2021-01-01
[05:47:57.0000] <cyber-hagen>
hi there

[06:01:10.0000] <cyber-ha_>
hi there

[06:01:39.0000] <cyber-ha_>
a

[06:08:42.0000] <cyber-hagen_>
l


2021-01-02
[01:38:22.0000] <outloudvi>
Hello. I have collected some supporting data wouldd like to comment on whatwg/url §4.8.1. I'm curious if there's already discussion, or, shall I open an seperate issue?

[03:25:17.0000] <annevk>
outloudvi: if you cannot find one, feel free to file one

[05:26:15.0000] <outloudvi>
annevk: Okay, thanks :-)


2021-01-03
[04:55:45.0000] <joas>
http://www.tizag.com/javascriptT/javascript-innerHTML.php

[04:55:55.0000] <joas>
i am trying to execute this code

[04:56:05.0000] <joas>
<script type="text/javascript">function changeText(){	document.getElementById('boldStuff').innerHTML = 'Fred Flinstone';}</script><p>Welcome to the site <b id='boldStuff'>dude</b> </p> <input type='button' onclick='changeText()' value='Change Text'/>

[04:56:08.0000] <joas>
it is not working, any idea?


2021-01-04
[23:43:25.0000] <annevk>
MikeSmith: hey so looking at https://dom.spec.whatwg.org/review-drafts/ I wonder if we should order by filename desc instead

[23:43:43.0000] <MikeSmith>
/me looks

[23:43:50.0000] <annevk>
MikeSmith: in particular to avoid W3C-marked snapshots from ending up higher

[23:44:16.0000] <MikeSmith>
ah

[23:44:23.0000] <MikeSmith>
yeah

[23:44:51.0000] <MikeSmith>
shall we change it to that then?

[23:45:00.0000] <MikeSmith>
for just review-drafts, right?

[23:45:05.0000] <annevk>
MikeSmith: yeah

[23:45:06.0000] <MikeSmith>
not commit-snapshots

[23:45:08.0000] <MikeSmith>
OK

[23:45:12.0000] <MikeSmith>
will raise a PR for it

[23:45:57.0000] <MikeSmith>
will be a couple hours from now

[23:46:25.0000] <annevk>
MikeSmith: cool thanks


2021-01-05
[23:33:43.0000] <annevk>
MikeSmith: seems to work great now

[11:08:11.0000] <Domenic>
MikeSmith: when you have a chance, could you regenerate https://github.com/w3c/mdn-spec-links ?


2021-01-06
[20:26:53.0000] <MikeSmith>
Domenic: yes, sorry for not having gotten to it yet

[20:27:53.0000] <MikeSmith>
since December 14 launch of mdn/content, have not had much free cycles

[20:29:23.0000] <MikeSmith>
to regenerate mdn-spec-links, I still need to rewrite my MDN-consuming code to consume the different (better) JSON format that’s now exposed

[20:31:15.0000] <MikeSmith>
in the mean time, been working today on https://github.com/mdn/content/pull/893

[20:31:35.0000] <MikeSmith>
updating https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/getTimezoneOffset

[20:32:14.0000] <MikeSmith>
and, at the risk of embarrassing myself, I have to admit I don’t think I understand date.getTimezoneOffset()

[20:35:07.0000] <MikeSmith>
I *thought* I did — I thought it was simple: regardless of what Date instance the getTimezoneOffset() method is called from, the result isn’t calculated based on the value of the particular Date instance, but is instead always just the difference between UTC time and local time

[20:36:04.0000] <MikeSmith>
but https://github.com/mdn/content/pull/893/files#r551959459 suggests that ain’t so

[20:37:59.0000] <MikeSmith>
however, from reading https://tc39.es/ecma262/#sec-date.prototype.gettimezoneoffset I find no indication how the behavior could be anything other than one what I described — that is, it’s not calculated by looking at he instance

[20:39:57.0000] <MikeSmith>
but I had anyway already been wondering, if that’s so, why then is getTimezoneOffset() an instance method rather than being a static method of Date?

[21:41:49.0000] <Domenic>
MikeSmith: LocalTime(t), and in particular LocalTZA(t), is a function of t, I guess? And t = the time value of the particular instance

[21:42:24.0000] <Domenic>
https://tc39.es/ecma262/#sec-local-time-zone-adjustment seems to have an example

[21:42:51.0000] <MikeSmith>
Domenic: yeah, I have since read through the spec to get to some of that

[21:42:52.0000] <MikeSmith>
https://tc39.es/ecma262/#sec-local-time-zone-adjustment

[21:43:10.0000] <MikeSmith>
> When tlocal represents local time repeating multiple times at a negative time zone transition (e.g. when the daylight saving time ends or the time zone offset is decreased due to a time zone rule change) or skipped local time at a positive time zone transitions (e.g. when the daylight saving time starts or the time zone offset is increased due to a time zone rule change), tlocal must be interpreted

[21:43:16.0000] <MikeSmith>
using the time zone offset before the transition.

[21:43:23.0000] <MikeSmith>
this “time zone transition” stuff

[21:43:40.0000] <MikeSmith>
https://tc39.es/ecma262/#sec-time-values-and-time-range

[21:43:50.0000] <MikeSmith>
> A time value that is a multiple of 24 × 60 × 60 × 1000 = 86,400,000 (i.e., is equal to 86,400,000 × d for some integer d) represents the instant at the start of the UTC day that follows the epoch by d whole UTC days (preceding the epoch for negative d). Every other finite time value t is defined relative to the greatest preceding time value s that is such a multiple, and represents the instant

[21:43:56.0000] <MikeSmith>
that occurs within the same UTC day as s but follows it by t − s milliseconds.

[21:43:59.0000] <MikeSmith>
...

[21:46:56.0000] <MikeSmith>
so I think that means, if a Date instance’s value is a multiple of 86,400,000, then calling getTimezoneOffset() from that instance will give the time zone offset prior to DST transition

[21:47:00.0000] <MikeSmith>
Right?

[21:48:00.0000] <Domenic>
That much, I cannot answer at 1am, sorry :)

[21:48:09.0000] <Domenic>
I can try to help out tomorrow!

[21:48:54.0000] <MikeSmith>
hai :)

[22:50:01.0000] <MikeSmith>
Domenic: (when you’re back) found https://esdiscuss.org/topic/override-localtza

[22:50:04.0000] <MikeSmith>
> I understand that an implementation of ECMAScript is expected to determine the local time zone adjustment [1].

[22:50:07.0000] <MikeSmith>
> This is really convenient -- most of the time. However, it would be great to override this for a given Date object.

[23:00:53.0000] <MikeSmith>
OK from testing I’ve managed to glean that it depends on whether the date of the instance is/was during DST

[23:01:18.0000] <MikeSmith>
basically

[23:04:09.0000] <MikeSmith>
only “basically” because I guess there is probably some more complicated checking of the https://www.iana.org/time-zones tzdb

[23:09:03.0000] <MikeSmith>
(end monologue; apologies to channel; /me heads off to try to document this in MDN)


2021-01-07
[13:58:24.0000] <Soni>
can we have a Strict-Content-Type that replaces nosniff?

[13:58:43.0000] <Soni>
"replaces"

[13:58:59.0000] <Soni>
anyway the idea is that it'd actually be strict

[13:59:02.0000] <Soni>
and apply to images and whatnot


2021-01-08
[21:50:14.0000] <annevk>
Soni: what’s the upside?

[01:57:23.0000] <Soni>
annevk: catch broken servers

[01:58:13.0000] <annevk>
Soni: I'm not sure how it would as the server would have to set the header

[01:58:50.0000] <Soni>
well somehow servers were sending the wrong content type with nosniff on


2021-01-11
[08:24:53.0000] <Domenic>
annevk: I sent out an internal call for someone on the implementation side to take point and coordinate on cleaning up embed/object/plugins. We already have a thread on general Flash cleanup so I hope someone is interested in carrying it further and actually making changes to embed/object to achieve interop.

[08:25:25.0000] <annevk>
Domenic: sounds good, happy to work with whoever volunteers; I have some ideas 🙂

[08:27:04.0000] <annevk>
I wish it was part of disabling Flash as getting people to take initiative now is undoubtedly harder, but alas

[08:40:48.0000] <Domenic>
I want to update https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext to point to HTML but the edit button has disappeared on MDN I guess

[08:47:04.0000] <gsnedders>
Domenic: the "Found a problem with this page?

[08:47:16.0000] <gsnedders>
Domenic: " section links to the source on GitHub?

[08:47:42.0000] <Domenic>
Oh, I see, I was able to find that after Ctrl+Fing... but it was not in my line of sight

[08:49:07.0000] <gsnedders>
I mean I'd argue that's a sensible thing to file a bug for :)

[08:49:42.0000] <Domenic>
Filed https://github.com/mdn/content/issues/1192 instead of doing a PR... seems easier.

[10:42:15.0000] <Domenic>
annevk: https://bugs.chromium.org/p/chromium/issues/detail?id=1163588 for PDF + click events... you may want to subscribe, or maybe we should open a spec-side issue. I guess it's a UI events issue technically?

