hixie>
othermaciej: my goal here is to preclude the tag from coming back in 2 years and telling us we have to do X and that it's ok that they are sending the feedback late because we didn't ask for feedback earlier (as they recently did with aria)
08:47
<annevk>
othermaciej, the TAG has in fact given comments on imperative definitions to quite some extent on the Access Control specification
08:47
<Hixie>
hsivonen: seems to me the assumptions underlying the ARIA work have been invalidated
08:47
<hsivonen>
Hixie: so better CSS and XBL2 don't fit the requirements
08:47
<annevk>
othermaciej, it went so far that one of them started drafting text for doing it in a different way
09:05
<hsivonen>
Hixie: actually, it may be that all browser vendors participated precisely because ARIA was set up in such a way that no vendor could block it by not participating
09:05
<Hixie>
annevk: i hope they try to do that with the "navigate" algorithm
09:05
<othermaciej>
annevk: the TAG seems to be a force of randomness
09:05
<Hixie>
hsivonen: maybe
09:05
<annevk>
implementing ARIA is much more trivial than finding a solution for customizing form controls
09:05
<annevk>
And also more short term as authors can use it directly without having to worry about legacy
09:05
<Hixie>
i can't wait for people to start using aria on pages that don't need it
09:05
<annevk>
To be clear, I agree that it's far from optimal. At this point it just seems sort of convenient for everyone...
09:05
<othermaciej>
I feel like for every part of ARIA we implement, we have to tithe by adding appropriate equivalent HTML5 functionality and/or needed additional form control stylability
09:05
<othermaciej>
but I think even with the right high-level semantic elements, a low-level accessibility feature like ARIA makes sense
09:05
<annevk>
Hixie, so I think AC is good as is, apart from the warning for IIS servers which I will add today
09:05
<othermaciej>
back shortly
09:05
<Hixie>
annevk: cool
09:05
<annevk>
Hixie, XHR2 has some of the issues XHR1 has which makes it more problematic
09:05
<Hixie>
annevk: solve the xhr1 issues. :-)
09:05
<annevk>
I initially thought we needed the method/header whitelist from the server but Bjoern convinced me that Jonas didn't make sense...
09:05
<annevk>
Hixie, indeed :)
09:14
<hsivonen>
can anyone think of notable legacy HTML attributes that aren't conforming in either of HTML 4.01 Transitional or HTML5?
09:14
<Hixie>
hsivonen: <marquee speed>
09:14
<hsivonen>
Hixie: thanks
09:14
<Hixie>
actually that's not a valid attribute
09:14
<Hixie>
wikipedia says <marquee scrolldelay>
09:14
hsivonen
tries to find Philip`'s marquee stats
09:14
<Hixie>
<img lowsrc> probably was never valid either
09:14
<Lachy__>
hsivonen, <table height>
09:14
<hsivonen>
Lachy__: height is a conforming name in other contexts
09:14
<hsivonen>
I'm looking for unique strings
09:14
<hsivonen>
Hixie: yeah, I need to add lowsrc
09:14
<Hixie>
what's this for?
09:14
<Hixie>
if it's for ui, you probably just should look at common attribute names in stats
09:14
<Hixie>
i expect <Script languaje=""> is used more than <img lowsrc>
09:14
<hsivonen>
Hixie: for efficient magic handling of attribute names
09:14
<hsivonen>
in the parser
09:14
<annevk>
http://www.eskimo.com/~bloo/indexdot/html/tagpages/attributes/data.htm
09:14
<annevk>
http://www.eskimo.com/~bloo/indexdot/html/tagpages/attributes/editing.htm
09:14
<Hixie>
given the effort you're expending on optimisation work, i expect your parser to be able to parse the html5 spec in milliseconds :-P
09:14
<hsivonen>
Hixie: so far benchmarking suggests that having magic knowledge of element names was a win
09:14
<annevk>
onbounce, onfinish, etc.
09:15
<annevk>
from http://www.eskimo.com/~bloo/indexdot/html/tagpages/attributes/events.htm
09:15
<hsivonen>
Hixie: I need this code for some attributes anyway in order not to make the common cases suck
09:15
<hsivonen>
Hixie: once the code is there, I might as well put less common cases on the fast track, too
09:15
<Hixie>
cool
09:16
<annevk>
Hixie, add <ruby> support if you don't want to do parsing :)
09:17
<Hixie>
<ruby> support is going to be a pain because the css side doesn't support what i need
09:18
<Hixie>
iirc
09:18
<Hixie>
either that or i couldn't work out how to do IE compat on parsing, or something
09:18
<Hixie>
there was some complication
09:19
<hsivonen>
but doing this attribute work in a way that isn't very naïve is surprisingly tedious
09:19
<hsivonen>
I think I'm going to suspend this task in order to avoid starving higher-layer conformance checking work
09:20
<annevk>
Hixie, I thought it was the parsing and that you decided an approximation would be enough
09:20
<Hixie>
probably
09:21
<Hixie>
ruby is on my list
09:21
<krijn>
MikeSmith: downloaded your logs, will put them online today
09:22
<Hixie>
it's about half way down my priority list, whether i sort by number of e-mails, number of e-mails per thread, age of feedback, or whatever
09:24
<MikeSmith>
krijn: OK
09:25
<hsivonen>
annevk: thanks for the bloo links. is anyone actually using the IE4 dataformatas stuff?
