Re: [whatwg] MTU Size PeerConnection send method (was RE: PeerConnection feedback)
On 04/28/11 20:55, Stefan Håkansson LK wrote: Wouldn't it be possible to abstract this away for the web developer? I.e. the send method should, like for WebSockets, not have a max size. Instead the sending UA would be responsible for chopping up (the receiving UA for re-assembling) the message into packets not larger than the minimum path MTU. Depending on the UA (and how integrated with the IP stack of the device it is) different levels of implementation sophistication could be used (e.g. max 576 byte, or select 576/1280 depending on IP version, or even using MTU path discovery to find out max size). Yes, we could reimplement UDP's defragmentation mechanism at the higher level. There are a few things to keep in mind if you do that (for instance, there's a well known resource exhaustion attack where an attacker sends you the first part of UDP packets and never sends you the rest of it, until you run out of reassembly buffers, and of course the chance of losing a packet goes up significantly when all the fragments need to make it in order to achieve correct reassembly). The attacker in this case would be a (hacked) browser as the web developer can do no such thing. Of course larger data chunks increases the risk of not getting it over. This may be problematic: how can you explain this to the web developer in an understandable way? The attacker can be anyone who is able to convince your web browser to make a PeerConnection to a machine they control. The attacker isn't limited to running web browsers that obey protocol. The defense is well known - you simply limit the number of reassembly buffers, and throw away packets that haven't been reassembled for a while when you run out of buffers to reassemble them in. And the defense can be implemented wholly within the browser - no need to explain it to a web developer. It's just one example of things one has to think about when implementing this kind of thing.
Re: [whatwg] MTU Size PeerConnection send method (was RE: PeerConnection feedback)
Harald Alvestrand skrev 2011-04-27 14:42: I'm happy to change this, but I'd like solid data to base the decision on. Wouldn't it be possible to abstract this away for the web developer? I.e. the send method should, like for WebSockets, not have a max size. Instead the sending UA would be responsible for chopping up (the receiving UA for re-assembling) the message into packets not larger than the minimum path MTU. Depending on the UA (and how integrated with the IP stack of the device it is) different levels of implementation sophistication could be used (e.g. max 576 byte, or select 576/1280 depending on IP version, or even using MTU path discovery to find out max size). Yes, we could reimplement UDP's defragmentation mechanism at the higher level. There is no fragmentation mechanism at UDP level. Either one uses IP level fragmentation which has issues when it comes to NAT and F/W traversal or you implement something on top of UDP. I think one do need to consider the need for a Path MTU discovery mechanism. If one has framing and sequencing of data parts, then one can consider to implement a application level PMTU discovery mechanism. I think one do needs to consider at least enabling tie in to lower layer MTU mechanisms. As you already raised there is no lower limit on IPv4 packet size other than that IPv4 fragments with any payload needs to be 56 bytes or so. 576 is a more realistic lower limit but still pretty darn small. In general I think people should review RFC 5405 Unicast UDP Usage Guidelines for Application Designers which is very applicable to this discussion. It does discuss a number of issue of doing things on top of UDP. http://www.rfc-editor.org/rfc/rfc5405.txt Cheers Magnus Westerlund -- Multimedia Technologies, Ericsson Research EAB/TVM -- Ericsson AB| Phone +46 10 7148287 Färögatan 6| Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerl...@ericsson.com --
Re: [whatwg] PeerConnection feedback: RTP SSRC and data over RTP
Ian Hickson skrev 2011-04-22 00:27: On Mon, 11 Apr 2011, Justin Uberti wrote: On Tue, 29 Mar 2011, Harald Alvestrand wrote: multiplexing of multiple data streams on the same channel using SSRC, I don't follow. What benefit would that have? If you are in a conference that has 10 participants, you don't want to have to set up a new transport for each participant. Instead, SSRC provides an excellent way to multiplex multiple media streams over a single RTP session (and network transport). Could you elaborate on this? I have tried finding information on how SSRC works but cannot find anything useful. Can you point to the relevant parts of the RFCs that describe this mechanism maybe? I'm having trouble understanding how it works even for audio/video streams, let alone whether it would actually be appropriate for data. Lets first disregard the question of data over RTP which I will