#whatwg on 26th November 2008 (Real Data)
Wednesday 26th November 2008, 1:43pm CET.
Session Start: Wed Nov 26 00:00:00 2008
Session Ident: #whatwg
00:01 : also a "preview" button, and buttons that do server-side filling of fields without submitting the whole thing
00:01 : i guess i'll add novalidate
00:01 : you have about an hour to come up with a better name than "novalidate". :-)
00:01 : bbl
00:15 nessy joins (firstname.lastname@example.org)
00:16 erlehmann quits (email@example.com) ("Ex-Chat")
00:18 arve__ joins (firstname.lastname@example.org)
00:24 roc quits (email@example.com)
00:30 smerp quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
00:34 aaronlev quits (email@example.com) (Read error: 110 (Connection timed out))
00:35 virtuelv_ quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
00:36 MikeSmith joins (n=MikeSmit@EM114-48-12-131.pool.e-mobile.ne.jp)
00:40 dglazkov quits (email@example.com)
00:44 MikeSmith quits (n=MikeSmit@EM114-48-12-131.pool.e-mobile.ne.jp) ("sex break")
00:46 arve__ quits (firstname.lastname@example.org) ("Leaving")
00:53 weinig quits (email@example.com)
00:56 aroben quits (n=adamrobe@unaffiliated/aroben)
00:58 : Hixie, calling it skipvalidity (which could be authored as skipValidity in the document) seems more consistent with the use of "validity" and "fooValidity()" and "ValidityFoo" for things in The Constraint Validation API: http://www.whatwg.org/specs/web-apps/current-work/multipage/forms.html#the-constraint-validation-api
01:01 : ignorevalidity (ignoreValidity) fits the above and fits the naming of "ignoreCase" and the convention for saying "UAs must ignore foo"
01:03 tndH quits (n=Rob@james-baillie-pc083-058.student-halls.leeds.ac.uk) ("ChatZilla 0.9.84-rdmsoft [XULRunner 188.8.131.52/2008072406]")
01:05 tantek joins (firstname.lastname@example.org)
01:11 Hish quits (email@example.com) (Read error: 104 (Connection reset by peer))
01:11 Hish__ joins (firstname.lastname@example.org)
01:11 Hish__ is now Hish
01:11 MikeSmith joins (n=MikeSmit@EM114-48-37-67.pool.e-mobile.ne.jp)
01:12 tantek quits (email@example.com)
01:12 Hish__ joins (n=chatzill@p5B382A65.dip0.t-ipconnect.de)
01:15 tantek joins (firstname.lastname@example.org)
01:18 : i think i prefer novalidate, for consistency with nowrap (though the irony that all four of those are obsolete in html5 is not lost on me)
01:23 : so many conventions to choose from :P
01:23 : I'm unlikely to use the feature so I don't mind what you call it
01:28 Hish___ joins (email@example.com)
01:29 Hish quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
01:29 Hish___ is now Hish
01:32 weinig joins (email@example.com)
01:32 : BenMillard: :-)
01:35 Hish__ quits (n=chatzill@p5B382A65.dip0.t-ipconnect.de) (Read error: 60 (Operation timed out))
01:41 ojan parts (n=ojan@nat/google/x-c6af13b38918cc27) ("Leaving")
01:54 Hish___ joins (n=chatzill@p5B382A65.dip0.t-ipconnect.de)
01:58 Hish quits (firstname.lastname@example.org) (Read error: 60 (Operation timed out))
01:58 Hish___ is now Hish
02:02 svl quits (email@example.com) ("And back he spurred like a madman, shrieking a curse to the sky.")
02:02 Hish___ joins (firstname.lastname@example.org)
02:08 weinig is now weinig|HOUSE
02:11 KevinMarks quits (n=KevinMar@nat/google/x-9c47188beed8039c)
02:22 Hish quits (n=chatzill@p5B382A65.dip0.t-ipconnect.de) (Read error: 110 (Connection timed out))
02:26 KevinMarks joins (n=KevinMar@184.108.40.206)
02:43 : ew
02:43 : MouseEvent makes a mess of the
02:44 dglazkov joins (email@example.com)
02:52 smerp joins (firstname.lastname@example.org)
02:53 smerp_ joins (email@example.com)
03:01 smerp quits (firstname.lastname@example.org) (Read error: 145 (Connection timed out))
03:03 tantek quits (email@example.com)
03:04 tantek joins (firstname.lastname@example.org)
03:06 : hmm
03:06 : so
03:06 : should it be possible for the user to set it to no color?
03:06 tantek quits (email@example.com) (Client Quit)
03:09 : transparent?
03:18 : no, nothing at all
03:19 : like, type=number allows any number, as well as
03:19 : Can it have no color as initial value?
03:19 : but type=range doesn't allow
03:19 : Dashiva: that's another way of phrasing the same question, effectively
03:20 : what are the use cases for colour selection that we're trying to address and which ones are we not?
03:21 : in: selecting the colour of a label in gmail, selecting a color in a paint program
03:21 : can't think of any that are "out" offhand, but i'm sure there are many
03:22 : http://images.google.com/images?client=safari&rls=en-us&q=color%20pickers&ie=UTF-8&oe=UTF-8&um=1&sa=N&tab=wi suggests that color pickers don't have a "no color" mode
03:22 : ok, so this is basically a simple RGB colour palette
03:23 : Hixie: But many of them have a cancel button
03:24 : Dashiva: yeah but that doesn't unset the previously selected color
03:24 : I'd assume things like paint colour selectors on interior decoration sites wouldn't be adequately covered by this, so that'd be out
03:25 : right
03:26 : out: pantone color selector
03:27 : I suppose we aren't addressing "How do you ensure the user selects a color and doesn't just go ahead with the default without considering it" either
03:29 rillian quits (firstname.lastname@example.org) (Read error: 54 (Connection reset by peer))
03:30 : not really
03:36 billyjackass joins (n=MikeSmit@dhcp-246-124.mag.keio.ac.jp)
03:37 : yes, I think no colour should be possible, because if someone wants to make a paint application, that's one way of letting the user select transparent
03:40 : Hixie, I think Word has a no colour mode.
03:41 BenMillard quits (email@example.com)
03:41 : Lachy: opacity should be separate from this anyway
03:45 KevinMarks quits (n=KevinMar@220.127.116.11) ("The computer fell asleep")
03:46 KevinMarks joins (n=KevinMar@18.104.22.168)
03:49 : Hixie, the colour palettes in apps like Adobe Fireworks allow the user to select a no-colour option. it's useful when, e.g., you want to set the border colour of a shape to one colour and leave the fill colour transparent
03:49 Amorphous quits (i=jan@unaffiliated/amorphous) (Read error: 113 (No route to host))
03:52 MikeSmith quits (n=MikeSmit@EM114-48-37-67.pool.e-mobile.ne.jp) (Read error: 110 (Connection timed out))
03:52 Amorphous joins (i=jan@unaffiliated/amorphous)
03:55 : Lachy: makes sense
03:56 dglazkov_ joins (firstname.lastname@example.org)
03:59 : hmm
03:59 : should we make the form <input type=color> parse colors in a simple way, or using the wacky <font color> algorithm?