09:25
<krijn>
And still 855 mails behind on public-html :/
09:26
<hsivonen>
I hope we could go back in time and make SVG use hyphens instead of camelCase
09:28
<hsivonen>
getting attributes right is such a mess
09:28
<hsivonen>
and most of the mess is due to Namespaces and xml:lang
09:28
<hsivonen>
compared to those, the camelCase fixup is a lesser mess
09:28
<roc_>
hmm
09:29
<roc_>
SVG *does* use hyphens
09:29
<roc>
I guess it uses both :-(
09:29
<hsivonen>
roc: SVG uses many things
09:29
<Hixie>
SVG is as bad as HTML
09:29
<hsivonen>
roc: the hyphen is benign
09:29
<Hixie>
it uses runtogether, camelCase, hyphen-ated, and mixtures of those
09:29
<roc>
I actually prefer camelCase
09:29
<hsivonen>
xlink:foo and the camelCase suck really badly for me
09:30
<Hixie>
oh and with:namespace, too
09:30
<hsivonen>
I mean if I end up writing lot of corner case code *anyway* I think I should make it performant, too.
09:30
<Hixie>
html at least has the defence of having been designed by many people
09:30
<Hixie>
svg is inconsistent for no good reason
09:30
<hsivonen>
but then there are so many situations that need different handling
09:30
<hsivonen>
aargh
09:31
<hsivonen>
I've decided I'm going to drop some marginal elegance and correctness
09:31
<roc>
hyphens in names need to be mangled when you convert them to DOM attribute names etc
09:31
<hsivonen>
roc: good point. But *my* code doesn't deal with that. :-)
09:32
<Hixie>
html is case-insensitive, so anything with uppercase letters becomes a mess
09:32
<annevk>
hsivonen, dunno
09:32
<annevk>
Hixie, SVG is designed by many people too I think :(
09:33
<Hixie>
yeah but they're in one wg, so that's no excuse
09:33
<roc>
yeah, not so much
09:33
<annevk>
Hixie, hmm, maybe Policy-Path is a bigger issue, do you think it would still be worth it if it was only for the entire domain?
09:34
<Hixie>
probably not
09:35
<hsivonen>
so we have: 1) plain attribute foo, 2) camelCase in no namespace fooBar, 3) legacy colons: xlink:href, 4) lang vs. xml:lang, 5) default namespace talisman: xmlns, 6) XLink talisman xmlns:xlink, 7) other prefix cruft: xmlns:foo, 8) the id attribute
09:35
<hsivonen>
that's pretty insane
09:35
<hsivonen>
and then some of those have contextual XML mappability constraints
09:36
<hsivonen>
I think the count goes up to at least 11 different situations
09:37
<hsivonen>
and only 3 of them aren't the fault of Namespaces
09:38
<Hixie>
so i have an e-mail here saying that GBK should be treated like GB2312
09:38
<hsivonen>
every time I write code that touches this area, I can't but think that Namespaces was a huge mistake
09:38
<Hixie>
but wikipedia says GBK is a superset of 2312
09:38
<Hixie>
*confused*
09:38
<hsivonen>
Hixie: GB2312 should be treated as GBK
09:38
<Hixie>
ok that makes more sense
09:39
<hsivonen>
Hixie: Gecko does something a bit weirder which amounts to that as a black box and WebKit simply aliases it, IIRC
09:39
<gsnedders>
hsivonen: yeah, that's right
09:40
<Hixie>
i wonder how to test if euc-kr and win-949 are being treated the same
09:41
<hsivonen>
Hixie: I'm so glad you didn't add xml:id to the fixups
09:41
<Hixie>
that was intentional
09:41
<hsivonen>
it would have raised the case count from 11 to 13
09:41
<hsivonen>
oops. 14 actually
09:41
<krijn>
hsivonen: is there a way to use validator.nu on a page with http authentication?
09:42
<hsivonen>
krijn: not directly.
09:42
<krijn>
Tried putting in the uri, but that's deprecated :)
09:42
<hsivonen>
krijn: but you can retrieve the bytes and the HTTP header yourself and POST it to V.nu
09:43
<Philip`>
hsivonen: If this is just for performance, why do you care about specified / legacy attributes rather than about the most commonly used attributes?
09:43
<hsivonen>
I don't want to ask people to send credentials to my server
09:43
<krijn>
hsivonen: I understand
09:44
<hsivonen>
Philip`: you are right. I should also care about the most commonly used
09:44
<Philip`>
hsivonen: Why "also", rather than "only"?
09:45
<annevk>
so access control could help with validating authenticated sites (though you'd still be sharing data with henri one way or another)
09:45
<hsivonen>
Philip`: theory, I guess
09:46
<Philip`>
hsivonen: http://www.dia.wa.gov.au/ has a dataformatas attribute (though it doesn't seem to be used correctly or usefully)
09:48
<Philip`>
hsivonen: I could get a list of the most commonly used attribute names, if that'd be useful
09:48
<hsivonen>
Philip`: it would be useful, yes
09:48
<Philip`>
(http://www.oyak.com.tr/ uses a dataformatas too)
09:52
<hsivonen>
Hixie: making xmlns talismans allowed contextually adds to the attribute craziness pain
09:53
<Hixie>
i imagine
09:56
<annevk>
actually, Hixie, how is Policy-Path vulnerable in the cases Jonas and Bjoern mention?
