Re: [whatwg] input type=password... restrict reading value from JS?

[Sean Connelly]

As a web developer, if I wanted access to the password, I would then avoid
using the input type=password field, and create my own field that reads
characters (perhaps via onkeyup), and fakes a password field visually.

I also think it's a bad idea to change the behavior of input
type=password because it will break websites that assumed they could read
the value.  Perhaps a website checks against a user's past 10 passwords to
see if they are using the same one, via XHR.  Or perhaps the entire login
process is XHR.  Who knows.

I think there is definite room for improvements in security when it comes to
input type=password, and I've also been trying to make it more secure by
designing some sort of client-side hashing.  But I don't think restricting
JavaScript from reading the value is a security benefit... in my opinion, it
would just be a hassle for developers who need to read the value, and force
them to use another means of password entry where they can read the value.

~Sean



On Sun, Jul 10, 2011 at 4:38 PM, Aryeh Gregor simetrical+...@gmail.comwrote:

 On Sun, Jul 10, 2011 at 4:08 AM, Alex Vincent ajvinc...@gmail.com wrote:
  This is just an idea.
 
  For the last 10+ years, password inputs have been accessible from
 scripts,
  with nary a complaint.  If I have this code:
 
   form action=javascript:void
 div
   input type=password id=pw
   button onclick=alert(document.getElementById('pw').value)Show
  password!/button
 /div
   /form
 
  I can extract the password by clicking on the button.  More to the point,
  with a XHR I can send that password somewhere it shouldn't go... (well,
 with
  cross-domain security code, maybe not, but that's not the point.)

 You can send it anyway by changing the action attribute on the form
 and calling submit().  So what attack scenario are you actually
 avoiding here?  You'd need a really strong security benefit for it to
 be possible to even contemplate breaking so many websites.

Re: [whatwg] input type=password... restrict reading value from JS?

[Tom O'Connor]

We would likely end up with some more of these lovely interfaces: 
https://online.westpac.com.au/


Try using that without a mouse and not going insane/grossly disclosing 
your input to anyone paying mild attention to your screen.


Tom

On 11/07/2011 23:29, Sean Connelly wrote:

As a web developer, if I wanted access to the password, I would then avoid
using theinput type=password  field, and create my own field that reads
characters (perhaps via onkeyup), and fakes a password field visually.

I also think it's a bad idea to change the behavior ofinput
type=password  because it will break websites that assumed they could read
the value.  Perhaps a website checks against a user's past 10 passwords to
see if they are using the same one, via XHR.  Or perhaps the entire login
process is XHR.  Who knows.

Re: [whatwg] Call for Clarification of the Menu Element Et Al.

[Bjartur Thorlacius]

Þann lau  9.júl 2011 04:29, skrifaði Hugh Guiney:

6.1 On that note, why is the spec enabling the use of unstyled spans
to achieve alternative rendering? Doesn't this give meaning (however
contextual) to an element that is supposed to be semantically neutral?

Can you think of any other uses for spans? Theoretically you could just 
want to identify text for later reference, but this need is better 
served by divs. If you want to reference a few words, you're probably 
better off quoting them (and citing a greater resource containing those 
words and context).

Re: [whatwg] input type=password... restrict reading value from JS?

[Bjartur Thorlacius]

Þann sun 10.júl 2011 08:08, skrifaði Alex Vincent:

/**
  * Check if a password field's value matches another.
  *
  * @param otherPassword Another password element.
  *
  * @throws Error if this.type != password
  * @throws Error if other.type != password
  *
  * @returns Boolean True if the fields match.
  */
boolean passwordEquals(in HTMLInputElement otherPassword);

I believe this to belong to CSS. User agents could either ask or require 
users to input error-prone and important fields twice, without 
submitting the same value twice. This could be the default rendering (in 
some UAs) for strong inputs (i.e. input descendants of strong). This 
has the potential benefit of allowing media-aware prefixes for locales 
where that makes sense (as in 'Retype Password' vs 'Confirm Password'). 
Note that the confirmation input in 
http://www.whatwg.org/specs/web-apps/current-work/multipage/common-input-element-attributes.html#the-required-attribute 
is optional.