04:00 : or using the css algorithm...
04:00 : so many options...
04:00 : can't use css, as it might return an alpha!=1.0 color
04:02 KevinMarks quits (n=KevinMar@22.214.171.124) (Connection timed out)
04:04 dimich quits (email@example.com) (Read error: 110 (Connection timed out))
04:06 : could you use a subset of the CSS colour, including hsl(...), but excluding
04:06 billyjackass is now MikeSmith
04:06 : also, the colour keywords
04:09 : that seems unnecessarily complex given that we'd still want to serialise everything to #rrggbb for submission
04:09 dave_levin quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
04:10 : that's pretty much the same as fillStyle on the canvas context object though
04:10 : specifically, what conditions are you trying to address? Is this for when the user types in a colour manually or when the value is set by a script?
fillStyle are full CSS colors
04:11 : Lachy: value of the
04:11 : (and form submission)
04:12 : oh, ok.
04:17 dave_levin joins (email@example.com)
04:18 dglazkov quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
04:18 dave_levin_ joins (email@example.com)
04:19 dglazkov_ is now dglazkov
04:22 weinig|HOUSE is now weinig
04:22 : with other input types, I don't think there is any precedent for the value of the value attribute being automatically normalised prior to submission, and so it would probably be best to require the format #rrggbb
04:23 : plus, if we allowed other types, then that would seem to create complications when the input.value property is set by scripts
04:24 : s/other types/other formats/
04:25 : i'm still normalising it before submission btw (from uppercase to lowercase)
04:25 : ok
04:34 dave_levin quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
04:42 famicom joins (i=famicom@5ED2FF2D.cable.ziggo.nl)
04:59 dolske quits (n=dolske@firefox/developer/dolske) ("Leaving...")
05:00 dolske joins (n=dolske@firefox/developer/dolske)
05:09 : Hixie, is the order of the input types in the table in any particular order? It seems rather random. Could you put them into alphabetical order?
05:10 : well, I guess they're sort of grouped by category
05:15 : the order is the order used so that there are the fewest differences from type to type in terms of what cells say "yes"
05:15 : except that password isn't before text
05:15 : Hixie, a valid simple colour should be A to F, not A to Z
05:16 : oops
05:16 dolske quits (n=dolske@firefox/developer/dolske) (Connection timed out)
05:18 : ok fixed
05:21 dolske joins (n=dolske@firefox/developer/dolske)
05:22 dbaron quits (email@example.com) ("8403864 bytes have been tenured, next gc will be global.")
05:34 doublec quits (firstname.lastname@example.org) ("Leaving")
05:39 xcombelle quits (n=chatzill@AToulouse-158-1-151-166.w90-60.abo.wanadoo.fr) (Remote closed the connection)
05:40 weinig is now weinig|away
05:40 dbaron joins (email@example.com)
05:53 smerp_ quits (firstname.lastname@example.org)
06:03 doublec joins (n=Chris_Do@118-92-214-173.dsl.dyn.ihug.co.nz)
06:11 heycam quits (email@example.com) ("bye")
06:13 dimich joins (firstname.lastname@example.org)
06:15 dglazkov quits (email@example.com)
06:21 dimich quits (firstname.lastname@example.org)
06:39 famicom quits (i=famicom@5ED2FF2D.cable.ziggo.nl) ("Leaving")
06:42 harig joins (email@example.com)
06:49 sayrer joins (firstname.lastname@example.org)
06:50 : Hixie, so, I thought there was a feature freeze? but now we have this new 401 form...
06:57 tantek joins (email@example.com)
06:59 : sayrer: i said i wasn't adding anything new that hadn't already been requested as of the feature freeze (last december)
06:59 : the recent additions are from requests from 2006/2007
07:00 : that doesn't seem like a useful freeze to me
07:00 : thanks
07:00 : (or, in the case of workers, from requests from browser vendors who said that without a spec they'd just make up stuff)
07:00 : well the freeze is only intended to land us on schedule
07:00 : well, you are a browser vendor just making stuff up :)
07:00 : i mean implementors
07:05 dave_levin_ quits (firstname.lastname@example.org)
07:06 dave_levin joins (email@example.com)
07:19 tantek quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
07:27 tantek joins (email@example.com)
07:34 sayrer quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
07:42 heycam joins (email@example.com)
07:49 maikmerten joins (firstname.lastname@example.org)
07:52 : Hixie: seems more like a suggestion freeze than a feature freeze :-)
07:56 : yeah, that'd be a better term
07:56 : i don't recall exactly how i phrased it
08:04 : http://intertwingly.net/blog/2008/11/20/Half-Full#c1227667144
08:05 : Is there a definition for
08:06 : (and are there URIs to bind hixie and w3c to?)
08:18 KevinMarks joins (n=KevinMar@c-98-207-134-151.hsd1.ca.comcast.net)
08:22 : Hixie: btw, what happened to the OpenID integration idea that sicking mentioned at TPAC?
08:24 : i wonder how
08:24 : hsivonen: no idea
08:25 : what's zcorpan's e-mail address?
08:25 : specifically, his webkit bugzilla account address
08:26 : I'd try searching webkit bugzilla for zcorpan and simonp
08:27 : tried that
08:28 BenMillard joins (email@example.com)
08:31 aaronlev joins (firstname.lastname@example.org)
08:32 dbaron quits (email@example.com) ("8403864 bytes have been tenured, next gc will be global.")
08:41 theanxy quits (firstname.lastname@example.org) (zelazny.freenode.net irc.freenode.net)
08:42 theanxy joins (email@example.com)
08:45 tndH joins (n=Rob@james-baillie-pc083-058.student-halls.leeds.ac.uk)
08:47 erlehmann joins (firstname.lastname@example.org)
08:50 BenMillard parts (email@example.com)
08:51 Maurice joins (firstname.lastname@example.org)
08:51 : Hixie: was "no idea" to the OpenID idea? that is, did you examine the feasibility of moving bits of the OpenID experience to browser chrome in a backwards-compatible way?
09:02 : http://lists.w3.org/Archives/Public/www-validator/2008Nov/0044.html
09:03 : no idea was to openid. not really sure what to do about it.
