IRC Logs for #whatwg on 26th November 2008 (Real Data)

Wednesday 26th November 2008, 1:43pm CET.


Session Start: Wed Nov 26 00:00:00 2008

Session Ident: #whatwg

00:01 : also a "preview" button, and buttons that do server-side filling of fields without submitting the whole thing

00:01 : i guess i'll add novalidate

00:01 : you have about an hour to come up with a better name than "novalidate". :-)

00:01 : bbl

00:15 nessy joins (

00:16 erlehmann quits ( ("Ex-Chat")

00:18 arve__ joins (

00:24 roc quits (n=roc@

00:30 smerp quits (n=smerp@ (Read error: 110 (Connection timed out))

00:34 aaronlev quits ( (Read error: 110 (Connection timed out))

00:35 virtuelv_ quits ( (Read error: 110 (Connection timed out))

00:36 MikeSmith joins (

00:40 dglazkov quits (n=dglazkov@

00:44 MikeSmith quits ( ("sex break")

00:46 arve__ quits ( ("Leaving")

00:53 weinig quits (

00:56 aroben quits (n=adamrobe@unaffiliated/aroben)

00:58 : Hixie, calling it skipvalidity (which could be authored as skipValidity in the document) seems more consistent with the use of "validity" and "fooValidity()" and "ValidityFoo" for things in The Constraint Validation API:


01:01 : ignorevalidity (ignoreValidity) fits the above and fits the naming of "ignoreCase" and the convention for saying "UAs must ignore foo"

01:03 tndH quits ( ("ChatZilla 0.9.84-rdmsoft [XULRunner]")

01:05 tantek joins (n=tantek@

01:11 Hish quits ( (Read error: 104 (Connection reset by peer))

01:11 Hish__ joins (

01:11 Hish__ is now Hish

01:11 MikeSmith joins (

01:12 tantek quits (n=tantek@

01:12 Hish__ joins (

01:15 tantek joins (n=tantek@

01:18 : i think i prefer novalidate, for consistency with nohref, noresize, noshade, and nowrap (though the irony that all four of those are obsolete in html5 is not lost on me)

01:23 : so many conventions to choose from :P

01:23 : I'm unlikely to use the feature so I don't mind what you call it

01:28 Hish___ joins (

01:29 Hish quits ( (Read error: 110 (Connection timed out))

01:29 Hish___ is now Hish

01:32 weinig joins (

01:32 : BenMillard: :-)

01:35 Hish__ quits ( (Read error: 60 (Operation timed out))

01:41 ojan parts (n=ojan@nat/google/x-c6af13b38918cc27) ("Leaving")

01:54 Hish___ joins (

01:58 Hish quits ( (Read error: 60 (Operation timed out))

01:58 Hish___ is now Hish


02:02 svl quits ( ("And back he spurred like a madman, shrieking a curse to the sky.")

02:02 Hish___ joins (

02:08 weinig is now weinig|HOUSE

02:11 KevinMarks quits (n=KevinMar@nat/google/x-9c47188beed8039c)

02:22 Hish quits ( (Read error: 110 (Connection timed out))

02:26 KevinMarks joins (n=KevinMar@

02:43 : ew

02:43 : MouseEvent makes a mess of the init* methods

02:44 dglazkov joins (

02:52 smerp joins (

02:53 smerp_ joins (n=smerp@


03:01 smerp quits ( (Read error: 145 (Connection timed out))

03:03 tantek quits (n=tantek@

03:04 tantek joins (n=tantek@

03:06 : hmm

03:06 : so <input type=color>

03:06 : should it be possible for the user to set it to no color?

03:06 tantek quits (n=tantek@ (Client Quit)

03:09 : transparent?

03:18 : no, nothing at all

03:19 : like, type=number allows any number, as well as ""

03:19 : Can it have no color as initial value?

03:19 : but type=range doesn't allow ""

03:19 : Dashiva: that's another way of phrasing the same question, effectively

03:20 : what are the use cases for colour selection that we're trying to address and which ones are we not?

03:21 : in: selecting the colour of a label in gmail, selecting a color in a paint program

03:21 : can't think of any that are "out" offhand, but i'm sure there are many

03:22 : suggests that color pickers don't have a "no color" mode

03:22 : ok, so this is basically a simple RGB colour palette

03:23 : Hixie: But many of them have a cancel button

03:24 : Dashiva: yeah but that doesn't unset the previously selected color

03:24 : I'd assume things like paint colour selectors on interior decoration sites wouldn't be adequately covered by this, so that'd be out

03:25 : right

03:26 : out: pantone color selector

03:27 : I suppose we aren't addressing "How do you ensure the user selects a color and doesn't just go ahead with the default without considering it" either

03:29 rillian quits (n=giles@ (Read error: 54 (Connection reset by peer))

03:30 : not really

03:36 billyjackass joins (

03:37 : yes, I think no colour should be possible, because if someone wants to make a paint application, that's one way of letting the user select transparent

03:40 : Hixie, I think Word has a no colour mode.

03:41 BenMillard quits (

03:41 : Lachy: opacity should be separate from this anyway

03:45 KevinMarks quits (n=KevinMar@ ("The computer fell asleep")

03:46 KevinMarks joins (n=KevinMar@

03:49 : Hixie, the colour palettes in apps like Adobe Fireworks allow the user to select a no-colour option. it's useful when, e.g., you want to set the border colour of a shape to one colour and leave the fill colour transparent

03:49 Amorphous quits (i=jan@unaffiliated/amorphous) (Read error: 113 (No route to host))

03:52 MikeSmith quits ( (Read error: 110 (Connection timed out))

03:52 Amorphous joins (i=jan@unaffiliated/amorphous)

03:55 : Lachy: makes sense

03:56 dglazkov_ joins (n=dglazkov@

03:59 : hmm

03:59 : should we make the form <input type=color> parse colors in a simple way, or using the wacky <font color> algorithm?


04:00 : or using the css algorithm...

04:00 : so many options...