!DOCTYPE html
titleRegister a FooBar account/title
form action=register method=POST
labelUsername   input name=user required/label
stronginput type=password name=pass required/strong
/form


/**
  * Check the strength of the password.
  *
  * @param type The type of check to execute.
  *
  * @returns 0 if dangerously low security
  * @returns 1 if soon-to-be-deprecated low security
  * @returns 2 if adequate security
  * @returns 3 if good security
  * @returns 4 if strong security
  * @returns 5 if entropy-death-of-the-universe security :-)
  */
unsigned octet passwordStrength(in DOMString type);

I don't think this is a good idea. Can't user-agents warn about insecure 
passwords without the help of author-supplied scripts?

Re: [whatwg] The blockquote element spec vs common quoting practices

[Bjartur Thorlacius]

On 7/8/11, Jeremy Keith jer...@adactio.com wrote:

Bjartur wrote:

Citation will most likely contain the cited resource (@cite), the title
of the cited resource (@title) and the date and optionally time of the
quote (@datetime?).


All three of which are invisible and so do not match the use cases that Oli
has outlined.

At least @title has a tooltip but the @cite attribute has proven to be a
complete disaster, unsupported by user agents and ignored by authors,

I'd like to reemphasize that:

*unsupported by user agents*
So you're saying that because attributes aren't rendered by default, 
user agents will ignore them and thus we should not use them? Why can't 
we fix UAs? Putting attribution inside blockquotes seems like a hack 
around lax support for attributes. That what's CSS is for.




precisely because it is *hidden* metadata.
http://www.well.com/~doctorow/metacrap.htm
Yes, people lie. Unless you're arguing that using attribute syntax will 
encourage misquoting, I'll regard this article as interesting, 
correcting and unrelated. The article argues against searching for 
information in uncensored repositories of structured data prone to 
spamming, not typing footerasdf/footer instead of title=asdf.



So I think that we can learn from the history of the @cite attribute in that
it shows us how *not* to do it.


But is it really possible to mark such citations up without presentational
elements?


I'm not sure I understand the question. Do you mean presentational as in
not conveying semantics or presentational as in visible?

Not conveying semantics. I'm not arguing against rendering attribution. 
On the contrary, IMO user agents should render at least the title of the 
cited resource. Interactive user agents should additionally make the 
cited resource available in manner similar to how they present other 
hyperlinked resources. Additionally user agents with superfluous screen 
space may render the datetime. Handheld renderings should of course not 
display the datetime without user interaction, but reserve the screen 
estate for more critical information, such as the quotation itself.


It's simply a question of
blockquote
Lorem ipsum
footer
a href=kennitala:2112952019 title=Bjartur ThorlaciusBjartur/a
on time datetime=1997-4-2the second April, 1997/time
/footer
/blockquote
vs
blockquote title=Bjartur Thorlacius datetime=1997-4-2 
cite=kennitala:2112952019

Lorem ipsum
/blockquote

Re: [whatwg] Call for Clarification of the Menu Element Et Al.

[Tab Atkins Jr.]

On Fri, Jul 8, 2011 at 9:29 PM, Hugh Guiney hugh.gui...@gmail.com wrote:
 Hey All,

 I was in the process of coding a prototype for a site I'm working on
 when I decided that certain nav's should actually be menu's.

 While the basic concept is apparent, unfortunately, with zero browser
 implementation at this time, it is impossible to actually know what my
 markup is doing (or rather, would do).

Really, since there are no browser implementations yet, it's best to
*not* use it yet.  Without any feedback in the form of actually seeing
it work, there's a good chance you'll accidentally get it wrong.  As
well, your early use of it counts as legacy usage if we decide that,
upon attempting to implement it, it needs to be changed.

I'll go ahead and answer the rest of your email as if you were
speaking from a hypothetical position, but take what I said into
account.  Using something pre-implementation doesn't help you, and it
has a chance of hurting the feature in the future.


 So I looked to the spec for guidance, but ultimately it leaves me very
 confused. These are some points I feel could be addressed, in no
 particular order:


 1. How does one know whether to wrap a nested menu in li or leave it
 as a direct child element? Are these semantically-equivalent coding
 styles or is there a difference?

 1.1. When marking up a menu specifically with *multiple* menu items,
 is menu/li the only way to do it or would menu/menu also be
 appropriate?

 2. What is the difference between a menu containing command elements
 and a menu containing form controls? Do they merely favor future and
 legacy UAs respectively?