09:05 pesla joins (email@example.com)
09:13 hdh quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
09:13 ap joins (email@example.com)
09:24 MikeSmith quits (n=MikeSmit@dhcp-246-124.mag.keio.ac.jp) ("sex break")
09:33 : when you substitute a for b in c, which one is left in c? a, or b?
09:34 : a?
09:43 virtuelv joins (firstname.lastname@example.org)
09:44 Hish____ joins (n=chatzill@p3EE221D1.dip0.t-ipconnect.de)
09:44 Hish____ is now Hish
09:47 weinig|away quits (email@example.com)
09:47 Hish___ quits (firstname.lastname@example.org) (Read error: 60 (Operation timed out))
09:49 famicom joins (i=famicom@5ED2FF2D.cable.ziggo.nl)
09:50 tthorsen joins (email@example.com)
09:53 : a
09:53 : a is a substitute for b
09:58 tndH quits (n=Rob@james-baillie-pc083-058.student-halls.leeds.ac.uk) (Read error: 110 (Connection timed out))
10:04 Hish____ joins (firstname.lastname@example.org)
10:04 harig quits (email@example.com) (Read error: 110 (Connection timed out))
10:07 : wiktionary agrees
10:09 Hish quits (n=chatzill@p3EE221D1.dip0.t-ipconnect.de) (Read error: 60 (Operation timed out))
10:09 Hish____ is now Hish
10:11 doublec_ joins (n=Chris_Do@118-92-214-173.dsl.dyn.ihug.co.nz)
10:11 doublec quits (n=Chris_Do@118-92-214-173.dsl.dyn.ihug.co.nz) (Read error: 113 (No route to host))
10:11 doublec_ is now doublec
10:12 : why are SVG and Canvas "extensions"? http://www.extremetech.com/article2/0,2845,2335251,00.asp
10:16 : Why am I reading a thread about 'the login/logout problem' ?
10:17 : there isn't a problem.. it works fine
10:17 : hsivonen: that article is, in general, rather uninformed
10:19 : ie8 is adding svg and canvas?
10:19 : that's news to me
10:21 tthorsen quits (firstname.lastname@example.org) ("Leaving")
10:24 mpt joins (n=mpt@canonical/launchpad/mpt)
10:25 : wtf, screen sharing just doesn't work anymore to this computer
10:25 : i don't get it
10:26 : no error message, nothing
10:26 : afp, too
10:26 : just doesn't connect
10:34 jruderman quits (email@example.com)
10:37 : have you tried restarting the machine?
10:37 : I mean the one you're trying to connect to
10:38 : yes
10:38 doublec quits (n=Chris_Do@118-92-214-173.dsl.dyn.ihug.co.nz) (Read error: 104 (Connection reset by peer))
10:38 doublec_ joins (n=Chris_Do@118-92-214-173.dsl.dyn.ihug.co.nz)
10:38 doublec_ quits (n=Chris_Do@118-92-214-173.dsl.dyn.ihug.co.nz) (Remote closed the connection)
10:41 : hsivonen: the telltale sign in that article would be
10:41 : «What's notable here is the margin. Chrome's winning margin is huge, even though Firefox 3.04, Opera and Safari have incorporated V8»
10:41 : o_O
10:42 : virtuelv: whoa
10:42 didn't actually read the whole article
10:43 Lachy quits (n=Lachlan@126.96.36.199) ("This computer has gone to sleep")
10:43 : «We tested the version of Firefox (called Minefield) that does include the V8 code and listed those results below our "official" findings.»
10:46 : if I add remainingSpacePercentage, should I add it to Database, or should I add it to Navigator and assume shared storage?
10:47 : Hixie: is the percentage really relevant?
10:48 : microsoft want a feature to say how much space is remaining, and bytes don't work
10:48 : Does it make sense on sessionStorage? I'd assume that'd be stored in RAM, and browsers don't have fixed limits on how much RAM a page can use
10:48 : a percentage is equally useless
10:49 : if I'm trying to store a DOMString of length 1231, a percentage isn't going to help me
10:49 : virtuelv: Bytes wouldn't help you either, since you don't know how many bytes it'll take to store that string
10:49 : the only thing that it would allow is showing a UI saying how close you are to running out
10:49 : but i guess the UA could do that better anyway
10:50 : virtuelv: so you should just try to store it, and watch for exceptions
10:51 aaronlev quits (firstname.lastname@example.org) ("ChatZilla 0.9.83-rdmsoft [XULRunner 188.8.131.52/2008072406]")
10:51 aaronlev joins (email@example.com)
10:52 yecril71 joins (firstname.lastname@example.org)
10:52 ROBOd joins (email@example.com)
10:53 Hish____ joins (n=chatzill@p3EE221D1.dip0.t-ipconnect.de)
10:57 Hish_____ joins (firstname.lastname@example.org)
10:58 Hish quits (email@example.com) (Read error: 104 (Connection reset by peer))
10:58 Hish_____ is now Hish
11:01 : Allowing to execute hidden commands from the keyboard does not seem to be a good idea at all.
11:01 Lachy joins (n=Lachlan@pat-tdc.opera.com)
11:01 : Although it would make implementing Vi in HTML pretty hard,
11:01 : I do not think HTML should explicitly provide for that.
11:02 jruderman joins (firstname.lastname@example.org)
11:02 : zcorpan needs to be online more. someone hook him up with irssi(1), please. :-P
11:03 : the HTML article in wikipedia gets vandalized all the time and isn't protected. the XHTML article is semi-protected, though.
11:04 : Should I bring up the issue with fieldsets and HTMLControlsCollection to the list?
11:09 : what's the issue?
11:15 Hish____ quits (n=chatzill@p3EE221D1.dip0.t-ipconnect.de) (Read error: 110 (Connection timed out))
11:16 aaronlev quits (email@example.com) ("ChatZilla 0.9.83-rdmsoft [XULRunner 184.108.40.206/2008072406]")
11:16 aaronlev joins (firstname.lastname@example.org)
11:19 : The issue is a fieldset is not a control.
11:19 : And it does not belong to form.elements, as of HTML4.
11:20 : So there is a major incompatibility and a semantical flaw.
11:20 : browsers put fieldsets in form.elements, so there's not much we can do about that
11:20 : html5 defines it in a way that solves the "semantical flaw"
11:20 : i.e. it doesn't have a contradiction as best i can tell
11:20 : According to MSDN, a fieldset does not have a name.
11:20 : msdn is rarely accurate
11:21 : i wouldn't pay much attention to it
11:22 : Thanks, I shall evaluate it and leave a note there if it works anyway.
11:22 : Hixie: what is all this stuff about forms?
11:22 : mookid: ?
11:22 : which stuff?
11:23 : Now that OBJECT is submittable, the note about legacy reasons should go.
11:23 : Because it is a full member of the
11:24 : could you provide more context? i'm not psychic, i've no idea what note you are talking about
11:24 : "OBJECT belongs to FORM.elements for legacy reasons".