09:56
<hsivonen>
Namespaces is such a white elephant
09:57
<annevk>
I don't quite get it, because it requires value equivalence it should be more safe
09:57
<hsivonen>
makes things harder for authors to grok and makes things harder to implement
09:57
<Hixie>
annevk: if you OPTIONS http://example.com/foo/ and it says that there is a policy-path for all of /foo/
09:58
<Hixie>
annevk: and you then do a POST to http://example.com/foo/bar and due to a misconfiguration on the server that is treated as equivalent to http://example.com/baz
09:58
<annevk>
oh right, it's about the requests after that, never mind :(
09:59
<hsivonen>
Hixie: I'm so glad you aren't trying to emulate the AVNormalize stuff
09:59
<Hixie>
annevk: of course you could similarly argue that HTTP in general is a security risk because what happens if when you do a GET to http://example.com/test, the server, being misconfigured, instead does an rm -rf of all the data in the directory for example.org which happens to be hosted on the same virtual host
09:59
<Hixie>
hsivonen: ?
09:59
<hsivonen>
Hixie: making the attribute *value* change contextually, too
09:59
<Hixie>
hsivonen: o_O
10:00
hsivonen
refers to XML spec fragment ids: http://www.w3.org/TR/REC-xml/#AVNormalize
10:00
<annevk>
true
10:00
<annevk>
grmbl
10:00
<annevk>
i don't like having to resolve these issues as i don't really know the right answer
10:01
<Hixie>
well someone has to resolve them :-)
10:01
Hixie
has this problem all the time with html5
10:01
<Hixie>
hsivonen: oh, attribute value normalisation
10:01
<Hixie>
hsivonen: yeah, screw that, who cares :-)
10:02
<Hixie>
annevk: in practice if you make the wrong choice, someone tells you, and you change it
10:02
<Hixie>
annevk: it's pretty simple :-)
10:03
<annevk>
well, if only one person speaks up, such as Julian, it's more tricky, because i often disagree with him :)
10:03
<annevk>
but the XHR issues are more trivial anyway
10:03
<annevk>
except for dealing with him
10:03
<Philip`>
hsivonen: Is it more useful to know the number of pages each attribute appears on, or the total number of times the attribute appears on all pages?
10:04
<hsivonen>
Philip`: I suppose the latter in principle but the former may be better in order to avoid weird selection biases
10:10
<Philip`>
http://canvex.lazyilluminati.com/survey/2007-07-17/analyse.cgi/attr/t gets somewhat skewed by Topix
10:11
<hsivonen>
Philip`: should I add csobj to the element list?
10:12
<Hixie>
annevk: well, if you need backup don't hesitate to let me know you want a reply
10:13
<Hixie>
and i'll deal with it :-)
10:13
<annevk>
heh, thanks
10:15
<Philip`>
hsivonen: http://philip.html5.org/data/attr-count-pages.txt http://philip.html5.org/data/attr-count-total.txt
10:15
<Hixie>
aw man
10:15
<Hixie>
marginheight
10:15
<hsivonen>
Philip`: thanks
10:15
<Hixie>
totally didn't think of that
10:16
<hsivonen>
Hixie: if you make it conforming, it's easier to remember :-)
10:16
<Hixie>
i've already made style="" conforming, don't push your luck :-P
10:18
<Philip`>
hsivonen: http://philip.html5.org/data/tag-count-pages.txt http://philip.html5.org/data/tag-count-total.txt if you want to see where csobj is
10:18
<hsivonen>
Philip`: thank you
10:19
<Philip`>
(The page counts are still strongly biased by a few sites that have thousands of pages in the list)
10:19
<hsivonen>
I know the Web is weird and still these stats tend to surprise me in some ways
10:20
<Philip`>
(but most of the pages are still from sites with only one page in the list, if I remember correctly)
10:21
<Hixie>
hsivonen: how so?
10:21
<hsivonen>
Hixie: like claris cruft
10:21
<Hixie>
ah
10:22
<Hixie>
NYT is a big enough site that i see NYT-specific cruft in my data
10:22
<Hixie>
<nyt_copyright> and the like
10:22
<Hixie>
and ebay is big enough that it skews certain things, like the most common absolute url for <img src=""> is a 1x1 pixel GIF on ebay
10:23
<hsivonen>
I wonder what CDN load that gif causes
10:29
<Philip`>
Most EBay pages seem to only get a dozen viewers, so it shouldn't be as much load as the occurrence count would suggest
10:30
Philip`
realises that when he said "start tag" he was totally wrong, since he forgot the distinction between the tokeniser and the SAX-mode parser
10:32
<Philip`>
Hixie: s/occurance/occurrence/ in latest checkin
10:33
<Hixie>
thx
11:16
<zcorpan>
styles on html and body in the outer document would apply to each seamless iframe
11:19
<zcorpan>
perhaps doc='' should be an "in body" fragment
11:20
<zcorpan>
<iframe innerhtml=''>
11:20
<Philip`>
<iframe body=''>
11:22
<zcorpan>
yeah body is better
11:22
<zcorpan>
optionally used together with type=''
11:23
<zcorpan>
wonder if there's a case where one'd want to have a full html document and not just in body
11:23
<zcorpan>
and not the xml syntax
11:25
<Philip`>
Seamless framesets!
11:25
<hsivonen>
zcorpan: style sheet link?
11:25
<hsivonen>
that's something from outside the body
11:25
<hendry>
can't one assume utf-8 nowadays? http://googleblog.blogspot.com/2008/05/moving-to-unicode-51.html
11:26
<zcorpan>
hsivonen: <style scoped>@import works though
11:26
<zcorpan>
hsivonen: but yeah
11:26
<hendry>
i was just thinking why <meta charset="UTF-8"> is really needed
11:26
<hsivonen>
hendry: nope
11:26
<hendry>
hsivonen: reasoning? :)
11:26
<hsivonen>
hendry: we are talking about parsing a DOMString that is already UTF-16
11:26
<zcorpan>
hendry: i have set my browser to fall back to utf-8 and it breaks a number of pages
11:27
<hendry>
zcorpan: for example?
