  1. # Session Start: Fri Mar 14 00:00:00 2008
  2. # Session Ident: #html-wg
  3. # [00:05] * Joins: dorchard (42f8de22@128.30.52.23)
  4. # [00:07] * Joins: ChrisWilson (cwilso@131.107.0.71)
  5. # [00:14] * DanC_lap waves, heading out for the day
  6. # [00:14] <dorchard> I'm not sure how office hours work, so I'll just start asking questions if that's ok..
  7. # [00:15] * Quits: matt (matt@128.30.52.30) (Quit: matt)
  8. # [00:15] <ChrisWilson> go for it
  9. # [00:15] <dorchard> Chris, could you elaborate on why IE 8 beta 1 chose the particular subset it did? like which use cases?
  10. # [00:15] <dorchard> for namespaces that is
  11. # [00:17] <ChrisWilson> you mean, why did we choose to implement the namespace-mapping-to-binary-behaviors that we did?
  12. # [00:17] <dorchard> I'm quite supportive of increased support for decentralized extensibility btw.
  13. # [00:18] <dorchard> I mean things like: not supporting nested default ns decls, prefix decls only on <html>
  14. # [00:18] <ChrisWilson> Ah. Because we didn't really change that part very much at all.
  15. # [00:19] <ChrisWilson> (or more to the point, we were changing it as little as possible)
  16. # [00:19] <ChrisWilson> And given the way our parser works, it would have been more costly in performance to do that.
  17. # [00:19] * Philip notes that you can put the xmlns prefix declaration on an <html> element that is not the first element in the document, and is not even the only <html> element in the document
  18. # [00:20] <Philip> s/element/tag/
  19. # [00:20] <ChrisWilson> (we have a pre-parser/tokenizer as well as a parser; if you support non-prefixed elements, you have to be careful not to be speculative prior to applying the namespacing)
  20. # [00:20] <dorchard> Do you think there's much chance of influencing IE 8 Final on this matter? Say if a group of people (maybe html5) gave some solid feedback on changes could they realistically make it in?
  21. # [00:21] <ChrisWilson> yes? You can put prefixed namespace declarations elsewhere in the doc.
  22. # [00:21] <ChrisWilson> (sorry, that was to Philip)
  23. # [00:21] <ChrisWilson> I'd love to hear the feedback on use cases.
  24. # [00:21] * Quits: billmason (billmason@69.30.57.25) (Quit: .)
  25. # [00:21] <dorchard> (we need to name prefix our responses i guess :-)
  26. # [00:21] <anne> Philip means that you can do <html xmlns:foo="test"> anywhere in the document because of the special way <html> is treated
  27. # [00:22] <anne> <html a><html b> gives the root element two attributes a="" and b=""
  28. # [00:22] <dorchard> Lately the HTML5 WG has been talking about svg + mathml use cases, I thought Henri's were a great start.
  29. # [00:22] <ChrisWilson> In short, the goal of that work was "we've seen people use binary behaviors to fake up namespaced support - e.g. the MathType stuff. We want to enable use of that without the ugly proprietary goo that binary behaviors require today."
  30. # [00:22] <ChrisWilson> Or something like that.
  31. # [00:22] <dorchard> oh interesting..
  32. # [00:23] <anne> ChrisWilson, fwiw, namespaced HTML is just as proprietary as binary goo :)
  33. # [00:23] <Philip> anne: I was particularly thinking of http://canvex.lazyilluminati.com/misc/dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Cbody%3E%0D%0A%3Cfoo%3Abar%3Ex%3C%2Ffoo%3Abar%3E%0D%0A%3Chtml%20xmlns%3Afoo%3E%0D%0A%3Cfoo%3Abar%3Ex%3C%2Ffoo%3Abar%3E
  34. # [00:24] <Philip> just as a slightly weird (and quite undocumented) consequence of how the thing works :-)
  35. # [00:24] * Joins: mjs (mjs@17.203.15.201)
  36. # [00:24] <Philip> (Ignore the "live" half of that, since that's a different issue)
  37. # [00:25] <anne> it sort of makes "sense" it works that way, otherwise you can't do incremental parsing
  38. # [00:27] <ChrisWilson> Actually, Anne, I disagree with your statement. namespaced HTML is supported in other browsers (e.g. Mozilla's MathML support).