11:25 : (quoting from memory)
11:25 : could you quote from the spec?
11:25 : i can't find that string anywhere
11:25 : Have to find it again first.
11:26 hdh joins (email@example.com)
11:27 : For historical reasons, the object element, which is not otherwise considered to be related to forms, is also a form-associated element.
11:27 : That is the text.
11:28 : I would also note that IE7 gets awfully slow when displaying the specification,
11:28 : even the multipage version.
11:28 : And the section headers are not visible at all.
11:28 : They are hidden under the green background.
11:29 : That makes it somehow hard to know what you are reading about.
11:29 : yeah, IE has all kinds of bugs
11:29 : i recommend using another browser
11:29 fixes the line in question
11:30 : That's all right, except that the cost of maintenance doubles.
11:31 : And you cannot get rid of IE7 in Windows.
11:31 : Of course, you can get rid of Windows, but that is quite an operation.
11:32 : I think it would be best for everybody to take that into account.
11:32 : cost of maintenance doubles? Firefox, Chrome and Safari autoupdate themselves on Windows
11:33 : Only if run with administrative privileges, something I shall never do.
11:33 : ok, fixed the object/form line
11:35 : I think it would not be so much harm to get rid of the negative top margin for now.
11:36 : A browser window is not short of sheet space, and PDF can be used for printing.
11:38 : Borrowing the header background from the following element seems like a dirty hack.
11:38 : it's pretty. and standards compliant. If IE can't handle it, that's not my problem or the spec's problem.
11:39 : You can make the PDF as pretty as you wish.
11:39 : i don't read the pdf
11:39 : This is not a beauty contest.
11:40 : I think that Ubuntu is a better solution against Windows malware than running a personal Windows box without admin privileges
11:40 : It is better to be ugly than to be unreadable.
11:40 : so don't use IE
11:41 : making it slightly more readable isn't going to make the spec work in IE anyway
11:41 : IE doesn't handle the size of the page
11:41 : not much we can do about that
11:41 : It can read the multipage version.
11:41 : I do.
11:42 : Basically, the problem is with IE, not the spec. The solution is to have IE be fixed, not have the spec work around bugs in IE.
11:42 : I cannot have the IE fixed.
11:42 : yecril71: doesn't IE8 work, either?
11:42 : You have to ask Philip`.
11:42 : you can't have the spec fixed either. :-)
11:43 : And borrowing the background for the next element is far from being good markup.
11:43 : it's quite acceptable css
11:43 : http://www.w3.org/TR/mobile-bp/#d0e704
11:44 : If you want the background to be green, you have to choices:
11:44 : 2 choices:
11:44 : wrap in a common ancestor, which does not apply here,
11:44 : hsivonen: as someone who has worked on browser vendors, i hate it when sites work around bugs in browsers
11:44 : or use the same class.
11:44 : or use a negative margin :-)
11:44 : which is fine :-)
11:45 : Hixie: well, the mobile-bp doc doesn't acknowledge people from the companies you've worked for...
11:46 : I think it's quite telling that Opera and Apple aren't acked in the Mobile BP stuff
11:47 : chaals wrote part of it
11:47 : iirc
11:47 : The only workaround for Internet Explorer is to disable CSS.
11:48 : That makes the page readable and the performance is much better.
11:48 : Hixie: whoa. indeed. I was looking at the acks and thought the editor was from vodafone
11:48 erlehmann quits (firstname.lastname@example.org) ("Ex-Chat")
11:48 : I must have mixed up the editorships of different docs
11:49 : actually i thought a googler worked on that doc too, but i don't see that in the acks anywhere
11:49 : might be another one
11:49 : there are so many
11:49 : However, even if I add whatwg.org to restricted sites, that will not disable CSS by default.
11:50 : And I am sorry to see Hixie behave so arrogantly.
11:51 : if there was a bug in the spec's style sheet, would you ask the browsers to work around it?
11:51 : simple software engineering. you fix the bug, you don't work around the bug.
11:52 : Not a single browser is fully CSS-compliant.
11:53 : Your attitude is unrealistic, however you may not like it.
11:53 : The publisher should aim at the intersection of what is supported.
11:53 : It's still baffling that a W3C REC doesn't include PNG support as part of the assumed image format support
11:54 : how did *that* get past *principles*?
11:54 : but then the markup language support is specced as XHTML Basic 1.1 [XHTML-Basic] delivered with content type application/xhtml+xml.
11:56 : And I cannot fix the bug in IE, as I already said.
11:56 : you also cannot fix the spec, so i don't see how that is different or relevant
11:57 : Well, but you can.
11:57 : With a very tiny amount of work.
11:57 : if you insist on using IE, then i recommend using http://dev.w3.org/html5/spec/Overview.html instead.
11:59 : That document does not have a multipage version.
12:00 : ah well, i tried
12:01 : Hixie: Then why have work-arounds for IE at all?
12:01 : like the /* that last decl is for IE6. Try removing it, it's hilarious! */ one
12:02 : i thought i'd gotten rid of that one
12:02 : Hixie’s theory about fieldset.name does not hold.
12:02 : The MSDN is correct here.
12:02 : I don't see it in <http://www.whatwg.org/specs/web-apps/current-work/header-whatwg>, but I see it in <http://www.whatwg.org/specs/web-apps/current-work/>
12:03 ap is now ap|away
12:03 : gsnedders: fixed
12:03 : So it is not really "already implemented", and it is different from HTML4.
12:03 heads off
12:05 : yecril71: do you have a testcase demonstrating the error in the spec?
12:05 : i'm pretty sure i tested this
12:05 : but i could be wrong!
12:05 : Just a minute.
12:06 : (That is, I have it, but I have to publish it.)
12:08 : I think a lot of this mobile "best" practice stuff could go away if Opera Mini had serious competition
12:08 : so that vendors of devices that can't host a self-contained browser didn't feel they have to commit to a single vendor if they want a decent browser
12:09 : unfortunately, working around browser bugs is an essential job that web developers must do for commercial sites. But for web standards, where people reading the spec are expected to use modern browsers, fixing such bugs is an unnecessary hassle
12:09 : I would say that I think a lot of this mobile "best" practice stuff could go away if Mobile Safari had serious competition. :-)
12:09 : yecril71, I have to agree with Hixie. I have no sympathy for IE users
12:09 : not just IE users
12:10 : users of any browser with pretty fundamental bugs
12:10 : yeah, all browsers have bugs. But IE is the worst.