11:29
<hendry>
another silly question. how do I track the actual HTML rendering of this change? http://html5.org/tools/web-apps-tracker?from=1660&to=1661 in http://www.whatwg.org/specs/web-apps/current-work/multipage/
11:29
<Hixie>
how do you spell "cyclable"? As in, something that can be cycled.
11:29
<hsivonen>
Re: earlier ODF links: I think Adobe made a mistake when it tried to protect its direct Acrobat sales by asking MS not to build PDF export into Office by default
11:30
<Hixie>
hendry: how do you mean?
11:30
<Philip`>
Hixie: You look on Google to see if many other people have spelt it that way, and if they have then it's probably adequately legitimate :-)
11:31
<Hixie>
doesn't work
11:31
<hendry>
Hixie: i want a link of that diff to the particular section of http://www.whatwg.org/specs/web-apps/current-work. so i can get more context.
11:31
<Hixie>
"cyclable" is a common french word
11:31
<Hixie>
hendry: oh
11:31
<Hixie>
hendry: just search for the added text
11:32
<zcorpan>
hendry: e.g. https://ladda.telenor.se/topup.asp
11:33
<Philip`>
Hixie: Alternatively, you spell it whatever way you think looks sensible and then see if anyone suggests that's wrong and justifies an alternative :-)
11:34
<hendry>
Hixie: searching around http://www.whatwg.org/specs/web-apps/current-work/ is hard work for my Thinkpad ;) but OK. Another silly question. How do I see the revision number on http://www.whatwg.org/specs/web-apps/current-work/
11:34
<annevk>
hendry, svn.whatwg.org/webapps/
11:35
<Philip`>
hendry: You can use http://html5.org/tools/web-apps-tracker?from=1660&to=1661&context=20 if you want more context
11:37
<hendry>
was expecting a little SVN r1663 printed somewhere on the spec
11:37
<Hixie>
hendry: use a better browser :-)
11:37
<hendry>
Philip`: ah thanks. though I still prefer to read er "rendered HTML".
11:39
<annevk>
since Hixie makes markup mistakes about every week, reading the diffs is easier :p
11:39
<hsivonen>
markup is tough :-)
11:41
<Hixie>
hendry: the one on the site isn't in subversion
11:41
<Hixie>
hendry: it's the working copy
11:41
<Hixie>
hendry: so it's always rX where X = N+1 where N is rHEAD
11:45
<gsnedders>
Hixie: http://trac.webkit.org/browser/trunk/WebCore/platform/text/TextCodecICU.cpp#L61 if you haven't already seen that
11:47
<Hixie>
gsnedders: anything specific?
11:47
<gsnedders>
Hixie: No, just the general list of encodings there
11:47
<Hixie>
seems to match basically what's in the spec now
11:48
<Hixie>
except for TIS-620
11:55
<annevk>
has anyone checked whether this alias stuff also applies to text/plain and text/xml ?
11:56
<Hixie>
i imagine it applies to text/plain, yes
11:56
<Hixie>
really we should just get IANA updated
11:57
<annevk>
that's what i was getting at
11:57
<Hixie>
i'm happy to remove this stuff once IANA is updated. :-)
11:58
<gsnedders>
But are we going to get it updated? Unlikely.
11:58
<gsnedders>
annevk: text/xml certainly
12:20
Philip`
disapproves of the Americanization like s/serialise/serialize/ :-p
12:21
<hsivonen>
annevk: should the "I've read the changes!" button take me to the next diff?
12:22
<Hixie>
could someone who has an implementation of the encoding sniffer let me know if my latest checkin is correct?
12:23
<Hixie>
Philip`: me too, but i have to be consistent at least
12:25
<annevk>
hsivonen, no
12:25
<hsivonen>
ok.
12:25
<annevk>
hsivonen, maybe someone could add a "next diff" thingie...
12:25
<hsivonen>
reading diff from my mailbox then
12:25
<annevk>
hsivonen, it stores a cookie for your next visit
12:30
hsivonen
finds that feature additions aren't always annotated [c]
12:32
<hsivonen>
apparently <script charset> and data-* escaped my script for this reason
12:32
<Hixie>
yeah i'm pretty flaky
12:33
<Hixie>
i often don't really know what to annotate things with
12:33
<Hixie>
sorry about that
12:35
hsivonen
notes language attribute participates in processing but is not conforming
12:36
<hsivonen>
I wonder if I've missed anything else
12:36
<hsivonen>
my cursory reading suggests no
12:38
<hsivonen>
Hixie: did you make type attribute required for inline scripts? http://bugzilla.validator.nu/show_bug.cgi?id=186
12:40
<annevk>
if he did, it's a bug
12:40
<Hixie>
not intentionally, why?
12:40
<Hixie>
oh
12:40
<Hixie>
i made it required if it's not javascript
12:40
<Hixie>
or something like that
12:40
<hsivonen>
Hixie: "When used to include script data, the script data must be embedded inline, the format of the data must be given using the type attribute"
12:40
<Hixie>
shouldn't affect you
12:40
<Hixie>
right
12:41
<hsivonen>
Hixie: not as clear as it could be
12:41
<hsivonen>
I take it that there's no actionable change in http://bugzilla.validator.nu/show_bug.cgi?id=186 then?
