Re: Intent to ship: CSS subgrid

2019-10-23 Thread Ashley Gullen
On a practical point as a web developer, in this case CSS subgrid is a part of the wider CSS grid feature. It seems odd to make parts of the CSS grid feature available in insecure contexts while other parts (subgrid) are unavailable. I would argue this decision should have been made for the CSS gri

Re: Intent to ship: CSS subgrid

2019-10-22 Thread James Graham
On 22/10/2019 00:07, L. David Baron wrote: On Monday 2019-10-21 16:01 -0500, Mike Taylor wrote: Hi David, On 10/21/19 7:22 AM, L. David Baron wrote: (That we haven't applied the policy that much because we've granted exceptions because other browsers have shipped the features reduces the effec

Re: Intent to ship: CSS subgrid

2019-10-21 Thread L. David Baron
On Monday 2019-10-21 16:01 -0500, Mike Taylor wrote: > Hi David, > > On 10/21/19 7:22 AM, L. David Baron wrote: > > (That we haven't applied the policy that much because we've granted > > exceptions because other browsers have shipped the features reduces > > the effectiveness of the policy and it

Re: Intent to ship: CSS subgrid

2019-10-21 Thread Mike Taylor
Hi David, On 10/21/19 7:22 AM, L. David Baron wrote: (That we haven't applied the policy that much because we've granted exceptions because other browsers have shipped the features reduces the effectiveness of the policy and its ability to meet its goals. This is the sort of policy that is most

Re: Intent to ship: CSS subgrid

2019-10-21 Thread L. David Baron
Catching up on this thread after being on vacation, so I'd like to reply to a few points. I think the intent of the policy about exposing new features only to secure contexts is that it should apply to CSS features. The purpose of the policy is to push web developers towards secure transports bec

Re: Intent to ship: CSS subgrid

2019-10-18 Thread Tantek Çelik
Agreed with clarification. Declarative text/css stylesheets not restricted. Imperative new APIs (like Houdini APIs) should be restricted to secure contexts by default. Thanks, Tantek On Fri, Oct 18, 2019 at 4:53 PM Daniel Veditz wrote: > > On Fri, Oct 18, 2019 at 4:27 PM Tantek Çelik wrote: >> >

Re: Intent to ship: CSS subgrid

2019-10-18 Thread Daniel Veditz
On Fri, Oct 18, 2019 at 4:27 PM Tantek Çelik wrote: > Based on your reasoning, and our consistent intent emails and shipping > behavior, I think we should consider updating the blog post on this > matter regarding all CSS features (cc: annevk), or posting a separate > update post accordingly, usi

Re: Intent to ship: CSS subgrid

2019-10-18 Thread Tantek Çelik
Thanks Dan. I concur with the priorities, impacts, and conclusions you've outlined. In practice I believe 100% of the CSS features we have shipped (Intent to Implement/Ship emails) in the past year+ have been exposed to insecure contexts. Based on your reasoning, and our consistent intent emails

Re: Intent to ship: CSS subgrid

2019-10-18 Thread Daniel Veditz
From my (personal) security-team perspective this is a fine pragmatic approach. Our overriding primary concern is whether exposing these new CSS features over insecure transport puts our users at additional risk. I don't see any meaningful privacy exposure here since these new features will be in

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Cameron McCormack
On Fri, Oct 18, 2019, at 9:31 AM, ikilpatr...@chromium.org wrote: > I'd argue that the color example is a "trivial" feature, unlike > subgrid. But the original framer of the policy would have a better > understanding of what that meant. > > FWIW most new CSS features are placed behind values/etc

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Emilio Cobos Álvarez
On 10/18/19 12:31 AM, ikilpatr...@chromium.org wrote: ::marker (which seems like it was only shipped recently) probably should have been restricted to secure contexts by this policy? FWIW (regardless of my opinion about the policy which I've stated on another post) Safari does ship ::marker s

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Mats Palmgren
On 10/18/19 12:31 AM, ikilpatr...@chromium.org wrote: Again "multiple display values" are probably in the "trivial" feature bucket (if that exists). FYI, those weren't just syntax changes - we also added layout support for 'inline list-item' and 'block ruby' for example, which I wouldn't call t

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Mats Palmgren
On 10/18/19 12:31 AM, ikilpatr...@chromium.org wrote: I think one interesting part here is that (from my knowledge) this policy actually hasn't been applied yet, due to the "other browsers shipping insecurely" exception. Do other vendors apply the same policy for new CSS features? For example,

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Emilio Cobos Álvarez
On 10/17/19 10:02 PM, ikilpatr...@chromium.org wrote: On Thursday, October 17, 2019 at 12:47:27 PM UTC-7, Mats Palmgren wrote: On 10/17/19 8:12 PM, ikilpatr...@chromium.org wrote: On Thursday, October 17, 2019 at 11:06:48 AM UTC-7, Mats Palmgren wrote: As far as I know, we never constrain new

Re: Intent to ship: CSS subgrid

2019-10-17 Thread ikilpatrick
On Thursday, October 17, 2019 at 3:15:49 PM UTC-7, Sean Voisen wrote: > On Thu, Oct 17, 2019 at 1:05 PM wrote: > > > > > These features (broadly speaking) are different however. According to the > > above policy: > > "Exceptions to requiring secure contexts" > > " - other browsers already ship th

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Sean Voisen
On Thu, Oct 17, 2019 at 1:05 PM wrote: > > These features (broadly speaking) are different however. According to the > above policy: > "Exceptions to requiring secure contexts" > " - other browsers already ship the feature insecurely" > > Most (all?) of the non-trivial features above have shipped

Re: Intent to ship: CSS subgrid

2019-10-17 Thread ikilpatrick
On Thursday, October 17, 2019 at 12:47:27 PM UTC-7, Mats Palmgren wrote: > On 10/17/19 8:12 PM, ikilpatr...@chromium.org wrote: > > On Thursday, October 17, 2019 at 11:06:48 AM UTC-7, Mats Palmgren > > wrote: > >> As far as I know, we never constrain new CSS features to secure > >> contexts. At lea

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Mats Palmgren
On 10/17/19 8:12 PM, ikilpatr...@chromium.org wrote: On Thursday, October 17, 2019 at 11:06:48 AM UTC-7, Mats Palmgren wrote: As far as I know, we never constrain new CSS features to secure contexts. At least not on the property/value level. According to https://blog.mozilla.org/security/2018/

Re: Intent to ship: CSS subgrid

2019-10-17 Thread ikilpatrick
On Thursday, October 17, 2019 at 11:06:48 AM UTC-7, Mats Palmgren wrote: > On 10/17/19 5:35 PM, ikilpatr...@chromium.org wrote: > > On Wednesday, October 16, 2019 at 11:14:02 AM UTC-7, Mats Palmgren > > wrote: > >> *Secure contexts:* N/A > > > > Replying as requested from: > > https://twitter.com/

Re: Intent to ship: CSS subgrid

2019-10-17 Thread Mats Palmgren
On 10/17/19 5:35 PM, ikilpatr...@chromium.org wrote: On Wednesday, October 16, 2019 at 11:14:02 AM UTC-7, Mats Palmgren wrote: *Secure contexts:* N/A Replying as requested from: https://twitter.com/ecbos_/status/1184690249324290048 Well, I just copy-pasted the email-template TYLin used in hi

Re: Intent to ship: CSS subgrid

2019-10-17 Thread ikilpatrick
On Wednesday, October 16, 2019 at 11:14:02 AM UTC-7, Mats Palmgren wrote: > I intend to enable CSS subgrid by default for v71. > > *Summary: * > The CSS Grid 2 subgrid feature allows nested grids to participate in the > sizing of their parent's tracks, on a per-axis basis. > > *Bug to turn on by