[10:47:01.0000] <annevk>
Domenic: yeah I guess, though HTML should prolly define PDF documents

[10:47:26.0000] <Domenic>
Yeah

[10:48:10.0000] <annevk>
I think we need to accept that PDF is a thing that’ll stick around and define the observable aspects. Prolly don’t wanna go into the format though

[10:58:03.0000] <Domenic>
I wonder how much we will gain from making it PDF-specific vs. defining some much smaller version of "plugins" with more rules. (E.g.: content type must match, <param> does nothing, clearly-defined interaction with sandbox, etc.)

[10:58:20.0000] <Domenic>
PDF-specific seems like the right place to start though

[11:02:04.0000] <andreubotella>
is there any difference, though, between a PDF in an object and, say, a network error in an iframe?

[11:02:15.0000] <andreubotella>
both are presumably resources "without a Document"

[11:03:05.0000] <Domenic>
Well, object and iframe are needlessly different in lots of ways

[11:03:44.0000] <Domenic>
But indeed in terms of what comes out of the navigation algorithm I think they're very similar

[11:04:20.0000] <Domenic>
Some discussion of observability at https://github.com/web-platform-tests/wpt/pull/27129

[11:04:28.0000] <Domenic>
Also I don't remember what the latest is on error events on network errors

[11:04:57.0000] <Domenic>
Oh right fallback content, as Anne mentioned in that thread, is probably the biggest answer to your question, andreubotella

[11:05:31.0000] <andreubotella>
I'll take a look

[11:06:50.0000] <andreubotella>
annevk: on another note, how big of a faux pas would it be to open a new PR to tackle the same issue as https://github.com/whatwg/html/pull/3276?

[11:07:12.0000] <andreubotella>
since the OP seems to be AWOL for years and the PR needs updating other than the merge conflicts

[11:49:55.0000] <annevk>
andreubotella: totally fine

[11:50:29.0000] <andreubotella>
ok

[11:51:02.0000] <andreubotella>
I figured it'd be better to raise one single Firefox issue for both that PR and https://github.com/whatwg/html/issues/6247

[12:31:14.0000] <smaug____>
Is there a spec term for the about:blank which is created synchronously?

[12:34:17.0000] <Domenic>
"initial about:blank"

[12:45:31.0000] <smaug____>
aha, thanks


2021-01-12
[23:33:41.0000] <domfarolino>
annevk: If you could take a look at https://github.com/whatwg/html/pull/6249 that would be great!

[23:35:38.0000] <annevk>
domfarolino: will do

[23:37:34.0000] <annevk>
domfarolino: I just realized that the first paragraph that's added is between two paragraphs about the document's URL

[23:37:53.0000] <annevk>
domfarolino: so you either want to put it after the warning or a paragraph earlier

[23:38:29.0000] <domfarolino>
annevk: hah, whoops. I'll take a look now

[23:39:53.0000] <domfarolino>
annevk: Done

[23:41:25.0000] <annevk>
domfarolino: thanks, I guess we can prefix this with Editorial, right?

[23:41:38.0000] <annevk>
I'll merge it once the build bot gets back to us

[23:42:13.0000] <domfarolino>
annevk: yeah I think that's right

[23:42:37.0000] <domfarolino>
done

[23:44:59.0000] <annevk>
Oh, no need to change the title in the future

[23:45:17.0000] <annevk>
I thought you meant the bot was done, but it seems even GitHub Actions isn't that fast

[23:47:12.0000] <annevk>
Well' it's all done now, it was pretty fast

[23:47:19.0000] <domfarolino>
Ah, haha. Indeed, thanks!

[23:47:35.0000] <domfarolino>
I'm glad that's properly defined now

[23:52:29.0000] <annevk>
Yeah, it's great improvement that adds a lot of clarity

[23:53:24.0000] <annevk>
It's so surprising that old API specs hand-waved all private state and you had to infer it somehow

[00:03:26.0000] <domfarolino>
Ugh, I know :/

[00:46:58.0000] <annevk>
lol Domenic that PR from you against Secure Contexts was the majority of the open issues

[07:38:56.0000] <Domenic>
Nice

[07:39:06.0000] <Domenic>
Hmm https://github.com/whatwg/html/pull/6282 ended up much shorter than I expected given all the surrounding discussion

[07:42:20.0000] <andreubotella>
Domenic: that PR deals with escapes and it's intended to replace https://github.com/whatwg/html/pull/3276

[07:43:07.0000] <andreubotella>
I'm still waiting for feedback from some of the folks at whatwg/forms before I open the one dealing with newline normalization

[07:43:20.0000] <Domenic>
Ah I see

[07:43:20.0000] <andreubotella>
https://github.com/whatwg/html/issues/6247

[07:44:44.0000] <annevk>
I think in the end we should define the full format, but I'm all for small incremental steps as that makes reviewing a lot easier

[07:45:24.0000] <andreubotella>
indeed

[07:46:18.0000] <andreubotella>
in the WPT tests I've written and modified, all browsers act the same other than the few bugs related to escapes or newlines

[07:46:35.0000] <andreubotella>
but I'll take a look at hixie's test suite after I'm done with this

[07:47:46.0000] <andreubotella>
the test suite at https://github.com/masinter/multipart-form-data/tree/master/test-cases, rather

[08:39:23.0000] <annevk>
Domenic: what do you think about creating historical tests for <object><param name=src+friends> and filing a bug against Chrome and Safari each? The spec never supported it and it seems like it should matter even less today

[09:57:27.0000] <Domenic>
annevk: in the absence of anyone on the Chrome side stepping up to take ownership of this stuff (I sent out a message yesterday but no responses), that seems reasonable. Maybe eventually when the bug gets triaged there will be some pushback and desire to add it to the spec, I dunno.

[10:05:09.0000] <annevk>
Domenic: yeah, I mean, that's also fine, it's not like something we couldn't add to Fx, I just rather not

[10:06:36.0000] <Domenic>
Yeah, I'd definitely prefer it in the abstract if we could just make <param> totally do nothing, I just am not personally willing to sign up for the work of adding use counters/doing outreach to any pages we find/potentially dealing with angry enterprise customers when the change makes it to stable. I hope someone is though :)

[10:12:40.0000] <annevk>
Domenic: did you see https://github.com/whatwg/html/pull/6281 btw?

[10:13:20.0000] <Domenic>
annevk: yep, it generally looks good, I wanted to do a pass to make sure there wasn't more to delete. I'll do that now.

[10:13:41.0000] <annevk>
no rush, I'll be out until tomorrow most likely

[10:13:54.0000] <annevk>
was just wondering since you checked the more recent PR


2021-01-13
[02:02:18.0000] <annevk>
TIL: Chrome/Safari block style sheets without an ok status...

[02:55:33.0000] <MikeSmith>
annevk: non-2xx status you mean?

[02:55:51.0000] <MikeSmith>
they won’t follow 3xx’s?

[02:56:29.0000] <annevk>
MikeSmith: at the point where the relevant algorithm gets a response, redirects have been handled

[05:51:00.0000] <croraf>
When rendering an <object> element I would need to set the Authorization header to be used for fetching its data. Is this possible to do "directly"?

[05:52:21.0000] <annevk>
I'm not sure I understand the question, but I'm pretty sure the answer is no

[05:54:07.0000] <croraf>
What is not clear in the question? annevk

[05:54:50.0000] <croraf>
I have <object data='https://my.url.com/path' />

[05:55:17.0000] <croraf>
This will make a request for the object (a pdf) to this url. But the url won't allow unauthorized requests.

[05:55:35.0000] <croraf>
So in the request additional headers should be specified.

[05:56:21.0000] <croraf>
The <image src='...' >  is a similar example that I saw people are struggling with.

[05:56:49.0000] <croraf>
Is this possible? If it is not possible why not add this capability to the standard?

[05:58:28.0000] <annevk>
I think everyone removed that (you could use the username/password fields of a URL) because it would allow for dictionary attacks

[06:01:03.0000] <MikeSmith>
annevk: so what does “without an ok status” mean? what other status is there that would not also cause all browsers to not load the stylesheet either?

[06:02:39.0000] <annevk>
MikeSmith: Firefox applies a style sheet whose status is 600

[06:02:54.0000] <annevk>
MikeSmith: can I rename the default branch on whatwg/misc-server?

[06:10:05.0000] <croraf>
annevk, what do you mean by "everyone removed that", you mean every browser? does this mean some browsers supported something like that?

[06:13:42.0000] <annevk>
yes

[06:50:32.0000] <croraf>
Why not add to the standard to add some header fields to the img or object elements?

[06:50:52.0000] <croraf>
would really come handy in situations like this, and a lot of people are wondering this over the internet

[06:55:09.0000] <andreubotella>
As annevk said, letting some script on some random website manipulate the Authentication header would be a big security risk

[06:55:12.0000] <gsnedders>
annevk: IIRC Opera blocked everything !ok as part of the cross-origin stylesheet snooping fixes, IIRC

[06:55:51.0000] <annevk>
gsnedders: well, they didn't standardize it

[06:55:54.0000] <gsnedders>
annevk: hence WebKit/Blink (quite possibly pre-fork) blocking them doesn't seem super surprising?