12:41
<Hixie>
send mail saying what's confusing :-)
12:41
<hsivonen>
ok
12:41
<Hixie>
hsivonen: depends what you are testing
12:42
<Hixie>
hsivonen: if the type="" is application/xml or some such, you should probably test xml well-formedness or something, if you want to be perfect and cool
12:42
<Hixie>
but if you're treating script as a black box for now, then no, probably not
12:43
<hsivonen>
Hixie: black box for now
12:43
<hsivonen>
Hixie: except it is a text-based black box
12:44
<hsivonen>
Hixie: I don't support theoretical XML tree-based languages
12:46
hsivonen
sees Hixie defined iWeb as legitimate
12:48
<Hixie>
hm?
12:48
<Hixie>
iWeb does a lot of bad things
12:48
<Hixie>
i doubt i've made its output valid
12:48
<hsivonen>
"However, WYSIWYG tools are legitimate. WYSIWYG tools should use elements they know are appropriate, and should not use elements that they do not know to be appropriate. This might in certain extreme cases mean limiting the use of flow elements to just a few elements, like div, b, i, and span and making liberal use of the style attribute."
12:49
<Hixie>
something to that effect has always been there, no?
12:50
<hsivonen>
not sure
12:50
<Hixie>
i mean, we used to have a whole _section_ justifying wysiwyg editors
12:50
<annevk>
yeah, before it was <font>
12:50
<hsivonen>
I wasn't complaining :-)
12:55
<Philip`>
Hmm, IE has much stricter charset parsing than other browsers
12:57
<Hixie>
ok i'm going to bed now
12:57
<Hixie>
nn
14:22
Lachy
regrets jumping in to the alt debate again :-(
14:24
<hsivonen>
I'm so glad I promised myself that I stay out of it
15:05
<takkaria>
I love Rob Burns
15:06
<takkaria>
he appears to be applying literary deconstruction to Namespaces in XML
15:06
<Dashiva>
We'll just redefine everything and have a wizard handle the backwards compatibility problems
15:07
<MikeSmith>
yes
15:07
<MikeSmith>
Dashiva: there you have stumbled upon the solution to all our problems
15:07
<MikeSmith>
a wizard or magic fairy
15:09
Philip`
grabs the fairy and bites its head off
15:12
<Dashiva>
I think a message saying "Can we please keep the 'how to represent missing alt data' and 'is missing alt data conforming' issues separate, and not start arguing about one in a thread actually making progress on the other?"
15:12
<Dashiva>
would be in order about now...
15:13
<annevk>
i like it how RB puts the blame for everything on these horrible implementors
15:13
takkaria
bingles Philip TAYLOR (Ret'd) for his latest opine
15:13
<Dashiva>
takkaria: Feel free to write the mail outlined above ;)
15:15
<takkaria>
Dashiva: the three-line posts that he makes are often not replied to, so I'll just sit and hope that's the case here
15:18
MikeSmith
is nostalgic for Philip TAYLOR (Webmaster) .. and for that brief moment in time when we had Philip TAYLOR (Webmaster, Ret'd)
15:21
<takkaria>
I think he's very often wrong, but at least he's short and to the point. :)
15:26
<Lachy>
The wizard and magic fairy solution is intriguing.
15:48
<Lachy>
hmm. It looks like the machine-checkable vs. non-machine-checkable conformance criteria debate is yet another bikeshed to avoid.
15:49
<Philip`>
It's not a bikeshed, since it's a significant issue
15:49
<annevk>
someone just mentioned the semantic web in that context
16:42
<takkaria>
I'm not quite sure how JJ's machine-checkable idealism would be implemented, even after his previous posts on the issue
16:42
<takkaria>
cos it seems to me that if he had his way, HTML5 would require much more verbosity and have little default styling, such that no-one would actually write it over HTML4
16:49
<gsnedders>
takkaria: Implication is that it has to have _no_ default styling
16:49
<gsnedders>
takkaria: Thereby going against the principle of backwards compat.
16:51
<takkaria>
gsnedders: that too :)
16:52
<takkaria>
my point is really that the increased verbosity it would require would mean that you need more bytes to get the same effect so no one would actually use it
16:53
<Dashiva>
And someone would then implement <body default-style> to use HTML4 styles :)
16:53
<Philip`>
That's why browsers have to remove support for HTML4 features so that everyone will rapidly transition into the exciting new world of the semantic web
16:56
<takkaria>
someone should probably point him towards XHTML2...
16:57
<annevk>
HT doesn't seem to be willing to accept reality just yet... :(
17:02
<annevk>
I wonder if HT is suggesting that browsers dispatch on nodeName rather than localName + namespaceURI
17:03
<annevk>
That's near insane
17:05
<Philip`>
Seems kind of odd to throw out the whole namespace URI thing just so you can keep something that looks the same as the colon syntax
17:06
<Dashiva>
It's to preserve the integrity of namespaces that we're rewriting namespaces
17:06
<Dashiva>
Isn't that obvious?
17:07
<takkaria>
the first rule of namespaces is that you do not follow Namespaces
17:07
<Dashiva>
What's the second rule?
17:07
<Lachy>
there is no second rule
17:08
<Dashiva>
Is that a rule?
17:09
<Philip`>
It's more of a guideline
17:12
<takkaria>
except for the evil implementors
17:15
<Dashiva>
The vast browser-wing conspiracy
17:17
<Philip`>
Does there exist a list of conspiracies that were actually real, and worked successfully for quite a while?