Mostly, yes, though in some cases using form elements lets you define
certain types of commands more easily.  For example, you can use
select to define a group of type=radio commands more easily/tersely
than if you used input type=radio name=foo or command type=radio
radiogroup=foo:


 3. The spec should provide examples demonstrating when it is better to
 use context vs. toolbar vs. list, as these are very similar in
 concept. I could easily see them being misappropriated.

context is meant for right-click menus, hooked to an element by
specifying the @contextmenu attribute on an element and pointing it to
the menu.  Note that the default CSS of a menu type=context is
display:none.

I don't really understand the difference between toolbar and list.


 4. In the first example, what renders the button UI? Is it
 menu[@type=toolbar]/li, or li/menu? Or is it implied CSS?

Implied CSS or UA magic.


 4.1. Furthermore, should this example even depict a button UI, given
 that most graphical interfaces display top-level toolbars as
 text/icons against a [mostly] solid background Were a UA to render the
 example as demonstrated, would designers not have to style away the
 button appearance in order to achieve a look  feel that matches user
 expectation?

 Obviously, this would not be the case in secondary (or n-ary)
 toolbars, for instance as in word processors, where everything below
 the initial row are usually buttons. Could there be a way, then,
 whether in markup or CSS, to denote whether a toolbar is displayed as
 a primary/top-level toolbar or not?

This is something that'll be worked out as browsers actually implement things.


 5. Provide more/graphical/clearer examples, to aid both browser
 vendors in deciding how to implement the elements, and authors in
 having an idea of what result they can expect from using them. The NPC
 form, for instance, does not say exactly what it is or does, nor does
 it represent a common UI convention. The only thing I can think of
 that comes close is Spotlight in OS X (if I'm interpreting it
 correctly), which I don't think I've ever seen in a [presumed] game
 before.

Patches welcome.  ^_^  Any suggested examples?


 6. How is the command element rendered within a menu context when
 JavaScript is disabled? Is it meant only for non-essential actions? If
 it isn't, shouldn't it be able to be non-empty, so it can fallback to
 links or buttons? Or is the only possible fallback replicating every
 command with form controls that aren't direct children of the parent
 menu?

If you're designing something to be a context menu, it likely won't
work at all without Javascript.  You'd need a significantly different
UI.


 6.1 On that note, why is the spec enabling the use of unstyled spans
 to achieve alternative rendering? Doesn't this give meaning (however
 contextual) to an element that is supposed to be semantically neutral?

Slightly.  I don't think it's a big deal, but shrug.  Note that *any*
element would work there to hide the submit button from the build a
menu algorithm.


 7. Is the menu element always to be rendered in-page or could it be
 displayed within the OS itself? Kroc Camen
 (suggests)[http://camendesign.com/blog/stop_this_madness] the latter
 but at present there is nothing in the spec about such an
 implementation. If this is left up to the UA how will 

Re: [whatwg] input type=password... restrict reading value from JS?

[Tab Atkins Jr.]

On Sun, Jul 10, 2011 at 3:44 AM, Alex Vincent ajvinc...@gmail.com wrote:
 On Sun, Jul 10, 2011 at 3:21 AM, Michal Zalewski lcam...@coredump.cxwrote:
  For the last 10+ years, password inputs have been accessible from
 scripts,
  with nary a complaint.  If I have this code:

 Unfortunately, the problem is not that easy to fix: denying access to
 the field does not prevent the attacker from changing the form
 submission URL after autocompletion to achieve the same...


 Or even simpler, changing the type attribute to something like hidden for
 an instant.

 I hate it when I don't think things through.

To be fair, we already protect input type=file from vaguely similar
type-changing attacks.  (You can't make an input type=text, fill it
with a filename as the value, then switch to type=file and submit it
to steal files from the user.)

However, as noted, doing this wouldn't help in any way.  The script
can redirect the form submission, or just swap out the input entirely
for an input type=text that they manually intercept clicks on and
insert * for each keypress (or more deviously, set the font-family for
the text input to a font where every glyph is an asterisk, and then
just read out the value normally).

~TJ

Re: [whatwg] input type=password... restrict reading value from JS?

[Aryeh Gregor]

On Mon, Jul 11, 2011 at 9:29 AM, Sean Connelly s...@pbwhere.com wrote:
 As a web developer, if I wanted access to the password, I would then avoid
 using the input type=password field, and create my own field that reads
 characters (perhaps via onkeyup), and fakes a password field visually.