comet to below. I am sorry that RTP on a general level is not more easily understood without some in depth reading. I have an Internet draft which is targeted towards people intended to write RTP payload formats it contains an RTP overview initially, I would read from start until end of section 3, one can skip 3.1.1. https://datatracker.ietf.org/doc/draft-ietf-payload-rtp-howto/?include_text=1 RFC 3550 is designed with the following layers of multiplexing: Different purposes of the media streams, like audio or video are supposed to be multiplexed using different RTP sessions. Within an RTP session each media source, i.e. a camera or mixed audio stream, or microphone is its own media stream thus have its own SSRC. The RTP sequence number and timestamp space are scoped by the SSRC. The SSRC is also used by receivers only end-points so that they have an identity when providing feedback. In the below examples it becomes relevant to take the topologies the RTP can be used into account as discussed in RFC 5117. Some examples: 1. Peer to peer with multiple sources at one end. A connects directly with B. A has two video cameras which he both wants to have active at the same time. Because one is showing him and the other is showing something he wants to show to B. This would look like: A: SSRC1, SSRC2 -- Video RTP session - B:SSRC3 2. Audio Conference using transport relaying bridge. So in this session you have 4 participants A, B, C ,D each having one audio stream. There is also a transport relay (R) which will forward what it receives from one participant to all the others. A:SSRC1 -- B:SSRC2 | | | | +--+ | Relay| +--+ | | | | C:SSRC3 -- D:SSRC4 So in this case C will receive RTP flows from A with SSRC1, B with SSRC2 and D with SSRC4 all over the unicast UDP flow that it has with the relay. C will send its RTP flow and RTCP feedback on all of the received flows. Each of A to D decides locally if they send their audio stream or not. If one wants to transport optimize this one can change the relay into an RTP mixer that then needs to actively mix the audio content. Whats is more efficient and possible depends both on the number of session participants and the availability of mixers. 3. RTP retransmission using SSRC multi-plexing RTP retransmission is defined in RFC 4588 and is an RTP robustification mechanism that allows the receiver to request retransmission and the sender to retransmit the most important packets and only the ones that will be received within some boundaries of time that make them still useful. It really intended for semi-reliability in sessions with not super strict delay requirements. In this case any RTP packet that needs to be retransmitted needs to be sent over a new SSRC as transmitting the same packet twice with the same SSRC and sequence number destroys the transport feedback in RTCP one uses a encapsulating RTP payload format and a new SSRC either in second RTP session or in this case in the same RTP session. There are good arguments why both models makes sense for different applications. I hope this gives some insight into how SSRCs are used and I think reading the chapter 2 in RFC 3550 gives some insight in the design choices. Having a clear mind on that RTP is multi-party protocol and review the topologies that might occur in RFC 5117 gives understanding of that angle. Data over RTP - When it comes to data over RTP I am hesitant to it. RTP has a model of real-time constraints are much more important that reliability. It is also designed around Application Level Framing, where the higher layer creating RTP payloads is capable of creating data fragments that to as high degree as possible is usable on its own. As currently discussed on the rtc...@ietf.org mailing list there is clearly things beyond audio and video that makes sense to define RTP payload formats for. We
[whatwg] Proposal for a web application descriptor
Hello everyone, I have read a lot in the last month about the future of html and web applications and I am very impressed by the progress this makes. However, I have come across some thing that annoys me: Permissions. I know they are important and I know they are needed but currently I find this quite inconvenient. And with more and more permissions coming up this might get worse so I spent some time thinking about it. I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) It should just take only a few minutes to read and includes examples and screenshots. I am really looking forward to hearing your thoughts on this. Please feel free to share this idea with whomever you want to. If you think I should post this proposal somewhere else please say so. Kind regards, Simon Heckmann
Re: [whatwg] Proposal for a web application descriptor
On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmann si...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis
Re: [whatwg] Proposal for a web application descriptor
Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmann si...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann
Re: [whatwg] Proposal for a web application descriptor
Hello again, As requested I updated the proposal to contain screenshots from English browser versions now. You can always find the latest version on http://www.simonheckmann.de/download/Proposal.pdf. Additionally, I created an HTML version of the file which might come in handy for some readers: http://www.simonheckmann.de/proposal/. Kind regards, Simon Heckmann Am 29.04.2011 um 11:03 schrieb Simon Heckmann: Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmann si...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann
Re: [whatwg] Proposal for a web application descriptor
You may also want to look at the ideas being floated by Mozilla and others for installed web apps to request extra privileges. This is expected to lead to a new W3C Working Group within a few months from now, and I am hoping to see progress on being able to run the browser in a locked down mode that is more secure than is the default for web pages today (e.g. no eval, constrained innerHTML), and to then make a single request for a list of privileges: http://dougt.org/wordpress/2011/03/device-api-permission-management/ http://groups.google.com/group/mozilla-labs/browse_thread/thread/e592b27e54b7f857 http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html#capability Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information * white and black lists for well behaved and evil applications - which leads on to the role of trust delegation for improved usability and whether crowd based recommendations are practical We should think how to work together with Mozilla, Google and others on a joint proposal as this is likely to have greater chance of widespread adoption than doing something in isolation. On 29/04/11 13:00, Simon Heckmann wrote: Hello again, As requested I updated the proposal to contain screenshots from English browser versions now. You can always find the latest version on http://www.simonheckmann.de/download/Proposal.pdf. Additionally, I created an HTML version of the file which might come in handy for some readers: http://www.simonheckmann.de/proposal/. Kind regards, Simon Heckmann Am 29.04.2011 um 11:03 schrieb Simon Heckmann: Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmannsi...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann -- Dave Raggettd...@w3.org http://www.w3.org/People/Raggett
Re: [whatwg] INCLUDE and links with @rel=embed
On 4/28/11, Ian Hickson i...@hixie.ch wrote: On Thu, 28 Apr 2011, Bjartur Thorlacius wrote: All current UAs would understand the link (and most probably present it to the user). Inline presentation is an optional luxury: the important thing is getting the media across. I, for one, can't find any sign of source support in wget, and a few other non-mainstream UAs. Well for video fallback people are likely to use a as well, but I don't think it makes sense to force every source to be a link. Writing both source and a for every source seems like unnecessary duplication to me. The primary difference between the two is that the resource referenced by the former is to be displayed inline, but the resource referenced by the latter is to be accessible interactively. a style=content: url(attr(href)); href=/usr/videos/lolcatzFunny cats jumping around/a. Ok, this isn't valid CSS, but you get my thinking (I hope).
[whatwg] Fwd: Proposal for a web application descriptor
Oops I did it again !!! A direct Reply which did not include the whatgw list Thanx Simon for pointing it out, the direct response was not done intentionally ;-) So here my comments: Am 29.04.2011 um 11:34 schrieb Alexandre Morgaut: Hi Simon, The user interface proposal looks interesting. Please, think to turn your system into english for your screenshoots ;-) I'm just not sure it should be handled via an external xml file, but why not... Note that the XML format is actually used for sitemaps and rss feeds, openSearch descriptions, ... so it is still an option Other solutions could be: 1 - Robots.txt like file With a simpler syntax, as it has been chosen for the Offline cache manifest ex: LOCATION: on CAMERA: on MICROPHONE: on STORAGE: 100MB NOTIFICATIONS: on Of course, as Simon replied to me, robots.txt, the offline cache manifest, and this application manifest may even be merged 2 - Simple Meta elements Via multiple meta tags meta name=Permission content=location meta name=Permission content=storage; size=100MB meta name=Permission content=notifications Potentially grouped into a single meta tag meta name=Permission content=location, camera, storage; size=100MB, notifications 3 - HTTP headers with Meta http-equiv support Via multiple headers Webapp-Permission: location Webapp-Permission: storage; size=100MB Potentially grouped into a single header Webapp-Permission: location, camera, storage; size=100MB, notifications with the Meta element equivalent meta http-equiv=Webapp-Permission content=location, camera, storage; size=100MB, notifications 4 - and/or a JavaScript method window.requestPermissions( { location: true, storage: 10 } ); Alexandre Morgaut Product Manager 4D SAS 60, rue d'Alsace 92110 Clichy France Standard : +33 1 40 87 92 00 Email :alexandre.morg...@4d.com Web : www.4D.com
