Re: Points of order on this WG

2009-06-24 Thread Ian Hickson
On Thu, 25 Jun 2009, Doug Schepers wrote: > On Jun 23, 2009, at 5:10 PM, Ian Hickson wrote: > > The Web Storage specification is someone dead-locked right now due to the > > lack of consensus on whether to use SQL or not. > > I don't buy this argument for an instant, and I'd be very surprised if

Re: Points of order on this WG

2009-06-24 Thread Doug Schepers
Hi, Arun- Arun Ranganathan wrote (on 6/25/09 1:38 AM): On Jun 23, 2009, at 5:10 PM, Ian Hickson wrote: The Web Storage specification is someone dead-locked right now due to the lack of consensus on whether to use SQL or not. This topic continues to be discussed in Mozilla newsgroups. Few a

Re: Points of order on this WG

2009-06-24 Thread Arun Ranganathan
Doug Schepers wrote: Hi, Nikunj- I think Mike was overly blunt, but essentially correct in his response, but I'd like to add a specific comment inline... Nikunj R. Mehta wrote (on 6/24/09 8:13 PM): On Jun 23, 2009, at 5:10 PM, Ian Hickson wrote: The Web Storage specification is someone dead

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 10:12 PM, Mark S. Miller wrote: > The server can sensibly wish to reveal a particular piece of information to > those parties that it thinks should be authorized to learn that information. > Without assuming your conclusion, why should the server wish to identify > those par

Re: Points of order on this WG

2009-06-24 Thread Doug Schepers
Hi, Nikunj- I think Mike was overly blunt, but essentially correct in his response, but I'd like to add a specific comment inline... Nikunj R. Mehta wrote (on 6/24/09 8:13 PM): On Jun 23, 2009, at 5:10 PM, Ian Hickson wrote: The Web Storage specification is someone dead-locked right now due

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:46 PM, Adam Barth wrote: > My understanding is that the CORS use of the Origin header is mostly > to protect the confidentiality of resources on the server. For > example, if (1) the server wishes to reveal a particular piece of > information to some origins but not to ot

RE: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adrian Bateman
> On Wednesday, June 24, 2009 8:25 PM, Mark S. Miller wrote: > On Wed, Jun 24, 2009 at 8:17 PM, Adrian Bateman > wrote: > On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: > > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren > wrote: > > > I cannot comment on behalf of Opera on this. I

Re: Do we need to rename the Origin header?

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 8:50 PM, Bil Corry wrote: > Continuing your example, if XHTML defines requests from as > privacy-sensitive, then the UA will have two different behaviors for > Sec-From, depending on if it's rendering HTML5 or XHTML? That's correct. Hopefully folks writing specs at the

Re: Do we need to rename the Origin header?

2009-06-24 Thread Bil Corry
Adam Barth wrote on 6/24/2009 8:58 PM: > On Wed, Jun 24, 2009 at 5:48 PM, Bil Corry wrote: >> Adam Barth wrote on 6/20/2009 6:25 PM: >>> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry wrote: I've lost track, is this still something being considered? >>> I should have an updated draft posted soon

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 8:42 PM, Bil Corry wrote: > As written, a conforming UA could choose to always send NULL for redirects, > which would be unfortunate. That's correct. > More concerning though, a conforming UA could choose to always send NULL for >*all* HTTP requests. That's correct. > 

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 6:39 PM, Mark S. Miller wrote: > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren wrote: > As is widely recognized, CSRF is a form of confused deputy attack > . From the beginning, > the diagnosis of the underlying pr

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Bil Corry
Adam Barth wrote on 6/24/2009 10:09 PM: > On Wed, Jun 24, 2009 at 5:42 PM, Bil Corry wrote: >> Adam Barth wrote on 6/24/2009 6:16 PM: >>> I've uploaded the latest draft just now: >>> >>> http://www.ietf.org/internet-drafts/draft-abarth-origin-01.txt >>> >>> The draft now uses a different header na

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:17 PM, Adrian Bateman wrote: > On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: > > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren > wrote: > > > I cannot comment on behalf of Opera on this. I can point out that > Safari 4 and Chrome 2 > > > ship with it an

Re: Points of order on this WG

2009-06-24 Thread Michael(tm) Smith
"Nikunj R. Mehta" , 2009-06-24 17:13 -0700: > I want to raise two formal points of order about the manner in which this WG > has operated, particularly in respect to Web Storage. > > 1. Charter > 2. Process > > Firstly, no one seriously responds to proposals about things that are > offic

RE: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adrian Bateman
On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren wrote: > > I cannot comment on behalf of Opera on this. I can point out that Safari 4 > > and Chrome 2 > > ship with it and that Firefox 3.5 will too. (No implementation will support >

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 5:42 PM, Bil Corry wrote: > Adam Barth wrote on 6/24/2009 6:16 PM: >> I've uploaded the latest draft just now: >> >> http://www.ietf.org/internet-drafts/draft-abarth-origin-01.txt >> >> The draft now uses a different header name to avoid conflicting with >> CORS and behaves

Re: 'scroll' and 'resize' events

2009-06-24 Thread Erik Arvidsson
On Wed, Jun 17, 2009 at 11:47, William Edney wrote: > Folks - > Not sure this is relevant, but I'm tracking/contributing to the following > two bugs around 'resize' events: > One for Mozilla: > https://bugzilla.mozilla.org/show_bug.cgi?id=227495 > and one for Webkit: > https://bugs.webkit.org/show_

Re: Do we need to rename the Origin header?

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 5:48 PM, Bil Corry wrote: > Adam Barth wrote on 6/20/2009 6:25 PM: >> On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry wrote: >>> I've lost track, is this still something being considered? >> >> I should have an updated draft posted soon. > > I'm not clear with the new draft if i

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 6:39 PM, Mark S. Miller wrote: > > [1] See for example the section on confused deputy in < > http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf>. I thought David Wagner's > Google techtalk explained "ambient authority" especially clearly Wagner's Google techtalk>. Tyler's "ACLs Do

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren wrote: > On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow > wrote: > >> 1. Please respond to at least this part of Henry's mail: >> >> [[ >> It appeared to us that a number of significant criticisms of the >> appropriateness of CORS have been

Re: Do we need to rename the Origin header?

2009-06-24 Thread Bil Corry
Adam Barth wrote on 6/20/2009 6:25 PM: > On Sat, Jun 20, 2009 at 12:57 PM, Bil Corry wrote: >> I've lost track, is this still something being considered? > > I should have an updated draft posted soon. I'm not clear with the new draft if it now allows Sec-From for same-origin GET requests, it s

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Bil Corry
Adam Barth wrote on 6/24/2009 6:16 PM: > On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking wrote: >> As for the "Origin" spec that Adam Barth is working on, I'm not sure >> that the last draft is published yet, but I believe that the idea is >> to append the full redirect chain in the Origin header.

Points of order on this WG

2009-06-24 Thread Nikunj R. Mehta
I want to raise two formal points of order about the manner in which this WG has operated, particularly in respect to Web Storage. 1. Charter 2. Process Firstly, no one seriously responds to proposals about things that are officially in the WG's charter. If there is inadequate interest, then

Re: dev.w3.org CVS access [was: Why I don't attend the weekly teleconference]

2009-06-24 Thread Nikunj R. Mehta

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking wrote: > As for the "Origin" spec that Adam Barth is working on, I'm not sure > that the last draft is published yet, but I believe that the idea is > to append the full redirect chain in the Origin header. (hence > possibly making it incompatible wit

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Bil Corry
Tyler Close wrote on 6/24/2009 4:26 PM: > On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking wrote: >> On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close wrote: >>> Hi Jonas, >>> >>> I'm just asking what Origin header behavior will be shipped in Firefox >>> 3.5. You've said redirects of preflighted request

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Maciej Stachowiak
On Jun 24, 2009, at 4:29 AM, Arthur Barstow wrote: Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Tyler Close
On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking wrote: > On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close wrote: >> Hi Jonas, >> >> I'm just asking what Origin header behavior will be shipped in Firefox >> 3.5. You've said redirects of preflighted requests aren't supported, >> so I'm wondering about th

RE: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adrian Bateman
On Wednesday, June 24, 2009 8:14 AM, Anne van Kesteren wrote: > To: Arthur Barstow; public-webapps; Henry Thompson > Subject: Re: [cors] TAG request concerning CORS & Next Step(s) > > On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow > wrote: > > 2. For those that have been active in defining th

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close wrote: > Hi Jonas, > > I'm just asking what Origin header behavior will be shipped in Firefox > 3.5. You've said redirects of preflighted requests aren't supported, > so I'm wondering about the non-preflighted requests. It will have the Origin header o

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Tyler Close
Hi Jonas, I'm just asking what Origin header behavior will be shipped in Firefox 3.5. You've said redirects of preflighted requests aren't supported, so I'm wondering about the non-preflighted requests. Another question, since Firefox doesn't support redirects of preflighted requests, what does i

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close wrote: > On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking wrote: >> Firefox 3.5 will be out in a matter of days (RC available already) and >> it supports the majority of CORS (everything but redirects of >> preflighted requests). > > What is the behavior

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
On Wed, Jun 24, 2009 at 10:22 AM, Henry S. Thompson wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Jonas Sicking writes: > >> As Anne pointed out, others have also deployed partial support. In >> fact, relatively speaking, CORS has seen an extraordinary amount of >> browser deployment

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Arun Ranganathan
Arthur Barstow wrote: Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant cri