04:00 : can't use css, as it might return an alpha!=1.0 color

04:02 KevinMarks quits (n=KevinMar@ (Connection timed out)

04:04 dimich quits (n=dimich@ (Read error: 110 (Connection timed out))

04:06 : could you use a subset of the CSS colour, including #FFF, #FFFFFF, rgb(...) and hsl(...), but excluding rgba() and hsla()?

04:06 billyjackass is now MikeSmith

04:06 : also, the colour keywords

04:09 : that seems unnecessarily complex given that we'd still want to serialise everything to #rrggbb for submission

04:09 dave_levin quits (n=dave_lev@ (Read error: 110 (Connection timed out))

04:10 : that's pretty much the same as strokeStyle/fillStyle on the canvas context object though

04:10 : specifically, what conditions are you trying to address? Is this for when the user types in a colour manually or when the value is set by a script?

04:11 : strokeStyle and fillStyle are full CSS colors

04:11 : Lachy: value of the value="" attribute

04:11 : (and form submission)

04:12 : oh, ok.

04:17 dave_levin joins (

04:18 dglazkov quits ( (Read error: 110 (Connection timed out))

04:18 dave_levin_ joins (n=dave_lev@

04:19 dglazkov_ is now dglazkov

04:22 weinig|HOUSE is now weinig

04:22 : with other input types, I don't think there is any precedent for the value of the value attribute being automatically normalised prior to submission, and so it would probably be best to require the format #rrggbb

04:23 : plus, if we allowed other types, then that would seem to create complications when the input.value property is set by scripts

04:24 : s/other types/other formats/

04:25 : i'm still normalising it before submission btw (from uppercase to lowercase)

04:25 : ok

04:34 dave_levin quits ( (Read error: 110 (Connection timed out))

04:42 famicom joins (

04:59 dolske quits (n=dolske@firefox/developer/dolske) ("Leaving...")


05:00 dolske joins (n=dolske@firefox/developer/dolske)

05:09 : Hixie, is the order of the input types in the table in any particular order? It seems rather random. Could you put them into alphabetical order?

05:10 : well, I guess there sort of grouped by category

05:15 : the order is the order used so that there are the fewest differences from type to type in terms of what cells say "yes"

05:15 : except that password isn't before text

05:15 : Hixie, a valid simple colour should be A to F, not A to Z

05:16 : oops

05:16 dolske quits (n=dolske@firefox/developer/dolske) (Connection timed out)

05:18 : ok fixed

05:21 dolske joins (n=dolske@firefox/developer/dolske)

05:22 dbaron quits ( ("8403864 bytes have been tenured, next gc will be global.")

05:34 doublec quits (n=chris@ ("Leaving")

05:39 xcombelle quits ( (Remote closed the connection)

05:40 weinig is now weinig|away

05:40 dbaron joins (

05:53 smerp_ quits (n=smerp@


06:03 doublec joins (

06:11 heycam quits ( ("bye")

06:13 dimich joins (

06:15 dglazkov quits (n=dglazkov@

06:21 dimich quits (

06:39 famicom quits ( ("Leaving")

06:42 harig joins (n=harig_in@

06:49 sayrer joins (

06:50 : Hixie, so, I thought there was a feature freeze? but now we have this new 401 form...

06:57 tantek joins (

06:59 : sayrer: i said i wasn't adding anything new that hadn't already been requested as of the feature freeze (last december)

06:59 : the recent additions are from requests from 2006/2007


07:00 : that doesn't seem like a useful freeze to me

07:00 : thanks

07:00 : (or, in the case of workers, from requests from browser vendors who said that without a spec they'd just make up stuff)

07:00 : well the freeze is only intended to land us on schedule

07:00 : well, you are a browser vendor just making stuff up :)

07:00 : i mean implementors

07:01 shrugs

07:05 dave_levin_ quits (n=dave_lev@

07:06 dave_levin joins (n=dave_lev@

07:19 tantek quits ( (Read error: 110 (Connection timed out))

07:27 tantek joins (

07:34 sayrer quits ( (Read error: 110 (Connection timed out))

07:42 heycam joins (

07:49 maikmerten joins (

07:52 : Hixie: seems more like a suggestion freeze than a feature freeze :-)

07:56 : yeah, that'd be a better term

07:56 : i don't recall exactly how i phrased it


08:04 :

08:05 : Is there a definition for hixie:LC, hixie:CR, w3c:LC and w3c:CR?

08:06 : (and are there URIs to bind hixie and w3c to?)

08:18 KevinMarks joins (

08:22 : Hixie: btw, what happened to the OpenID integration idea that sicking mentioned at TPAC?

08:24 : i wonder how hixie:LC, hixie:CR, w3c:LC and w3c:CR differ

08:24 : hsivonen: no idea

08:25 : what's zcorpan's e-mail address?

08:25 : specifically, his webkit bugzilla account address

08:26 : I'd try searching webkit bugzilla for zcorpan and simonp

08:27 : tried that

08:28 BenMillard joins (

08:31 aaronlev joins (

08:32 dbaron quits ( ("8403864 bytes have been tenured, next gc will be global.")

08:41 theanxy quits ( (

08:42 theanxy joins (

08:45 tndH joins (

08:47 erlehmann joins (

08:50 BenMillard parts (

08:51 Maurice joins (

08:51 : Hixie: was "no idea" to the OpenID idea? that is, did you examine the feasibility of moving bits of the OpenID experience to browser chrome in a backwards-compatible way?

09:02 :


09:03 : no idea was to openid. not really sure what to do about it.

09:05 pesla joins (

09:13 hdh quits (n=hdh@ (Read error: 110 (Connection timed out))

09:13 ap joins (n=ap@

09:24 MikeSmith quits ( ("sex break")

09:33 : when you substitute a for b in c, which one is left in c? a, or b?

09:34 : a?