12:10 : it's entirely possible to build a professional website for Firefox, Opera and Safari without using any hacks. But only the most basic sites work in IE without hacks
12:11 : which reminds me that Validator.nu has a script error in IE (including 8)
12:18 : hmm. the login thing may be a deep rathole
12:22 : http://www.2a.pl/~ne01026/test.htm
12:22 : Hixie: regarding your email "Database section feedback": didn't Nikunj already volunteer? your email makes it look as though you are ignoring that he volunteered. (unless he volunteered only on the condition that he edits *all* the pieces he volunteered for)
12:23 : i have seen no evidence that he has volunteered other than him actually saying that he has volunteered
12:23 : (Note that the document is deliberately invalid now)
12:23 : Hixie: I think I see what you mean.
12:23 : (It is supposed to be valid HTML5)
12:24 : could you rewrite that in JS so i can test it in other browsers?
12:25 : What for? I do not contend it does not work in other browsers.
12:25 doesn't understand what you are trying to show with that test
12:25 : That a fieldset is not a
12:25 : (what's important is compatibility with all browsers, not just IE)
fieldset is not a form control, correct
12:26 : All browsers, including IE.
12:26 : But HTML5 says it belongs to form.elements.
12:26 : the spec doesn't have a concept of "form control", though, so that seems academic
12:26 : The collection is named
12:26 : Or something like that.
12:27 : That means it bears the concept of a form control.
12:27 erlehmann joins (email@example.com)
12:27 : You have said you had to add this because that is what all browsers do.
12:27 : I have demonstrated it is not the case.
12:28 : the collection name is a historical artefact of little importance
12:28 : With that attitude, HTML5 is likely to become a historical artefact of little importance.
12:28 : it may be that it is not all browsers but just some browsers, then
12:29 : i expect one day it will be, yes
12:29 : I do not think that "some browsers" is a good argument to break logic and backward compatibility.
12:30 : according to http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E...%3Cform%3E%3Cfieldset%3E%3C%2Ffieldset%3E%3C%2Fform%3E%0A%3Cscript%3Ew%28document.forms.elements.length%29%3C%2Fscript%3E
12:30 : IE, Firefox, and Opera all put
12:30 : I would rather ask those browsers to fix their implementations, because it is a bug.
12:30 : Hixie: do I read correctly that the new http auth stuff doesn't ask browsers to change anything in their behavior?
12:31 : correct
12:31 : ok.
12:31 drry quits (firstname.lastname@example.org) (zelazny.freenode.net irc.freenode.net)
12:32 drry joins (email@example.com)
12:39 zcorpan joins (firstname.lastname@example.org)
12:39 : zcorpan!
12:39 : hey Hixie
12:40 : now i wish i had said on irc what i wanted to tell you, for i have forgotten it
12:40 : :(
12:40 : oh one was that i invented QUOTA_EXCEEDED_ERR with code 22, and wanted to ask you if you could add it along with codes 1-21 to web dom core
12:41 : ok, will do
12:41 : All right, I give up.
12:41 : <http://msdn.microsoft.com/en-us/library/ms537449(VS.85).aspx#ctl00_rs1_WikiContent_2_Container>
12:43 : I still can't figure out why Pentasis is having such a difficult time comprehending the purpose of the time element, nor why he's suggesting such ridiculous changes.
12:43 : I guess he's just interested in some kind of theoretical purity, rather than trying to address any serious practical issues
12:43 : theoretical purity isn't a bad thing in and of itself
12:44 : if the people who extended html over the years had slightly more concern over theoretical purity, we'd be in a much better state
12:44 : Hixie: added
12:44 : wow that was quick
12:44 : i need to ask you to do web dom core changes more often
12:44 : :-D
12:44 : :)
12:45 : did i ask you what the eta was on a fpwd yet?
12:45 : not sure but there's no eta yet
12:45 : k
12:45 : i'm trying to get the spec moved to a w3c wg
12:46 : won't webapps take it?
12:46 : haven't approached them yet
12:46 : oh one of the other things was a webkit bug i came across that was about weird (but compat-required) getElementById() behavior, iirc
12:47 : i tried cc'ing you but you didn't seem to have an account
12:47 : i forget which bug now
12:47 : i think i'm still using the @hotmail account on b.w.o :S
12:47 : Hixie, true. But when your theory is suggesting that an element for marking up dates using ISO-8601 isn't adequate because it still can't accurately represent historical dates from centuries ago, rather than just worrying about the use cases it was designed for, then it's being taken too far
12:47 : i guess i should change that
12:48 : I think we should define input type=date to apply to booking of hotels & transport
12:48 : Lachy: i think he ended up actually saying the opposite -- that we should limit it further (e.g. not allow 2AD) because that was too historical and wasn't accurate either
12:48 : and we should define <time> as a piece for microformats meant for scheduling secular civilian meetings
12:48 : is there a use case for <input type=url multiple>?
12:49 : I've generally found the things he's said to be confusing
12:49 : i think validator.nu has such a field doesn't it?
12:49 : zcorpan: i'm sure one could be invented
12:49 : whether it's a common enough case to worry about is another question
12:49 : nobody has asked for it yet
12:49 : afaik
12:50 : for the v.nu use case, <input type=url multiple> would be backwards-incompatible with Opera
12:50 : I guess <input type=email multiple> isn't nice for Opera, either
12:50 : right
12:51 : Why are SCRIPT elements not allowed inside
12:51 : yecril71: legacy
12:51 : and keeping things simple
12:52 : sure, we could limit it more, but picking cut-off point at the unix epoch 1970-01-01 wouldn't give enough range for people to mark up, e.g. birthdates, and anywhere else would be just arbitrary
12:52 : Simple for whom?
12:52 : me
12:52 : and authors in general
12:52 : It is not simple that, once I need to produce a part of a table with a script,
12:52 : Lachy: I think anything but 1970-01-01 and 0001-01-01 would be arbitrary
12:52 : Lachy: yeah
12:52 : I have to produce the whole table.
12:52 : hsivonen: but <script>s aren't foster parented, right?
12:53 : zcorpan: oh? I don't remember.
12:53 : yecril71: just use DOM manipulation
12:54 : (IE7 handles this use case cleanly)
12:54 : hsivonen: yep. "A start tag whose tag name is one of: "
12:55 : ok <input type=hidden> is magical too
12:55 : and <script> needs to be made magical in <select>, which is going to be a pain
12:56 : That means it should be supported but the document is still nonconforming?
12:56 : yecril71: I withdraw what I said about legacy
12:57 : Why? TABLE elements cannot contain SCRIPT elements directly in HTML4 either.
12:57 : the restriction is one we inherited from html4 and one we will keep because allowing script in the middle of the table model encourages bad authoring practices (such as using
12:58 : yecril71: I thought there was a parser legacy issue there. I wasn't referring to validation legacy.
13:00 : Correct me if I am wrong, but there is no way to ask the document to add more rows to the preceding table, unless that table has an ID.