  39. # [00:27] <anne> Mozilla's MathML only works in XHTML
  40. # [00:28] <anne> You can't put MathML in a document coming from a text/html stream without scripting
  41. # [00:29] <Philip> (Hmm, http://philip.html5.org/tests/ie8/cases/xmlns-crash.html crashes IE (at least 6 and 8-beta-1))
  42. # [00:30] <ChrisWilson> Anne, how would YOU like to incorporate MathML, et al, into HTML?
  43. # [00:31] <anne> I don't have a concrete plan. If I had one I would've posted it to the list
  44. # [00:31] * Quits: Sander (svl@86.87.68.167) (Quit: And back he spurred like a madman, shrieking a curse to the sky.)
  45. # [00:32] <ChrisWilson> well, then, given that we don't have XHTML MIME type support in IE at this time, this would seem like the most compatible, interoperable thing to do.
  46. # [00:32] <ChrisWilson> I'm open to other plans. I don't know what exactly you're looking for, and this isn't intended to be a big deal. It was certainly not a big code focus.
  47. # [00:33] <dorchard> I think there are some people, myself included, that believe that decentralized evolvability, using whatever form of namespaces chosen, is a big deal.
  48. # [00:33] <anne> All I'm saying is that namespaced HTML at this point is just as proprietary as binary goo
  49. # [00:34] <dorchard> I guess if HTML5 adopted MSFT's subset, it would become "standard" goo then..
  50. # [00:34] <Philip> anne: What would make it less proprietary?
  51. # [00:34] <Philip> (Would documentation of the behaviour be sufficient?)
  52. # [00:35] <Philip> dorchard: The difficulty with adopting it is that other browsers apparently break when trying to adopt it, because web sites assume all non-IE browsers don't do HTML namespaces
  53. # [00:36] <anne> I'd prefer some rough agreement on what's the right approach among browser vendors
  54. # [00:36] <anne> but it doesn't seem IE8 made that many changes here as opposed to IE7/IE6 so maybe it's not a big deal indeed
  55. # [00:37] <dorchard> Anne, that's why I was asking Chris about evolvability of IE's subset..
  56. # [00:43] <ChrisWilson> How do other browsers break when trying to adopt "IE's HTML namespaces"? (I'm not sure I understand what that means, anyway, but I don't understand how it doesn't fit for others)
  57. # [00:44] <anne> Opera implemented support for namespaces in text/html around Opera 8 and we had to revert that as it broke too many pages. Unfortunately I don't know the details.
  58. # [00:48] <anne> live.com used IE-style namespaces for a while and used different DOM methods in other browsers to retrieve elements (non-namespace aware methods). If we implemented namespace support like IE that site would break.
  59. # [00:50] <ChrisWilson> heh. Live, we could get to change, if they had a way to do it on other browsers.
  60. # [00:51] <ChrisWilson> (Sorry to drop out for a few minutes - was filing Philip's crashing bug)
  61. # [00:51] <Philip> http://js.shared.live.com/xlFSa6KIBUFmcZ1UAoQ5FQ/liveframeworkex.js still does some special things with document.namespaces (in IE and in Opera versions older than 9, judging by the code)
  62. # [00:53] <Philip> I haven't yet encountered any sites other than live.com that do much with namespaces
  63. # [00:54] <Philip> ChrisWilson: (Thanks!)
  64. # [00:55] <Philip> ChrisWilson: (I found something else that crashed a few days ago, but I posted it to microsoft.public.internetexplorer.beta so I'm assuming that means someone will look at it eventually and that I won't have to report bugs via you :-) )
  65. # [00:56] <anne> Oh, I found some old stuff, sites with <html xmlns="http://www.w3.org/TR/xhtml1"> broke
  66. # [00:56] <anne> MS Word output utterly failed
  67. # [00:57] <Philip> anne: Sounds like that could be fixed by implementing something closer to what IE does
  68. # [00:57] <anne> Yeah, probably
  69. # [00:58] <Philip> (and further away from what XML does)
  70. # [00:58] <Philip> (which is kind of a pain since namespaced documents sent as text/html and application/xhtml+xml would be processed very differently)
  71. # [00:58] <ChrisWilson> we can, of course, also pull html namespacing support closer to xml...