Then browsers wouldn't autofill it, which would defeat the nastiest
attack here (stealing passwords without user intervention).  But as
noted, you can always submit the form, so it really doesn't help that
much anyway.

[whatwg] Proposal for a MediaSource API that allows sending media data to a HTMLMediaElement

[Aaron Colwell]

Hi,

Based on comments in the File API Streaming
Blobshttp://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-January/029973.html
thread and
my Extending HTML 5 video for adaptive
streaminghttp://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-June/032277.html
thread,
I decided on taking a stab at writing a MediaSource API
spechttp://html5-mediasource-api.googlecode.com/svn/trunk/draft-spec/mediasource-draft-spec.html
for
streaming data to a media tag.

Please take a look at the
spechttp://html5-mediasource-api.googlecode.com/svn/trunk/draft-spec/mediasource-draft-spec.htmland
provide some feedback.

I've tried to start with the simplest thing that would work and hope to
expand from there if need be. For now, I'm intentionally not trying to solve
the generic streaming file case because I believe there might be media
specific requirements around handling seeking especially if we intend to
support non-packetized media streams like WAV.

If the feedback is generally positive on this approach, I'll start working
on patches for WebKit  Chrome so people can experiment with an actual
implementation.

Thanks,
Aaron

Re: [whatwg] Timing API proposal for measuring intervals

[Chris Rogers]

On Fri, Jul 8, 2011 at 4:37 PM, Robert O'Callahan rob...@ocallahan.orgwrote:

 , On Fri, Jul 8, 2011 at 2:54 PM, James Robinson jam...@google.com
 wrote:

  On Thu, Jul 7, 2011 at 7:36 PM, Robert O'Callahan rob...@ocallahan.org
 wrote:
 
 
  Using this value as a clock for media synchronization sounds appealing
 but
  is complicated by audio clock drift. When you play N seconds of audio,
 it
  might take slightly more or less time to actually play, so it's hard to
 keep
  media times perfectly in sync with another timing source. Just something
 to
  keep in mind.
 
 
  True.  On OS X, however, the CoreVideo and CoreAudio APIs are specified
 to
  use a unified time base (see
 
 http://developer.apple.com/library/ios/#documentation/QuartzCore/Reference/CVTimeRef/Reference/reference.html
 )
  so if we do end up with APIs saying play this sound at time X, like
 Chris
  Roger's proposed Web Audio API provides, it'll be really handy if we have
 a
  unified timescale for everyone to refer to.
 

 Is that unified time base in sync with the system clock, and how accurate
 is
 it? I'm concerned about the possibility that it's not feasible to keep the
 audio hardware clock in sync with the system clock, at least on some
 platforms. In that case, we probably need to keep media playback and
 animations in sync with the audio hardware clock, and we could even expose
 that via some DOM API, but you might not want to use the same clock for
 other purposes, such general performance timing for example ... I've heard
 the audio clock drift is often significant.

 I'm not sure if this is a real problem or not, I just want to make sure.

 Rob


Hi Robert, I think the clock that James is proposing is effectively the
system clock (such as mach_absolute_time() or QueryPerformanceCounter()).  I
completely agree with your concerns about clock drift of this type of clock
with the audio hardware clock, since they're almost always running off
different crystals.  That said, I still think it's useful to have a
high-resolution system clock which is monotonically increasing.  On Mac OS X
the mach_absolute_time() system clock is used extensively in the media APIs,
CoreVideo, CoreAudio, CoreMIDI, etc. to synchronize events according to a
common time base:

CoreAudio:
http://developer.apple.com/library/mac/#documentation/MusicAudio/Reference/CoreAudioDataTypesRef/Reference/reference.html#//apple_ref/c/tdef/AudioTimeStamp

CoreVideo:
http://developer.apple.com/library/ios/#documentation/QuartzCore/Reference/CVTimeRef/Reference/reference.html

CoreMIDI ( see MIDITimeStamp: A host clock time   typedef UInt64
MIDITimeStamp; )
http://developer.apple.com/library/ios/#documentation/CoreMidi/Reference/MIDIServices_Reference/Reference/reference.html#//apple_ref/doc/uid/TP40010316

mach_absolute_time():
http://developer.apple.com/library/mac/#qa/qa1398/_index.html

In the CoreAudio case, the AudioTimeStamp contains *both* the host-time
(system clock) and the sample time (based on audio hardware).  This creates
a relationship between the two clocks.  As an example of how these two
clocks can be used together for synchronization, audio applications use the
high-resolution timestamp of incoming MIDI messages to schedule audio
synthesis to happen with very low jitter by doing sample-accurate scheduling
when rendering the audio stream.