13:01 : While it is possible inside.
13:01 nessy quits (email@example.com) ("This computer has gone to sleep")
13:01 : (supposing I place the SCRIPT right after the TABLE, that is.)
13:02 : just grab the last table from
13:02 : Thanks.
13:05 sverrej joins (firstname.lastname@example.org)
13:09 : Hixie: is it https://bugs.webkit.org/show_bug.cgi?id=6006 ?
13:09 : yes
13:09 : wow
13:09 : good call
13:10 : first on a search for getelementbyid :)
13:12 virtuelv quits (email@example.com) ("Leaving")
13:12 : :-)
13:12 erlehmann quits (firstname.lastname@example.org) ("Ex-Chat")
13:14 : it seems we have lots of bugs saying that getElementById works with
13:14 : which we dropped in 9.5
13:15 : and no bugs on it not working with
13:15 : also, i think ie8 doesn't look at name='' (in ie8 mode)
13:17 : i'll trust you to spec something that matches the web and that browsers are willing to converge on
13:17 : I think if a statement needs an in-transaction callback and an after-transaction callback, that amounts to two callbacks.
13:17 : i'm just glad it's not my problem for once :-)
13:17 tthorsen joins (email@example.com)
13:17 : So the most straightforward thing to do would be to allow two as required.
13:18 : You could also provide for a callback to figure out whether the transaction has finished
13:18 : and report that it needs to be called afterwards if not.
13:19 looks at feedback from anne about %-encoding in name="" attributes and #fragids, and decides to call it a night
13:47 tndH joins (n=Rob@220.127.116.11)
13:53 smerp joins (firstname.lastname@example.org)
13:58 smerp_ joins (email@example.com)
14:04 smerp quits (firstname.lastname@example.org) (Read error: 60 (Operation timed out))
14:10 ap|away is now ap
14:12 smerp_ quits (email@example.com)
14:18 maikmerten quits (firstname.lastname@example.org) (Client Quit)
14:22 mpt_ joins (n=mpt@canonical/launchpad/mpt)
14:24 mpt_ quits (n=mpt@canonical/launchpad/mpt) (Remote closed the connection)
14:25 tndH quits (n=Rob@18.104.22.168) ("ChatZilla 0.9.84-rdmsoft [XULRunner 22.214.171.124/2008072406]")
14:51 weinig joins (email@example.com)
14:55 smerp joins (firstname.lastname@example.org)
14:56 svl joins (email@example.com)
14:58 smerp quits (firstname.lastname@example.org) (Client Quit)
15:17 tthorsen quits (email@example.com) ("Leaving")
15:17 sayrer joins (firstname.lastname@example.org)
15:31 hdh quits (email@example.com) ("Leaving.")
15:47 tndH joins (n=Rob@james-baillie-pc083-058.student-halls.leeds.ac.uk)
15:49 sverrej quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
15:52 myakura joins (email@example.com)
15:54 : hmm. interesting. Gecko and HTML5 deal with noembed in very different ways
15:54 : in terms of implementation
15:54 : not necessarily from the POV of pages
15:57 : hsivonen: how are they different?
15:57 : Gecko keeps track of a nesting depth in noXXX elements and turns off <base> and form control handling when depth > 0
15:58 : HTML5 treats noXXX as CDATA elements
15:59 : hmm, my copy of firefox seems to insert a single text node in <noembed> -- not elements
16:00 : zcorpan: it's possible that the tokenizer has changed and the depth tracking is now dead code
16:00 : I was looking at the tree builder code
16:00 : hsivonen: yeah, i remember dbaron saying there was similar dead code for <iframe> a while back
16:01 : that disabled scripts or something
16:01 : I should have said that the tree builder code looks like that--not that Firefox does it :-)
16:01 : can't really trust the looks of the Gecko parser code
16:02 : is that code used for xhtml?
16:02 : no
16:06 myakura quits (firstname.lastname@example.org) ("Leaving...")
16:08 : if it's dead code, what's the point of keeping it around? Is it just that no-one has thought to remove it yet, and verify that it really is dead?
16:13 : Lachy: most likely it's dead and forgotten and now no one wants to touch the parser more than absolutely necessary
16:17 : ok. I suppose it won't matter too much since I assume they'll be replacing the parser entirely with a new HTML5 parser soon enough
16:17 : hopefully :-)
16:22 billmason joins (email@example.com)
16:27 jmb^ joins (firstname.lastname@example.org)
16:27 jmb quits (email@example.com) (Read error: 131 (Connection reset by peer))
16:27 dglazkov joins (firstname.lastname@example.org)
16:28 dglazkov quits (email@example.com) (Client Quit)
16:36 aaronlev_ joins (firstname.lastname@example.org)
16:49 mstange joins (email@example.com)
16:49 : hey punctuation is allowed in encoding declarations
16:49 : you can make smileys out of encoding names
16:50 : ~u_^t^_f8
16:52 jmb^ quits (firstname.lastname@example.org) (Remote closed the connection)
16:52 jmb joins (email@example.com)
16:53 : zcorpan, I can't see how that example you gave can be seen as a smiley?
16:54 Hish quits (firstname.lastname@example.org) (Read error: 104 (Connection reset by peer))
16:56 : Lachy: dunno, come up with something better :)
16:56 aaronlev quits (email@example.com) (Read error: 110 (Connection timed out))
16:56 sverrej joins (firstname.lastname@example.org)
17:00 : hey you could even have multiline ascii art
17:01 can't wait to debug input with multiline ascii art charsets
17:02 : w00t. the C++ version of the HTML5 parser *finally* links all the way
17:02 : Is newline allowed, though?
17:02 : any language that doesn't have C++-style linkage must give a huge productivity boost compared to C++
17:03 : zcorpan, where in the spec does it say punctuation is allowed?
17:03 : is it that they're ignored for the parsing requirements, or that they're considered conforming too?
17:04 : "The value must be a valid character encoding name, and must be the preferred name for that encoding."
17:05 : hsivonen: validator.nu doesn't complain about punctuation
17:05 jmb quits (email@example.com) (Remote closed the connection)
17:05 jmb joins (firstname.lastname@example.org)
17:06 : zcorpan, how do you interpret that as allowing punctuation?
17:06 : zcorpan: thanks. I filed http://bugzilla.validator.nu/show_bug.cgi?id=337
17:06 : Lachy: i don't :)
17:06 : wtf? You said "punctuation is allowed in encoding declarations"
17:06 : yeah, i was mistaken
17:06 : i was just playing around in v.nu
17:06 : oh
17:07 : yecril71: The thread around http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/014984.html discusses the IE heading CSS bug, and that post suggests a simple workaround, but I guess Hixie cares more about the theoretical purity of the spec's markup than about its impact on users :-)
17:08 Maurice quits (email@example.com) ("Disconnected...")