  72. # [00:59] <anne> Most reported bugs were about recognizing xmlns="" on HTML elements it seems
  73. # [00:59] <ChrisWilson> (as in, IE's support)
  74. # [00:59] <Philip> It would be nice if http://philip.html5.org/misc/xmlns-dom.html and http://philip.html5.org/misc/xmlns-dom.xhtml acted the same as each other and the same in all browsers
  75. # [00:59] <ChrisWilson> anne - you mean, because they started getting XHTML treatment?
  76. # [01:00] <anne> ChrisWilson, well, because <html xmlns="foo"><h1>xxx</h1></html> would not be treated equally to <html><h1>xxx</h1></html>
  77. # [01:01] <anne> (dependong on what you mean by XHTML treatment, the answer may be yes :), but we didn't throw well-formedness errors if that's what you meant)
  78. # [01:01] <anne> depending*
  79. # [01:01] <ChrisWilson> sure... but if foo==XHTML1, then they effectively do, don't they?
  80. # [01:01] <anne> then it would work, but note that http://www.w3.org/TR/xhtml1 is not the XHTML namespace :)
  81. # [01:02] <anne> http://www.w3.org/1999/xhtml is
  82. # [01:02] * Joins: Laura (lauracarls@131.212.34.94)
  83. # [01:02] * Quits: dorchard (42f8de22@128.30.52.23) (Quit: CGI:IRC (EOF))
  84. # [01:02] * Quits: Laura (lauracarls@131.212.34.94) (Quit: Laura)
  85. # [01:02] * Joins: Laura (lauracarls@131.212.34.94)
  86. # [01:02] <ChrisWilson> ah. Hmm. Well, you could ignore setting the default namespace on the <html> element, or something like that (you=html5 definition)
  87. # [01:02] <Philip> There's a lot of <html xmlns="http://www.w3.org/TR/REC-html40">
  88. # [01:03] <ChrisWilson> oh, crud, it's 5. Gotta run pick my daughter up from preschool.
  89. # [01:03] <anne> oops, see you :)
  90. # [01:03] * Quits: smedero (smedero@192.223.6.251) (Quit: smedero)
  91. # [01:03] <anne> Philip, I think because of that Opera 9 still has a leftover quirk where we support that namespace...
  92. # [01:03] <Philip> 1348 http://www.w3.org/1999/xhtml
  93. # [01:03] <Philip> 84 http://www.w3.org/TR/REC-html40
  94. # [01:03] <Philip> 2 http://www.w3.org/TR/xhtml1
  95. # [01:03] <Philip> 1 undefined
  96. # [01:04] <Philip> out of about 9K documents
  97. # [01:04] <fearphage> Philip: what are those numbers from exactly?
  98. # [01:04] <Philip> (That's literally <html xmlns="undefined">)
  99. # [01:05] <Philip> fearphage: A random sample of URIs downloaded from dmoz.org
  100. # [01:06] <Philip> then passed through grep -i '<html xmlns' and counted
  101. # [01:06] <fearphage> i see
  102. # [01:07] <Philip> There's some <br xmlns="">, <script xmlns="">, <form xmlns="">
  103. # [01:08] <Philip> ...and meta and link (still with empty xmlns strings)
  104. # [01:08] <Philip> and h2 and center and div
  105. # [01:08] <Philip> and title
  106. # [01:09] <Philip> and also a <p xmlns="http://www.w3.org/1999/xhtml"> and some <div xmlns="http://www.w3.org/1999/xhtml">
  107. # [01:09] <anne> using the same syntax as in XML doesn't seem too good
  108. # [01:09] <Philip> and a <table xmlns="http://my.netscape.com/rdf/simple/0.9/">
  109. # [01:10] <Philip> (http://www.gregpremru.com/ )
  110. # [01:11] <anne> have fun with grep ;)
  111. # [01:11] * anne goes to bed
  112. # [01:11] <Philip> (and there's a load more with xmlns:foo)
  113. # [01:13] * Joins: dorchard (42f8de22@128.30.52.23)
  114. # [01:14] * Quits: tH (Rob@77.86.108.106) (Quit: ChatZilla 0.9.81-rdmsoft [XULRunner 1.8.0.9/2006120508])
  115. # [01:19] * Quits: Laura (lauracarls@131.212.34.94) (Quit: Laura)
  116. # [01:43] * Quits: jgraham (james@81.86.216.20) (Quit: I get eaten by the worms)
  117. # [01:44] * Quits: adele (adele@17.203.14.235) (Quit: adele)
  118. # [01:46] * Joins: aaronlev (chatzilla@65.78.0.149)
  119. # [01:55] <Hixie> IE8 specifically ignores xmlns="" on any known html element for exactly the reason Philip cites
  120. # [01:57] <Hixie> and as far as i can tell the reason Office used this namespace support is http://iowa.gotthefacts.org/122106/PLEX0_5879.pdf
  121. # [01:57] <Philip> http://www.bavi.cz/
  122. # [01:58] <Philip> <PoznamkaAktualu xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/office/infopath/2003/myXSD/2005-03-17T08:56:29"><div xmlns="http://www.w3.org/1999/xhtml">Zahájen prodej letních rekreací do celého světa – Řecko, Bulharsko, Španělsko, Itálie, Tunisko, Egypt, ČR…</div> ...