Re: [whatwg] navigation shouldn't abort if canceled
On Sun, 26 Dec 2010, Mike Wilson wrote: http://www.whatwg.org/specs/web-apps/current-work/#navigating-across-documents (as of December 26, 2010) | When a browsing context is navigated to a new resource, the | user agent must run the following steps: ... | 9. Abort the active document of the browsing context. ... | 11. Prompt to unload the Document object. If the user refused | to allow the document to be unloaded, then these steps | must be aborted. Might this be a bug? (It seems more consistent with other parts of the html5 spec, and with browsers, to do the abort after the user has allowed the document to unload.) These tests suggest that it's what WebKit does but isn't what Firefox does. I tried testing Opera and IE but other bugs prevented me from getting conclusive results from them. http://www.hixie.ch/tests/adhoc/html/navigation/beforeunload/005.html http://www.hixie.ch/tests/adhoc/html/navigation/interrupts/012.html On Tue, 1 Feb 2011, Mike Wilson wrote: Consequences of the current text are that resource fetches are canceled for a document when navigating away from it, even if the user then chooses to cancel the navigation at a beforeunload prompt and returns to the document. Fair point. Fixed. The spec now matches Firefox on this. On Wed, 2 Feb 2011, Boris Zbarsky wrote: On 2/2/11 3:22 PM, Michael Nordman wrote: That does sound like a bug? I'd be curious to know what the reasoning was for the existing sequence of steps. From what I can tell, current browser behavior. Step 10 looks out of place too... 10. If the new resource is to be handled using a mechanism that does not affect the browsing context, e.g. ignoring the navigation request altogether because the specified scheme is not one of the supported protocols, then abort these steps and proceed with that mechanism instead. Aborting the active document sounds like an undesirable side affect on the browsing context for mailto links. I suspect that again this is current browser behavior. Note that in some cases mailto: links will load a web page (and thus abort the document they were in). So it may be worthwhile to have them always abort it, for consistency. Maybe. I could change this back, but it doesn't seem like a huge issue. I mean, opening a link in a background tab doesn't stop a page loading, but opening the same link in the same tab does, which seems equivalent to this mailto: case. So consistency is never going to be perfect. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Proposal for a web application descriptor
Am 29.04.2011 um 16:47 schrieb Dave Raggett: You may also want to look at the ideas being floated by Mozilla and others for installed web apps to request extra privileges. This is expected to lead to a new W3C Working Group within a few months from now, and I am hoping to see progress on being able to run the browser in a locked down mode that is more secure than is the default for web pages today (e.g. no eval, constrained innerHTML), and to then make a single request for a list of privileges: http://dougt.org/wordpress/2011/03/device-api-permission-management/ http://groups.google.com/group/mozilla-labs/browse_thread/thread/e592b27e54b7f857 http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html#capability Thank you! I read through these articles and I like what they are proposing. I also think it is a good idea to tackle this with a joint proposal. While some of the suggestions made in the documents relate to querying the permission through javascript I still see room for my idea to ask for permissions on start-up. I am not yet sure if this all only holds true for super-applications, as even normal websites would want to access my camera or address book and therefore need permission. Anyway, I am looking forward to giving input to a larger scope proposal. Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information Well, this is what I thought of: The users visit a website they have never visited before. A notifications pops up allowing them to set all permissions required for this page. The users might not trust the site yet so they do not grant all permissions immediately. As the users continue to use the page, the web site could check the status of the permission using javascript and remind the user to rethink his permission settings: This site would like to access your camera to scan for a barcode. If you want to use this feature, please use the global permissions dialog to set them. * white and black lists for well behaved and evil applications - which leads on to the role of trust delegation for improved usability and whether crowd based recommendations are practical I agree! But in the end this is similar to desktop applications. It pretty much depends on the users which applications they run and which they do not trust. I think this is where web app stores might come into play. A central place where user can share their experience. We should think how to work together with Mozilla, Google and others on a joint proposal as this is likely to have greater chance of widespread adoption than doing something in isolation. Great idea! Is there another mailing list where this should be posted on? On 29/04/11 13:00, Simon Heckmann wrote: Hello again, As requested I updated the proposal to contain screenshots from English browser versions now. You can always find the latest version on http://www.simonheckmann.de/download/Proposal.pdf. Additionally, I created an HTML version of the file which might come in handy for some readers: http://www.simonheckmann.de/proposal/. Kind regards, Simon Heckmann Am 29.04.2011 um 11:03 schrieb Simon Heckmann: Fixed! Am 29.04.2011 um 10:52 schrieb Benjamin Hawkes-Lewis: On Fri, Apr 29, 2011 at 9:39 AM, Simon Heckmannsi...@simonheckmann.de wrote: I have written a short document covering my proposal: www.simonheckmann.de/download/Proposal.pdf (3 pages, ~200KB) I can't open this PDF in Preview. -- Benjamin Hawkes-Lewis Sorry for the inconveniences! I tried it in Acrobat and it worked flawlessly. I uploaded it again and it now displays in Preview as well. I hope this fixes it for you, too! Kind regards, Simon Heckmann -- Dave Raggettd...@w3.org http://www.w3.org/People/Raggett
Re: [whatwg] Form element invalid message
On Wed, 29 Dec 2010, Mounir Lamouri wrote: On 12/29/2010 07:41 AM, Ian Hickson wrote: One way to do this would be to make the invalid event implement an interface with a function like setCustomErrorMessage(in DOMString message). This string would then be displayed by the UA in its UI wherever it displays validation error messages. I actually think that the customerrormessage attribute that has been suggested is a decent solution too. It does mean that you have to do some trickery if you want to display different error messages for different types of errors, but nothing too bad. All you'd need to do is install an event handler for the invalid event, and in that handler do something like element.setAttribute(customerrormessage, myMessage); If you're setting an error message, what's wrong with setCustomValidity()? setCustomValidity() means this element is invalid for custom reasons and the argument is the error message. I think the use case of setCustomValidity() is *checking* something on oninput, onchange or other events and, if the condition is not fulfilled, call the method to make the element invalid. For example, two passwords fields have to be the same. The customerrormessage attribute would have different use cases. It would be when the element has known reasons to be invalid but when the author want to override the UA string. I see two reasons for that: 1. the element has very complex rules like: input type='email' name='username' required maxlength=100 pattern=[^@]*@company.com. It sounds hard for a UA to give one simple sentence for this situation but the author can try something like Please, enter your corporate email address (max 100 chars). That's why the title= attribute is used for the pattern message. 2. the author want a specific string to match the context of the website. For example, when you want to log on Foo website, the author might want to be sure you see Please enter you Foo ID. instead of a generic Please, fill this field. for input name='username' required Currently, Web sites rarely do more than simply focus the field and mark it in red or some such. Why would Please enter your Foo ID be so much better than Please fill this field or even just a big red arrow? The field presumably has a label right next to it, it's not like there's any ambiguity about what the user is going to need to type in there. For sure, you can use setCustomValidity() for both use cases but there is a small semantic difference and a bigger work to do. Using setCustomValidity() for these use cases would be a pain while using a customerrormessage attribute would be quite straightforward. I don't understand how such an attribute would work. Take input type=number for example, with an explicit min, max, step, etc. How would you know what value to put in the attribute? There are going to be different needs when the control's value is too low, too high, not aligned to a step, missing, etc. Do you have an example of how this attribute would be used in a non-trivial situation? On Wed, 29 Dec 2010, Jonas Sicking wrote: I should also mention that we have implemented such an attribute in Firefox 4 named x-moz-errormessage. We encourage authors to use this and provide feedback regarding it's usefulness. Do you know of any pages that use it? I would love to see this in the real world, it would help me understand the use case better. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Fwd: Proposal for a web application descriptor