[06:56:33.0000] <gsnedders>
annevk: none of that cross-origin protection stuff was standardised for a long time after, AFAIK :|

[06:58:00.0000] <gsnedders>
and wasn't there some quirks mode scoping of some of it, at least the text/css check, originally?

[06:58:05.0000] <annevk>
The main things about being strict on text/css has been standardized for a long time

[06:58:29.0000] <gsnedders>
(this is CVE-2010-0654 I'm referring to)

[06:58:41.0000] <annevk>
So if !ok was part of that I would have expected that to have come up, but it hasn't and Firefox doesn't implement it

[07:04:48.0000] <croraf>
andreubotella, annevk how would it be a security risk, and what does it have to do with dictionary attacks?

[07:05:16.0000] <croraf>
What does allowing Authentication header have anything to do with a dictionary attack?

[07:07:20.0000] <andreubotella>
croraf: https://gist.github.com/andreubotella/04e617f15af88125597d842c40e2edba

[07:08:12.0000] <andreubotella>
I'm not actually sure that img.decode works that way – this is an example, not a proof of concept

[07:13:32.0000] <croraf>
And what possible workaround offers protection by such attacks?

[07:13:48.0000] <andreubotella>
I always confuse atob and btoa

[07:14:20.0000] <croraf>
This is silly I think. Why is having Authorization header in the image making site less secure than not having.

[07:14:49.0000] <andreubotella>
croraf: the point is not having the header, it's letting scripts from other sites modify it

[07:14:49.0000] <croraf>
An attacker can try dictionary attacks on everything, it can try to access the same resource using fetch and with dictionary attack.

[07:15:07.0000] <andreubotella>
huh, right

[07:15:28.0000] <andreubotella>
with fetch probably not because of cors

[07:15:53.0000] <andreubotella>
but an attacker could use any non-browser http client

[07:16:00.0000] <Domenic>
This is the usual problem

[07:16:15.0000] <Domenic>
You cannot use fetch to access internal (e.g. intranet) resources, because of CORS

[07:16:18.0000] <Domenic>
You can use <img> to do so

[07:16:23.0000] <croraf>
I see.

[07:16:25.0000] <Domenic>
So <img> with arbitrary headers can be used for attacks on intranets

[07:17:03.0000] <croraf>
Why is cors not applied to images?

[07:17:12.0000] <Domenic>
Because it wasn't in Netscape 1.0 :(

[07:17:49.0000] <andreubotella>
"don't break the web" is an important principle, and that means if something used to work, it must keep working unless the risks would be huge

[07:18:19.0000] <Domenic>
Arguably the risks are pretty bad these days, but we've gone with less strict mitigations than full CORS. E.g. CORB is such a mitigation.

[07:18:32.0000] <gsnedders>
annevk: oh, https://trac.webkit.org/changeset/72743/webkit might be the change that made this happen in WebKit, which makes it look accidental?

[07:20:11.0000] <annevk>
gsnedders: isn't that for images? Pretty sure that it's important to ignore status there

[07:21:38.0000] <gsnedders>
annevk: it changes WebCore/loader/cache/CachedResource.h and WebCore/loader/loader.cpp to make < 400 a failure by default, except where things opt-in to it being okay (like images)

[07:22:17.0000] <andreubotella>
Domenic: with "these days" you mean because of Spectre, right?

[07:22:18.0000] <gsnedders>
annevk: basically anywhere that didn't explicitly check "has an error occured" started being strict about this

[07:23:14.0000] <annevk>
gsnedders: I guess that means I should check media as well, at least for ORB purposes

[07:23:16.0000] <Domenic>
andreubotella: indeed

[07:23:34.0000] <annevk>
gsnedders: there's a bunch of other things like text tracks that might then also need to be checked, but I care less about those

[07:25:04.0000] <croraf>
I still need slight clarification. So scripts on website A loaded from any origin can access the <image>. Or the issue is that scripts from any origin can create the <image> element with some URL and access that data?

[07:26:48.0000] <andreubotella>
croraf: some of the CORS-related restrictions that were put on the <img> element means you can't access the contents of the image from a website in a different origin, because those capabilities were only added after CORS, but you can see if the image loads or not

[07:27:23.0000] <andreubotella>
so if you can change the Authorization header, just create an <img> element in any origin that points to a resource in the intranet, and see if it loads

[07:28:16.0000] <annevk>
Domenic: are there server aspects that depend on the default branch name? Or would that all be documented in misc-server in which case I should find it shortly?

[07:28:57.0000] <Domenic>
annevk: my guess is if you do a full-text search on misc-server for "master" you'll find all such dependencies.

[07:29:04.0000] <annevk>
great

[07:29:07.0000] <Domenic>
(assuming you are only talking about renaming misc-server)

[07:29:32.0000] <annevk>
Domenic: I'm talking about renaming all repos, but I'm also grepping all repos

[07:29:46.0000] <annevk>
Domenic: so the main question is if we have stuff that's outside repos I suppose

[07:29:47.0000] <croraf>
andreubotella, how can you see that it loads?

[07:30:23.0000] <Domenic>
annevk: OK, I can't think of anything outside repos then. We'll see...

[07:30:36.0000] <andreubotella>
croraf: my example was using the img.decode() method, that I believe returns a promise that rejects if the image doesn't load. but you can also listen for an "error" event

[07:30:44.0000] <annevk>
If anything breaks down it should be easy to fix, not planning on switching today though

[07:31:12.0000] <annevk>
Maybe Tuesday would be a good day after we get the RDs out

[07:32:37.0000] <croraf>
andreubotella, I see

[07:33:36.0000] <croraf>
I'm also confused now with this <object> element, it loads a document in my example, but I cannot apply Network latency in Chome devtools to it.

[07:35:20.0000] <croraf>
<object type='application/pdf' data={url} />

[07:36:30.0000] <croraf>
I'm so confused with this <object_

[07:38:09.0000] <andreubotella>
croraf: <object> and <embed> used to be elements that allowed you to integrate plugins like flash into a page

[07:38:26.0000] <croraf>
So I should use Iframe for pdf's?

[07:38:51.0000] <andreubotella>
yeah

[07:39:02.0000] <croraf>
:thumbs-up:

[07:39:18.0000] <croraf>
I mean I know there are subtle differences between the three.

[07:39:26.0000] <andreubotella>
see https://github.com/whatwg/html/issues/6003, which will make object and embed more similar to iframe now that flash is deprecated

[07:40:22.0000] <croraf>
I'm wondering if the latency will be applied on the iframe

[07:40:41.0000] <croraf>
it is not :(

[07:41:14.0000] <andreubotella>
that sounds like a chrome devtools issue, rather than something the spec would require

[07:41:21.0000] <croraf>
yes

[07:41:37.0000] <croraf>
Can I apply custom headers to Iframe, I guess not :( ?

[07:43:00.0000] <croraf>
https://bugs.chromium.org/p/chromium/issues/detail?id=1113722&q=devtools%20latency%20iframe&can=2 I guess that's the bug

[07:46:28.0000] <croraf>
Damn, thats from 2012, and still open

[07:48:06.0000] <croraf>
But even on FF it is not throttled

[07:59:58.0000] <andreubotella>
annevk: I think I'll file a PR for https://github.com/whatwg/html/issues/6247 and see what the folks from the different browsers think

[08:00:56.0000] <annevk>
andreubotella: sounds reasonable, unfortunate that people are not more proactive, but that's pretty common I'm afraid

[08:01:01.0000] <annevk>
/me hits that all the time

[08:23:47.0000] <annevk>
Domenic: if you're okay with it I think I'm also happy to switch tomorrow

[08:24:17.0000] <annevk>
Domenic: it doesn't seem like we have many dependencies on the default branch name so all the PRs have been rather straightforward

[08:24:51.0000] <annevk>
Domenic: misc-server doesn't need updating at all; participate.whatwg.org does though

[08:25:03.0000] <annevk>
And whatwg.org of course

[08:32:54.0000] <Domenic>
annevk: sounds good to me

[08:34:00.0000] <annevk>
Domenic: cool, I think I'll do it around this time and then watch the fireworks for a one or two hours, assuming you don't find anything problematic

[08:50:58.0000] <croraf>
Is there any way to put <iframe> into loading state?


2021-01-14
[04:31:25.0000] <annevk>
Domenic: I asked for review on a bunch of PRs; once I have those, I'll rename the branches everywhere and start landing the PRs, starting with whatwg.org and participate.whatwg.org. I guess I'll also have to rerun all checks somehow everywhere so they account for the branch change

[06:17:05.0000] <Domenic>
annevk: I think foolip is probably a better reviewer here? He's been looking into this stuff for a while, and would catch other missing things like build.yml more likely.

[06:54:54.0000] <annevk>
Domenic: I get the feeling he's OOO

[07:09:22.0000] <annevk>
Domenic: that is, I pinged foolip yesterday morning (mine) and he didn't get back to me yet

[07:36:06.0000] <Domenic>
annevk: I just had a meeting with him; he's definitely in-office :)

[07:38:56.0000] <annevk>
Domenic: I dunno then, but I guess if we're gating on that it won't happen now

[12:43:47.0000] <smaug____>
hmm, was there searchfox instance for chromium somewhere?