  123. # [01:58] <Philip> I guess IE8 would be unhappy with that
  124. # [01:59] <Hixie> try it
  125. # [02:01] <Philip> IE8b1 doesn't implement the namespace support that the documentation describes
  126. # [02:01] <Hixie> sure, i'm talking about what the browser does
  127. # [02:02] <Hixie> that page seems to work, btw
  128. # [02:04] <Hixie> http://software.hixie.ch/utilities/js/live-dom-viewer/ie8.html?%3C!DOCTYPE%20HTML%3E...%3Cxxx%20xmlns%3D%22test%22%3E%3Cyyy%3Eab%3Cinput%3Ecd%3C%2Fyyy%3E%3C%2Fxxx%3E
  129. # [02:04] <Hixie> oh wait
  130. # [02:04] <Hixie> i need the dead dom viewer for this
  131. # [02:05] <Hixie> http://canvex.lazyilluminati.com/misc/dom-viewer/?%3C!DOCTYPE%20HTML%3E...%3Cxxx%20xmlns%3D%22test%22%3E%3Cyyy%3Eab%3Cinput%3Ecd%3C%2Fyyy%3E%3C%2Fxxx%3E
  132. # [02:05] <Hixie> looks the same to me
  133. # [02:06] <Philip> It creates an element named: POZNAMKAAKTUALA
  134. # [02:06] <Philip> with an attribute named: xmlns="http://schemas.microsoft.com/office/infopath/2003/myXSD/2005-03-17T08:56:29"> <div xmlns=
  135. # [02:06] <Philip> and with attribute value: http://schemas.microsoft.com/office/infopath/2003/myXSD/2005-03-17T08:56:29"> <div xmlns=
  136. # [02:06] <Philip> (plus other attributes, but they're off the edge of the Developers Tools window)
  137. # [02:07] <Philip> and everything else is processed like normal
  138. # [02:07] <Hixie> yeah i can't get this supposed namespace support to work at all
  139. # [02:08] <Philip> (IE7-mode does the crazy attribute name misparsing thing too, whereas IE7 didn't)
  140. # [02:09] <Hixie> nice
  141. # [02:09] <Hixie> confirmation, if any was needed, that Microsoft use conditional statements, and not a whole copy of the codebase
  142. # [02:47] * Quits: mjs (mjs@17.203.15.201) (Quit: mjs)
  143. # [03:06] * Quits: Navarr (navarr@75.53.193.248) (Quit: Yeah.. I'll see ya around...)