As far as I am concerned, I am fine with all of these solutions. I was just thinking that an application descriptor could be extended over time with additional information and maybe even contain the files required for offline caching. Of course this could also be done the other way around and the offline cache manifest could be turned into a web application manifest containing all the information about the application. Maybe we could even include the robots.txt information into the manifest? Am 29.04.2011 um 17:33 schrieb Alexandre Morgaut: Oops I did it again !!! A direct Reply which did not include the whatgw list Thanx Simon for pointing it out, the direct response was not done intentionally ;-) So here my comments: Am 29.04.2011 um 11:34 schrieb Alexandre Morgaut: Hi Simon, The user interface proposal looks interesting. Please, think to turn your system into english for your screenshoots ;-) I'm just not sure it should be handled via an external xml file, but why not... Note that the XML format is actually used for sitemaps and rss feeds, openSearch descriptions, ... so it is still an option Other solutions could be: 1 - Robots.txt like file With a simpler syntax, as it has been chosen for the Offline cache manifest ex: LOCATION: on CAMERA: on MICROPHONE: on STORAGE: 100MB NOTIFICATIONS: on Of course, as Simon replied to me, robots.txt, the offline cache manifest, and this application manifest may even be merged 2 - Simple Meta elements Via multiple meta tags meta name=Permission content=location meta name=Permission content=storage; size=100MB meta name=Permission content=notifications Potentially grouped into a single meta tag meta name=Permission content=location, camera, storage; size=100MB, notifications 3 - HTTP headers with Meta http-equiv support Via multiple headers Webapp-Permission: location Webapp-Permission: storage; size=100MB Potentially grouped into a single header Webapp-Permission: location, camera, storage; size=100MB, notifications with the Meta element equivalent meta http-equiv=Webapp-Permission content=location, camera, storage; size=100MB, notifications 4 - and/or a JavaScript method window.requestPermissions( { location: true, storage: 10 } ); Alexandre Morgaut Product Manager 4D SAS 60, rue d'Alsace 92110 Clichy France Standard : +33 1 40 87 92 00 Email :alexandre.morg...@4d.com Web : www.4D.com
Re: [whatwg] Form element invalid message
On Fri, Apr 29, 2011 at 3:42 PM, Ian Hickson i...@hixie.ch wrote: On Wed, 29 Dec 2010, Mounir Lamouri wrote: On 12/29/2010 07:41 AM, Ian Hickson wrote: One way to do this would be to make the invalid event implement an interface with a function like setCustomErrorMessage(in DOMString message). This string would then be displayed by the UA in its UI wherever it displays validation error messages. I actually think that the customerrormessage attribute that has been suggested is a decent solution too. It does mean that you have to do some trickery if you want to display different error messages for different types of errors, but nothing too bad. All you'd need to do is install an event handler for the invalid event, and in that handler do something like element.setAttribute(customerrormessage, myMessage); If you're setting an error message, what's wrong with setCustomValidity()? setCustomValidity() means this element is invalid for custom reasons and the argument is the error message. I think the use case of setCustomValidity() is *checking* something on oninput, onchange or other events and, if the condition is not fulfilled, call the method to make the element invalid. For example, two passwords fields have to be the same. The customerrormessage attribute would have different use cases. It would be when the element has known reasons to be invalid but when the author want to override the UA string. I see two reasons for that: 1. the element has very complex rules like: input type='email' name='username' required maxlength=100 pattern=[^@]*@company.com. It sounds hard for a UA to give one simple sentence for this situation but the author can try something like Please, enter your corporate email address (max 100 chars). That's why the title= attribute is used for the pattern message. 