17:17
<Dashiva>
Yes
17:17
<Dashiva>
I read an article about it yesterday, actually
17:17
<Philip`>
It'd be interesting to see how vast a conspiracy could get, and how the probability of keeping it secret varies with size
17:19
<takkaria>
Mozilla is especially to blame for the browser conspiracy. they only look like they're open
17:20
<Philip`>
But Opera is closed source and for-profit so it must be transmitting all your browsing details to the NSA
17:21
<Dashiva>
Don't forget that they all send your browsing data to these so-called "anti-phishing" services
17:21
<Philip`>
Firefox doesn't (by default) :-p
17:22
<Dashiva>
That's what they want you to think
17:22
Philip`
assumes Opera does, but isn't sure
17:22
<Dashiva>
It just means they hide it
17:22
<Philip`>
Dashiva: Where do they hide it?
17:22
<Dashiva>
ICMP
17:22
<Philip`>
...
17:22
<takkaria>
they actually install a trojan network stack on Windows machines so you can't detect it
17:22
<Dashiva>
The payload of PING can be used for data transfer just fine
17:22
<Philip`>
takkaria: I'm running Linux
17:23
<takkaria>
Philip`: they don't do so well there
17:24
<Philip`>
Also I'll claim that I'm running Gentoo and compiled Firefox from source, so I wouldn't be affected by secret hidden code in the distributed binary
17:24
<Dashiva>
And you read the source? :)
17:25
<Philip`>
No, but millions of other eyes have
17:26
<Dashiva>
Yeah, and those millions of eyes totally caught that debian vuln last week ;)
17:26
<Philip`>
(Actually I used Gentoo's mozilla-firefox-bin package which downloads the official Mozilla binary instead, because I didn't fancy waiting an hour for it to compile after every minor version upgrade...)
17:26
<Philip`>
Dashiva: Indeed, they did catch it last week, which proves that vulnerabilities always get noticed :-)
17:26
<Dashiva>
In other news, Henry is quite optimistic about HTML5 it seems
21:03
<Dashiva>
"Oh, sure, everyone on the entire internet uses flickr, but it's only one site so we'll ignore it"
21:04
<Lachy>
I would respond, but I don't want to fuel the fire any more
21:05
<Lachy>
John just doesn't realise there is a difference between choosing not to optimise for a situation and choosing not to deal with it at all
21:05
<Dashiva>
I guess specs are an edge case too, then :)
21:06
<Lachy>
every site is an edge case, since it's only one out of billions :-)
21:07
<jgraham>
Hey it's marginally more sane than Rob Burns explaining why the sky is green if you squint at it just right
21:07
<Lachy>
but it's not just Flickr. It's photobucket, my opera, .mac and every other site that publishes user generated content
21:07
<jgraham>
I should emphasise the *marginally* there :)
21:07
<Lachy>
jgraham, it depends on the definition of "green".
21:08
<Dashiva>
Don't come here with your fancy "facts", Lachy. We don't need any of those.
21:09
<Lachy>
and it also depends on whether you're referring to the whole sky at all times during the day, or the brief moment it transitions from blue to orange at sunset
21:09
<hober>
yes, we all need to mind the /topic :)
21:13
<jgraham>
Well didn't his last email basically say that the fact that the sky is blue should be ignored because the process for deciding sky colour should favour whatever colour he likes and he likes green therefore the sky is green
21:15
<Lachy>
I haven't read that mail yet. Is it a recent one or old one?
21:19
<Philip`>
Lachy: I think it's several of them
21:22
<tndH>
apparently Boris Zbarsky is underestimating implementors...
21:24
<gavin_>
Boris Zbarsky is an implementor
21:25
<tndH>
yeah, not sure if Robert Burns is taking that into account though.
21:25
<Philip`>
It's not impossible for people to underestimate themselves :-)
21:27
<othermaciej>
maybe Boris is just being humble
21:27
<jwalden>
I don't think so
21:30
<syp_>
jwalden: hello, did you see my reply to your mail about the browser tests?
21:30
<jwalden>
syp_: I noticed it when skimming through email, problem being it got caught at the end of an existing thread and thus didn't show up as visible -- sec, I'll read
21:31
<syp_>
yes, I replied on the implementors list while the original was on the other list
21:38
<Hixie>
am i totally misunderstanding cwilson's attack vector in waf
21:39
<Hixie>
or is he just describing something that's a subset of a much bigger problem
21:40
<annevk>
he is, and that was already pointed out some time ago when Maciej brought that issue up
21:41
<annevk>
having said that, I'm not too comfortable yet with DNS rebinding / man-in-the-middle / etc.
21:42
<annevk>
I should put a filter in place for RB
21:43
<annevk>
I get annoyed when reading his e-mails and that's not good
21:43
<Hixie>
hehe
21:44
<othermaciej>
from last time I don't think there is a DNS rebinding vulnerability but I guess I'll have to slog through his email
21:44
<Hixie>
he's not very detailed and i already replied
21:44
<Hixie>
but if you can find something i missed, please let me know
21:45
<annevk>
though Chris's understanding of the vulnerability is different from Maciej's
21:45
<annevk>
Maciej's was about being able to do POST after a DNS rebinding attack on the OPTIONS
21:46
<annevk>
Chris seems to be talking about exposing credentials which seems to imply he didn't even read the proposal carefully
21:46
<Hixie>
yeah
21:47
<othermaciej>
I think Chris is describing what I described, but in a more vague and handwavey way
21:47
<othermaciej>
"This enables the vector of DNS attacks - the idea being that between those two connections, an attacker could insert themselves in to the stream. (Actually, more likely it would be the other way around - an attacker would insert themselves into the stream, give back "it's okay to do x-domain", then release and let the real site give back data."