  144. # [03:07] * Joins: adele (adele@67.170.232.64)
  145. # [03:07] * Quits: adele (adele@67.170.232.64) (Client exited)
  146. # [03:08] * Joins: adele (adele@67.170.232.64)
  147. # [03:16] * Quits: aaronlev (chatzilla@65.78.0.149) (Ping timeout)
  148. # [03:32] * Joins: aaronlev (chatzilla@65.78.0.149)
  149. # [04:32] * Quits: aaronlev (chatzilla@65.78.0.149) (Ping timeout)
  150. # [04:49] * Joins: aroben (aroben@69.142.103.232)
  151. # [05:10] * Joins: aaronlev (chatzilla@65.78.0.149)
  152. # [05:14] * Quits: aaronlev (chatzilla@65.78.0.149) (Ping timeout)
  153. # [05:51] * Joins: mjs (mjs@64.81.48.145)
  154. # [06:03] * Quits: adele (adele@67.170.232.64) (Quit: adele)
  155. # [06:10] * Quits: mjs (mjs@64.81.48.145) (Quit: mjs)
  156. # [06:11] * Joins: mjs (mjs@64.81.48.145)
  157. # [06:18] * Quits: dbaron (dbaron@63.245.220.241) (Ping timeout)
  158. # [06:44] * Quits: deltab (deltab@82.36.30.34) (Ping timeout)
  159. # [06:49] * Joins: dbaron (dbaron@67.160.251.228)
  160. # [06:52] * Quits: dorchard (42f8de22@128.30.52.23) (Quit: CGI:IRC (EOF))
  161. # [07:09] * Joins: mike (mike@mcclure.w3.org)
  162. # [07:27] * Quits: mike (mike@mcclure.w3.org) (Quit: Leaving)
  163. # [07:27] * Joins: mike (mike@mcclure.w3.org)
  164. # [07:28] * Joins: peepo (Jay@86.147.236.233)
  165. # [07:30] * Quits: mike (mike@mcclure.w3.org) (Quit: Leaving)
  166. # [07:30] * Joins: MikeSmith (MikeSmith@mcclure.w3.org)
  167. # [07:36] * Quits: MikeSmith (MikeSmith@mcclure.w3.org) (Quit: Less talk, more pimp walk)
  168. # [07:37] * Joins: MikeSmith (MikeSmith@mcclure.w3.org)
  169. # [07:56] * Quits: dbaron (dbaron@67.160.251.228) (Quit: g'night)
  170. # [08:02] * Quits: MikeSmith (MikeSmith@mcclure.w3.org) (Quit: Less talk, more pimp walk)
  171. # [08:02] * Joins: tH (Rob@77.86.108.106)
  172. # [08:45] * Joins: chaals (chaals@76.168.248.35)
  173. # [08:57] * Joins: Sander (svl@86.87.68.167)
  174. # [09:05] * Quits: aroben (aroben@69.142.103.232) (Connection reset by peer)
  175. # [09:07] * Joins: ROBOd (robod@89.122.216.38)
  176. # [09:20] * Joins: zcorpan (zcorpan@213.236.208.22)
  177. # [10:18] * Quits: Lachy (Lachlan@84.215.54.100) (Quit: This computer has gone to sleep)
  178. # [11:18] * Disconnected
  179. # [11:18] * Attempting to rejoin channel #html-wg
  180. # [11:18] * Rejoined channel #html-wg
  181. # [11:18] * Topic is 'HTML WG chat http://www.w3.org/html/wg/tracker (logs: http://krijnhoetmer.nl/irc-logs/ ) '
  182. # [11:18] * Set by DanC_lap on Mon Mar 10 03:08:44
  183. # [11:18] * Quits: timbl (timbl@208.54.94.96) (Ping timeout)
  184. # [11:23] * Joins: myakura (myakura@122.29.8.215)
  185. # [11:55] * Joins: Lachy (Lachlan@213.236.208.22)
  186. # [12:35] * Joins: Laura (lauracarls@131.212.98.217)
  187. # [12:41] * Quits: Laura (lauracarls@131.212.98.217) (Quit: Laura)
  188. # [12:49] * Joins: Laura (lauracarls@131.212.98.217)
  189. # [12:49] * Quits: Laura (lauracarls@131.212.98.217) (Quit: Laura)
  190. # [12:51] * Joins: Laura (lauracarls@131.212.98.217)
  191. # [12:51] * Quits: Laura (lauracarls@131.212.98.217) (Quit: Laura)
  192. # [12:52] * Joins: Laura (lauracarls@131.212.98.217)
  193. # [12:52] * Quits: Laura (lauracarls@131.212.98.217) (Quit: Laura)
  194. # [12:52] * Joins: Laura (lauracarls@131.212.98.217)
  195. # [12:52] * Quits: Laura (lauracarls@131.212.98.217) (Quit: Laura)
  196. # [12:56] * Quits: gavin (gavin@63.245.208.169) (Quit: leaving)
  197. # [12:56] * Joins: gavin (gavin@63.245.208.169)
  198. # [12:59] * Quits: Sander (svl@86.87.68.167) (Quit: And back he spurred like a madman, shrieking a curse to the sky.)
