/irc-logs / w3c / #webapps / 2009-11-02 / end
Options:
- # Session Start: Mon Nov 02 00:00:00 2009
- # Session Ident: #webapps
- # [02:48] * Quits: shepazu (schepers@128.30.52.169) (Quit: shepazu)
- # [03:00] * Quits: smaug (chatzilla@82.181.150.24) (Client exited)
- # [06:31] * Joins: shepazu (schepers@128.30.52.169)
- # [06:53] * Joins: annevk (opera@12.197.88.10)
- # [07:15] * Quits: annevk (opera@12.197.88.10) (Quit: annevk)
- # [07:39] * Joins: arve (arve@212.251.179.162)
- # [08:33] * Joins: timeless_mbp (timeless@24.6.182.21)
- # [09:57] * Joins: smaug (chatzilla@82.181.150.24)
- # [11:21] * Joins: arve_ (arve@213.236.208.22)
- # [11:23] * Quits: arve (arve@212.251.179.162) (Ping timeout)
- # [12:01] * Quits: arve_ (arve@213.236.208.22) (Ping timeout)
- # [12:13] * Joins: arve (arve@212.251.179.162)
- # [13:28] * Quits: arve (arve@212.251.179.162) (Ping timeout)
- # [15:01] * Joins: arve (arve@212.251.179.162)
- # [15:01] <arve> which channels are being used?
- # [15:43] * Joins: aroben (aroben@71.58.77.15)
- # [16:22] * Joins: smaug_ (chatzilla@82.181.150.24)
- # [16:25] * Quits: smaug (chatzilla@82.181.150.24) (Quit: ChatZilla 0.9.85 [Firefox 3.7a1pre/20091021122508])
- # [16:36] * Joins: annevk (opera@72.254.112.194)
- # [16:52] * Quits: timeless_mbp (timeless@24.6.182.21) (Quit: timeless_mbp)
- # [17:08] * Quits: shepazu (schepers@128.30.52.169) (Quit: shepazu)
- # [17:11] * Joins: smaug (chatzilla@82.181.150.24)
- # [17:28] * Quits: annevk (opera@72.254.112.194) (Quit: annevk)
- # [17:33] * Joins: darobin (robin@72.254.116.7)
- # [17:34] * Quits: smaug (chatzilla@82.181.150.24) (Ping timeout)
- # [17:37] * Joins: tlr (tlr@128.30.52.169)
- # [17:40] <Hixie> anyone in the geo meeting or the webapps non-widget meeting?
- # [17:49] * Joins: anne (annevk@72.254.94.228)
- # [17:50] * Joins: shepazu (schepers@128.30.52.169)
- # [17:53] * Joins: chaals (chaals@72.254.116.154)
- # [17:53] * Joins: Zakim (rrs-bridgg@128.30.52.30)
- # [17:53] <shepazu> http://www.w3.org/2008/webapps/wiki/TPAC2009APIs
- # [17:56] * Joins: weinig (weinig@72.254.116.49)
- # [18:01] * Joins: Travis (d8341cc8@128.30.52.43)
- # [18:02] * Joins: mjs (mjs@72.254.93.235)
- # [18:02] * Joins: shiki (sokasaka@72.254.84.7)
- # [18:03] * Joins: pererik (chatzilla@72.254.62.138)
- # [18:04] * Joins: RRSAgent (rrs-loggee@128.30.52.30)
- # [18:04] <RRSAgent> logging to http://www.w3.org/2009/11/02-webapps-irc
- # [18:04] <Travis> scribe: Travis
- # [18:04] <Travis> scribeNick: Travis
- # [18:04] * Joins: Marcos (Marcos@72.254.60.247)
- # [18:04] * Joins: adrianba (adrianba@72.254.109.40)
- # [18:04] <Travis> Topic: Introductions for Persons present at the WebApps TPAC Meeting
- # [18:04] * Joins: mmielke (48fe53a0@128.30.52.43)
- # [18:05] * Joins: myakura (myakura@114.163.221.102)
- # [18:06] * Joins: evlakat (chatzilla@72.254.59.5)
- # [18:06] * evlakat is now known as Vladimir
- # [18:06] * Joins: MikeSmith (MikeSmithX@mcclure.w3.org)
- # [18:07] * Joins: ArtB (48fe3886@128.30.52.43)
- # [18:07] * timeless is running a bit behind
- # [18:09] <chaals> Present: Chaals, Anne van Kesteren, SamW, Travis, Adrian, Satoshi, Frank, Maciej, Mikeā¢, Rob, Marcus, Gondo, Vagner, Erik, Vladimir, Shigeo, Mark, Doug
- # [18:09] * Joins: Vagner-br (chatzilla@72.254.81.150)
- # [18:09] <chaals> Chair: Chaals
- # [18:09] * Joins: fo (48fe55d2@64.62.228.82)
- # [18:09] <MikeSmith> s/Shigeo/Shiki/
- # [18:10] * Parts: timeless (timeless@65.75.195.122) ((attending widgets))
- # [18:10] <pererik> s/Erik/Per-Erik/