Because of clock-drift, the system clock that James is proposing cannot
*directly* be the same clock as what I'm proposing in the Web Audio API
AudioContext .currentTime attribute.  But there are ways to translate
between the two in very useful ways.

I would be in favor of introducing a monotonically increasing
high-resolution system clock such as James is proposing, as long as we keep
in mind some of these subtleties.

Chris

Re: [whatwg] Proposal for a MediaSource API that allows sending media data to a HTMLMediaElement

[Robert O'Callahan]

It seems to me that the spec is written assuming only one media element is
consuming the MediaSource. But nothing stops multiple elements consuming the
same URL simultaneously. Maybe instead of going through a URL you should add
API directly to media elements.

bytesAvailable is for flow control? Instead of doing it this way, I would
follow WebSockets and use a bufferedAmount attribute to indicate how much
data is currently buffered up. That makes it easy for authors who don't want
to care about flow control to just append stuff without encountering errors,
while still allowing authors who care about flow control to do it.

Rob
-- 
If we claim to be without sin, we deceive ourselves and the truth is not in
us. If we confess our sins, he is faithful and just and will forgive us our
sins and purify us from all unrighteousness. If we claim we have not sinned,
we make him out to be a liar and his word is not in us. [1 John 1:8-10]

Re: [whatwg] Timing API proposal for measuring intervals

[Robert O'Callahan]

On Tue, Jul 12, 2011 at 7:23 AM, Chris Rogers crog...@google.com wrote:

 In the CoreAudio case, the AudioTimeStamp contains *both* the host-time
 (system clock) and the sample time (based on audio hardware).  This creates
 a relationship between the two clocks.  As an example of how these two
 clocks can be used together for synchronization, audio applications use the
 high-resolution timestamp of incoming MIDI messages to schedule audio
 synthesis to happen with very low jitter by doing sample-accurate scheduling
 when rendering the audio stream.

 Because of clock-drift, the system clock that James is proposing cannot
 *directly* be the same clock as what I'm proposing in the Web Audio API
 AudioContext .currentTime attribute.  But there are ways to translate
 between the two in very useful ways.


Thanks Chris, I thought you'd know the answer :-).

Suppose we wanted to sync animation (either scripted animation or CSS
animation) to audio. We'd want them to use the audio clock, right?

Rob
-- 
If we claim to be without sin, we deceive ourselves and the truth is not in
us. If we confess our sins, he is faithful and just and will forgive us our
sins and purify us from all unrighteousness. If we claim we have not sinned,
we make him out to be a liar and his word is not in us. [1 John 1:8-10]

Re: [whatwg] Timing API proposal for measuring intervals

[Glenn Maynard]

On Mon, Jul 11, 2011 at 8:57 PM, Robert O'Callahan rob...@ocallahan.orgwrote:

 Suppose we wanted to sync animation (either scripted animation or CSS
 animation) to audio. We'd want them to use the audio clock, right?


For that you need the play cursor of the actual audio sample you're
synchronizing against, which is typically not strongly tied to the
associated hardware audio clock.  For example, audio underruns may change
their alignment.

-- 
Glenn Maynard

[whatwg] RTC API Proposal

[Anant Narayanan]

Hi,

Mozilla and Cisco have been working on an API for real time 
communication, which we sent out today to the W3C WebRTC working group 
(http://lists.w3.org/Archives/Public/public-webrtc/2011Jul/0010.html). 
It builds on both the WHATWG RTC proposal by Ian Hickson as well as the 
MediaStream Processing API by Robert O'Callahan.


There are few differences though, and they are presented at:
http://lists.w3.org/Archives/Public/public-webrtc/2011Jul/0012.html

The proposal itself lives at:
https://github.com/mozilla/rainbow/wiki/RTC_API_Proposal

There is some discussion going on about the proposal on the W3C list but 
we would love to hear your feedback.


Thanks,
-Anant

Re: [whatwg] Timing API proposal for measuring intervals

[Robert O'Callahan]

On Tue, Jul 12, 2011 at 1:02 PM, Glenn Maynard gl...@zewt.org wrote:

 On Mon, Jul 11, 2011 at 8:57 PM, Robert O'Callahan 
 rob...@ocallahan.orgwrote:

 Suppose we wanted to sync animation (either scripted animation or CSS
 animation) to audio. We'd want them to use the audio clock, right?