09:43 virtuelv joins (

09:44 Hish____ joins (

09:44 Hish____ is now Hish

09:47 weinig|away quits (

09:47 Hish___ quits ( (Read error: 60 (Operation timed out))

09:49 famicom joins (

09:50 tthorsen joins (

09:53 : a

09:53 : a is a substitue for b

09:58 tndH quits ( (Read error: 110 (Connection timed out))


10:04 Hish____ joins (

10:04 harig quits (n=harig_in@ (Read error: 110 (Connection timed out))

10:07 : wikitionary agrees

10:09 Hish quits ( (Read error: 60 (Operation timed out))

10:09 Hish____ is now Hish

10:11 doublec_ joins (

10:11 doublec quits ( (Read error: 113 (No route to host))

10:11 doublec_ is now doublec

10:12 : why are SVG and Canvas "extensions"?,2845,2335251,00.asp

10:16 : Why am I reading a thread about 'the login/logout problem' ?

10:17 : there isn't a problem.. it works fine

10:17 : hsivonen: that article is, in general, rather uninformed

10:19 : ie8 is adding svg and canvas?

10:19 : that's news to me

10:21 tthorsen quits ( ("Leaving")

10:24 mpt joins (n=mpt@canonical/launchpad/mpt)

10:25 : wtf, screen sharing just doesn't work anymore to this computer

10:25 : i don't get it

10:26 : no error message, nothing

10:26 : afp, too

10:26 : just doesn't connect

10:34 jruderman quits (

10:37 : have you tried restarting the machine?

10:37 : I mean the one you're trying to connect to

10:38 : yes

10:38 doublec quits ( (Read error: 104 (Connection reset by peer))

10:38 doublec_ joins (

10:38 doublec_ quits ( (Remote closed the connection)

10:41 : hsivonen: the telltale sign in that article would be

10:41 : «What's notable here is the margin. Chrome's winning margin is huge, even though Firefox 3.04, Opera and Safari have incorporated V8»

10:41 : o_O

10:42 : virtuelv: whoa

10:42 didn't actually read the whole article

10:43 Lachy quits (n=Lachlan@ ("This computer has gone to sleep")

10:43 : «We tested the version of Firefox (called Minefield) that does include the V8 code and listed those results below our "official" findings.»

10:46 : if I add remainingSpacePercentage, should I add it to sessionStorage, localStorage, and Database, or should I add it to Navigator and assume shared storage?

10:47 : Hixie: is the percentage really relevant?

10:48 : microsoft want a feature to say how much space is remaining, and bytes don't work

10:48 : Does it make sense on sessionStorage? I'd assume that'd be stored in RAM, and browsers don't have fixed limits on how much RAM a page can use

10:48 : a percentage is equally useless

10:49 : if I'm trying to store a DOMString of length 1231, a percentage isn't going to help me

10:49 : virtuelv: Bytes wouldn't help you either, since you don't know how many bytes it'll take to store that string

10:49 : the only thing that it would allow is showing a UI saying how close you are to running out

10:49 : but i guess the UA could do that better anyway

10:50 : virtuelv: so you should just try to store it, and watch for exceptions

10:51 aaronlev quits ( ("ChatZilla 0.9.83-rdmsoft [XULRunner]")

10:51 aaronlev joins (

10:52 yecril71 joins (

10:52 ROBOd joins (n=robod@

10:53 Hish____ joins (

10:57 Hish_____ joins (

10:58 Hish quits ( (Read error: 104 (Connection reset by peer))

10:58 Hish_____ is now Hish


11:01 : Allowing to execute hidden commands from the keyboard does not seem to be a good idea at all.

11:01 Lachy joins (

11:01 : Although it would make implementing Vi in HTML pretty hard,

11:01 : I do not think HTML should explicitly provide for that.

11:02 jruderman joins (

11:02 : zcorpan needs to be online more. someone hook him up with screen(1) and irssi(1), please. :-P

11:03 : the HTML article in wikipedia gets vandalized all the time and isn't protected. the XHTML article is semi-protected, though.

11:04 : Should I bring up the issue with fieldsets and HTMLControlsCollection to the list?

11:09 : what's the issue?

11:15 Hish____ quits ( (Read error: 110 (Connection timed out))

11:16 aaronlev quits ( ("ChatZilla 0.9.83-rdmsoft [XULRunner]")

11:16 aaronlev joins (

11:19 : The issue is a fieldset is not a control.

11:19 : And it does not belong to form.elements, as of HTML4.

11:20 : So there is a major incompatibility and a semantical flaw.

11:20 : browsers put fieldsets in form.elements, so there's not much we can do about that

11:20 : html5 defines it in a way that solves the "semantical flaw"

11:20 : i.e. it doesn't have a contradiction as best i can tell

11:20 : According to MSDN, a fieldset does not have a name.

11:20 : msdn is rarely accurate

11:21 : i wouldn't pay much attention to it

11:22 : Thanks, I shall evaluate it and leave a note there if it works anyway.

11:22 : Hixie: what is all this stuff abuot forms?

11:22 : mookid: ?

11:22 : which stuff?

11:23 : Now that OBJECT is submittable, the note about legacy reasons should go.

11:23 : Because it is a full member of the FORM.

11:24 : could you provide more context? i'm not psychic, i've no idea what note you are talking about

11:24 : "OBJECT belongs to FORM.elements for legacy reasons".

11:25 : (quoting from memory)

11:25 : could you quote from the spec?

11:25 : i can't find that string anywhere

11:25 : Have to find it again first.

11:26 hdh joins (n=hdh@

11:27 : For historical reasons, the object element, which is not otherwise considered to be related to forms, is also a form-associated element.

11:27 : That is the text.

11:28 : I would also note that IE7 gets awfully slow when displaying the specification,

11:28 : event the multipage version.

11:28 : And the section headers are not visible at all.

11:28 : They are hidden under the green background.

11:29 : That makes it somehow hard to know what you are reading about.

11:29 : yeah, IE has all kinds of bugs

11:29 : i recommend using another browser

11:29 fixes the line in question

11:30 : Thats all right, except that the cost of maintenance doubles.