- # [18:11] <chaals> Present+ Kai
- # [18:11] <chaals> http://www.w3.org/2008/webapps/wiki/TPAC2009APIs
- # [18:11] <MikeSmith> RRSAgent, make minutes
- # [18:11] <RRSAgent> I have made the request to generate http://www.w3.org/2009/11/02-webapps-minutes.html MikeSmith
- # [18:11] <shepazu> Agenda: http://www.w3.org/2008/webapps/wiki/TPAC2009APIs
- # [18:12] <Travis> Topic: Progress Events
- # [18:12] * Joins: Kai (chatzilla@72.254.114.142)
- # [18:12] * anne wonders where the Mozilla gang is
- # [18:17] <Travis> chaals: Any additional items to add to the agenda?
- # [18:17] <chaals> Present+ PaulC, Sam, JohnG, Jeremy
- # [18:18] <Travis> chaals: Spec has been stalled for some time...
- # [18:18] * Joins: plh-webapps (plh@128.30.52.28)
- # [18:19] <chaals> Present+ Nikunj
- # [18:19] <chaals> Topic: Progress events
- # [18:19] <chaals> --> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.32 Editor's draft
- # [18:20] * Joins: johnnyg (johnnyg@72.254.61.41)
- # [18:20] <Travis> chaals: Progress events are events for showing progress :-)
- # [18:21] * Joins: JonathanJ (hollobit@72.254.116.68)
- # [18:21] * Joins: smaug (chatzilla@91.153.243.201)
- # [18:22] <Travis> ... Issue about what events must be defined in the spec itself.
- # [18:23] <Travis> ... Justification is that there is a definate pattern that must be followed when implementing these events.
- # [18:23] <Travis> ... Progress events have been implemented by SVG some years ago (there a bit of a legacy)
- # [18:24] <Travis> ... Considering making the events requirement a "SHOULD" instead of a MUST.
- # [18:24] <Travis> ... This text presumably makes it easier to integrate into other specs.
- # [18:24] * Quits: smaug (chatzilla@91.153.243.201) (Ping timeout)
- # [18:25] <Travis> Hixie: Main concern with the requirements able to be defined in other specs and the progress events spec is how do you test this?
- # [18:26] <Travis> shepazu: Can progress events be implemented outside of a host language?
- # [18:28] <Travis> Hixie: Would like to have a normative section for what the event objects look like, then a non-normative section for what other spec authors should generally follow.
- # [18:28] <Travis> shepazu: Concerned that an implementer wouldn't implement the non-normative parts.
- # [18:29] <Travis> chaals: With a spec only having SHOULDs, there's no normative requirement for implementors!
- # [18:29] <Travis> ... Would such an approach make sense?
- # [18:29] * Joins: arun (arun@72.254.57.36)
- # [18:30] <Travis> Hixie: From a UA point of view, the dispatch of the events section in Progress Events would be redundant with the definition in a host spec.
- # [18:32] * Quits: adrianba (adrianba@72.254.109.40) (Ping timeout)
- # [18:33] <Travis> chaals: Without a normative requirement, there's nothing to prevent anyone from completely ignoring the spec.
- # [18:35] <Travis> Rob: Would it make sense to have a section for reasons why the Progress events wouldn't be used as spec'd?
- # [18:36] <Travis> shepazu: Question about what the different use cases are for when scenarios might employ progress events.
- # [18:36] * Joins: smaug (chatzilla@91.153.243.201)
- # [18:37] * Joins: eric_uhrhane (48fe5926@64.62.228.82)
- # [18:37] <shepazu> for example, you could use progress events for computationally intensive progress
- # [18:37] <shepazu> s/progress/processes
- # [18:38] <Travis> mjs: Should have a section for how Progress events should "typically" be used (in a basic scenario), but to not overconstrain the spec.