17:10 Lachy quits (n=Lachlan@pat-tdc.opera.com) ("This computer has gone to sleep")
17:11 yecril71 quits (firstname.lastname@example.org) (Read error: 110 (Connection timed out))
17:16 jmb^ joins (email@example.com)
17:16 jmb quits (firstname.lastname@example.org) (Read error: 104 (Connection reset by peer))
17:19 aroben joins (email@example.com)
17:25 aaronlev_ quits (firstname.lastname@example.org) ("ChatZilla 0.9.83-rdmsoft [XULRunner 126.96.36.199/2008072406]")
17:27 Lachy joins (n=Lachlan@188.8.131.52)
17:38 pesla quits (email@example.com) ("( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )")
17:44 smedero joins (firstname.lastname@example.org)
17:51 sbublava joins (email@example.com)
17:53 dglazkov joins (n=dglazkov@nat/google/x-6eb211a951f14c72)
17:58 zcorpan quits (firstname.lastname@example.org)
18:03 Maurice joins (i=copyman@5ED548D4.cable.ziggo.nl)
18:13 jmb^ is now jmb
18:37 BenMillard joins (email@example.com)
18:49 : Lachy, I sometimes manage to make graphical websites which support Fx2, Fx3, O9, most recent Safari, IE6 and IE7 without hacks (re: http://krijnhoetmer.nl/irc-logs/whatwg/20081126#l-395)
18:49 : usually, the show-stoppers aren't really CSS problems, it's fundamental breakage in the rendering engine :)
18:49 sbublava quits (firstname.lastname@example.org)
18:50 can't even make non-graphical sites without finding browser bugs :-(
18:50 : usually there are multiple ways of getting the same visual effect, like yecril71 points out
18:51 : and when the job has a requirement that it *must* look correct in that set of browsers before your client pays you, well, you learn to compromise :)
18:51 maikmerten joins (n=maikmert@L8127.l.pppool.de)
18:54 : yecril71, in applications on Windows, the equivalent of <fieldset> is called Frame (at least in VB6) and you add it to a form (aka window) as a control (aka a form control)
18:54 : more specifically, it's a "container control" along with PictureBox, TabStrip and suchlike
18:55 dave_levin quits (email@example.com)
18:57 : krijnh, linkification stopped short by [ character: http://krijnhoetmer.nl/irc-logs/whatwg/20081126#l-424
18:58 aroben quits (n=adamrobe@unaffiliated/aroben)
19:04 erlehmann joins (firstname.lastname@example.org)
19:04 aroben joins (i=aroben@unaffiliated/aroben)
19:05 : Philip`, using position:relative on elements with negative margins is how I thought it was supposed to work, because I'm so used to doing that for IE :P
19:06 : sometimes I use a negative top or left value instead of negative margin, due to margin bugs
19:14 mstange quits (email@example.com) ("ChatZilla 0.9.84 [Firefox 3.1b2pre/20081124033940]")
19:17 dave_levin joins (firstname.lastname@example.org)
19:17 ap quits (email@example.com)
19:19 gets down to 3.6MB for an animated visualisation of the internal links in every 5th revision of the HTML 5 spec since its history began, which doesn't seem too bad
19:19 aroben is now aroben|lunch
19:19 : BenMillard: Why does position:relative help in those cases?
19:22 weinig quits (firstname.lastname@example.org)
19:23 wonders if that is danbri in one of his TPAC photos
19:24 : No, it isn't.
19:30 : Philip`, various strange things start working properly with position:relative in IE...often inexplicably :)
19:30 : (like graphical bullets on list items in semi-arbitrary conditions)
19:32 virtuelv joins (email@example.com)
19:39 mpt quits (n=mpt@canonical/launchpad/mpt) ("Leaving")
19:44 kangax joins (firstname.lastname@example.org)
19:54 dbaron joins (email@example.com)
19:54 : do I read the html5lib correctly when I think it sanitizes by discarding tokens before the tree builder?
19:54 : s/html5lib/html5lib source/
19:55 KevinMarks quits (n=KevinMar@c-98-207-134-151.hsd1.ca.comcast.net) ("The computer fell asleep")
19:55 KevinMarks joins (n=KevinMar@c-98-207-134-151.hsd1.ca.comcast.net)
19:58 : hsivonen: Yes
19:59 : jgraham: does it discard
19:59 : hsivonen: I believe so
20:00 : (but I guess there may be bugs)
20:03 : It seems that the dominant design of HTML sanitizers is to throw stuff away between the tokenizer and the tree builder
20:04 : Hixie: looks like different rules are called for here compared to the infoset coercion stuff
20:04 : (not to suggest that HTML5 should prescribe the rules, but anyway)
20:05 : hsivonen, have you tested the new IE8 method?
20:06 : sayrer: nope. What's the new IE8 method?
20:06 : hsivonen, toSafeHTML or some such
20:06 : hsivonen, yeah, that's it
20:08 : "Update 11/20/08: changed reference to toStaticHTML" says IE blog
20:09 : hmm. string to string method
20:10 : sayrer: this is mail&news stuff, isn't it: http://mxr.mozilla.org/mozilla-central/source/content/base/src/mozSanitizingSerializer.cpp
20:10 : hsivonen, yeah. I decided I couldn't use that, way back when. Don't remember why.
20:10 : sayrer: ok
20:11 : I should test toStaticHTML to see what it actually does
20:11 : thanks
20:12 KevinMarks quits (n=KevinMar@c-98-207-134-151.hsd1.ca.comcast.net) (Read error: 110 (Connection timed out))
20:13 dimich joins (firstname.lastname@example.org)
20:17 : http://www.flickr.com/photos/gsnedders/3061950334/
20:17 : http://www.flickr.com/photos/gsnedders/3061106047/
20:17 : who are those someones?
20:17 : gsnedders: in 3061950334 Felix Sasaki
20:17 : gsnedders: in 3061106047 Steve Zilles
20:25 : hsivonen, I may have run screaming from http://mxr.mozilla.org/mozilla-central/source/content/base/src/mozSanitizingSerializer.cpp#4
20:26 : and also the pref parsing
20:27 : sayrer: seems to be the wrong way round...
20:34 KevinMarks joins (n=KevinMar@184.108.40.206)
20:40 : hsivonen: ah, thx
20:56 Lachy quits (n=Lachlan@220.127.116.11) ("This computer has gone to sleep")
20:58 kangax quits (email@example.com)
21:17 aroben|lunch is now aroben
21:19 : http://groups.google.com/group/mozilla.dev.planning/msg/f2dd45413cc68413
21:20 BenMillard quits (firstname.lastname@example.org)
21:24 : Hixie: am reading the spec correctly that it's OK to have an event loop spin between document.close() and the tokenizer emitting the EOF?