2021-01-15
[20:22:42.0000] <Guest94189>
Hi, how can whatwg make me a better web developer?

[02:06:35.0000] <andreubotella>
I suppose the WPT file FormDataEvent.window.js is only for testing the Event subclass, and I should make another formdata-event.window.js for the event itself

[02:08:35.0000] <andreubotella>
oh, I just realized the formdata tests are in constructing-form-data-set.html

[02:29:53.0000] <annevk>
FYI: all WHATWG repositories have had their default branch renamed. PRs will have to be rebased (against main). Let me know if you need help or notice something that is broken.

[05:41:19.0000] <annevk>
JakeA: I ran into https://github.com/whatwg/html/pull/2814#pullrequestreview-48087763 today, if you have thoughts they'd be most appreciated

[05:42:19.0000] <JakeA>
oh wow, kinda dropped that ball

[05:42:28.0000] <JakeA>
"Will pick this up again soon." 2017

[05:43:13.0000] <annevk>
JakeA: heh yeah that happens, but turns out this stuff is really valuable for ORB

[05:45:08.0000] <annevk>
https://github.com/annevk/orb/pull/16 in particular

[07:01:22.0000] <JakeA>
annevk: solving this in a general algorithm would be great, but I think the media element still needs additional checks, as it needs state around its previous responses

[07:01:37.0000] <JakeA>
(and that state needs to reset when the media changes)

[07:27:16.0000] <annevk>
JakeA: this also needs that, for the same reason (request's opaque media identifier)

[07:27:44.0000] <annevk>
JakeA: but yeah, the media element would need the same check as this only applies to cross-origin stuff

[07:30:41.0000] <JakeA>
annevk: in terms of blocking stuff, the media element wouldn't care about non-opaque stuff

[07:31:19.0000] <JakeA>
aside from the basic "did I get roughly what I asked for" bits in https://wicg.github.io/background-fetch/#validate-partial-response-algorithm

[07:31:48.0000] <JakeA>
but opaque and non-opaque content can't be mixed in a media element

[07:34:13.0000] <JakeA>
I think you want a media element to have a "allowed opaque final response url", which can be null, 'none' or a URL

[07:34:19.0000] <annevk>
Can we chat more next week? I gotta go, but I think I'll have more questions and it looks like we might need to collaborate on putting the validation of partial responses in Fetch

[07:34:31.0000] <JakeA>
yeah, absolutely

[07:34:34.0000] <JakeA>
have a good weekend!

[07:34:54.0000] <JakeA>
I'll put some thoughts in the PR while it's in my head

[07:35:09.0000] <annevk>
appreciate it

[12:35:27.0000] <Domenic>
So nice 😍 https://github.com/whatwg/html/pull/6296

[13:56:37.0000] <MikeSmith>
annevk: https://stackoverflow.com/questions/65736231/cors-policy-on-google-chrome-version-87-0-4280-141


2021-01-16
[22:07:27.0000] <annevk>
MikeSmith: that seems very confused

[02:27:53.0000] <MikeSmith>
annevk: yeah sounds like an XY problem


2021-01-17
[22:56:25.0000] <howdoi>
et.addEventListener('foo', (e) => {}, { signal } ); // This will run the event once and remove the listener?

[23:01:16.0000] <howdoi>
Aborting from a listener does not call future listeners, that's interesting

[23:40:27.0000] <howdoi>
Enable seamless transitions across navigations with Portals, is it every gona happen?


2021-01-18
[04:07:47.0000] <annevk>
JakeA: I still need to look into this more, but I just realized that if we put the valid opaque response URL on the request we don't need to have a side table in the network layer anymore, that's a lot cleaner

[04:08:35.0000] <annevk>
JakeA: and I guess we do want to merge the two efforts somehow, although I'm not sure if I want to sign up for fixing media element loading

[04:09:58.0000] <JakeA>
annevk: yeah, I agree that data could go onto the request, and a future 'fix' to media elements could use it

[04:10:43.0000] <annevk>
JakeA: did browsers ever implement your fixes?

[04:13:11.0000] <JakeA>
annevk: The big security issues are handled by preventing redirects that go to different places, but I don't think it's interoperable

[04:13:28.0000] <annevk>
Putting it on a request also makes it scoped to a single media element, which seems a lot cleaner. I guess there is an assumption that service workers would always do pass through for these though.

[04:14:09.0000] <annevk>
But maybe the Cache API deals poorly with 206 anyway?

[04:14:37.0000] <JakeA>
annevk: the request would only have its "valid opaque response URL" set if the response has to come from that location, so the service worker would need to do pass-through in that case

[04:15:46.0000] <JakeA>
If a media element only uses non-opaque responses then the service worker can get the data from wherever it wants

[04:15:51.0000] <annevk>
Yeah, I mean that's an implication of doing it that way and not having the network layer track these responses in some way...

[04:16:09.0000] <JakeA>
ahh ok

[04:16:46.0000] <annevk>
But that also relied on a media element doing the initiation so never mind

[07:01:30.0000] <annevk>
JakeA: since the HTML PR never went anywhere, do you know if bugs got filed against all browsers?

[07:02:39.0000] <JakeA>
annevk: I only filed bugs for the actual security issues I found. I didn't file bugs to converge behaviour. In some ways it's good I didn't, since my proposal in that PR wasn't solid enough.

[07:03:33.0000] <annevk>
JakeA: if you still have those somewhere I'd love the Fx bug

[07:04:12.0000] <annevk>
JakeA: also, is this something you are willing to spend more time on? Perhaps the HTML part only and I'll do the Fetch part as part of ORB?

[07:04:33.0000] <JakeA>
annevk: https://bugzilla.mozilla.org/show_bug.cgi?id=1441153

[07:05:42.0000] <JakeA>
annevk: I'll put it on my TODO list, although there are more folks waiting on me to do the browser session & session history stuff first

[07:07:56.0000] <annevk>
JakeA: ah yeah, that's important too

[07:09:01.0000] <annevk>
JakeA: okay, maybe I'll make time for it, but this ORB thing is becoming quite the yak shave with embed/object/media elements

[07:36:39.0000] <annevk>
JakeA: reading https://bugs.chromium.org/p/chromium/issues/detail?id=532569 I also wonder if we need changes to CORS to allow for Range to be set and not cause a preflight

[07:37:24.0000] <annevk>
what a mess

[07:41:05.0000] <annevk>
Ah, https://github.com/whatwg/fetch/issues/145 mentions this at least

[08:53:00.0000] <JakeA>
I wonder if https://fetch.spec.whatwg.org/#privileged-no-cors-request-header-name helps there?

[09:02:44.0000] <annevk>
JakeA: yeah I think so, we just need to use that as a way to bypass the preflight

[09:02:54.0000] <annevk>
JakeA: but more annoyingly it'll need tests

[09:03:17.0000] <annevk>
Hopefully I'll have some time this week to look into all that


2021-01-19
[02:00:14.0000] <andreubotella>
annevk: w.r.t https://github.com/whatwg/html/pull/6287#issuecomment-762646151, see https://github.com/whatwg/html/issues/6247#issuecomment-753997698

[02:00:45.0000] <andreubotella>
I might have done a poor job explaining, but although "string/File-sourced entries" include programmatic inputs (such as some FACE inputs), "FormData-sourced entries" are all programmatic

[02:02:51.0000] <andreubotella>
so my initial idea was to keep things as they were in the spec, other than normalizing FormData-sourced entries for urlencoded and text/plain since Firefox and Chrome already do that

[02:06:48.0000] <annevk>
andreubotella: I might not have been clear enough either, I think I meant to not normalize them at all

[02:07:42.0000] <annevk>
andreubotella: it's kinda moot without implementer input though and I suspect it might be hard to get a quick take from someone given all the intricacies

[02:07:56.0000] <andreubotella>
annevk: true

[02:09:11.0000] <annevk>
andreubotella: I think you had a summary comment somewhere about the current state of things in implementations, perhaps that can be updated with the proposed state and then we get feedback on that?

[02:09:40.0000] <annevk>
andreubotella: pretty sure I can reach someone from Chrome; I think for Mozilla it doesn't matter much as long as we end up with interop

[02:11:57.0000] <andreubotella>
annevk: turns out that for Firefox, doing it some other way than the current state of https://github.com/whatwg/html/pull/6287 would need fixing https://bugzilla.mozilla.org/show_bug.cgi?id=1651887 first

[02:12:22.0000] <andreubotella>
but sure, I'll write that up

[02:13:54.0000] <annevk>
andreubotella: that bug is a good indicator that folks don't want their FormData "magically" changed

[02:14:51.0000] <annevk>
(though more likely is that it's anecdata that reinforces my biases 🙂)

[02:17:38.0000] <andreubotella>
annevk: Firefox and Chrome agree on normalizing FormData-sourced entries on urlencoded and text/plain, though

[02:18:16.0000] <andreubotella>
and Safari only doesn't because it can only create a payload from FormData-sourced entries with Request/Response.body

[02:20:03.0000] <andreubotella>
so if we don't want to normalize FormData entries on Request.body, the shortest path to interoperability would probably going with Chrome for multipart/form-data

[02:23:05.0000] <annevk>
andreubotella: I'm sorry, but I no longer know what that means

[02:23:52.0000] <annevk>
Interop matters, but if everyone has to do a little more and we end up with something a lot simpler that's valuable too, esp. long term

[02:55:25.0000] <annevk>
andreubotella: what does (names and filenames N/A) mean?