21:47
<othermaciej>
I don't remember how we concluded that this was not a real vulnerability
21:48
<othermaciej>
Hixie: DNS rebinding works in reverse
21:48
<othermaciej>
Hixie: the DNS infrastructure does not have to be compromised to do a DNS rebinding attack
21:48
jgraham
considers replying to Justin James, realises that insanity is doing the same thing over and over but expecting different results, decides not to bother
21:48
<Hixie>
it does against HTTP 1.1 servers
21:49
<Hixie>
Host: safeguards against DNS rebinding from other names
21:49
<othermaciej>
checking the Host header is indeed a full defense against DNS rebinding
21:49
<othermaciej>
if you check it
21:49
<othermaciej>
which many (most) existing servers don't
21:49
<Hixie>
if you don't check it, XHR is the _least_ of your problems
21:49
<annevk>
"RE: Work that would be required to revert Internet Explorer 8 to 'aria:'" wtf!
21:49
<othermaciej>
checking the Host header is indeed a defense against the DNS rebinding attack against the preflight check
21:49
<annevk>
why is the W3C so fucked up?
21:50
<Hixie>
if you don't check Host:, the simplest attack vector is just to serve the JS file from hostile.com and the rest of the resource from victim.hostile.com
21:50
<Hixie>
no need for XHR
21:52
<annevk>
(fortunately Chris is not interested in the idea)
21:52
<Lachy>
how does checking Host: prevent an attacker from intercepting a request and serving a hostile JS file?
21:53
<othermaciej>
ok let me do the short lecture on DNS Rebinding
21:53
<othermaciej>
DNS rebinding works like this
21:53
<othermaciej>
you access http://attacker.com/
21:53
<othermaciej>
attacker.com has a very short DNS expiration time
21:54
<othermaciej>
a little while after access, a DNS change propagates so that attacker.com points to the same IP as victim.com
21:54
<othermaciej>
attacker.com loads some victim.com resources
21:54
<othermaciej>
in general this only works when the only access control to victim.com is network position (for example it is behind a firewall)
21:54
<othermaciej>
since you end up sending attacker.com cookies, not victim.com cookies
21:55
<othermaciej>
if victim.com checks the Host header, then even this is ineffective
21:55
<othermaciej>
for the same reason, a DNS rebinding attack against the method check preflight would be ineffective, because attacker.com cookies would be sent for the POST, not victim.com cookies
21:55
<othermaciej>
so you could only do what XDR would always let you do (POST without credentials)
21:56
<jwalden>
Host: checking is required by HTTP/1.1 -- are servers just non-compliant?
21:56
<Dashiva>
You can have a * host that catches everything
21:57
<Hixie>
it's not so much that com cookies would be sent for the POST, so much as a DNS rebinding attack against the method check preflight would not grant you any more access than simply doing a 1995-era cross-site <form> submit
21:57
<annevk>
jwalden, are browsers just non-compliant? madness!
21:57
<othermaciej>
is anything compliant to anything?
21:57
<Lachy>
othermaciej, I thought the problem was if attacker.com impersonated victim.com. So that when a user loads victim.com in their browser and then attacker.com uses DNS rebinding to intercept some of the requests and send back malicious files
21:57
<jwalden>
well, browsers didn't have a spec
21:57
<jwalden>
and you have to check to do vhosting correctly
21:58
<jwalden>
when you have it set up to serve many origins from one server
21:58
<annevk>
everything is probably inherently imperfect due to human nature
21:58
<othermaciej>
Lachy: yeah, that's not DNS Rebinding
21:58
<Lachy>
ok
21:58
<annevk>
that's man-in-the-middle iirc
21:59
<othermaciej>
Lachy: that would require compromising DNS itself, and if you have that, you don't need any form of cross-site access
21:59
<othermaciej>
(running a malicious DNS server on an open wireless network would be one form of this attack)
21:59
<Hixie>
if you can mitm the last router, you can just inject whatever you want straight into the http stream
21:59
<othermaciej>
generally SSL protects against that, unless the user blindly clicks through on invalid certs
21:59
<Hixie>
(poking with dns would be far more complicated)
22:00
<annevk>
oh, i guess man-in-the-middle is more a malicious proxy
22:00
<Lachy>
othermaciej, the problem is the users do blinding accept invalid certs
22:00
<Lachy>
*blindly
22:00
<Hixie>
ff3 makes it nigh on impossible to click through an invalid cert
22:00
<othermaciej>
Lachy: I'd really like to make Safari always reject self-signed certs but I am not sure marketing would agree
22:00
<Hixie>
othermaciej: just do what ff3 does :-)
22:00
<jwalden>
it's just five clicks or so :-)
22:01
<jwalden>
through arcane security UI :-)
22:01
<Hixie>
five pretty unobvious clicks
22:01
<Hixie>
yeah
22:01
<Hixie>
i've had to do it numerous times :-)
22:01
<jwalden>
"feature, not bug" :-)
22:03
<annevk>
if it happens often for the user he'll make a habit out of it and you'll have the same problem
22:03
<gsnedders>
othermaciej: I've got a couple of bug reports through SP not accepting self-signed certs, but something like Saf has the advantage of being able to prompt the user at least
22:03
<othermaciej>
we do prompt
22:03
<othermaciej>
prompts are kinda useless
22:05
<gsnedders>
othermaciej: Yeah, well all something like SP can do is either outright accept it or outright refuse it.