21:25 aroben quits (i=aroben@unaffiliated/aroben) (Read error: 104 (Connection reset by peer))
21:25 wonders if he gets a VPS how quickly he'll screw it up
21:25 weinig joins (email@example.com)
21:26 : hsivonen: that is lovely.
21:29 weinig is now weinig|away
21:36 KrocCamen joins (firstname.lastname@example.org)
21:49 shepazu joins (email@example.com)
21:49 mpt joins (n=mpt@canonical/launchpad/mpt)
21:51 : gsnedders: You can always just reinstall it once you break everything
21:51 : Philip`: :P
21:52 discovered Ubuntu has "ufw", which makes firewall configuration actually sane - you say stuff like "ufw allow 80/tcp" and it does what you want, and you don't have to even know what iptables are
21:56 Lachy joins (n=Lachlan@18.104.22.168)
21:57 : wow
22:00 nessy joins (firstname.lastname@example.org)
22:02 maikmerten quits (n=maikmert@L8127.l.pppool.de) (Client Quit)
22:02 virtuelv quits (email@example.com) (Read error: 110 (Connection timed out))
22:06 epeus joins (n=KevinMar@nat/google/x-c7df243871ef63f8)
22:13 ROBOd quits (firstname.lastname@example.org) ("http://www.robodesign.ro")
22:13 KevinMarks quits (n=KevinMar@22.214.171.124) (Connection timed out)
22:29 shepazu quits (email@example.com)
22:30 : hsivonen: not only is it ok, it is required, because the tokeniser only emits stuff as part of the event loop
22:34 : Hixie: doesn't the tokenizer emit non-EOF tokens immediately on first-level
22:34 : yeah but that is still originally part of an event loop step
22:34 : Hixie: but it's good that a spin is OK with
22:35 : ok
22:36 dolske quits (n=dolske@firefox/developer/dolske) ("Leaving...")
22:55 nessy quits (firstname.lastname@example.org) ("This computer has gone to sleep")
23:05 : BenMillard: fixed, thanks
23:07 : That was a short-lived feature (
23:12 apologises for helping kill it
23:12 smedero quits (email@example.com)
23:15 : (Actually I blame Julian, for originally suggesting that there could be a security issue)
23:16 : Jonas would've picked up the slack anyhow, it seems :)
23:16 : off with its head!
23:19 : sicking: Do you have a secret new proposal that will rock our socks?
23:19 Maurice quits (i=copyman@5ED548D4.cable.ziggo.nl) ("Disconnected...")
23:19 : nothing secret
23:19 : i've argued for something like OpenID for a while, just not very heavily
23:20 : OpenID, the way it looks like now, with all its redirects and stuff, is no good though
23:20 : but there's a lot that can be done if we build it into the browser
23:20 : basically we need something like Microsoft's CardSpace, but as a more open platform
23:22 hdh joins (firstname.lastname@example.org)
23:22 : Does cardspace avoid the "phishing enabling" of current openid?
23:23 doublec joins (email@example.com)
23:24 : that is my understanding
23:24 nessy joins (firstname.lastname@example.org)
23:24 : sicking, how so?
23:24 : however, i have not heard what all the complaints about either cardspace or openid are, so it's entirely possible that neither of them are very close to what we need
23:25 : sayrer, you don't type a password, you just click on an image to choose which identity to use
23:25 : that is good
23:25 : fwiw, I did like the idea of using the 401 body for this
23:25 : sicking: I think it would need to degrade gracefully into the current OpenID experience in browsers that don't implement the future thing
23:25 : Philip`, I find it difficult to believe that anyone would be stupid enough to introduce an XSS bug into a 401 page, especially because it's effectively saying you need to log in before you can do anything
23:25 : only Safari is broken w.r.t. that extension point
23:26 : hsivonen, it needs to degrade into something for sure
23:26 : sicking: so in that sense, seeking to put the hook into the OpenID ID provider code might work
23:26 : and the XSS attack you outlined would need so many different bugs to occur in just the right way, it seems highly unlikely
23:26 : but that would mean users would have to enter a URI into a field still
23:26 : unless the field can be reliably autocompleted by the browser, too
23:26 : I had the idea that the 401 body should be the non-existent notion of svg static
23:27 : so browsers can create a difficult to simulate UI
23:27 : and show a little bit of branding next to it
23:27 weinig|away is now weinig
23:27 : what's svg static?
23:28 : svg with scripting, animation, fonts, etc
23:28 : er
23:28 : witout
23:28 : without
23:28 : ah
23:28 : there is no subset that matches that
23:28 : but I'm thinking full-screen shadowed / UI box
23:28 : I guess flash or quicktime might be coerced
23:28 : to do that
23:28 : but it would be much harder
23:29 : although I'm still glad the www-authenticate feature was removed, since it seemed quite useless in practice for all but a very niche market
23:30 : Lachy: It doesn't seem implausible that someone would have e.g. login.php?return=... which gives you the login form with a <a href="$return">Go back</a> and returns 401 and WWW-Authenticate HTML because they want to tell bots to log in that way, and introduce the XSS hole that way
23:30 : Lachy: and I don't see what bugs the attack needs, other than the XSS one
23:30 heycam quits (email@example.com) ("bye")
23:31 : Lachy: Also, you shouldn't underestimate people's stupidity :-p
23:33 : it requires the bot to access the page via a URL which exploits the XSS attacks
23:34 : Bots follow links, and it's trivial to put a link onto most people's sites
23:34 : that may depend on the purpose of the bot, and where it was following links from
23:34 : (via blog comments, or referrer logs, or whatever)
23:34 : The purpose of the bot is to follow all the links it can find on the site :-)
23:35 : could just turn off scripts on 401 pages
23:35 : sayrer: There aren't any scripts involved here
23:35 : oh I see
23:36 : I suppose such a link could occur on the site itself if it allowed user generated content of some kind
23:36 : and only used the 401 to prevent access to member areas
23:38 : it may not be a new problem though. If there are bots that perform this kind of log in already, by being manually configured with the form name, they would be vulnerable to the same attack
23:38 : although without the www-authenticate header advertising that, it's less likely
23:39 : but the same attack could be used against users by getting them to follow the link
23:40 erlehmann quits (firstname.lastname@example.org) ("Ex-Chat")
23:41 : It's not a problem unique to
WWW-Authenticate was designed in a way that encourages behaviour that would encounter that problem
23:46 fakeolliej is now olliej
23:54 ginger joins (email@example.com)
23:54 heycam joins (firstname.lastname@example.org)
23:55 mpt quits (n=mpt@canonical/launchpad/mpt) ("Leaving")
23:59 : i haven't removed it yet btw
Session Close: Thu Nov 27 00:00:00 2008