[02:56:07.0000] <andreubotella>
annevk: Firefox turns newlines into spaces in the MIME headers in multipart/form-data

[02:56:54.0000] <andreubotella>
with https://github.com/whatwg/html/pull/6282, that's no longer conforming to the spec

[02:56:59.0000] <annevk>
andreubotella: that might be worth noting

[02:57:05.0000] <andreubotella>
right

[02:57:58.0000] <annevk>
andreubotella: I hadn't really considered that names would become headers; can you even reliably parse that format if those contain newlines?

[02:58:22.0000] <andreubotella>
https://github.com/whatwg/html/pull/6282 makes them percent-escaped

[02:58:31.0000] <annevk>
I see

[02:58:47.0000] <annevk>
That should work

[02:59:09.0000] <andreubotella>
That's why I waited to file both PRs together in the same Firefox bug

[03:01:44.0000] <annevk>
andreubotella: I still like the idea of normalizing for String/File and not normalizing for FormData

[03:03:50.0000] <andreubotella>
annevk: I'd prefer normalizing everything for urlencoded and text/plain and going the Chrome way on multipart/form-data

[03:03:59.0000] <andreubotella>
but let's wait to hear from the implementers

[03:04:07.0000] <annevk>
andreubotella: why is that your preference?

[03:06:57.0000] <andreubotella>
annevk: I'm not sure; the other options are definitely simpler

[03:07:33.0000] <andreubotella>
I don't care too much which way we end up going for multipart/form-data

[03:51:51.0000] <andreubotella>
annevk: I was thinking that for urlencoded and text/plain, it might not be simpler to not normalize for FormData, spec-wise and for implementations like Chrome

[03:52:05.0000] <andreubotella>
I'll try to put my words in order and write a post about it

[05:52:47.0000] <annevk>
JakeA: so how do you trick a media element into making multiple range requests?

[06:03:37.0000] <JakeA>
annevk: give it back less than it wants. If it asks for 0-, give it 0-100 or whatever

[06:03:47.0000] <JakeA>
it'll make another request for the rest

[06:03:51.0000] <JakeA>
either that, or seek the media

[07:47:08.0000] <annevk>
JakeA: so both Chrome and Firefox seem to give up for cross-origin audio, even without redirects, not sure what to make of this yet (perhaps DevTools is broken)

[07:48:05.0000] <JakeA>
annevk: give up, as in don't make a second range request?

[07:48:23.0000] <annevk>
JakeA: yeah, and Firefox doesn't even show the first request

[07:48:35.0000] <annevk>
JakeA: get a single progress event in Chrome, two in Fx

[07:50:49.0000] <JakeA>
annevk: https://github.com/jakearchibald/range-request-test might be useful, as this logs the requests the server receives

[07:51:12.0000] <annevk>
JakeA: yeah, looking at WPT stashes now

[07:52:16.0000] <JakeA>
annevk: https://github.com/web-platform-tests/wpt/blob/master/fetch/range/general.window.js here's what I did for the range stuff in wpt

[07:52:33.0000] <annevk>
JakeA: yeah I'm using some of that 🙂

[07:52:47.0000] <annevk>
JakeA: if I get somewhere you might even get a review request

[07:52:55.0000] <annevk>
but prolly not today at this rate

[07:53:01.0000] <JakeA>
😀 happy to

[08:20:15.0000] <annevk>
JakeA: it's really weird, if I append a uuid it doesn't happen anymore; maybe it hits some cache somewhere

[08:55:59.0000] <JakeA>
annevk: hmm, it's possible. Does no-store produce the same effect?

[09:01:45.0000] <annevk>
JakeA: does not seem to matter; I've also "disable cache" enabled

[09:01:58.0000] <JakeA>
huh, that is odd

[09:01:59.0000] <annevk>
JakeA: anyway, not investigating that too much, looking more at redirects and such now

[09:02:58.0000] <annevk>
JakeA: it seems that Chrome might stop at the first redirect, Firefox at the first cross-to-same-origin redirect, Safari keeps trucking, I guess I need to test cross-to-cross origin

[09:03:53.0000] <JakeA>
annevk: I seem to remember that Chrome would 'remember' the redirect, and consult the redirected-to URL for subsequent parts, whereas Firefox would go back to the original URL

[09:03:59.0000] <JakeA>
Or the other way around

[09:06:32.0000] <annevk>
JakeA: I can reproduce Firefox continuing with the original URL, but Chrome stops after it gets the 206 response from the redirect

[09:07:37.0000] <annevk>
Which is admittedly weird and maybe a sign I'm doing something wrong as it would make more sense for Chrome to just abort upon seeing a redirect after the initial fetch

[09:08:28.0000] <annevk>
JakeA: ah, if the initial request redirected I can reproduce that behavior in Chrome

[09:08:36.0000] <annevk>
JakeA: but not if the second request redirects

[09:09:04.0000] <annevk>
/me basically branches of a request counter to try to make browsers do stupid stuff

[09:09:05.0000] <JakeA>
ohhhh! I think that behaviour is new to me

[09:10:34.0000] <annevk>
JakeA: maybe it still follows redirects in the hope that the final URL is identical and it will continue in that case? That does kinda match what mkwst described

[09:12:09.0000] <JakeA>
annevk: As in redirects to another origin and back again? That would surprise me, but everything about this stuff surprises me

[09:41:15.0000] <annevk>
JakeA: as in, if the first request ends up at /x and the second request thus goes to /x but then is redirected to various places including https://y/test but ends up at /x, it's okay (not verified though, will likely do so tomorrow)

[13:10:54.0000] <smaug____>
Are some directories in wpt magical, so that files in them aren't run?

[13:11:22.0000] <smaug____>
Or do all the .html files with 	<script src="/resources/testharness.js"></script> or <script src="/resources/testharnessreport.js"></script> or something get run as  a test

[13:25:20.0000] <Domenic>
The latter


2021-01-20
[01:38:45.0000] <jgraham>
smaug____: There are also magical directories

[01:40:16.0000] <smaug____>
jgraham: is there a list of those directories somewhere?

[01:40:33.0000] <jgraham>
smaug____: support, resources, and tools

[01:40:41.0000] <jgraham>
I'm not sure if that's in the docs

[01:41:13.0000] <jgraham>
(but if you are trying to add testharness.js to a non-test file, I'm interested in what the use case is)

[01:45:28.0000] <smaug____>
jgraham: this is a patch in my review queue. Some test file will do location.href = resource/foo.html

[02:00:11.0000] <jkt_>
annevk: In https://github.com/whatwg/html/issues/2635 you mentioned it would be easier with COOP is there anything else blocking this?

[02:05:03.0000] <annevk>
jkt_: I don't think so, apart from us not really having formalized user-initiated navigations

[02:13:32.0000] <annevk>
JakeA: so Chrome's behavior is a bit weird; it doesn't follow redirects across origins, but it does follow them within the same origin and as long as the final URL is identical to the URL determined to be the final URL in the initial request it will continue doing range requests

[02:14:14.0000] <annevk>
JakeA: it would be a lot easier I think if we just forbid redirects, but maybe some site really does rely on that Chrome oddity?

[02:34:42.0000] <jkt_>
annevk: right makes sense :)

[02:35:21.0000] <JakeA>
annevk: Hmm, the Chrome behaviour allows for content negotiation on the server then redirecting to the appropriate media file

[02:35:28.0000] <JakeA>
Although I don't know if this is used in the wild

[02:36:35.0000] <JakeA>
Allowing redirects after the first response seems unnecessary though

[03:32:16.0000] <JakeA>
annevk: I'm working on speccing 'navigable', a thing that can be navigated. When describing "parent navigable", would it be better to write it as a getter, something like "the parent navigable is navigable that contains a session history item that has a document which contains an iframe which uses this navigable", or is it better to give the navigable a "parent navigable" concept, and manage this state as it changes?

[03:32:37.0000] <JakeA>
I usually do the latter, but it seems like the HTML spec does a lot of the former

[03:32:42.0000] <JakeA>
but maybe that's legacy

[03:34:15.0000] <JakeA>
It's kinda hand-waved for browsing contexts "A browsing context child may have a parent browsing context. This is the unique browsing context that has child as a child browsing context, if any such browsing context exists. Otherwise, the browsing context has no parent browsing context."

[04:30:28.0000] <annevk>
JakeA: I would prefer the latter

[04:31:27.0000] <annevk>
JakeA: I don't think Chrome allows for that, because if you redirect to the appropriate file you'd have a mismatched URL with the initial final URL and Chrome would error at that point

[04:31:47.0000] <annevk>
JakeA: ah yeah, this is primarily about redirects after the first response

[04:32:21.0000] <JakeA>
ta!