11:31 : And you cannot get rid of IE7 in Windows.

11:31 : Of course, you can get rid of Windows, but that is quite an operation.

11:32 : I think it would be best for everybody to take that into account.

11:32 : cost of maintenance doubles? Firefox, Chrome and Safari autoupdate themselves on Windows

11:33 : Only if run with administrative privileges, something I shall never do.

11:33 : ok, fixed the object/form line

11:35 : I think it would not be so much harm to get rid of the negative top margin for now.

11:36 : A browser window is not short of sheet space, and PDF can be used for printing.

11:38 : Borrowing the header backround from the following element seems like a dirty hack.

11:38 : it's pretty. and standards compliant. If IE can't handle it, that's not my problem or the spec's problem.

11:39 : You can make the PDF as pretty as you wish.

11:39 : i don't read the pdf

11:39 : This is not a beauty contest.

11:40 : I think that Ubuntu is a better solution against Windows malware than running a personal Windows box without admin privileges

11:40 : It is better to be ugly than to be unreadable.

11:40 : so don't use IE

11:41 : making it slightly more readable isn't going to make the spec work in IE anyway

11:41 : IE doesn't handle the size of the page

11:41 : not much we can do about that

11:41 : It can read the multipage version.

11:41 : I do.

11:42 : Basically, the problem is with IE, not the spec. The solution is to have IE be fixed, not have the spec work around bugs in IE.

11:42 : I cannot have the IE fixed.

11:42 : yecril71: doesn't IE8 work, either?

11:42 : You have to ask Philip`.

11:42 : you can't have the spec fixed either. :-)

11:43 : And borrowing the backround for the next element is far from being good markup.

11:43 : it's quite acceptable css

11:43 :

11:44 : If you want the backround to be green, you have to choices:

11:44 : 2 choices:

11:44 : wrap in a common ancestor, which does not apply here,

11:44 : hsivonen: as someone who has worked on browser vendors, i hate it when sites work around bugs in browsers

11:44 : or use the same class.

11:44 : or use a negative margin :-)

11:44 : which is fine :-)

11:45 : Hixie: well, the mobile-bp doc doesn't acknowledge people from the companies you've worked for...

11:46 : I think it's quite telling that Opera and Apple aren't acked in the Mobile BP stuff

11:47 : chaals wrote part of it

11:47 : iirc

11:47 : The only workaround for Internet Explorer is to disable CSS.

11:48 : That makes the page readable and the performance is much better.

11:48 : Hixie: whoa. indeed. I was looking at the acks and thought the editor was from vodafone

11:48 erlehmann quits ( ("Ex-Chat")

11:48 : I must have mixed up the editorships of different docs

11:49 : actually i thought a googler worked on that doc too, but i don't see that in the acks anywhere

11:49 : might be another one

11:49 : there are so many

11:49 : However, even if I add to restricted sites, that will not disable CSS by default.

11:50 : And I am sorry to see Hixie behave so arrogantly.

11:51 : if there was a bug in the spec's style sheet, would you ask the browsers to work around it?

11:51 : simple software engineering. you fix the bug, you don't work around the bug.

11:52 : Not a single browser is fully CSS-compliant.

11:53 : Your attitude is unrealistic, however you may not like it.

11:53 : The publisher should aim at the intersection of what is supported.

11:53 : It's still baffling that a W3C REC doesn't include PNG support as part of the assumed image format support

11:54 : how did *that* get past *principles*?

11:54 : but then the markup language support is specced as XHTML Basic 1.1 [XHTML-Basic] delivered with content type application/xhtml+xml.

11:56 : And I cannot fix the bug in IE, as I already said.

11:56 : you also cannot fix the spec, so i don't see how that is different or relevant

11:57 : Well, but you can.

11:57 : With a very tiny amount of work.

11:57 : if you insist on using IE, then i recommend using instead.

11:59 : That document does not have a multipage version.


12:00 : ah well, i tried

12:01 : Hixie: Then why have work-arounds for IE at all?

12:01 : like the /* that last decl is for IE6. Try removing it, it's hilarious! */ one

12:02 : i thought i'd gotten rid of that one

12:02 : Hixie’s theory about does not hold.

12:02 : The MSDN is correct here.

12:02 : I don't see it in <>, but I see it in <>

12:03 ap is now ap|away

12:03 : gsnedders: fixed

12:03 : So it is not really "already implemented", and it is different from HTML4.

12:03 heads off

12:05 : yecril71: do you have a testcase demonstrating the error in the spec?

12:05 : i'm pretty sure i tested this

12:05 : but i could be wrong!

12:05 : Just a minute.

12:06 : (That is, I have it, but I have to publish it.)

12:08 : I think a lot of this mobile "best" practice stuff could go away if Opera Mini had serious competition

12:08 : so that vendors of devices that can't host a self-contained browser didn't feel they have to commit to a single vendor if they want a decent browser

12:09 : unfortunately, working around browser bugs is an essential job that web developers must do for commercial sites. But for web standards, where people reading the spec are expected to use modern browsers, fixing such bugs is an unnecessary hassle

12:09 : I would say that I think a lot of this mobile "best" practice stuff could go away if Mobile Safari had serious competition. :-)

12:09 : yecril71, I have to agree with Hixie. I have no sympathy for IE users

12:09 : not just IE users

12:10 : users of any browser with pretty fundamental bugs

12:10 : yeah, all browsers have bugs. But IE is the worst.

12:10 : it's entirely possible to build a professional website for Firefox, Opera and Safari without using any hacks. But only the most basic sites work in IE without hacks

12:11 : which reminds me that has a script error in IE (including 8)

12:18 : hmm. the login thing may be a deep rathole

12:22 :

12:22 : Hixie: regarding your email "Database section feedback": didn't Nikunj already volunteer? your email makes it look as though you are ignoring that he volunteered. (unless he volunteered only on the condition that he edits *all* the pieces he volunteered for)

12:23 : i have seen no evidence that he has volunteered other than him actually saying that he has volunteered

12:23 : (Note that the document is deliberately invalid now)

12:23 : Hixie: I think I see what you mean.