22:06
<Hixie>
i'm pretty sure i just saw an e-mail on this alt thread claiming 50 years of experience
22:06
<Hixie>
the web has only been around for 18...
22:07
<Dashiva>
Accessible file cabinets, maybe?
22:08
<gsnedders>
I can't even claim 18 years of experience of life
22:08
<Dashiva>
Not even counting the pre-birth months?
22:08
gsnedders
wonders how many under 18 y/os there are
22:08
<gsnedders>
Dashiva: Not even
22:09
<gsnedders>
(I was born on 19920420)
22:09
<Dashiva>
Well, then... get off my lawn!
22:10
<gsnedders>
I'm not on a lawn, let alone your lawn.
22:10
<Dashiva>
You're a young'un, you're always on my lawn
22:16
<Philip`>
Dashiva: I think you need to do some gardening, since lawns really shouldn't look like carpet tiles
22:16
<Dashiva>
I thought the British prided themselves on lawns that were suitable for any kind of activity
22:17
<Philip`>
Only croquet is permitted
22:17
<jgraham>
And even that only during the summer
22:19
<gsnedders>
Hahaha
22:19
<gsnedders>
See, that's why you go to a college that actually allows you to use the lawn.
22:19
<gsnedders>
(Apart from for croquet)
22:20
<Lachy>
he must have been referring to the time when the web was implemented over snail mail and alt text was written on the back of photos called "postcards"
22:21
<gsnedders>
Oh, the passage we had in the French exam stated something like (to translate the French): "She posts a blog on the internet…"
22:21
<gsnedders>
Unlike all these people who blog on paper
22:21
<Dashiva>
gsnedders: intranet
22:21
<Dashiva>
duh
22:22
<hendry>
/away sssssssssleep
22:22
<gsnedders>
I should do that, too.
22:22
annevk
tries campaigning against <timerange>
22:22
<gsnedders>
Especially seeming I have a physics exam and Hixie is "suggesting" I do physics at uni
22:23
<Philip`>
Sleep is a waste of time that could be used for last-minute revision
22:23
<jgraham>
Last minute revision is a waste of time that could be used for sleep
22:23
<annevk>
what's up with all these linux security updates
22:23
<gsnedders>
Philip`: Apart from when you have CFS and would therefore fall asleep during the three hour exam
22:23
<gsnedders>
annevk: Linux is insecure?
22:24
<annevk>
the changelogs are also completely incomprehensible
22:24
<annevk>
i can't believe i talked my mom into this, though I guess Windows updates are just as bad
22:25
<Philip`>
The Windows updates just hide all the technical details, which isn't really an improvement
22:25
<gsnedders>
OS X is reporting 0KB free on /. I don't think that's good.
22:25
<Philip`>
gsnedders: Slashdot has run out of space?
22:25
<jgraham>
annevk: This is ubuntu, right? I think I have had three batches of security updates recently including the original SSL one
22:26
<annevk>
indeed
22:26
<gsnedders>
Philip`: No, on root, followed by full-stop
22:26
<jgraham>
Philip`: When slashdot runs out of space all the intertubes run out of space </bagpuss>
22:27
<annevk>
I wonder what my mom will think of it
22:27
<annevk>
if she even notices the difference :)
22:27
<jgraham>
annevk: I guess security updates tend to come in batches as one hole is noticed and then everyone else goes on a security audit for a bit
22:30
gsnedders
is rather amazed by the fact he's only ever got one security hole found in SP. There have to be more!
22:31
<jgraham>
gsnedders: Maybe you have too few users for anyone to care :)
22:31
<gsnedders>
jgraham: We have plenty of users :)
22:32
<Philip`>
gsnedders: Maybe you published the wrong email address for reporting security vulnerabilities, so all the reports are getting lost
22:32
<gsnedders>
Philip`: No
23:36
<Lachy>
re this post about fragment identifiers http://lists.w3.org/Archives/Public/public-html/2008May/0509.html ...
23:37
<Lachy>
couldn't xpointer just be fixed up and defined in terms of the DOM, so that it would work the same in HTML as it would with XHTML?
23:37
<Hixie>
xpointer is not resilient to changes
23:37
<Hixie>
which is imho a pretty important requirement for this idea
23:38
<Dashiva>
xpathref!
23:38
<annevk>
same issue
23:38
<Hixie>
hsivonen: i'm not replying to your mail "Re: A comment to character encoding declaration" earlier today since i've sent mail on those subjects already
23:38
<Hixie>
let me know if i missed something
23:38
<Hixie>
oh actually nevermind
23:38
<Hixie>
i'll just reply
23:41
<Lachy>
would it be possible to fix xpointer so that it is resilient to changes? Since it already exists, and if this turns out to be a valid use case to address, wouldn't it be better to improve what we have instead of defining something totally new?
23:43
<annevk>
i don't think anything would be resilient to changes other than id=
23:43
<annevk>
and even that isn't so maybe that point is moot
23:44
<annevk>
anyway, one university guy suggesting a feature does not a use case make
23:44
<Dashiva>
There is a userjs for it :)
23:47
<Hixie>
ok what spec defines the syntax of mime media types?
23:47
<Hixie>
rfc2045 doesn't seem to define them separate from content-type headers
23:47
<Hixie>
and doesn't seem to define quoted-string at all
23:48
<Hixie>
hmm, rfc2616 (http) seems to define them
23:48
<Hixie>
i can use that