Re: Removing xml:base
On 2013-08-09 15:32, Boris Zbarsky wrote: There is a proposal in https://bugzilla.mozilla.org/show_bug.cgi?id=903372 to remove xml:base support. Do we actually use this for anything? I thought we used to set it for xbl stuff, but I don't see obvious code doing that. If we can, it would be great to rip this out: it would significantly simplify a bunch of things. -Boris For what it's worth, I find xml:base very useful in my extension. It is a feed reader and it displays content from many third-party sources on a single page, so there's a need for multiple base URIs in order to resolve relative URIs correctly. The arguments so far have focused on code simplicity, lack of support in other browsers, and Mozilla itself not using the feature. I haven't seen anyone address the arguably most important question: is the feature useful for the web at large? Perhaps we should improve our implementation and push for its adoption, rather than jump on the bandwagon? In principle, functionality provided by xml:base seems useful for web applications that deal with third-party content. Maybe someone more knowledgeable can estimate how much need there is in practice, though. - Adam ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Removing xml:base
On 2013-08-09 15:32, Boris Zbarsky wrote: There is a proposal in https://bugzilla.mozilla.org/show_bug.cgi?id=903372 to remove xml:base support. Do we actually use this for anything? I thought we used to set it for xbl stuff, but I don't see obvious code doing that. If we can, it would be great to rip this out: it would significantly simplify a bunch of things. -Boris For what it's worth, I find xml:base very useful in my extension. It is a feed reader and it displays content from many third-party sources on a single page, so there's a need for multiple base URIs in order to resolve relative URIs correctly. The arguments so far have focused on code simplicity, lack of support in other browsers, and Mozilla itself not using the feature. I haven't seen anyone address the arguably most important question: is the feature useful for the web at large? Perhaps we should improve our implementation and push for its adoption, rather than jump on the bandwagon? In principle, functionality provided by xml:base seems useful for web applications that deal with third-party content. Maybe someone more knowledgeable can estimate how much need there is in practice, though. - Adam ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Removing xml:base
On 2013-08-09 15:32, Boris Zbarsky wrote: There is a proposal in https://bugzilla.mozilla.org/show_bug.cgi?id=903372 to remove xml:base support. Do we actually use this for anything? I thought we used to set it for xbl stuff, but I don't see obvious code doing that. If we can, it would be great to rip this out: it would significantly simplify a bunch of things. -Boris For what it's worth, I find xml:base very useful in my extension. It is a feed reader and it displays content from many third-party sources on a single page, so there's a need for multiple base URIs in order to resolve relative URIs correctly. The arguments so far have focused on code simplicity, lack of support in other browsers, and Mozilla itself not using the feature. I haven't seen anyone address the arguably most important question: is the feature useful for the web at large? Perhaps we should improve our implementation and push for its adoption, rather than jump on the bandwagon? In principle, functionality provided by xml:base seems useful for web applications that deal with third-party content. Maybe someone more knowledgeable can estimate how much need there is in practice, though. - Adam ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Removing xml:base
On Mon, Sep 16, 2013 at 5:06 PM, Adam Kowalczyk adam-kowalcz...@o2.pl wrote: For what it's worth, I find xml:base very useful in my extension. It is a feed reader and it displays content from many third-party sources on a single page, so there's a need for multiple base URIs in order to resolve relative URIs correctly. The arguments so far have focused on code simplicity, lack of support in other browsers, and Mozilla itself not using the feature. I haven't seen anyone address the arguably most important question: is the feature useful for the web at large? Perhaps we should improve our implementation and push for its adoption, rather than jump on the bandwagon? In principle, functionality provided by xml:base seems useful for web applications that deal with third-party content. Maybe someone more knowledgeable can estimate how much need there is in practice, though. I think that using xml:base for content aggregation is a good indication that the application should be reworked to use iframe sandbox. If one don't feel confident enough in the application's ability to sanitize/rewrite the third-party content so that all the links become absolute (a good bet for pretty much any application), then one shouldn't be injecting it into the page, IMO. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM) ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Removing xml:base
On 2013-09-17 02:52, Boris Zbarsky wrote: On 9/16/13 8:06 PM, Adam Kowalczyk wrote: and it displays content from many third-party sources on a single page You probably want iframes for that I'm using a resource:// URI loaded in a browser with type=content, so the content is unprivileged and untrusted. Putting each feed entry into its own iframe would probably carry a significant performance penalty. Websites don't have the means to do it safely, though... I haven't seen anyone address the arguably most important question: is the feature useful for the web at large? It's not if we're the only one who ever supports it... Alright then, *would* be useful if supported more widely, is what I should have said. Perhaps we should improve our implementation and push for its adoption The other UAs have flat our refused to ever implement something like this. I can understand why. I wouldn't implement it in a new UA either (e.g. servo). If there's no hope for getting traction with other vendors, then it pretty much settles it. But what were their motivations? It it was lack of good use cases, then see below. In principle, functionality provided by xml:base seems useful for web applications that deal with third-party content. I think using seamless/sandboxed iframes is the right way to deal with third-party content. Certainly pulling in untrusted third-party content directly is a security hole. Unless something like Content Security Policy is implemented, which would make it possible to inject untrusted content without XSS risks, thus making the above use case more legitimate. - Adam ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Removing xml:base
On 9/16/13 10:36 PM, Adam Kowalczyk wrote: Alright then, *would* be useful if supported more widely, is what I should have said. My point is the counterfactual has been given a chance and failed If there's no hope for getting traction with other vendors, then it pretty much settles it. But what were their motivations? Wanting to avoid the insane complexity, largely. -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: Removing xml:base
On Fri, Aug 9, 2013 at 2:32 PM, Boris Zbarsky bzbar...@mit.edu wrote: There is a proposal in https://bugzilla.mozilla.org/show_bug.cgi?id=903372 to remove xml:base support. Do we actually use this for anything? I thought we used to set it for xbl stuff, but I don't see obvious code doing that. If we can, it would be great to rip this out: it would significantly simplify a bunch of things. Seems like we can do this? Would be nice to simplify the base URL story a bit. -- http://annevankesteren.nl/ ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Removing xml:base
There is a proposal in https://bugzilla.mozilla.org/show_bug.cgi?id=903372 to remove xml:base support. Do we actually use this for anything? I thought we used to set it for xbl stuff, but I don't see obvious code doing that. If we can, it would be great to rip this out: it would significantly simplify a bunch of things. -Boris ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform