- # Session Start: Sun Feb 10 00:00:00 2008
- # Session Ident: #whatwg
- # [00:00] <kig> aah, perl html parser
- # [00:00] <kig> nm
- # [00:01] <gsnedders> kig: no, a perl parser that creates an OCaml HTML parser
- # [00:01] <gsnedders> (the perl parser uses regex to parse the HTML5 spec, IIRC)
- # [00:03] <Philip`> It's a Perl script that parses the HTML5 spec to generate an OCaml representation of the script, which can be executed directly in OCaml or can (soon) be compiled down into Perl code to implement an HTML5 parser (and also C++ and JS etc)
- # [00:03] <Philip`> s/of the script/of the parser algorithm/
- # [00:04] <Philip`> It's basically just http://lists.w3.org/Archives/Public/public-html/2007Jul/1103.html but for the tree construction stage too
- # [00:30] * Quits: Ketsuban (n=ketsuban@cpc2-oxfd8-0-0-cust335.oxfd.cable.ntl.com) ("all I want to do is be a full time online furry")
- # [00:32] * Joins: webben (n=benh@82.152.229.45)
- # [00:56] * Quits: psa (n=yomode@71.93.19.66) (Remote closed the connection)
- # [01:03] * Quits: virtuelv_ (n=virtuelv@ti132110a341-0704.bb.online.no) ("Leaving")
- # [01:11] <Philip`> Hmm, is html5.org dead?
- # [01:14] <Philip`> http://canvex.lazyilluminati.com/misc/insertion_modes.svg (red = error transition; blue = non-error reprocess-as-if transition; black = non-error permanent transition)
- # [01:14] <Philip`> with only a small number of known bugs in there
- # [01:14] <Hixie> i love anne's comment on <canvas>:
- # [01:15] <Hixie> "The section should be more clear what it means by image. ..."
- # [01:15] <Hixie> which section?
- # [01:15] <Hixie> that's how the e-mail starts. which fricking section???
- # [01:15] <Philip`> The canvas section? :-)
- # [01:16] <Hixie> that doesn't help much :-P
- # [01:16] <Hixie> maybe he means 3.14.11.3. Security with canvas elements
- # [01:16] <Hixie> i think i must have fixed this comment already
- # [01:18] <Hixie> maybe he means the origin section itself?
- # [01:19] <Philip`> (Aha, html5.org is back, hence http://philip.html5.org/misc/insertion-modes.svg )
- # [01:20] <Hixie> safari fails at that image.
- # [01:20] <Hixie> what's red?
- # [01:20] <Hixie> parse error?
- # [01:20] <Hixie> how about blue?
- # [01:20] <Philip`> red = error transition; blue = non-error reprocess-as-if transition; black = non-error permanent transition
- # [01:21] <Hixie> brb, intermission shift.
- # [01:34] * Joins: jgraham (n=james@81-86-208-197.dsl.pipex.com)
- # [01:38] * Quits: jgraham (n=james@81-86-208-197.dsl.pipex.com) (Client Quit)
- # [01:39] * Joins: tantek (n=tantek@pool-71-105-213-62.lsanca.dsl-w.verizon.net)
- # [01:40] <Hixie> Philip`: cool
- # [01:41] <Hixie> Philip`: looks like you have some missing. e.g. EOF in a number of the main phase cases
- # [01:41] <Hixie> in fact _BeforeHead has only one exiting arrow
- # [01:41] <Hixie> which seems unlikely
- # [01:42] <Philip`> EOF doesn't explicitly transition to any insertion mode, which is why it isn't shown
- # [01:42] <Hixie> ah ok
- # [01:43] <Philip`> It might do transitions while generating implied end tags, but those will be a subset of the transitions that are already shown
- # [01:43] <Hixie> the transitions for a single character "X" seem wrong
- # [01:43] <Hixie> initial phase -> root element -> _beforehead -> ?
- # [01:44] <Philip`> ...and it might do transitions when acting as if there were new start/end tags
- # [01:44] <Hixie> aaah
- # [01:44] <Hixie> you should show those too :-)
- # [01:45] <Philip`> In BeforeHead it does some internal magic (like pretending there's a <head>) and then performs the only possible transition to InHead
- # [01:46] <Hixie> makes sense
- # [01:46] <Philip`> Duplicate the "Start tag [head]" arrow and call it "Character not [...]" etc for each act-as-if-a-start-tag-named-head bit?
- # [01:48] <Hixie> or just put an asterisk next to the transitions that happen due to other cases
- # [01:48] <Hixie> labelled "* Also happens due to other tokens" or something
- # [01:48] <Hixie> or "* May be implied"
- # [01:49] * Joins: othermaciej (n=mjs@mbc0f36d0.tmodns.net)
- # [01:52] <Philip`> http://philip.html5.org/misc/insertion-modes-2.svg handles act-as-if-start-tag
- # [01:54] <Philip`> Hmm, stack overflow if I try it with end tags
- # [01:57] <Philip`> ...because </p> can create a <p>, and <p> can create a </p>
- # [01:57] <Philip`> (in body)
- # [01:59] <Hixie> heh
- # [02:07] <Philip`> http://philip.html5.org/misc/insertion-modes-3.svg handles act-as-if-(start|end)-tag
- # [02:07] <Philip`> and is getting a little ugly :-(
- # [02:08] <Philip`> (It's intentional that <noscript> isn't handled, because I haven't translated that bit yet)
- # [02:09] * Quits: MacDome (n=eric@c-69-181-78-198.hsd1.ca.comcast.net)
- # [02:09] <Hixie> i think my asterisk idea wins :-P
- # [02:10] <Hixie> found any errors in the spec yet? :-D
- # [02:10] <othermaciej> so the "please don't dereference these http URIs" post from the w3c made it to reddit
- # [02:10] <Philip`> If I added asterisks, I'd have to add some way to delete duplicates, and that would require lines of code :-(
- # [02:10] <othermaciej> I am amazed how many people support the concept of using http URIs as opaque identifiers not meant to be dereferenced
- # [02:10] <Hixie> i think we clearly should learn from this that using URIs for things that are opaque identifiers not meant to be dereferenced is dumb
- # [02:10] <othermaciej> barely a moment's thought given to whether that might be a dumb idea in the first place
- # [02:11] <Hixie> Philip`: heh
- # [02:12] <Philip`> You can just look at http://philip.html5.org/misc/insertion-modes.svg and imagine a "..., or may be implied" beside each transition
- # [02:15] <Philip`> Hixie: There's a few things that don't entirely seem sensible in there (so I've sent mail to public-html), but I haven't tried looking hard for errors yet :-)
- # [02:16] * Philip` wants to create hundreds of thousands of test cases to see if all the parsers interoperate
- # [02:16] * Joins: MacDome (n=eric@c-69-181-78-198.hsd1.ca.comcast.net)
- # [02:17] <Hixie> k
- # [02:25] <tantek> FWIW I'm quite firmly on the other side re: http URIs, in strong support of dereferenceable URLs (not a typo), e.g. for XMDP profiles.
- # [02:26] <othermaciej> a dereferencable URL for something meant to be dereferenced is fine
- # [02:26] <othermaciej> but an allegedly opaque identifier starting with "http:" and having the format of a URL is just dumb
- # [02:27] <tantek> IMHO a URI using the "http" protocol implies dereferencability.
- # [02:29] <othermaciej> that's certainly how it seems to most people
- # [02:30] <Dashiva> Any transfer protocol would be an odd choice for non-transfer, really
- # [02:32] <Philip`> <html xmlns="data:,w3.org XHTML"> - still a URI, still uses DNS for 'guaranteed' uniqueness and allows many distinct values for the same domain
- # [02:32] <tantek> agreed Dashiva. Any URI using a transfer protocol implies dereferenceability, and specs SHOULD NOT discourage dereferenceability of such URIs.
- # [02:33] <tantek> in fact, one might even say that specs which use URIs MUST NOT place additional such restrictions on the URIs, as that would be a layer violation.
- # [02:35] * Quits: tantek (n=tantek@pool-71-105-213-62.lsanca.dsl-w.verizon.net)
- # [02:58] * Quits: othermaciej (n=mjs@mbc0f36d0.tmodns.net)
- # [03:03] * Quits: MacDome (n=eric@c-69-181-78-198.hsd1.ca.comcast.net)
- # [03:30] * Quits: tndH (i=Rob@87.102.19.44) ("ChatZilla 0.9.80-rdmsoft [XULRunner 1.8.0.9/2006120508]")
- # [03:51] * Joins: MacDome (n=eric@c-69-181-78-198.hsd1.ca.comcast.net)
- # [04:41] * Joins: dglazkov (n=dglazkov@adsl-074-229-248-021.sip.bhm.bellsouth.net)
- # [05:06] <jruderman> will <video> work well for streaming formats?
- # [05:06] * Quits: Kuruma (n=Kuruman@h123-176-107-050.catv01.catv-yokohama.ne.jp) (Read error: 104 (Connection reset by peer))
- # [05:06] <jruderman> such as real-time porn cams
- # [05:07] * Joins: Kuruma (n=Kuruman@h123-176-107-050.catv01.catv-yokohama.ne.jp)
- # [05:07] * Quits: MacDome (n=eric@c-69-181-78-198.hsd1.ca.comcast.net)
- # [05:10] * Quits: dglazkov (n=dglazkov@adsl-074-229-248-021.sip.bhm.bellsouth.net) ("durr...")
- # [05:11] * Joins: MacDome (n=eric@c-69-181-78-198.hsd1.ca.comcast.net)
- # [05:11] * Joins: heycam (n=cam@ppp232-187.static.internode.on.net)
- # [05:11] * heycam is now known as heycam|sydney
- # [05:16] * Joins: roc (n=roc@121-72-11-14.dsl.telstraclear.net)
- # [06:43] * Quits: roc (n=roc@121-72-11-14.dsl.telstraclear.net)
- # [07:09] * Quits: enn (i=eli@dsl253-036-017.chi1.dsl.speakeasy.net) (Read error: 104 (Connection reset by peer))
- # [07:10] * Joins: enn (i=eli@dsl253-036-017.chi1.dsl.speakeasy.net)
- # [08:13] * Quits: csarven (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca) ("http://www.csarven.ca/")
- # [09:08] * Joins: roc (n=roc@121-72-16-46.dsl.telstraclear.net)
- # [09:08] * Quits: wakaba (n=w@77.137.148.210.dy.bbexcite.jp) (Read error: 104 (Connection reset by peer))
- # [09:08] * Joins: wakaba (n=w@77.137.148.210.dy.bbexcite.jp)
- # [09:26] * Quits: DxSadEagle (n=maksim@kde/orlovich) (Remote closed the connection)
- # [09:26] * Quits: wakaba (n=w@77.137.148.210.dy.bbexcite.jp) (Read error: 104 (Connection reset by peer))
- # [09:38] * Joins: virtuelv (n=virtuelv@ti132110a341-2025.bb.online.no)
- # [09:40] * Quits: jwalden (n=waldo@RANDOM-THREE-O-EIGHT.MIT.EDU) (Remote closed the connection)
- # [09:42] * Joins: heycam (n=cam@ppp232-187.static.internode.on.net)
- # [09:54] * Quits: heycam|sydney (n=cam@ppp232-187.static.internode.on.net) (Read error: 110 (Connection timed out))
- # [09:54] * heycam is now known as heycam|sydney
- # [09:55] * Joins: mpt (n=mpt@222-155-10-198.jetstream.xtra.co.nz)
- # [10:17] <hsivonen> the idea of using URIs as identifiers rather than locators ignores the main affordance of URIs
- # [10:18] <hsivonen> in that sense, we should have stayed with URLs and the URI thing was a mistake
- # [10:19] * Joins: peepo (n=Jay@host86-129-186-34.range86-129.btcentralplus.com)
- # [10:22] * Quits: peepo (n=Jay@host86-129-186-34.range86-129.btcentralplus.com) (Client Quit)
- # [10:28] * Joins: ROBOd (n=robod@89.122.216.38)
- # [10:53] * Joins: jgraham (n=james@81-86-208-197.dsl.pipex.com)
- # [10:57] * Quits: jgraham (n=james@81-86-208-197.dsl.pipex.com) (Client Quit)
- # [11:31] * Quits: mpt (n=mpt@222-155-10-198.jetstream.xtra.co.nz) ("Leaving")
- # [12:01] * Quits: bzed (n=bzed@devel.recluse.de) (Remote closed the connection)
- # [12:23] * Joins: maikmerten (n=maikmert@Lba69.l.pppool.de)
- # [12:36] * Joins: bzed (n=bzed@devel.recluse.de)
- # [12:43] * Joins: franksalim (n=franksal@cpe-72-130-134-143.san.res.rr.com)
- # [12:48] * Joins: tndH_ (i=Rob@87.102.19.44)
- # [12:48] * tndH_ is now known as tndH
- # [13:44] <annevk> Philip`, is your parser faster than the Java parser?
- # [13:45] <Philip`> annevk: My C++ tokeniser was faster than the Java tokeniser (at least in the particular case that I was testing)
- # [13:46] <annevk> you haven't converted the OCaml parser to C++ yet?
- # [13:48] <Philip`> No, and the tree constructor part doesn't quite work in OCaml yet either
- # [13:51] <annevk> k
- # [14:17] * Quits: bzed (n=bzed@devel.recluse.de) ("leaving")
- # [14:17] * Joins: bzed (n=bzed@devel.recluse.de)
- # [14:46] * Quits: virtuelv (n=virtuelv@ti132110a341-2025.bb.online.no) ("Leaving")
- # [14:59] * Joins: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se)
- # [15:00] <zcorpan_> http://www.sitepoint.com/forums/showthread.php?t=531009
- # [15:28] * Quits: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se) (Read error: 110 (Connection timed out))
- # [15:46] * Joins: myakura (n=myakura@p2098-ipbf4207marunouchi.tokyo.ocn.ne.jp)
- # [15:51] * Quits: jruderman (n=jruderma@c-67-180-15-227.hsd1.ca.comcast.net) (Read error: 110 (Connection timed out))
- # [15:53] * Joins: csarven (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca)
- # [16:08] * Joins: met_ (n=Hassman@r5bx220.net.upc.cz)
- # [16:09] * met_ just testing postMessage http://ejohn.org/apps/message/
- # [16:09] <gsnedders> the spec gen truly is bizarre.
- # [16:09] <met_> anyone knows why it doesn't work in opera?
- # [16:09] * met_ thought Opera implemented postMessage already
- # [16:10] * Quits: maikmerten (n=maikmert@Lba69.l.pppool.de) (Remote closed the connection)
- # [16:12] <annevk> Opera implemented it on document instead of window
- # [16:12] <met_> oh
- # [16:12] <annevk> (this is changing)
- # [16:12] <met_> ok, I have missed that
- # [16:24] <gsnedders> Hixie: playing around with various concepts I have for implementing the spec-gen clone, it's gonna be quick. really quick.
- # [16:24] <gsnedders> (and by playing around I mean playing around with a DOM tree of the HTML 5 spec, so a really large doc)
- # [16:36] * Joins: myakura_ (n=myakura@p2098-ipbf4207marunouchi.tokyo.ocn.ne.jp)
- # [16:40] * Joins: jgraham (n=james@81-86-208-197.dsl.pipex.com)
- # [16:47] * Quits: myakura (n=myakura@p2098-ipbf4207marunouchi.tokyo.ocn.ne.jp) (Read error: 110 (Connection timed out))
- # [17:04] * Joins: wakaba (n=w@77.137.148.210.dy.bbexcite.jp)
- # [17:06] <annevk> Hixie, in http://lists.w3.org/Archives/Public/www-archive/2008Jan/0078.html you said you changed test 43 but it seems that you did not do that
- # [17:14] * Joins: SadEagle (n=maksim@cpe-69-202-89-106.twcny.res.rr.com)
- # [17:46] * Joins: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se)
- # [18:15] * Joins: DxSadEagle (n=maksim@cpe-69-202-89-106.twcny.res.rr.com)
- # [18:15] * Quits: SadEagle (n=maksim@cpe-69-202-89-106.twcny.res.rr.com) (Read error: 104 (Connection reset by peer))
- # [18:20] * Quits: met_ (n=Hassman@r5bx220.net.upc.cz) ("Chemists never die, they just stop reacting.")
- # [18:22] * Parts: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se)
- # [18:31] * Joins: D2xSadEagle (n=maksim@cpe-69-202-89-106.twcny.res.rr.com)
- # [18:37] * Quits: DxSadEagle (n=maksim@cpe-69-202-89-106.twcny.res.rr.com) (Read error: 110 (Connection timed out))
- # [18:47] * Joins: tndH_ (i=Rob@adsl-77-86-99-71.karoo.KCOM.COM)
- # [18:51] * Joins: maikmerten (n=maikmert@T76c0.t.pppool.de)
- # [18:59] * Joins: roc_ (n=roc@121-72-16-46.dsl.telstraclear.net)
- # [19:00] * Quits: roc (n=roc@121-72-16-46.dsl.telstraclear.net) (Read error: 104 (Connection reset by peer))
- # [19:06] * Quits: tndH (i=Rob@87.102.19.44) (Read error: 110 (Connection timed out))
- # [19:10] * Quits: maikmerten (n=maikmert@T76c0.t.pppool.de) (Remote closed the connection)
- # [19:11] * Joins: grimboy (n=grimboy@78-105-162-250.zone3.bethere.co.uk)
- # [19:17] * Joins: dbaron (n=dbaron@c-67-160-251-228.hsd1.ca.comcast.net)
- # [19:21] * Joins: csarven- (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca)
- # [19:37] * Quits: csarven (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca) (Read error: 110 (Connection timed out))
- # [19:38] * Joins: csarven (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca)
- # [19:39] * Quits: csarven- (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca) (Read error: 110 (Connection timed out))
- # [20:06] * Quits: csarven (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca) (Read error: 110 (Connection timed out))
- # [20:12] * Joins: csarven (n=nevrasc@modemcable130.251-202-24.mc.videotron.ca)
- # [20:19] * Quits: roc_ (n=roc@121-72-16-46.dsl.telstraclear.net)
- # [20:25] * Quits: gsnedders (n=gsnedder@host86-151-228-75.range86-151.btcentralplus.com) ("Partying in teh intarwebs")
- # [20:26] * Quits: jgraham (n=james@81-86-208-197.dsl.pipex.com) ("I get eaten by the worms")
- # [20:28] * Joins: jgraham (n=james@81-86-208-197.dsl.pipex.com)
- # [20:30] * Quits: jgraham (n=james@81-86-208-197.dsl.pipex.com) (Client Quit)
- # [20:31] <Hixie> annevk: as far as i can tell i did; what's not fixed?
- # [20:35] <Philip`> Hmm... Opera has a feature to import bookmarks from Firefox
- # [20:36] <Philip`> Firefox 3 stores bookmarks in an SQLite database
- # [20:36] <Philip`> Hence, Opera will have to include SQLite so that it can continue to import from Firefox
- # [20:36] * D2xSadEagle can't say he blames FF people for using something like SQLite.
- # [20:36] <D2xSadEagle> though don't they always run only one process? Cheaters :p
- # [20:37] <Philip`> Since it already has to pay the code-size and integration cost of SQLite, it will cost approximately nothing extra to support client-side database storage in a way that's compatible with Firefox
- # [20:37] <Philip`> And so the world will be happy and interoperable, which is good
- # [20:38] <Hixie> it frightens me that Julian is arguing that servers don't assume that a missing Referer means that the request should be allowed
- # [20:38] <Philip`> (And any other browser that wants to attract Firefox users will have to offer a similar import feature, and so will have to have SQLite too)
- # [20:39] <Dashiva> Philip`: Well, that all assumes FF3 will be released before DNF :)
- # [20:40] * Hixie wonders how to respond to someone who has such a feeble grasp of the realities of deployed content
- # [20:41] <Philip`> Hixie: If they do assume that, it should be easy to give some examples of open source code with that assumption
- # [20:42] <Philip`> It seems the much more common situation (mainly to avoid image hot-linking) is for servers to assume a non-missing different-origin Referer means the request should be denied
- # [20:42] <Philip`> (which isn't the same as assuming a missing Referer means the request should be trusted)
- # [20:43] <Hixie> right
- # [20:43] <Philip`> (because nothing particularly bad happens when someone hot-links an image and 1% of users don't send Referer and therefore don't get redirected to a rude message)
- # [20:44] <Hixie> feel free to point him to code doing this if you know of any
- # [20:44] <Philip`> I don't know of any
- # [20:44] <Hixie> yeah me either
- # [20:44] <Hixie> i just know it's very common :-)
- # [20:44] <Philip`> You're the one arguing that servers do make assumptions :-p
- # [20:45] <hsivonen> b.m.o at least used to block slashdot referers but allows no referer
- # [20:45] <Philip`> and arguing without evidence is not very convincing :-)
- # [20:45] <webben> What does Apache do by default?
- # [20:45] <hsivonen> webben: just logs the referer
- # [20:46] <webben> IIS?
- # [20:46] <Hixie> Philip`: indeed
- # [20:46] <Dashiva> Philip`: My image leech prevention script assumes a missing referer is local
- # [20:46] <Hixie> guess i'll have to do more research
- # [20:46] <Dashiva> It's not open source, though
- # [20:47] <Hixie> time to go to the rehearsal though
- # [20:47] <Hixie> bbl
- # [20:47] <Philip`> hsivonen: b.m.o isn't blocking certain referrers in order to avoid CSRF, so it's not really relevant to the argument about no-referrer pings being bad for security
- # [20:47] <Philip`> and the same for all the image leech prevention scripts
- # [20:48] <hsivonen> Philip`: using Referer for security purposes seems like a very brittle and RFC 2616-incompliant idea to me
- # [20:49] <Philip`> hsivonen: If we assumed people were sensible, then that would mean people wouldn't use Referer for security purposes, and so there's no danger in sending pings with no Referer
- # [20:50] <hsivonen> which one of Julian's messages are we talking about?
- # [20:50] <Philip`> I think the first paragraph of http://lists.w3.org/Archives/Public/public-html/2008Feb/0164.html
- # [20:57] <Philip`> http://google.com/codesearch?q=show:J2QBLfV3jjo:NRV5Vj3R4SI:1curwdNzfbk&cs_p=ftp://t3domains.de/pub/TYPO3-complete-package/current-version/yamlt3-V4.5.0.zip&cs_f=yamlt3/typo3/sysext/cms/tslib/class.tslib_fe.php#l2106
- # [20:57] <hsivonen> hmm. using Referer as an anti-CSRF mechanism still seems like a very bad idea unless it is merely used as an optimization in a mechanism that actually works
- # [20:57] <Philip`> That's something that prevents email form submission if the Referer is wrong or missing
- # [20:59] * tndH_ is now known as tndH
- # [21:00] * Quits: weinig (n=weinig@c-71-198-176-23.hsd1.ca.comcast.net)
- # [21:01] <tndH> Philip`: lucky for them, fx3 exports its bookmarks to an html file on shutdown ;)
- # [21:03] <Philip`> http://google.com/codesearch?q=show:H3ulLINfCo0:QkWYPi2-xVM:o8NYFfBdVkY&cs_p=http://freshmeat.net/redir/punbb/46741/url_tgz/punbb-1.2.15.tar.gz&cs_f=punbb-1.2.15/upload/include/functions.php#l671
- # [21:03] <Philip`> That also prevents things if Referer is wrong or missing
- # [21:08] <Philip`> http://google.com/codesearch?q=show:BILmTBaOV7w:J2LE5gqHQ64:eBTzqE7cT8s&cs_p=http://wphooks.flatearth.org&cs_f=hooks/check_admin_referer/-001#first
- # [21:08] <Philip`> There's another one
- # [21:08] <Philip`> So I still haven't seen one that thinks missing referer means the request can be trusted...
- # [21:11] <Philip`> tndH: Oh :-(
- # [21:12] <Philip`> http://google.com/codesearch?q=show:cFRMv4O2bGI:eriQ8VkTUd4:dQQ6OTNA-Bs&cs_p=https://svn.radicaldesigns.org/amp/trunk&cs_f=punbb/admin_options.php#l41
- # [21:12] <Philip`> That also rejects missing referer
- # [21:13] * Quits: dbaron (n=dbaron@c-67-160-251-228.hsd1.ca.comcast.net) (Read error: 110 (Connection timed out))
- # [21:14] <Philip`> http://google.com/codesearch?q=show:2v0x4p249hg:NM4BWguMEFY:lqNJFi-SHlc&cs_p=http://scoop.kuro5hin.org/dist/releases/scoop_1.1.7.tar.gz&cs_f=scoop-1.1.7/lib/Scoop/Admin.pm#l8
- # [21:17] * Joins: roc (n=roc@202.0.36.64)
- # [21:20] <Philip`> http://google.com/codesearch?q=show:aVoQhiwqoGk:-V6ZnWGm9lc:vBMeJnZMb1M&cs_p=http://www.dcscripts.com/localFTP/gdcf625.tar.gz&cs_f=./dcf625/cgi-bin/dcforum/dcboard.cgi#l344
- # [21:21] * Philip` gives up looking
- # [21:21] <Philip`> So, I still don't have any evidence that sending requests with a missing Referer is going to introduce security issues in existing software
- # [21:22] <Philip`> (though obviously I also don't have any evidence that it isn't)
- # [21:25] <Philip`> hsivonen: Do you know of some specific anti-CSRF mechanisms that do work?
- # [21:26] * Philip` is currently unable to think of any
- # [21:29] <Philip`> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%3Evar%20xhr%3Dnew%20XMLHttpRequest()%3Bxhr.open(%27GET%27%2C%20%27https%3A%2F%2Fmail.google.com%2Fmail%2F%3Flogout%26hl%3Den-GB%27)%3Bxhr.send(null)%3C%2Fscript%3E
- # [21:29] <Philip`> In Firefox 3, that doesn't work very happily
- # [21:30] <Philip`> presumably because of the Access-Control stuff introducing new CSRF vulnerabilities
- # [21:31] <Philip`> annevk: Is that a known problem or a bug in Firefox or something?
- # [21:32] * Joins: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se)
- # [21:33] <Philip`> Oh, maybe not
- # [21:33] <Philip`> It's not anything new, because <script src="https://mail.google.com/mail/?logout&hl=en-GB"></script> has the same effect
- # [21:33] <Philip`> Is it a bug in Gmail, or is the web just fundamentally broken?
- # [21:33] <zcorpan_> hsivonen: apparently some people use transitional because the software they use emit stuff that only validates as transitional
- # [21:35] <zcorpan_> hsivonen: and so it might be worth to look into the default templates of popular CMSs and blogs and which errors they get when validating as html5
- # [21:35] <zcorpan_> (but i guess the results would be pretty much the same as what you've already got)
- # [21:35] <hsivonen> zcorpan_: good idea
- # [21:36] <hsivonen> zcorpan_: although the generated stuff in CMSs is harder to change than the templates, so it would be even more interesting to isolate the template parts somehow
- # [21:37] <zcorpan_> yeah
- # [21:42] <hsivonen> I see <a name> and target=_blank in what I think is the Blogger default
- # [21:43] <hsivonen> additionally, the blogger navbar has every presentational iframe attribute
- # [21:43] <zcorpan_> "SMF and WordPress both output target="_blank"." -- http://www.sitepoint.com/forums/showthread.php?p=3718885
- # [21:44] <hsivonen> what's SMF?
- # [21:44] <zcorpan_> probably http://www.simplemachines.org/
- # [21:44] <hsivonen> never heard
- # [21:45] <zcorpan_> i hadn't, either
- # [21:45] <Philip`> SMF seems to be fairly popular
- # [21:45] * Joins: jgraham (n=james@81-86-208-197.dsl.pipex.com)
- # [21:45] <Philip`> https://labs.mozilla.com/forum/ uses it
- # [21:48] <hsivonen> Can't validate that one with Validator.nu
- # [21:48] <hsivonen> the SSL cert is not supported by Sun JDK
- # [21:50] <Philip`> http://html5.validator.nu/?doc=http%3A%2F%2Fwww.simplemachines.org%2Fcommunity%2Findex.php looks unhappy
- # [21:50] <hsivonen> zcorpan_: WordPress default has profile at least: http://html5.validator.nu/?doc=http%3A%2F%2Fthemes.wordpress.net%2Ftestrun%2F
- # [21:51] <Philip`> and http://html5.validator.nu/?doc=http://www.cyberscoreforums.com/ (SMF 1.x, whereas the other one was 2.x) looks similar
- # [21:51] <hsivonen> ah. language="JavaScript" all over the place
- # [21:58] <hsivonen> Sun's certificate management docs aren't as obvious as I'd like :-(
- # [22:01] <hsivonen> I wonder if there's a way to ask HttpClient to accept any cert and only use TLS for encryption--not for verifying the identity of the other party
- # [22:01] <zcorpan_> <link rel="help" href="http://www.cyberscoreforums.com/index.php?action=help" target="_blank" /> (from cyberscoreforums.com)
- # [22:09] * Joins: weinig (n=weinig@c-71-198-176-23.hsd1.ca.comcast.net)
- # [22:18] * Joins: starjive (i=beos@81-233-18-73-no30.tbcn.telia.com)
- # [22:20] * Joins: dbaron (n=dbaron@c-67-160-251-228.hsd1.ca.comcast.net)
- # [22:24] * Quits: heycam|sydney (n=cam@ppp232-187.static.internode.on.net) ("bye")
- # [22:28] * Quits: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se) (Read error: 110 (Connection timed out))
- # [22:31] * Joins: gsnedders (n=gsnedder@host86-151-228-75.range86-151.btcentralplus.com)
- # [22:31] * Joins: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se)
- # [22:33] * Joins: jruderman (n=jruderma@c-67-180-15-227.hsd1.ca.comcast.net)
- # [22:33] * D2xSadEagle is now known as SadEagle
- # [22:34] * Quits: ROBOd (n=robod@89.122.216.38) ("http://www.robodesign.ro")
- # [22:40] <zcorpan_> wonder if we should allow <img with=0 height=0>
- # [22:40] <zcorpan_> er
- # [22:40] <zcorpan_> width
- # [22:45] <annevk> Philip`, Google doing actions on the user's behalf based on a GET request seems to be broken
- # [22:48] <gsnedders> annevk: seeming you said you'd explain to me anything I didn't get from the DOM specs, what does compareDocumentPosition() return?
- # [22:48] <Philip`> I suppose doing actions on a POST request would be broken too, because anyone could set up a form and submit it via JS
- # [22:49] <Philip`> so it's basically impossible to safely allow actions
- # [22:49] <SadEagle> gsnedders: it's an untranslatable string of curses in the direction of whoever thought up of this function
- # [22:49] <gsnedders> :D
- # [22:49] <SadEagle> Philip`: check out some stuff in http rfc about pipelining and idempotency, for extra fun.
- # [22:49] <gsnedders> at a really basic level, how can I tell if something occurs before something else?
- # [22:50] <annevk> yes
- # [22:50] <annevk> though not all browsers might support it
- # [22:51] <annevk> also, iirc it returns an integer that maps to some constant
- # [22:51] <gsnedders> oh yuk.
- # [22:51] <SadEagle> hmm, it's actually not so expensive to implement as I first thought.
- # [22:51] <kig> the usual solution to ajax api is to trust the browser to not leak cookies outside SOP and use the cookie secret for authenticating requests by adding the secret as a var to the post req
- # [22:51] <SadEagle> gsnedders: this seems to explain it: http://www.quirksmode.org/blog/archives/2006/01/contains_for_mo.html
- # [22:52] <gsnedders> SadEagle: thx
- # [22:52] <kig> s/usual/what i've been using/
- # [22:53] <SadEagle> np
- # [22:53] <SadEagle> there is a separate section in DOM3 core explaining it too, just search for DocumentPosition... For some reason the method specs don't refer to it..
- # [22:54] <gsnedders> that'll be why I didn't find it.
- # [22:54] * SadEagle loves DOCUMENT_POSITION_IMPLEMENTATION_SPECIFIC
- # [22:54] <gsnedders> yeah, I just noticed that
- # [22:54] <Philip`> kig: Hmm, that sounds quite reasonable
- # [22:54] <gsnedders> SadEagle: sadly, too often order isn't defined in DOM
- # [22:56] <SadEagle> they have a disconnected flag, though
- # [22:56] <annevk> wow, someone should clean that up and remove that constant
- # [22:57] <gsnedders> DOM5!
- # [22:57] <gsnedders> next year of school will suck. No longer in Secondary 5 :(
- # [22:59] <zcorpan_> dom5 core is on my list of things to do...
- # [22:59] <annevk> Hixie, "input2.setAttribute("checked", "checked"); // sets defaultChecked, doesn't change actual state" does change the state in deployed browsers
- # [22:59] <gsnedders> zcorpan_: you can use me as a test subject as someone who doesn't know much about DOM :P
- # [23:00] <zcorpan_> gsnedders: i don't follow
- # [23:01] <gsnedders> zcorpan_: To make sure DOM5 Core actually makes sense to those who don't know much about DOM
- # [23:01] <zcorpan_> gsnedders: ah
- # [23:01] <zcorpan_> gsnedders: not sure that should be a goal though
- # [23:01] <SadEagle> gsnedders: coincidentally, DOM* Core is probably the best-specified part of DOM.