  199. # [13:03] * Quits: gavin (gavin@63.245.208.169) (Quit: leaving)
  200. # [13:03] * Joins: gavin (gavin@63.245.208.169)
  201. # [13:23] * Joins: matt (matt@128.30.52.30)
  202. # [13:52] * Disconnected
  203. # [13:52] * Attempting to rejoin channel #html-wg
  204. # [13:52] * Rejoined channel #html-wg
  205. # [13:52] * Topic is 'HTML WG chat http://www.w3.org/html/wg/tracker (logs: http://krijnhoetmer.nl/irc-logs/ ) '
  206. # [13:52] * Set by DanC_lap on Mon Mar 10 03:08:44
  207. # [14:17] * Disconnected
  208. # [14:17] * Attempting to rejoin channel #html-wg
  209. # [14:17] * Rejoined channel #html-wg
  210. # [14:17] * Topic is 'HTML WG chat http://www.w3.org/html/wg/tracker (logs: http://krijnhoetmer.nl/irc-logs/ ) '
  211. # [14:17] * Set by DanC_lap on Mon Mar 10 03:08:44
  212. # [14:23] * Joins: zcorpan (zcorpan@213.236.208.22)
  213. # [14:47] * Quits: ROBOd (robod@89.122.216.38) (Quit: http://www.robodesign.ro )
  214. # [15:00] * Quits: matt (matt@128.30.52.30) (Quit: matt)
  215. # [15:00] * Joins: matt (matt@128.30.52.30)
  216. # [15:02] * Joins: Julian (chatzilla@217.91.35.233)
  217. # [15:11] * Quits: DanC_lap (connolly@128.30.52.30) (Ping timeout)
  218. # [15:12] * tlr is now known as tlr-bbl
  219. # [15:13] * Joins: DanC_lap (connolly@128.30.52.30)
  220. # [15:25] * Quits: zcorpan (zcorpan@213.236.208.22) (Ping timeout)
  221. # [15:27] * Joins: aaronlev (chatzilla@24.61.74.31)
  222. # [15:32] * Quits: aaronlev (chatzilla@24.61.74.31) (Client exited)
  223. # [16:07] * Joins: timbl (timbl@217.41.235.121)
  224. # [16:09] * Joins: dbaron (dbaron@67.160.251.228)
  225. # [16:10] * Quits: myakura (myakura@122.29.8.215) (Quit: Leaving...)
  226. # [16:18] * Quits: DanC_lap (connolly@128.30.52.30) (Ping timeout)
  227. # [16:18] * Joins: ROBOd (robod@89.122.216.38)
  228. # [16:21] * Joins: DanC_lap (connolly@128.30.52.30)
  229. # [18:27] * Disconnected
  230. # [18:28] * Attempting to rejoin channel #html-wg
  231. # [18:28] * Rejoined channel #html-wg
  232. # [18:28] * Topic is 'HTML WG chat http://www.w3.org/html/wg/tracker (logs: http://krijnhoetmer.nl/irc-logs/ ) '
  233. # [18:28] * Set by DanC_lap on Mon Mar 10 03:08:44
  234. # [18:35] * Joins: jgraham (james@81.86.216.20)
  235. # [18:35] * Quits: jgraham (james@81.86.216.20) (Quit: I get eaten by the worms)
  236. # [18:39] * Joins: aaronlev (chatzilla@65.78.0.149)
  237. # [19:03] <anne> another 14 "dropped" from the HTML WG...
  238. # [19:05] * Quits: mjs (mjs@17.255.104.245) (Quit: mjs)
  239. # [19:06] * Quits: aaronlev (chatzilla@65.78.0.149) (Connection reset by peer)
  240. # [19:09] * Joins: dbaron (dbaron@63.245.220.241)
  241. # [19:09] * Joins: mjs (mjs@17.255.104.245)
  242. # [19:12] * Joins: mjs_ (mjs@17.255.104.245)
  243. # [19:12] * Quits: mjs (mjs@17.255.104.245) (Connection reset by peer)
  244. # [19:13] <mjs_> anne: did you see that Microsoft submitted their XDomainRequest thing?