2. the author want a specific string to match the context of the website. For example, when you want to log on Foo website, the author might want to be sure you see Please enter you Foo ID. instead of a generic Please, fill this field. for input name='username' required Currently, Web sites rarely do more than simply focus the field and mark it in red or some such. Why would Please enter your Foo ID be so much better than Please fill this field or even just a big red arrow? The field presumably has a label right next to it, it's not like there's any ambiguity about what the user is going to need to type in there. It's quite common for webpages to display an error message in red along with a red border or whatever. For example, if I go to www.google.com and click on the sign in link at the top, then without entering anything press the sign in button. At this point the page displays a error message in red that says Enter your email address. This is a better message than we as a browser could ever display. All we could know is that it's a required field and that it's an email address. We have no idea that it the users address that is requested. In general it makes a lot of sense to want to display a different message when the user has failed to enter a valid value in a field. Clearly the user failed to enter what was requested the first time, and so the context around the field was not enough for the user to enter what was requested. Hence a more detailed description is appropriate. For sure, you can use setCustomValidity() for both use cases but there is a small semantic difference and a bigger work to do. Using setCustomValidity() for these use cases would be a pain while using a customerrormessage attribute would be quite straightforward. I don't understand how such an attribute would work. Take input type=number for example, with an explicit min, max, step, etc. How would you know what value to put in the attribute? There are going to be different needs when the control's value is too low, too high, not aligned to a step, missing, etc. Consider the example above from googles login page. Here there are two possible errors: 1. The field is empty 2. The field doesn't contain an email address In both cases the message Enter your email address. seems appropriate. And it seems better than what we as a browser could generate. In general, it's often nice to provide the full set of constraints once the user has failed to enter what was requested. Consider markup like input type=number min=3 max=7. It's very frustrating for a user to enter the value 1 and be told The minimum allowed value is 3 and then once the user adjust it to 10 get the message 10 is too high. A much nicer experience is A number between 3 and 7 is required. In other words, often times a single static message which describes all constraints works, no matter what constraint the user has failed to fulfill. Certainly, this isn't always the case. But if you do want something more complex, you can always attach a oninvalid listeners which dynamically sets the attribute to something
Re: [whatwg] Mechanism to find available events
On Wed, 29 Dec 2010, Jorge wrote: On 29/12/2010, at 08:27, Ian Hickson wrote: On Mon, 20 Sep 2010, Biju wrote: We need HTMLNode.getSupportedEvents() == returns a text array of event names HTMLNode.isSupportedEvent(eventName) == returns true/false Many times in particular version of browser we dont know whether an HTMLNode/window support particular event. Or what are the alternate events available, so that we can refer some document or do some test to find how it can be used. So I wish we had above methods available. What do you mean by supports an event? You can dispatch any event you want to any event target. It's not you, it's whether *the*browser* dispatches it. Say, oncontextmenu : The code specified by this attribute is called when the associated element is right-clicked or when the mouse button is held down long enough to generate a contextual menu. How could your program detect, unequivocally, that the browser it's running in would dispatch an oncontextmenu when the element is right-clicked or when the mouse button is held down long enough to generate a contextual menu ? We need a mechanism to detect accurately the features of the browser our code's running in, without relying to UA sniffing madness. No such mechanism can exist without actually using the feature, because there's no way to guarantee that a browser will accurately report what it supports. Every time we've had such a feature (e.g. DOM hasFeature()) vendors have ended up returning inaccurate values. On Wed, 29 Dec 2010, Garrett Smith wrote: However, how can a program determine if a particular event is generated by the browser and fired at a particular object? The `(onhashchange in window)` test should theoretically work, but as mentioned, that isn't interoperable at this point. Neither is a mechanism to find out if an event is going to be fired. :-) Let's get what we have already got implemented correctly before adding new features that do more or less the same thing. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Exposing spelling/grammar suggestions in contentEditable