[06:50:12.0000] <annevk>
yoav: hey I thought rel=prefetch was for navigations

[06:50:28.0000] <annevk>
yoav: I see google.com has a single rel=prefetch entry and it tries to obtain https://apis.google.com/js/api.js

[06:51:17.0000] <annevk>
oh wait, I guess it was also resources the next document might use

[06:52:56.0000] <yoav>
yeah, resources for the next document are also legit, although cross-site ones may not survive the cache partitioning

[06:54:55.0000] <annevk>
yoav: as long as the partition is the same cross-origin resources would work, but google.com prefetching the first three search result documents is not a thing that would work anymore, indeed

[06:56:05.0000] <yoav>
/me nods


2021-01-21
[22:14:52.0000] <MikeSmith>
https://scotthelme.co.uk/coop-and-coep/ is good

[01:28:43.0000] <annevk>
JakeA: I edited my comment on that session history a few times, but it should be good now

[01:29:02.0000] <annevk>
issue ^

[01:30:58.0000] <annevk>
/me edits once more

[02:23:22.0000] <annevk>
JakeA: you around?

[02:23:59.0000] <annevk>
If not I can continue on GitHub I suppose, but it's not as good as chat

[09:15:38.0000] <csarven>
Is the `align` attribute kept in the HTML spec because it is still widely-used in the wild? Or some other reason? Is there a recommendation somewhere stating that authors/authoring tools should use CSS's `text-align` instead for the purpose of presentation?

[09:22:23.0000] <andreubotella>
csarven: it's in the list of obsolete attributes which must not be used by authors: https://html.spec.whatwg.org/#attr-div-align

[09:22:50.0000] <Domenic>
csarven: the various align="" attributes are kept because browsers must implement them, because we don't want to break websites that use them, indeed. They are marked as obsolete: https://html.spec.whatwg.org/#attr-caption-align

[09:26:12.0000] <csarven>
Ah great! Thanks. I guess I should keep that section close by. I was originally looking into align on table

[09:42:55.0000] <a-ja>
csarven, iirc, there's table align css ua stylesheet hints in rendering, too


2021-01-22
[03:56:01.0000] <JakeA>
annevk: ah, sorry, irccloud had logged me out and I hadn't noticed

[03:58:24.0000] <annevk>
JakeA: wb 🙂

[03:58:50.0000] <annevk>
JakeA: so for that WPT PR I'm mainly looking for ideas

[03:59:51.0000] <annevk>
JakeA: one thing that came to mind is that I could create a Python file per scenario that imports the wav file somehow for the majority of the logic, if we don't want to put everything in the wav file, but none of it seems particularly elegant

[04:00:36.0000] <annevk>
JakeA: I'm also having trouble determining what state the media element should end up in once things fail or succeed, but perhaps observing the network traffic is sufficient for now...

[04:00:37.0000] <JakeA>
annevk: I've usually used query params to handle a lot of that stuff, but I don't know how that'd fit in this case

[04:01:28.0000] <annevk>
JakeA: so the problem with query params is that I need the URL to remain mostly static (unless I explicitly want to change it) as we (plan to) compare the URL in the spec

[04:01:49.0000] <annevk>
JakeA: one thought I had was to base64 a JSON object that encodes scenarios and put that in a param though

[04:02:17.0000] <annevk>
JakeA: that would work as it'd be the same as the token, just a static unchanging thing

[04:03:32.0000] <annevk>
But maybe I should just write some tests with a switch/case in the wav file and try to abstract things later...

[04:32:59.0000] <rigid>
hi

[04:33:18.0000] <rigid>
When linking to a HTML5 <video> with https://video.mp4#t=10,15 it works fine in recent popular browsers, but only when the video is not already playing.

[04:33:42.0000] <rigid>
Does anyone know if there's a standard emerging/planned to do this with videos already playing to do seek jumps? Something like href="#my-video-element-id?t=10,15" would be awesome. I couldn't find anything (just solutions that require javascript).

[04:36:02.0000] <annevk>
rigid: not aware of anything, you could propose it to https://wicg.io/

[04:37:39.0000] <rigid>
ehrm, i'm no expert. i'll probably do it wrong :)

[04:37:48.0000] <rigid>
annevk: but i'll try. thank you.

[04:38:16.0000] <annevk>
rigid: https://whatwg.org/faq#adding-new-features has tips

[04:38:31.0000] <rigid>
ah, was just about to search for that. awesome!

[04:40:06.0000] <JakeA>
rigid: The tricky part is figuring out how this would work without JavaScript. You'd need some kind of input/link that targets a particular media element.

[04:43:55.0000] <rigid>
JakeA: naively i'd think it would be quite easy to implement. with javascript, one just sets the "currentTime" attribute to "HH:MM:SS.MMM" of the <video> element. If a browser could replicate this by parsing href="#video_element?t=HH:MM:SS.MMM", it's done.

[04:44:11.0000] <rigid>
i could imagine that in practice it'd be _much_ more complex :)

[04:45:24.0000] <rigid>
and probably needs more parsing. Like als calling the "play()" method of the video element (or not) if the the video is paused. Not everyone would want to seek and play. Some might just want to seek and keep the video paused. Etc.

[04:46:07.0000] <JakeA>
yeah, maybe targeting the media by id is enough

[04:46:27.0000] <rigid>
in this case, something like href="#video_element?t=00:00:05.500&play=true" (or false) would be needed

[04:47:13.0000] <rigid>
also that would deviate from the current "t=X,Y" standard. Lots of issues. But i'll try to RFC anyway

[04:48:08.0000] <JakeA>
can't have something that works around current autoplay restrictions

[04:48:41.0000] <rigid>
JakeA: i think it'd be enough since targeting elements by id is already done for normal #section links

[04:50:09.0000] <rigid>
hm, javascript seems to work around against autoplay restrictions aswell? like: "var video = $('#myvideo').get(0); video.play()"

[04:50:29.0000] <rigid>
this in <a onclick=...> plays on click

[04:50:53.0000] <rigid>
ah, but it doesn't work around on external links

[04:51:01.0000] <rigid>
i think I get what you're saying

[04:51:04.0000] <JakeA>
rigid: `video.play()` only works if it was called after a user interaction

[04:51:27.0000] <JakeA>
(although in some cases muted videos can play)

[04:51:42.0000] <annevk>
JakeA: how did you test whether the user agent stopped doing requests for the media element?

[04:53:37.0000] <JakeA>
annevk: I think I assumed requests wouldn't happen after an error event on the media element

[04:53:39.0000] <rigid>
hm, clicking a link would also be a user interaction. I suppose links from external sites would be the issue. like <a href="//notmysite.com/#video?play=true"> would work around that restriction.

[04:54:41.0000] <JakeA>
rigid: right, or indeed links from a native app etc etc

[04:56:36.0000] <annevk>
JakeA: so I can't always get error to fire in Chrome, but it does stop doing requests...

[10:04:19.0000] <domfarolino>
annevk: Just for a sanity check, do you agree with https://github.com/w3c/webappsec-referrer-policy/pull/148#issuecomment-765590123 ?

[10:48:23.0000] <rigid>
just reading the FAQ for proposals annevk pasted. It mentions https://github.com/whatwg/html/issues ... where's the difference to https://wicg.io ?

[11:31:32.0000] <annevk>
domfarolino: that goes for all policies

[11:32:50.0000] <annevk>
rigid: the former is for stuff that’s a bit further along, we should prolly update the FAQ

[11:34:10.0000] <rigid>
oh, i just started writing the github issue :)

[11:34:21.0000] <domfarolino>
Ok just checking

[11:35:43.0000] <domfarolino>
Except srcdocs shouldn’t inherit the CSP of the initiator of a backwards history traversal I guess? But that’s not really considered a navigation I think.

[11:38:34.0000] <domfarolino>
Or I guess more generally policies shouldn’t be inherited from history traversal since they’re aren’t navigations...

[11:38:48.0000] <domfarolino>
Sorry, trying to page this all in my head 😅

[11:43:02.0000] <annevk>
domfarolino: good question how that would work without bfcache, might have to be stored in history, hmm

[11:43:39.0000] <annevk>
rigid: that’s fine as a starting point, you’ll get redirected if needed

[11:49:58.0000] <domfarolino>
annevk: Yeah so without bfcache my understanding is the document would have to be reloaded, and you're saying reloading it might not be enough to resurrect the same policy container that the original document would've had (that inherits policies from its container doc)? That is, we might need to store the container in history or something?

[12:15:12.0000] <annevk>
domfarolino: yeah maybe, not sure where else it would go if the entry was about:blank or some such


2021-01-23
[18:33:05.0000] <croraf>
Is it possible to add capturing events with HTML attribute?

[18:33:31.0000] <croraf>
Like <div onclick="...capturing event handler here..."></div>


2021-01-25
[20:20:50.0000] <derpadmin>
anyone here had success making phone notification with a web app that work across all browsers and on mobile phones too?

[20:21:09.0000] <derpadmin>
I am no web developer, but I think abandonning my project over this

[02:03:30.0000] <annevk>
So I'm trying to resurrect WHATWG's Twitter accounts and the majority of the time is reading a lot of documentation only to end up with 30 lines of npm cli code that allows associating Twitter accounts with a bot 😊

[05:51:12.0000] <croraf>
derpadmin, you talk about the PWA's feature?