 For that you need the play cursor of the actual audio sample you're
 synchronizing against, which is typically not strongly tied to the
 associated hardware audio clock.  For example, audio underruns may change
 their alignment.


OK, but it's the audio clock with some adjustments, right? Definitely not
the system clock.

Rob
-- 
If we claim to be without sin, we deceive ourselves and the truth is not in
us. If we confess our sins, he is faithful and just and will forgive us our
sins and purify us from all unrighteousness. If we claim we have not sinned,
we make him out to be a liar and his word is not in us. [1 John 1:8-10]

Re: [whatwg] Timing API proposal for measuring intervals

[Glenn Maynard]

On Mon, Jul 11, 2011 at 10:35 PM, Robert O'Callahan rob...@ocallahan.orgwrote:

 On Tue, Jul 12, 2011 at 1:02 PM, Glenn Maynard gl...@zewt.org wrote:

 On Mon, Jul 11, 2011 at 8:57 PM, Robert O'Callahan 
 rob...@ocallahan.orgwrote:

 Suppose we wanted to sync animation (either scripted animation or CSS
 animation) to audio. We'd want them to use the audio clock, right?


 For that you need the play cursor of the actual audio sample you're
 synchronizing against, which is typically not strongly tied to the
 associated hardware audio clock.  For example, audio underruns may change
 their alignment.


 OK, but it's the audio clock with some adjustments, right? Definitely not
 the system clock.


Right.

-- 
Glenn Maynard

Re: [whatwg] RTC API Proposal

[Jonas Sicking]

On Mon, Jul 11, 2011 at 7:01 PM, Anant Narayanan an...@mozilla.com wrote:
 Hi,

 Mozilla and Cisco have been working on an API for real time communication,
 which we sent out today to the W3C WebRTC working group
 (http://lists.w3.org/Archives/Public/public-webrtc/2011Jul/0010.html). It
 builds on both the WHATWG RTC proposal by Ian Hickson as well as the
 MediaStream Processing API by Robert O'Callahan.

 There are few differences though, and they are presented at:
 http://lists.w3.org/Archives/Public/public-webrtc/2011Jul/0012.html

 The proposal itself lives at:
 https://github.com/mozilla/rainbow/wiki/RTC_API_Proposal

 There is some discussion going on about the proposal on the W3C list but we
 would love to hear your feedback.

Some minor nits:

 constructor PeerListener(DOMString config, optional DOMString 
 negotiationServerURN)
 interface PeerListener {
 void listen();
 attribute Function onIncoming;
 };
 Window implements PeerListener;

The WebIDL syntax here is a bit wrong, I suspect you're looking for
something like:

[Constructor(in DOMString config, in optional DOMString negotiationServerURN)]
interface PeerListener {
void listen();
attribute Function onIncoming;
};
Window implements PeerListener;

You probably don't mean the last implements line. That line
currently says that Windows *are* PerrListeners. I.e. that you can do
window.listen() and window.onIncoming = function() { ... }, which is
likely not what you want. Simply remove the line as declaring the
constructor should be enough.

To keep consistent with all other onfoo listeners, you should use all
lowercase name: onincoming.

It seems like you are saying that the function assigned to onincoming
receives a Connection object as its first argument. However generally
onfoo attributes are EventListeners and so always receives an Event
object as its first and only argument. If your intent is to be
consistent with other onfoo attributes you should instead create a
PeerListenerEvent object which inherits Event and makes the Connection
available as a property on it. You should also make PeerListener an
EventTarget.

In the example where you create a PeerListener, it appears that you're
only passing the second negotiationServerURN argument
(stun:foobar.net:3476). But the constructor above says that the
first argument is a config string, and that it's not optional. I'm
in particular curious what the syntax for the config string is, and if
it would be better done as a Dictionary. Would love to see some
examples.

In the example you also create a PeerConnection object using |new
PeerConnection(stun:foobar.net:3476, sendToB);|. However the
interface declaration for PeerListener does not include a constructor.
I'm trying to figure out how the sendToB and gotFromB functions work
in the Simple Video Call example, but it the lack of description for
the PeerListener constructor is preventing that. It also seems like
the gotFromB is unused which I assume is a bug in the example.

/ Jonas