  245. # [19:14] * Quits: Lachy (Lachlan@213.236.208.22) (Quit: This computer has gone to sleep)
  246. # [19:15] <anne> I saw they reposted some notes they posted elsewhere on the interwebs :)
  247. # [19:16] * Quits: mjs_ (mjs@17.255.104.245) (Connection reset by peer)
  248. # [19:16] * Joins: mjs (mjs@17.255.104.245)
  249. # [19:16] <anne> It seems to offer a lot less functionality than Access Control. It is basically cross-site <form> without cookies/credentials but with the response.
  250. # [19:17] <anne> You can't use it for XSLT or <event-source>, you can't set arbitrary headers, it only works for 200 response codes, etc.
  251. # [19:18] <anne> It requires a new networking interface...
  252. # [19:20] <hsivonen> anne: looks like they don't preflight on POST...
  253. # [19:20] * Quits: mjs (mjs@17.255.104.245) (Connection reset by peer)
  254. # [19:21] * Joins: mjs (mjs@17.255.104.245)
  255. # [19:22] * Quits: mjs (mjs@17.255.104.245) (Connection reset by peer)
  256. # [19:22] * Joins: mjs (mjs@17.255.104.245)
  257. # [19:22] <mjs> anne: I would guess the security issue they alluded to is DNS rebinding
  258. # [19:23] <mjs> anne: if any form of permission granting is persistent across multiple requests then there would be a DNS rebinding attack
  259. # [19:23] <mjs> hmmm
  260. # [19:23] <anne> hsivonen, yes, but they don't do cookies/credentials either and they have some intranet weirdness
  261. # [19:24] <hsivonen> mjs: not if they happen in the same keep-alive
  262. # [19:24] <hsivonen> (which would violate layering, but...)
  263. # [19:24] <mjs> hsivonen: sure, I don't remember how much persistence is in the spec
  264. # [19:24] <anne> mjs, not if you give the server sufficient information (Access-Control-Origin) to prevent that
  265. # [19:24] <mjs> anne: ok then maybe there is no vulnerability
  266. # [19:25] <mjs> anne: but I think the attempt to prevent non-GET requests without explicit allow might be vulnerable to a rebinding attack
  267. # [19:25] <anne> The editor's draft states that: "In addition to checking the Access-Control-Origin HTTP header authors should also check the Host HTTP header and make sure the host name provided by that header matches the host name of their server. This will provide protection against DNS rebinding attacks."
  268. # [19:26] <mjs> but isn't there a separate GET request to allow non-GET?
  269. # [19:27] <anne> there's an OPTIONS request, yes
  270. # [19:27] <mjs> presumably to protect servers that have not adopted XXX at all from getting surprising non-GET method requests?
  271. # [19:27] <mjs> right, OPTIONS
  272. # [19:27] <mjs> couldn't you subvert that with DNS rebinding?
  273. # [19:28] <anne> as long as the server does the checks I'm not sure why
  274. # [19:28] <mjs> the point of the check is to prevent doing a cross-site POST to a server that has not been changed to do any checks
  275. # [19:28] <mjs> (the point of the OPTIONS request that is)
  276. # [19:29] <mjs> so if you arrange for the OPTIONS request to be sent to evil.com
  277. # [19:29] <mjs> then rebind evil.com to point to victim.com's server
  278. # [19:29] <mjs> then do a POST to evil.com
  279. # [19:29] <mjs> victim.com gets an unexpected cross-site POST
  280. # [19:30] <mjs> I'm not sure if that is any worse in practice than a cross-site form post
  281. # [19:30] <anne> it might be
  282. # [19:30] <mjs> but it does seem to subvert part of the purpose of the OPTIONS check
  283. # [19:31] <mjs> similarly, if the OPTIONS result can be cached for a long time, then there's also a potential DNS poisoning attack which lasts even after you leave the network with polluted DNS
  284. # [19:31] <hsivonen> what if evil.com hijacks the DNS and points victim.com to evil.com during OPTIONS and then points it to victim.com
  285. # [19:31] * Joins: adele (adele@17.203.14.235)
  286. # [19:31] <hsivonen> in that case the Host header will be victim.com
  287. # [19:31] <hsivonen> (although the hijack will be harder)
  288. # [19:32] <mjs> hsivonen: if evil.com can DNS hijack victim.com it can do all sorts of attacks, though of course it is good not to add new ones
  289. # [19:32] <hsivonen> mjs: fair enough
  290. # [19:33] <anne> ah, this was started because of some e-mails I just started to receive
  291. # [19:33] <mjs> I guess we can see what MS says about what they think the vulnerabilities are
  292. # [19:33] <hsivonen> how common is it for servers not to reject unknown Host these days?