12:23 : (It is supposed to be valid HTML5)

12:24 : could you rewrite that in JS so i can test it in other browsers?

12:25 : What for? I do not contend it does not work in other browsers.

12:25 doesn't understand what you are trying to show with that test

12:25 : That a fieldset is not a form control.

12:25 : (what's important is compatibility with all browsers, not just IE)

12:26 : fieldset is not a form control, correct

12:26 : All browsers, including IE.

12:26 : But HTML5 says it belongs to form.elements.

12:26 : the spec doesn't have a concept of "form control", though, so that seems academic

12:26 : The collection is named HTMLFormControlsCollection.

12:26 : Or something like that.

12:27 : That means it bears the concept of a form control.

12:27 erlehmann joins (

12:27 : You have said you had to add this because that is what all browsers do.

12:27 : I have demonstrated it is not the case.

12:28 : the collection name is a historical artefact of little importance

12:28 : With that attitude, HTML5 is likely to become a historical artefact of little importance.

12:28 : it may be that it is not all browsers but just some browsers, then

12:29 : i expect one day it will be, yes

12:29 : I do not think that "some browsers" is a good argument to break logic and backward compatibility.

12:30 : according to!DOCTYPE%20html%3E...%3Cform%3E%3Cfieldset%3E%3C%2Ffieldset%3E%3C%2Fform%3E%0A%3Cscript%3Ew%28document.forms[0].elements.length%29%3C%2Fscript%3E

12:30 : IE, Firefox, and Opera all put <fieldset> in form.elements

12:30 : I would rather ask those browsers to fix their implementations, because it is a bug.

12:30 : Hixie: do I read correctly that the new http auth stuff doesn't ask browsers to change anything in their behavior?

12:31 : correct

12:31 : ok.

12:31 drry quits ( (

12:32 drry joins (

12:39 zcorpan joins (

12:39 : zcorpan!

12:39 : hey Hixie

12:40 : now i wish i had said on irc what i wanted to tell you, for i have forgotten it

12:40 : :(

12:40 : oh one was that i invented QUOTA_EXCEEDED_ERR with code 22, and wanted to ask you if you could add it along with codes 1-21 to web dom core

12:41 : ok, will do

12:41 : All right, I give up.

12:41 : <>

12:43 : I still can't figure out why Pentasis is having such a difficult time comprehending the purpose of the time element, nor why he's suggesting such ridiculous changes.

12:43 : I guess he's just interested in some kind of theoretical purity, rather than trying to address any serious practical issues

12:43 : theoretical purity isn't a bad thing in and of itself

12:44 : if the people who extended html over the years had slightly more concern over theoretical purity, we'd be in a much better state

12:44 : Hixie: added

12:44 : wow that was quick

12:44 : i need to ask you to do web dom core changes more often

12:44 : :-D

12:44 : :)

12:45 : did i ask you what the eta was on a fpwd yet?

12:45 : not sure but there's no eta yet

12:45 : k

12:45 : i'm trying to get the spec moved to a w3c wg

12:46 : won't webapps take it?

12:46 : haven't approached them yet

12:46 : oh one of the other things was a webkit bug i came across that was about weird (but compat-required) getElementById() behavior, iirc

12:47 : i tried cc'ing you but you didn't seem to have an account

12:47 : i forget which bug now

12:47 : i think i'm still using the @hotmail account on b.w.o :S

12:47 : Hixie, true. But when your theory is suggesting that an element for marking up dates using ISO-8601 isn't adequate because it still can't accurately represent historical dates from centuries ago, rather than just worrying about the use cases it was designed for, then it's being taken too far

12:47 : i guess i should change that

12:48 : I think we should define input type=date to apply to booking of hotels & transport

12:48 : Lachy: i think he ended up actually saying the opposite -- that we should limit it further (e.g. not allow 2AD) because that was too historical and wasn't accurate either

12:48 : and we should define <time> as a piece for microformats meant for scheduling secular civilian meetings

12:48 : is there a use case for <input type=url multiple>?

12:49 : I've generally found the things he's said to be confusing

12:49 : i think has such a field doesn't it?

12:49 : zcorpan: i'm sure one could be invented

12:49 : whether it's a common enough case to worry about is another question

12:49 : nobody has asked for it yet

12:49 : afaik

12:50 : for the use case, <input type=url multiple> would be backwards-incompatible with Opera

12:50 : I guess <input type=email multiple> isn't nice for Opera, either

12:50 : right

12:51 : Why are SCRIPT elements not allowed inside TABLE elements?

12:51 : yecril71: legacy

12:51 : and keeping things simple

12:52 : sure, we could limit it more, but picking cut-off point at the unix epoch 1970-01-01 wouldn't given enough range for people to mark up, e.g. birthdates, and anywhere else would be just arbitrary

12:52 : Simple for whom?

12:52 : me

12:52 : and authors in general

12:52 : It is not simple that, once I need to produce a part of a table with a script,

12:52 : Lachy: I think anything but 1970-01-01 and 0001-01-01 would be arbitrary

12:52 : Lachy: yeah

12:52 : I have to produce the whole table.

12:52 : hsivonen: but <script>s aren't foster parented, right?

12:53 : zcorpan: oh? I don't remember.

12:53 : yecril71: just use DOM manipulation

12:54 : (IE7 handles this use case cleanly)

12:54 : hsivonen: yep. "A start tag whose tag name is one of: "style", "script""

12:55 : ok

12:55 : <input type=hidden> is magical too

12:55 : and <script> needs to be made magical in <select>, which is going to be a pain

12:56 : That means it should be supported but the document is still nonconforming?

12:56 : yecril71: I withdraw what I said about legacy

12:57 : Why? TABLE elements cannot contain SCRIPT elements directly in HTML4 either.

12:57 : the restriction is one we inherited from html4 and one we will keep because allowing script in the middle of the table model encourages bad authoring practices (such as using document.write())

12:58 : yecril71: I thought there was a parser legacy issue there. I wasn't referring to validation legacy.