On Thu, 30 Dec 2010, Nils Dagsson Moskopp wrote: Ian Hickson i...@hixie.ch schrieb am Thu, 30 Dec 2010 01:47:51 + (UTC): I am skeptical about allowing Web pages decide what should be in the context menu. Adding things is ok, but removing things leads to a broken user experience. For example, as a user I frequently make use of view source, and I don't think it would be good for a page to be able to remove that feature. For the record, crippling context menus is in the wild already: Youtube has no “save to disk” (or any other of the standard options) on a HTML5 video, only „about HTML5“. Granted, but that doesn't mean we should make it worse. Better to remove such possibilities first (which is what menu is about enabling). On Wed, 29 Dec 2010, Glenn Maynard wrote: One possible UI: pushing options into a separate menu block. For example, XP's start menu does this; less-used items are hidden until you click an arrow at the bottom of the list to expand the full menu. This would allow sites to set up their own context menu items without a lot of clutter, but disallow them from completely disabling the existing one. I'm not sure whether pages hinting whether to do this would be meaningful, since context menu presentation varies wildly and the desired hint may be different for each browser. This may be better left to browser extensions. This is one of the possible ways to implement menu/contextmenu=. I look forward to implementation experience for these features to guide future work along these lines. -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Proposal for a web application descriptor
On Fri, Apr 29, 2011 at 6:40 PM, Simon Heckmann si...@simonheckmann.dewrote: Some challenges include: * how to justify the request to the user being asked to grant the privileges starting with a text string and a link to more information Well, this is what I thought of: The users visit a website they have never visited before. A notifications pops up allowing them to set all permissions required for this page. The users might not trust the site yet so they do not grant all permissions immediately. There's a more common issue: when you ask me for a bunch of permissions at once, I don't know why you want them. This happens constantly with Android apps: you install a simple notepad or clock app, and it'll ask for Internet access and the ability to make phone calls, and you don't know why. This is why--in general--I like the model so far: the user is asked for permission in response to actually doing something that uses a feature. In the notepad app, you're asked for permission to access the internet when you select sync notes to your desktop PC; it's immediately obvious why it's asking for it. (That's an Android example, of course, not a web app example.) Hopefully the ultimate solution will deal with both, allowing UAs the option of asking all at once or on-demand, depending on the situation. (Some permissions inherently have to be asked in advance, like Web Notifications, which doesn't happen in response to a user action.) -- Glenn Maynard
Re: [whatwg] Mechanism to find available events
On 4/29/11, Ian Hickson i...@hixie.ch wrote: [...] We need a mechanism to detect accurately the features of the browser our code's running in, without relying to UA sniffing madness. No such mechanism can exist without actually using the feature, because there's no way to guarantee that a browser will accurately report what it supports. Every time we've had such a feature (e.g. DOM hasFeature()) vendors have ended up returning inaccurate values. Is it possible to design something better than hasFeature? Method hasFeature can be expected to have the problems it has because it is not related to any specific object (Node, window, document). As such, this method requires the implementation (browser) to make an unreasonable generalization. Requiring the unreasonable is unreasonable. If instead, there were a method designed to check the object in question, it could be specified to require the implementation also check that object's capabilities. I'm not suggesting unequivocal (e.g. right click triggers a context menu) -- that seems too much. I'm suggesting a more closely related inference check. Is a mechanism such as this possible? Why rule it out? On Wed, 29 Dec 2010, Garrett Smith wrote: However, how can a program determine if a particular event is generated by the browser and fired at a particular object? The `(onhashchange in window)` test should theoretically work, but as mentioned, that isn't interoperable at this point. Neither is a mechanism to find out if an event is going to be fired. :-) The *proposed* mechanism isn't interoperable -- is that what you're hinting at? New events are what will need to be detected. Just like contextmenu was not interoperable at one point. Now if, prior to that, there had been a mechanism to determine if contextmenu events, the developer would not know exactly under which circumstances that would occur, but he would at least be in a better position to judge than using existence inference? Let's get what we have already got implemented correctly before adding new features that do more or less the same thing. Already got what? -- Garrett