  293. # [19:33] <mjs> hsivonen: sadly, not common at all
  294. # [19:33] <mjs> though I think it is important for them to start doing so to defend against rebinding attacks
  295. # [19:34] * Quits: Julian (chatzilla@217.91.35.233) (Ping timeout)
  296. # [19:34] * Joins: mjs_ (mjs@17.203.15.201)
  297. # [19:36] * Quits: mjs (mjs@17.255.104.245) (Ping timeout)
  298. # [19:43] <anne> so the only trick to work around DNS rebinding of OPTIONS is to have some kind of nonce I suppose
  299. # [19:43] <anne> hmm
  300. # [19:46] <hsivonen> or mixing layers so that OPTIONS is required for each HTTP connection
  301. # [19:46] <hsivonen> might be a pain for http libraries
  302. # [19:46] <anne> I don't understand
  303. # [19:46] <hsivonen> s/HTTP/TCP/
  304. # [19:47] <anne> I also don't get the MS comments "existing implementations have bugs" with a pointer to a bug in Mozilla about implementing cross-site XMLHttpRequest... and another pointer to Flash which uses a totally different mechanism
  305. # [19:47] <anne> (which is indeed insecure)
  306. # [19:48] <hsivonen> i.e. requiring the preflight and the main request to go in a single TCP connection
  307. # [19:51] <mjs_> it doesn't have to be a single TCP connection as long as it is the same IP address
  308. # [19:51] * mjs_ is now known as mjs
  309. # [19:52] * Quits: chaals (chaals@76.168.248.35) (Quit: chaals)
  310. # [21:52] * Disconnected
  311. # [21:52] * Attempting to rejoin channel #html-wg
  312. # [21:52] * Rejoined channel #html-wg
  313. # [21:52] * Topic is 'HTML WG chat http://www.w3.org/html/wg/tracker (logs: http://krijnhoetmer.nl/irc-logs/ ) '
  314. # [21:52] * Set by DanC_lap on Mon Mar 10 03:08:44
  315. # [21:58] * Quits: matt (matt@128.30.52.30) (Quit: matt)
  316. # [22:10] * Joins: aaronlev (chatzilla@65.78.0.149)
  317. # [22:10] * Joins: gsnedders (gsnedders@86.138.199.53)
  318. # [22:10] * Quits: ROBOd (robod@89.122.216.38) (Quit: http://www.robodesign.ro )
  319. # [22:37] * Joins: fearphage (fearphage@66.68.52.63)
  320. # [22:44] <anne> ah, jonas knows why the above isn't an issue
  321. # [22:44] <anne> good
  322. # [22:44] <anne> i was already wondering why that would've been overlooked for over a year and a half
  323. # [22:45] <mjs_> the dns rebinding problem?
  324. # [22:45] * mjs_ is now known as mjs
  325. # [22:45] <mjs> I should probably read the relevant specs more closely
  326. # [22:47] * Quits: aroben (aroben@69.142.103.232) (Ping timeout)
  327. # [22:58] <hsivonen> http://www.robweir.com/blog/2008/03/disharmony-of-ooxml.html
  328. # [22:59] <hsivonen> "An easy counter-example is HTML. Does HTML reflect the internals of NCSA Mosaic? Does it represent the internals of Netscape Navigator? Firefox? Opera? Safari? Are any faults in HTML justified by what a single browser does internally?"
  329. # [22:59] <anne> oops
  330. # [23:00] <gsnedders> hsivonen: wait… you mean it isn't a binary dump of WorldWideWeb? :P
  331. # [23:06] * Quits: Julian (chatzilla@80.143.186.140) (Quit: ChatZilla 0.9.81 [Firefox 2.0.0.12/2008020121])
  332. # [23:07] <mjs> hsivonen: are those meant to be rhetorical questions?
  333. # [23:08] <mjs> anne: do you know why the pre-check for unsafe methods is there in XHR2?
  334. # [23:09] <mjs> anne: I don't understand what it's trying to prevent well enough to analyze the security issues
  335. # Session Close: Sat Mar 15 00:00:00 2008