13:00 : Correct me if I am wrong, but there is no way to ask the document to add more rows to the preceding table, unless that table has an ID.

13:01 : While it is possible inside.

13:01 nessy quits ( ("This computer has gone to sleep")

13:01 : (supposing I place the SCRIPT right after the TABLE, that is.)

13:02 : just grab the last table from document.getElementsByTagName('table')

13:02 : Thanks.

13:05 sverrej joins (

13:09 : Hixie: is it ?

13:09 : yes

13:09 : wow

13:09 : good call

13:10 : first on a search for getelementbyid :)

13:12 virtuelv quits ( ("Leaving")

13:12 : :-)

13:12 erlehmann quits ( ("Ex-Chat")

13:14 : it seems we have lots of bugs saying that getElementById works with name=''

13:14 : which we dropped in 9.5

13:15 : and no bugs on it not working with name='', afaict

13:15 : also, i think ie8 doesn't look at name='' (in ie8 mode)

13:17 : i'll trust you to spec something that matches the web and that browsers are willing to converge on

13:17 : I think if a statement needs an in-transaction callback and an after-transaction callback, that amounts to two callbacks.

13:17 : i'm just glad it's not my problem for once :-)

13:17 tthorsen joins (

13:17 : So the most straightforward thing to do would be to allow two as required.

13:18 : You could also provide for a callback to figure out whether the transaction has finished

13:18 : and report that it needs to be called afterwards if not.

13:19 looks at feedback from anne about %-encoding in name="" attributes and #fragids, and decides to call it a night

13:47 tndH joins (n=Rob@

13:53 smerp joins (

13:58 smerp_ joins (n=smerp@


14:04 smerp quits ( (Read error: 60 (Operation timed out))

14:10 ap|away is now ap

14:12 smerp_ quits (n=smerp@

14:18 maikmerten quits ( (Client Quit)

14:22 mpt_ joins (n=mpt@canonical/launchpad/mpt)

14:24 mpt_ quits (n=mpt@canonical/launchpad/mpt) (Remote closed the connection)

14:25 tndH quits (n=Rob@ ("ChatZilla 0.9.84-rdmsoft [XULRunner]")

14:51 weinig joins (

14:55 smerp joins (

14:56 svl joins (

14:58 smerp quits ( (Client Quit)


15:17 tthorsen quits ( ("Leaving")

15:17 sayrer joins (

15:31 hdh quits (n=hdh@ ("Leaving.")

15:47 tndH joins (

15:49 sverrej quits ( (Read error: 110 (Connection timed out))

15:52 myakura joins (

15:54 : hmm. interesting. Gecko and HTML5 deal with noframes and noembed in very different ways

15:54 : in terms of implementation

15:54 : not necessarily from the POV of pages

15:57 : hsivonen: how are they different?

15:57 : Gecko keeps track of a nesting depth in noXXX elements and turns off <base> and form control handling when depth > 0

15:58 : HTML5 treats noXXX as CDATA elements

15:59 : hmm, my copy of firefox seems to insert a single text node in <noembed> -- not elements


16:00 : zcorpan: it's possible that the tokenizer has changed and the depth tracking is now dead code

16:00 : I was looking at the tree builder code

16:00 : hsivonen: yeah, i remember dbaron saying there was similar dead code for <iframe> a while back

16:01 : that disabled scripts or something

16:01 : I should have that the tree builder code looks like that--not that Firefox does it :-)

16:01 : can't really trust the looks of the Gecko parser code

16:02 : is that code used for xhtml?

16:02 : no

16:06 myakura quits ( ("Leaving...")

16:08 : if it's dead code, whats the point of keeping it around? Is it just that no-one has thought to remove it yet, and verify that it really is dead?

16:13 : Lachy: most likely it's dead and forgotten and now no one wants to touch the parser more than absolutely necessary

16:17 : ok. I suppose it won't matter too much since I assume they'll be replacing the parser entirely with a new HTML5 parser soon enough

16:17 : hopefully :-)

16:22 billmason joins (

16:27 jmb^ joins (

16:27 jmb quits ( (Read error: 131 (Connection reset by peer))

16:27 dglazkov joins (

16:28 dglazkov quits ( (Client Quit)

16:36 aaronlev_ joins (

16:49 mstange joins (

16:49 : hey punctation is allowed in encoding declarations

16:49 : you can make smileys out of encoding names

16:50 : ~u_^t^_f8

16:52 jmb^ quits ( (Remote closed the connection)

16:52 jmb joins (

16:53 : zcorpan, I can't see how that example you gave can be seen as a smiley?

16:54 Hish quits ( (Read error: 104 (Connection reset by peer))

16:56 : Lachy: dunno, come up with something better :)

16:56 aaronlev quits ( (Read error: 110 (Connection timed out))

16:56 sverrej joins (


17:00 : hey you could even have multiline ascii art

17:01 can't wait to debug input with multiline ascii art charsets

17:02 : w00t. the C++ version of the HTML5 parser *finally* links all the way

17:02 : Is newline allowed, though?

17:02 : any language that doesn't have C++-style linkage must give a huge productivity boost compared to C++

17:03 : zcorpan, where in the spec does it say punctation is allowed?

17:03 : is it that they're ignored for the parsing requirements, or that they're considered conforming too?

17:04 : "The value must be a valid character encoding name, and must be the preferred name for that encoding."

17:05 : hsivonen: doesn't complain about punctation

17:05 jmb quits ( (Remote closed the connection)

17:05 jmb joins (

17:06 : zcorpan, how do you interpret that as allowing punctuation?

17:06 : zcorpan: thanks. I filed

17:06 : Lachy: i don't :)

17:06 : wtf? You said "punctation is allowed in encoding declarations"

17:06 : yeah, i was mistaken

17:06 : i was just playing around in

17:06 : oh

17:07 : yecril71: The thread around discusses the IE heading CSS bug, and that post suggests a simple workaround, but I guess Hixie cares more about the theoretical purity of the spec's markup than about its impact on users :-)

17:08 Maurice quits ( ("Disconnected...")