[05:54:21.0000] <derpadmin>
yes, but I answered my question last night I believe

[05:54:34.0000] <derpadmin>
it is unusable without an api call to a 3rd party

[07:55:54.0000] <croraf>
derpadmin, what do you mean by "an api call to a 3rd party"

[08:09:45.0000] <derpadmin>
croraf, a push endpoint

[10:18:37.0000] <timdream>
derpadmin: push by definition requires you to hit a third party to push the message for you.

[10:43:42.0000] <derpadmin>
yup, I figured that out

[10:44:01.0000] <derpadmin>
thanks all for your answers


2021-01-26
[23:28:12.0000] <annevk>
I published the code for that utility if anyone is curious: https://github.com/whatwg/whattweetbot-keys

[23:30:08.0000] <annevk>
Node seems quite nice, though I do worry about those dependencies 🙂

[03:03:24.0000] <zcorpan>
annevk: re https://github.com/whatwg/html/issues/4930#event-4218816381 - does COEP now require https to have an effect?

[03:06:40.0000] <annevk>
zcorpan: always did I think

[03:06:54.0000] <annevk>
zcorpan: or localhost

[03:08:40.0000] <zcorpan>
annevk: it didn't around a year ago: https://github.com/whatwg/html/issues/5164

[03:10:35.0000] <annevk>
Fair enough, though it wasn't exactly finished then either

[03:11:28.0000] <zcorpan>
annevk: indeed. where in the spec now is the check for COEP?

[03:15:52.0000] <annevk>
zcorpan: that is a good question, sigh

[03:17:14.0000] <annevk>
zcorpan: are you gonna file a new issue?

[03:17:27.0000] <zcorpan>
annevk: sure. thanks

[03:19:09.0000] <annevk>
zcorpan_: it should be fairly easy to fix by doing a check when obtaining COEP now

[07:34:28.0000] <Domenic>
"For x-shockwave-flash or x-test types, the element is shown as a transparent region with the size specified in its width and height attributes." from https://developer.mozilla.org/en-US/docs/Plugins/Roadmap#schedule interesting

[07:36:00.0000] <annevk>
Domenic: yeah I heard about that but hadn't followed up yet, reportedly Chrome/Safari might do that by default so we could align with that and not have to special case these

[07:36:26.0000] <Domenic>
Oh cool. I haven't heard anything on what we're doing myself.

[09:03:14.0000] <Domenic>
NYC is having widespread internet problems, fun. Not sure how much work I'll be doing today, even reviews...

[09:45:42.0000] <annevk>
That sucks, pretty weird we still have those outages tbh

[10:47:52.0000] <annevk>
Domenic: yeah, their placement on spec.whatwg.org is fairly prominent now hmm

[10:48:27.0000] <annevk>
Domenic: I guess I'll see if I can get used to it, perhaps an icon is better

[10:53:17.0000] <Domenic>
I tried making it a <dd>, not sure it's any better

[10:53:22.0000] <Domenic>
https://usercontent.irccloud-cdn.com/file/ZsNUjYJO/dd-spec.png

[10:54:13.0000] <Domenic>
We need a designer... although their first task would be improving our spec contrast ratios and then doing a dark mode, I guess.

[11:00:09.0000] <annevk>
Ask jst if we can get budget? 🙂


2021-01-27
[16:10:02.0000] <Domenic>
Oh, we already have /img/bird-webpage.svg which we could reuse, although we'd need to create a colored version

[02:32:24.0000] <JakeA>
annevk: Does this sound true to you: An auxiliary browsing context can only be created during the creation of a new browsing session (although not all new browsing sessions contain auxiliary contexts)

[02:36:49.0000] <annevk>
JakeA: yeah, because browsing session is 1:1 with top-level and top-level > auxiliary

[02:37:08.0000] <annevk>
(I'm not sure if > denotes superset, but let's assume it does.)

[02:38:27.0000] <JakeA>
annevk: although top-level browsing contexts can be created at other times, such as navigations that need to be in another context group

[02:39:05.0000] <JakeA>
But auxiliary contexts are always created at the same time as a browsing session

[02:39:53.0000] <annevk>
JakeA: oh, I see, yeah, I think that makes sense, though I still haven't explored when we want to split browsing session for those scenarios

[02:40:29.0000] <annevk>
JakeA: in particular, if the user really does a new navigation, should sessionStorage survive? should history.back()? I'm not sure

[02:42:47.0000] <annevk>
JakeA: we should probably explore that more as it seems those will be the XS-Leaks of the future

[02:42:49.0000] <JakeA>
annevk: I think the back button should work, but I'm less sure about `history.back`. But that doesn't need anything like a session swap, we can just have logic like "if the previous session history entry uses a different browsing context, do nothing"

[02:43:08.0000] <annevk>
JakeA: right, but that doesn't work for sessionStorage

[02:43:35.0000] <JakeA>
annevk: isn't session storage associated with the browsing context?

[02:43:52.0000] <annevk>
JakeA: in the current spec it's associated with the browsing session, maybe that's a bug

[02:44:02.0000] <JakeA>
(I guess it's confusing that session storage is associated with the browsing context, rather than the browsing session, but that seems to be the way it should work)

[02:44:53.0000] <annevk>
JakeA: if we associate it with the top-level bc (I don't think it ever makes sense to be associated with a nested one) COOP will "break" sessionStorage

[02:45:47.0000] <annevk>
So one question is whether it's okay for COOP to do that and if not, whether a user-driven navigation is different from COOP in that matter

[02:47:20.0000] <JakeA>
annevk: it'd be sad to have to add yet another layer, but yeah there's a strong case for having session storage survive one or both of those cases

[02:49:32.0000] <JakeA>
annevk: I guess I can either associate session storage with the browsing session (so it remains there after all session navigations), the context (so it changes with context changes) or associate it with session history entries, meaning we can choose to carry it over or not in different situations, independent of the context

[02:50:02.0000] <JakeA>
Not something we need to solve right now, thankfully

[02:51:47.0000] <annevk>
I think it needs to survive COOP so you can do site A -> site B -> site A and not lose your "session", but I'm less convinced if the user then navigated to site C (through the address bar) and that redirects to site A

[02:53:00.0000] <annevk>
Maybe it's reasonable to leave that up to the browser though, whether they start a new browsing session or not and what that means for their UI

[02:53:14.0000] <annevk>
I guess we should just call it out whenever we define address bar navigation

[02:53:30.0000] <annevk>
Does that seem like a reasonable resolution JakeA?

[02:54:33.0000] <JakeA>
annevk: I'd like to avoid switching the browsing session for a window/tab, unless the UA wants it to be equivalent to closing the tab and creating a new one

[02:54:51.0000] <JakeA>
But I think there are reasonable ways to achieve all the options here, so I'm not worried

[02:55:31.0000] <JakeA>
Cloning session history is also an option, but I don't think that achieves anything

[02:55:59.0000] <JakeA>
(unless it can be used as a communication channel)

[02:56:07.0000] <annevk>
JakeA: right, I think that's what I'm saying, a UA may treat it as closing the tab and creating a new one and since the UI is UA-controlled they can also carry over some back-button state

[02:56:40.0000] <annevk>
JakeA: although I guess if not all UAs do that you still get weird sessionStorage corner cases

[02:57:06.0000] <annevk>
but once the address bar is invoked that seems hard to avoid

[02:57:20.0000] <annevk>
invoked works, but I meant involved

[02:57:51.0000] <JakeA>
annevk: I guess I'm trying to explain the behavior of the back button too, but I suppose I don't need to do that

[03:00:41.0000] <JakeA>
sflhfbrelksjhf now I want to rename browsing session since it doesn't match up with session storage

[03:00:50.0000] <JakeA>
I can do that later if needed

[03:02:18.0000] <annevk>
JakeA: anything about the back button is a suggestion at most, it's UI and doesn't even have to exist in theory

[03:02:57.0000] <annevk>
JakeA: I think we should only rename it if they don't end up being 1:1, my suggestion above is that they are 1:1

[03:03:26.0000] <annevk>
JakeA: and that's also what we ended up specifying thus far (which is not much, admittedly)

[03:04:09.0000] <JakeA>
annevk: specing how session history works is kinda hard if the back button ends up undefined

[03:07:51.0000] <annevk>
JakeA: fair, I think it's valid to say that if UI is exposed it must act in this way, similar to address bar navigations

[03:08:20.0000] <annevk>
JakeA: we just can't dictate that it exists or that it exposes all the entries the spec might have found

[03:10:11.0000] <JakeA>
annevk: yeah that's fair. Certain kinds of JS-initiated history traversals will be disallowed due to browsing context changes, but the back button would be allowed to cross that boundary.

[03:10:54.0000] <JakeA>
annevk: It feels like session storage could be associated with the browsing context, and the reference could be shared by multiple contexts in cases where that's allowed (in-page COOP navigations)

[03:11:16.0000] <JakeA>
eh feels like we've got a lot of ways to do whatever we end up wanting to do

[03:17:19.0000] <annevk>
Yeah 😊

[06:06:00.0000] <JakeA>
annevk: https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name "User agents are encouraged to provide a way for users to configure the user agent to always reuse current." - what is this referring to? An option to avoid creating new browser windows/tabs on navigations? Or specifically browsing contexts? I guess it's the former else it's COOP-breaky

[06:06:37.0000] <annevk>
JakeA: yeah, avoid new tab

[06:06:47.0000] <JakeA>
ta!