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Tyler Close
On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking wrote: > Firefox 3.5 will be out in a matter of days (RC available already) and > it supports the majority of CORS (everything but redirects of > preflighted requests). What is the behavior of the Origin header on other kinds of redirects? For exampl

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Michael(tm) Smith
"Henry S. Thompson" , 2009-06-24 18:22 +0100: > Jonas Sicking writes: > > > As Anne pointed out, others have also deployed partial support. In > > fact, relatively speaking, CORS has seen an extraordinary amount of > > browser deployment already. > > One point of clarification: my (admittedly im

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Henry S. Thompson
Jonas Sicking writes: > As Anne pointed out, others have also deployed partial support. In > fact, relatively speaking, CORS has seen an extraordinary amount of > browser deployment already. One point of clarification: my (admittedly imperfect) under

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
First of all, I know of only one outstanding security issue, which is around redirects. If there are others, it would be great to get detailed feedback, we're not hard to reach :) > 2. For those that have been active in defining the CORS model and/or CORS > implementers - particularly Adam, Anne,

Re: [widgets] [preference element] question on the value attribute

2009-06-24 Thread Marcos Caceres
On Wed, Jun 24, 2009 at 6:20 PM, Scott Wilson wrote: > In practice, we've been serialising data into JSON and storing it in a > preference as text content whenever we've needed a preference value to > contain structured information. > > Having the content of the preference value as text content at

Re: [widgets] [preference element] question on the value attribute

2009-06-24 Thread Scott Wilson
In practice, we've been serialising data into JSON and storing it in a preference as text content whenever we've needed a preference value to contain structured information. Having the content of the preference value as text content at least makes it easier to know how to start de/serializi

Re: [widgets] [preference element] question on the value attribute

2009-06-24 Thread Robin Berjon
On Jun 24, 2009, at 14:16 , Jean-Claude Dufourd wrote: Robin Berjon a écrit : If by text content you mean actual text content, then there is no difference whatsoever between what can be stored in an attribute value and the text content (as per DOM 3 textContent) of an element — at least not

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Anne van Kesteren
On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow wrote: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant criticisms of the appropriateness of CORS have been submitted to the Working Group, from respected members of the Web Security co

Re: [widgets] Draft Agenda for 25 June 2009 Voice Conference

2009-06-24 Thread Marcos Caceres
Just a reminder that I'm still on vacation this week and have not had a chance to review many of the emails listed below. Personally, I would prefer if discussions about P&C were deferred till next week. I return to work this coming Monday. However, if the WG wants to discuss the emails, that's ok w

Re: Exit criteria Re: [selectors-api] Transitioning to CR

2009-06-24 Thread Lachlan Hunt
Charles McCathieNevile wrote: Actually, based on feedback on the list (thanks Maciej and Robin), and talking to Lachy, we are thinking that we should separate out the tests that *require* CSS 3 selectors, to make the test suite check implementation of the API, and then require at least two 100% c

Leaving WebApps (was RE: [widgets] Draft Agenda for 25 June 2009 Voice Conference)

2009-06-24 Thread Priestley, Mark, VF-Group
Hi Art, All, Due to a recent change of roles within Vodafone I will no longer be able to participate in the WebApps working group. I'd like to take this opportunity to wish the group success with the completion of the Widget family of specifications - it was great being part of it! All the

Exit criteria Re: [selectors-api] Transitioning to CR

2009-06-24 Thread Charles McCathieNevile
On Wed, 24 Jun 2009 14:58:17 +0200, Arthur Barstow wrote: Lachlan, On Jun 17, 2009, at 8:15 AM, ext Lachlan Hunt wrote: Hi, In order to complete the transition of Selectors API to CR, there were a number of things that needed to be done, following the call for consensus we had in April/

Re: [selectors-api] Transitioning to CR

2009-06-24 Thread Arthur Barstow
Lachlan, On Jun 17, 2009, at 8:15 AM, ext Lachlan Hunt wrote: Hi, In order to complete the transition of Selectors API to CR, there were a number of things that needed to be done, following the call for consensus we had in April/May. http://lists.w3.org/Archives/Public/public-webapps/2009Ap

[widgets] Draft Agenda for 25 June 2009 Voice Conference

2009-06-24 Thread Arthur Barstow
Below is the Draft agenda for the June 25 Widgets Voice Conference (VC). Inputs and discussion before the meeting on all of the agenda topics via public-webapps is encouraged (as it may result in a shortened meeting). Logistics: Time: 22:00 Tokyo; 16:00 Helsinki; 15:00 Paris; 14:00 Lond

Re: [widgets] [preference element] question on the value attribute

2009-06-24 Thread Jean-Claude Dufourd
Robin Berjon a écrit : If by text content you mean actual text content, then there is no difference whatsoever between what can be stored in an attribute value and the text content (as per DOM 3 textContent) of an element — at least not semantically. JCD: I think I agree with you Robin, but Mar

[cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Arthur Barstow
Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant criticisms of the appropr