17:10 Lachy quits ( ("This computer has gone to sleep")

17:11 yecril71 quits ( (Read error: 110 (Connection timed out))

17:16 jmb^ joins (

17:16 jmb quits ( (Read error: 104 (Connection reset by peer))

17:19 aroben joins (

17:25 aaronlev_ quits ( ("ChatZilla 0.9.83-rdmsoft [XULRunner]")

17:27 Lachy joins (n=Lachlan@

17:38 pesla quits ( ("( :: NoNameScript 4.21 :: )")

17:44 smedero joins (

17:51 sbublava joins (

17:53 dglazkov joins (n=dglazkov@nat/google/x-6eb211a951f14c72)

17:58 zcorpan quits (


18:03 Maurice joins (

18:13 jmb^ is now jmb

18:37 BenMillard joins (

18:49 : Lachy, I sometimes manage to make graphical websites which support Fx2, Fx3, O9, most recent Safari, IE6 and IE7 without hacks (re:

18:49 : usually, the show-stoppers aren't really CSS problems, it's fundamental breakage in the rendering engine :)

18:49 sbublava quits (

18:50 can't even make non-graphical sites without finding browser bugs :-(

18:50 : usually there are multiple ways of getting the same visual effect, like yecril71 points out

18:51 : and when the job has a requirement that it *must* look correct in that set of browsers before your client pays you, well, you learn to compromise :)

18:51 maikmerten joins (

18:54 : yecril71, in applications on Windows, the equivalent of <fieldset> is called Frame (at least in VB6) and you add it to a form (aka window) as a control (aka a form control)

18:54 : more specifically, it's a "container control" along with PictureBox, TabStrip and suchlike

18:55 dave_levin quits (n=dave_lev@

18:57 : krijnh, linkification stopped short by [ character:

18:58 aroben quits (n=adamrobe@unaffiliated/aroben)


19:04 erlehmann joins (

19:04 aroben joins (i=aroben@unaffiliated/aroben)

19:05 : Philip`, using position:relative on elements with negative margins is how I thought it was supposed to work, because I'm so used to doing that for IE :P

19:06 : sometimes I use a negative top or left value instead of negative margin, due to margin bugs

19:14 mstange quits ( ("ChatZilla 0.9.84 [Firefox 3.1b2pre/20081124033940]")

19:17 dave_levin joins (n=dave_lev@

19:17 ap quits (n=ap@

19:19 gets down to 3.6MB for an animated visualisation of the internal links in every 5th revision of the HTML 5 spec since its history began, which doesn't seem too bad

19:19 aroben is now aroben|lunch

19:19 : BenMillard: Why does position:relative help in those cases?

19:22 weinig quits (

19:23 wonders if that is danbri in one of his TPAC photos

19:24 : No, it isn't.

19:30 : Philip`, various strange things start working properly with position:relative in IE...often inexplicably :)

19:30 : (like graphical bullets on list items in semi-arbitrary conditions)

19:32 virtuelv joins (

19:39 mpt quits (n=mpt@canonical/launchpad/mpt) ("Leaving")

19:44 kangax joins (n=kangax@

19:54 dbaron joins (

19:54 : do I read the html5lib correctly when I think it sanizes by discarding tokens before the tree builder?

19:54 : s/html5lib/html5lib source/

19:55 KevinMarks quits ( ("The computer fell asleep")

19:55 KevinMarks joins (

19:58 : hsivonen: Yes

19:59 : jgraham: does it discard script content?

19:59 : hsivonen: I believe so


20:00 : (but I guess there may be bugs)

20:03 : It seems that the dominant design of HTML sanitizers is to throw stuff away between the tokenizer and the tree builder

20:04 : Hixie: looks like different rules are called for here compared to the infoset coercion stuff

20:04 : (not to suggest that HTML5 should prescribe the rules, but anyway)

20:05 : hsivonen, have you tested the new IE8 method?

20:06 : sayrer: nope. What's the new IE8 method?

20:06 : hsivonen, toSafeHTML or some such

20:06 : hsivonen, yeah, that's it

20:08 : "Update 11/20/08: changed reference to toSafeHTML to toStaticHTML" says IE blog

20:09 : hmm. string to string method

20:10 : sayrer: this is mail&news stuff, isn't it:

20:10 : hsivonen, yeah. I decided I couldn't use that, way back when. Don't remember why.

20:10 : sayrer: ok

20:11 : I should test toStaticHTML to see what it actually does

20:11 : thanks

20:12 KevinMarks quits ( (Read error: 110 (Connection timed out))

20:13 dimich joins (n=dimich@

20:17 :

20:17 :

20:17 : who are those someones?

20:17 : gsnedders: in 3061950334 Felix Sasaki

20:17 : gsnedders: in 3061106047 Steve Zilles

20:25 : hsivonen, I may have run screaming from

20:26 : and also the pref parsing

20:27 : sayrer: seems to be the wrong way round...

20:34 KevinMarks joins (n=KevinMar@

20:40 : hsivonen: ah, thx

20:56 Lachy quits (n=Lachlan@ ("This computer has gone to sleep")

20:58 kangax quits (n=kangax@


21:17 aroben|lunch is now aroben

21:19 :

21:20 BenMillard quits (

21:24 : Hixie: am reading the spec correctly that it's OK to have an event loop spin between document.close() and the tokenizer emitting the EOF?

21:25 aroben quits (i=aroben@unaffiliated/aroben) (Read error: 104 (Connection reset by peer))

21:25 wonders if he gets a VPS how quickly he'll screw it up

21:25 weinig joins (

21:26 : hsivonen: that is lovely.