- # [23:02] <gsnedders> SadEagle: I'm aware.
- # [23:02] <Hixie> annevk: oh, in the radio button tests. i thought you were talking about the checkbox tests.
- # [23:03] * SadEagle wonders whether someone will be tackling saneification of DOM2 HTML... I guess some parts of WF2 overlap, though.
- # [23:03] <gsnedders> SadEagle: HTML 5 is, AFAIK
- # [23:03] <zcorpan_> yeah
- # [23:03] <SadEagle> poor Hixie :-)
- # [23:05] <Hixie> annevk: wow, that's a big bug in the spec. i'd better make sure i fix that in html5.
- # [23:06] <annevk> i doubt that's possible
- # [23:07] <annevk> HTML5 fixed most of DOM2 HTML
- # [23:07] <Hixie> i mean a big bug in the dom2 html spec
- # [23:08] <annevk> ok
- # [23:08] <Hixie> i haven't checked wf2
- # [23:08] * Hixie mails himself
- # [23:15] <Hixie> annevk: k, fixed the test
- # [23:17] <annevk> how can input1 still be checked?
- # [23:18] <annevk> .defaultChecked is exactly equivalent to setAttribute("checked", "checked") ...
- # [23:18] <annevk> or did you change other things, too?
- # [23:19] <Hixie> wait i thought you said that setting setAttribute("checked", "checked") was specifically _not_ equivalent to setting defaultChecked?
- # [23:19] <Hixie> so you're saying that setting defaultChecked also changes checked???
- # [23:20] <annevk> yes
- # [23:20] <annevk> sorry for not being more specific initially
- # [23:21] <annevk> maybe I'm wrong
- # [23:23] * Joins: heycam (n=cam@b4F38.static.pacific.net.au)
- # [23:24] <Dashiva> Wouldn't it be nice if there was a website that would screenshot a given page in IE6+7, FF2+3, Safari2+3 and Opera9.2+9.5 and display the results?
- # [23:24] * Hixie puts it back to what it used to be
- # [23:24] <Hixie> Dashiva: there is
- # [23:24] <Dashiva> really?
- # [23:24] <Dashiva> And not a paid service?
- # [23:24] <Hixie> yes
- # [23:24] <Hixie> i forget the url
- # [23:24] <Hixie> but there are some
- # [23:24] * heycam is now known as heycam|sydney
- # [23:24] <Dashiva> Hmm... guess it's google time
- # [23:25] <annevk> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3Ex%3Cinput%20name%3Dradio%20type%3Dradio%3E%3Cinput%20name%3Dradio%20type%3Dradio%3E%3Cscript%3Evar%20i%20%3D%20document.getElementsByTagName(%22input%22)%3B%20i[0].defaultChecked%20%3D%20true%3B%20i[1].defaultChecked%20%3D%20true%20%3C%2Fscript%3E
- # [23:25] <annevk> Firefox seems inconsistent
- # [23:26] <Hixie> well i've put it back to what the spec says
- # [23:26] <annevk> but given how inconsistent Firefox is I'm not sure we can fix it
- # [23:30] <Philip`> Dashiva: http://browsershots.org/ ?
- # [23:30] <Dashiva> Yeah, looking at that now
- # [23:31] * Quits: zcorpan_ (n=zcorpan@c-cb21e353.1451-1-64736c12.cust.bredbandsbolaget.se) (Read error: 110 (Connection timed out))
- # [23:42] * Quits: jgraham (n=james@81-86-208-197.dsl.pipex.com) ("I get eaten by the worms")
- # [23:51] <annevk> Hixie, because of "iframe { float: left; height: 0; width: 0; }" some of the media query tests are invalid
- # [23:51] <annevk> specifically, y1, y2, y3, and y4 will not function as expected
- # [23:51] <annevk> (if I uncomment that CSS line the media query tests pass in Opera as expected)
- # [23:54] <Hixie> oh the media queries depend on the iframe dimensions?
- # [23:55] <annevk> y1, y2, y3, y4 test the width and height media features
- # [23:55] <Hixie> yes
- # [23:55] <Hixie> i didn't realise that those heights and widths were the viewport dimensions
- # [23:55] <Hixie> of the inner viewport
- # [23:56] <annevk> they are
- # [23:56] <Hixie> but indeed it is
- # [23:56] <annevk> you could change them to min-device-width etc. I suppose
- # [23:56] <Hixie> fixed
- # [23:58] <Hixie> there, let me know if that works
- # [23:58] <annevk> that works, but you should update the comment to say that the tests assume a 0x0 window
- # [23:58] <annevk> "// the next four assume that the window is bigger than 1em by 1em at the time the test is run"
- # [23:59] * Joins: jgraham (n=james@81-86-208-197.dsl.pipex.com)
- # [23:59] <Hixie> fixed
- # [23:59] <annevk> great
- # Session Close: Mon Feb 11 00:00:00 2008