[06:06:50.0000] <annevk>
JakeA: it's really old text that could use some polish

[06:07:07.0000] <annevk>
JakeA: I think we also lack force new tab

[06:09:10.0000] <JakeA>
annevk: There's "If the user agent has been configured such that in this instance it will create a new browsing context"

[06:10:04.0000] <annevk>
ah

[06:10:14.0000] <JakeA>
but yeah I'll reword that

[09:01:54.0000] <MikeSmith>
TabAtkins: https://drafts.csswg.org/web-animations-1/ seems to now be missing its *.html

[09:02:23.0000] <MikeSmith>
and https://drafts.csswg.org/ homepage now has no index

[09:03:47.0000] <MikeSmith>
ah, all directories missing their *.html now, it looks like

[09:04:02.0000] <MikeSmith>
https://drafts.csswg.org/css-align-3/

[09:48:58.0000] <TabAtkins>
MikeSmith: yeah, fixed now. Ping plinss when this happens. It's been happening a bunch lately, I'm trying to get him to up priority of saving a statically-served version of the specs. (Right now there's a dynamic redirect to where the static version is saved, which can fall over.)

[09:49:17.0000] <MikeSmith>
TabAtkins: ah OK thanks

[09:49:39.0000] <MikeSmith>
will ping plinss if I run into it again

[09:50:10.0000] <MikeSmith>
this is the first time I have ever personally run into it, as far as I can can recall

[10:58:42.0000] <annevk>
Domenic and I restored tweeting: https://twitter.com/thedomstandard/status/1354496441859899400 (hopefully it works for other standards too)

[11:13:11.0000] <Domenic>
I really like that we now control the format and can trim lines and make the links into cards and such


2021-01-28
[03:22:18.0000] <annevk>
JakeA: if you're around could you look at https://github.com/whatwg/fetch/pull/1144?

[03:22:33.0000] <annevk>
JakeA: in onfetch, can you modify ev.request.headers?

[03:24:04.0000] <annevk>
per https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm at least that should be no

[03:25:22.0000] <JakeA>
I didn't think you could modify them

[03:25:24.0000] <JakeA>
I'll take a look

[03:26:04.0000] <annevk>
JakeA: thanks, the context is making Fetch and SW play nice for request streams

[04:42:07.0000] <annevk>
JakeA: "This may be the first time a single unit of session storage has been shared between a (process, origin) pair" is an astute observation that might well influence things; I don't actually know enough about how sessionStorage is implemented

[05:18:42.0000] <JakeA>
hopefully it's similar enough to localstorage so it doesn't matter

[09:32:48.0000] <Mek>
annevk/JakeA: not sure what the context of the discussion is here, but at least in the Chrome implementation of session storage we explicitly don't support sharing session storage across processes, and I think allowing that would be a non-trivial effort with how copy-on-write and change events are implemented in chrome...

[09:35:27.0000] <annevk>
Mek: say so in https://github.com/whatwg/storage/issues/119

[09:40:04.0000] <Mek>
will do

[09:43:39.0000] <annevk>
Mek: I guess that only really applies when within the same site you go from non-COOP to COOP, as otherwise the relevant processes could be the same. But none of that is really an ideal building block for a coherent model...

[09:44:12.0000] <annevk>
I guess the coherent model would be to always reset upon COOP

[09:44:53.0000] <Mek>
yeah, and for the navigation case it wouldn't be bad either since there would only be one process accessing it at a time anyway (i.e. it's changing processes, but still one at a time). The prerender case would be harder (and I thought was one of the reasons portals ended up blocking storage before activation)

[09:45:55.0000] <annevk>
Mek: ah okay, that's an important distinction, in that case there might not be a problem at all

[09:46:01.0000] <Domenic>
No blocking same-origin though for portals/prerendering.

[09:47:23.0000] <Mek>
oh, I guess I misunderstood where portals currently stands...


2021-01-29
[17:36:54.0000] <MikeSmith>
Web Crypto spec needs some updates but we have no editor for it

[17:37:37.0000] <MikeSmith>
is there somebody we can think of who might be motivated to work on it?

[21:52:37.0000] <annevk>
MikeSmith: what kind of updates?

[21:55:45.0000] <MikeSmith>
annevk: see the issues list

[21:55:47.0000] <MikeSmith>
https://github.com/w3c/webcrypto/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc

[21:56:52.0000] <MikeSmith>
there about 7 issues opened or upated in just the last 6 months

[21:59:08.0000] <MikeSmith>
and about 40 total opened since the time when the spec was last published

[21:59:42.0000] <MikeSmith>
some look like minor things that could be fixed with very little effort

[22:00:15.0000] <MikeSmith>
and others look like possible significant spec bugs/deficiencies that really ought to be fixed

[22:01:11.0000] <MikeSmith>
so the first task we need an editor to do is, triage and evaluate the open issues

[22:02:20.0000] <MikeSmith>
take https://github.com/w3c/webcrypto/issues/73 for example

[22:03:11.0000] <MikeSmith>
that is basically a new feature

[22:03:44.0000] <MikeSmith>
needs and editor to decided what the spec for it should actually be

[22:04:44.0000] <MikeSmith>
there are 13 open enhancements like that the tracker

[22:04:45.0000] <MikeSmith>
https://github.com/w3c/webcrypto/labels/enhancement

[22:05:33.0000] <MikeSmith>
and at least one outright spec bug

[22:05:34.0000] <MikeSmith>
https://github.com/w3c/webcrypto/issues/184

[22:26:28.0000] <annevk>
MikeSmith: my guess would be that there's no implementer interest so someone who does some basic maintenance would suffice

[01:07:52.0000] <annevk>
JakeA: one thing I noticed a few times recently is that procrastination pays off; if you wait long enough, fixing an issue in some standard that once seemed daunting is suddenly trivial

[01:08:55.0000] <JakeA>
annevk: haha yeah! Although in the case of the worklet import() thing, it's just waiting for someone else to do the hard work 😀

[01:11:31.0000] <JakeA>
Feel like I'm boiling the ocean with this browser session refactor, but it's bringing up lots of questions that haven't been answered yet, so I guess it's worth it

[01:13:17.0000] <JakeA>
One of the things about this kind of spec work is it's difficult to figure out if good progress is being made. It's such a niche thing it's difficult to judge if it's going well/badly in terms of time vs progress

[01:13:27.0000] <JakeA>
enjoying it at least

[01:15:02.0000] <annevk>
JakeA: I think it's very valuable, FWIW, and my comment wasn't at all about that

[01:16:04.0000] <annevk>
JakeA: there are basically countless questions and issues around history that this will give an answer to and or at least provide a solution foundation to get there,  that's massively useful

[01:16:19.0000] <annevk>
solid foundation, oops

[01:20:28.0000] <JakeA>
annevk: yeah, just hope I can continue to justify it in standups. Thankfully finding things like the session storage & popup issues feels more tangible to team leads than "I'm still moving words around in a spec" 😀

[01:26:24.0000] <MikeSmith>
annevk: OK so yeah, the task of even just making the “no implementor” interest on open feature/enhancement requests, we basically need an editor for that — or at least somebody, by whatever name/role, to take responsibility for making the assessements on the issues, and making the call

[01:27:22.0000] <MikeSmith>
JakeA: incidentally, I noticed you weighed in with a concrete proposal at https://github.com/w3c/webcrypto/issues/73#issuecomment-455065709

[01:27:48.0000] <MikeSmith>
..on that “Using the Subtle Crypto Interface with Streams” issue

[01:28:24.0000] <MikeSmith>
what is your sense of the level of implementor interest in actually implementing something there?

[01:29:24.0000] <MikeSmith>
(just taking this one issue as an example of an open Web Crypto issue, though it seems like it might actually happen to be the one with the highest/widest interest)

[01:30:01.0000] <JakeA>
MikeSmith: I'm kinda in the dark there. My comment was more as a developer than an implementer. I'll ask though

[01:30:45.0000] <MikeSmith>
JakeA: OK, thanks

[01:31:26.0000] <MikeSmith>
JakeA: about the general need, while you’re at it, please ask if anybody might be interested in stepping in to be the editor

[01:31:47.0000] <MikeSmith>
see https://github.com/w3c/webcrypto/issues/249

[01:32:36.0000] <MikeSmith>
I guess Ryan would be an obvious person to ask — I mean as far asking if he can think of anybody who might be a good fit

[01:32:42.0000] <MikeSmith>
Ryan Sleevi

[01:33:48.0000] <annevk>
He'll enjoy that :p

[01:49:48.0000] <MikeSmith>
heh

[11:10:01.0000] <annevk>
Domenic: marquee cleanup in 2021, nice

[11:10:23.0000] <Domenic>
Didn't want plugins feeling lonely

[11:11:01.0000] <annevk>
Good content for @htmlstandard 😛

[15:05:02.0000] <Domenic>
The "thanks" code works: https://mobile.twitter.com/htmlstandard/status/1355290810254819328


2021-01-30
[21:44:54.0000] <annevk>
Nice, I hope contributors like that