21:29 weinig is now weinig|away

21:36 KrocCamen joins (

21:49 shepazu joins (

21:49 mpt joins (n=mpt@canonical/launchpad/mpt)

21:51 : gsnedders: You can always just reinstall it once you break everything

21:51 : Philip`: :P

21:52 discovered Ubuntu has "ufw", which makes firewall configuration actually sane - you say stuff like "ufw allow 80/tcp" and it does what you want, and you don't have to even know what iptables are

21:56 Lachy joins (n=Lachlan@

21:57 : wow


22:00 nessy joins (

22:02 maikmerten quits ( (Client Quit)

22:02 virtuelv quits ( (Read error: 110 (Connection timed out))

22:06 epeus joins (n=KevinMar@nat/google/x-c7df243871ef63f8)

22:13 ROBOd quits (n=robod@ ("")

22:13 KevinMarks quits (n=KevinMar@ (Connection timed out)

22:29 shepazu quits (

22:30 : hsivonen: not only is it ok, it is required, because the tokeniser only emits stuff as part of the event loop

22:34 : Hixie: doesn't the tokenizer emit non-EOF tokens immediately on first-level document.write()?

22:34 : yeah but that is still originally part of an event loop step

22:34 : Hixie: but it's good that a spin is OK with document.close()

22:35 : ok

22:36 dolske quits (n=dolske@firefox/developer/dolske) ("Leaving...")

22:55 nessy quits ( ("This computer has gone to sleep")

23:05 : BenMillard: fixed, thanks


23:07 : That was a short-lived feature (@html-auth)

23:12 apologises for helping kill it

23:12 smedero quits (

23:15 : (Actually I'm blame Julian, for originally suggesting that there could be a security issue)

23:16 : Jonas would've picked up the slack anyhow, it seems :)

23:16 : off with its head!

23:19 : sicking: Do you have a secret new proposal that will rock our socks?

23:19 Maurice quits ( ("Disconnected...")

23:19 : nothing secret

23:19 : i've argued for something like OpenID for a while, just not very heavily

23:20 : OpenID, the way it looks like now, with all its redirects and stuff, is no good though

23:20 : but there a lot that can be done if we build it into the browser

23:20 : basically we need something like microsofts CardSpace, but as a more open platform

23:22 hdh joins (n=hdh@

23:22 : Does cardspace avoid the "phishing enabling" of current openid?

23:23 doublec joins (n=chris@

23:24 : that is my understanding

23:24 nessy joins (n=nessy@

23:24 : sicking, how so?

23:24 : however, i have not heard what all the complaints about neither cardspace nor openid are, so it's entirely possible that neither of them are very close to what we need

23:25 : sayrer, you don't type a password, you just click on an image to choose which identity to use

23:25 : that is good

23:25 : fwiw, I did like the idea of using the 401 body for this

23:25 : sicking: I think it would need to degrade gracefully into the current OpenID experience in browsers that don't implement the future thing

23:25 : Philip`, I find it difficult to believe that anyone would be stupid enough to introduce a XSS bug into a 401 page, especially because it's effectivly saying you need to log in before you can do anything

23:25 : only Safari is broken w.r.t. that extension point

23:26 : hsivonen, it needs to degrade into something for sure

23:26 : sicking: so in that sense, seeking to put the hook into the OpenID ID provider code might work

23:26 : and the XSS attack you outlined would need so many different bugs to occur in just the right way, it seems highly unlikely

23:26 : but that would mean users would have to enter a URI into a field still

23:26 : unless the field can be reliably autocompleted by the browser, too

23:26 : I had the idea that the 401 body should be the non-existant notion of svg static

23:27 : so browsers can create a difficult to simulte UI

23:27 : and show a little bit of branding next to it

23:27 weinig|away is now weinig

23:27 : what's svg static?

23:28 : svg with scripting, animation, fonts, etc

23:28 : er

23:28 : witout

23:28 : without

23:28 : ah

23:28 : there is no subset that matches that

23:28 : but I'm thinking full-screen shadowed / UI box

23:28 : I guess flash or quicktime might be coerced

23:28 : to do that

23:28 : but it would be much harder

23:29 : although I'm still glad the www-authenticate feature was removed, since it seemed quite useless in practice for all but a very niche market

23:30 : Lachy: It doesn't seem implausible that someone would have e.g. login.php?return=... which gives you the login form with a <a href="$return">Go back</a> and returns 401 and WWW-Authenticate HTML because they want to tell bots to log in that way, and introduce the XSS hole that way

23:30 : Lachy: and I don't see what bugs the attack needs, other than the XSS one

23:30 heycam quits ( ("bye")

23:31 : Lachy: Also, you shouldn't underestimate people's stupidity :-p

23:33 : it requires the bot to access the page via a URL which exploits the XSS attacks

23:34 : Bots follow links, and it's trivial to put a link onto most people's sites

23:34 : that may depend on the purpose of the bot, and where it was following links from

23:34 : (via blog comments, or referrer logs, or whatever)

23:34 : The purpose of the bot is to follow all the links it can find on the site :-)

23:35 : could just turn of scripts on 401 pages

23:35 : sayrer: There aren't any scripts involved here

23:35 : oh I see

23:36 : I suppose a such a link could occur on the site itself if it allowed user generated content of some kind

23:36 : and only used the 401 to prevent access to member areas

23:38 : it may not be a new problem though. If there are bots that perform this kind of log in already, by being manually configured with the form name, they would be vulnerable to the same attack

23:38 : although without the www-authenticate header advertising that, it's less likely

23:39 : but the same attack could be used against users by getting them to follow the link

23:40 erlehmann quits ( ("Ex-Chat")

23:41 : It's not a problem unique to WWW-Authenticate, but WWW-Authenticate was designed in a way that encourages behaviour that would encounter that problem

23:46 fakeolliej is now olliej

23:54 ginger joins (n=nessy@

23:54 heycam joins (

23:55 mpt quits (n=mpt@canonical/launchpad/mpt) ("Leaving")

23:59 : i hven't removed it yet btw

Session Close: Thu Nov 27 00:00:00 2008

A service by Krijn Hoetmer. Questions, improvements, suggestions & ideas are welcome! View the website statistics.