- # [18:39] <Travis> chaals: I propose to take the MUST requirements off of the UA requirements, and change these to SHOULD, and include examples of when you might not want to follow the basic pattern.
- # [18:40] <Travis> anne: Don't think it makes sense to have user agent requirements in this spec.
- # [18:40] <Travis> Hixie: There are conflicting requirements must / must not depending on the spec.
- # [18:41] * Quits: mmielke (48fe53a0@128.30.52.43) (Quit: CGI:IRC (Ping timeout))
- # [18:41] <Travis> anne: XHR, AppCache, Media Elements all specify how these events are to be dispatched.
- # [18:41] <Travis> ... So don't see the point of a common model.
- # [18:43] <Travis> chaals: Rather than having a new spec author search through the various specs to find the common pattern, they could go to one place (the Progress Events spec) to have a template to copy.
- # [18:43] <Travis> Hixie: Great--as long as it's not normative, I love it.
- # [18:43] <Travis> shepazu: +1
- # [18:43] * Quits: johnnyg (johnnyg@72.254.61.41) (Quit: johnnyg)
- # [18:44] <Travis> anne: Seems pretty complicated to a make a generic model.
- # [18:44] <Hixie> specifically, what i thought i understood was that the progress events spec would have a section that can be copied and pasted into other specs, that would put requirements in those specs for queueing tasks to fire events, etc
- # [18:44] <Hixie> these requirements would not be normative at the progress events spec level
- # [18:44] <Travis> anne: No formal objection.
- # [18:45] <arun> If it is non-normative, issues behind objections can probably be mitigated (e.g. how complicated a general model might be).
- # [18:45] <chaals> Proposed resolution: Remove the User agent requirements and make them informative for the "default case", provide examples of how a spec would incorporate the default case and examples of where it would do something differently
- # [18:46] <chaals> RESOLUTION: Remove the User agent requirements and make them informative for the "default case", provide examples of how a spec would incorporate the default case and examples of where it would do something differently
- # [18:47] <MikeSmith> Hixie, so HTML5 has not normative dependency on Progress events currently, right?
- # [18:47] * Joins: johnnyg (johnnyg@72.254.61.41)
- # [18:47] <MikeSmith> s/has not/has not/
- # [18:47] <MikeSmith> s/has not/has no/
- # [18:47] * Parts: anne (annevk@72.254.94.228)
- # [18:47] <Travis> chaals: Issue 105
- # [18:47] <weinig> http://www.w3.org/2008/webapps/track/issues/105
- # [18:47] <Hixie> it has one for appcache
- # [18:48] * Joins: anne (annevk@72.254.94.228)
- # [18:49] * Joins: mmielke (48fe53a0@128.30.52.43)
- # [18:49] * Quits: myakura (myakura@114.163.221.102) (Quit: Leaving...)
- # [18:49] <Travis> ... Use cases for my "email scenario" and the Media streaming events were different.
- # [18:50] * Quits: plh-webapps (plh@128.30.52.28) (Client exited)
- # [18:51] <Travis> ... Was my addition of the attribute for tracking different transactions useful?
- # [18:51] <Travis> Hixie: The model you describe (with sub-transactions showing progress) leads to horrific UI.
- # [18:51] <Travis> chaals: Yes, but I like that UI.
- # [18:52] * Quits: arve (arve@212.251.179.162) (Quit: Ex-Chat)
- # [18:52] * Quits: johnnyg (johnnyg@72.254.61.41) (Quit: johnnyg)
- # [18:52] * Joins: smaug__ (chatzilla@80.186.206.52)
- # [18:53] * Joins: arve (arve@213.236.208.22)
- # [18:53] <MikeSmith> "The default action of these events must be, if the user agent shows caching progress, the display of some sort of user interface indicating to the user that a file is being downloaded in preparation for updating the application. [PROGRESS]" http://dev.w3.org/html5/spec/offline.html#downloading-or-updating-an-application-cache
- # [18:53] <Travis> shepazu: In the multiple items case, could I make a progress bar that handled X different items downloading at once and consolidate them?
- # [18:54] * Quits: smaug (chatzilla@91.153.243.201) (Ping timeout)
- # [18:54] * smaug__ is now known as smaug
- # [18:56] <Travis> Rob: Might want to make this very simple and keep the progress as percentages only.
- # [18:56] <Travis> chaals: On percentages: this can get tricky when you don't know how much data you're going to get.
- # [18:57] * Quits: eric_uhrhane (48fe5926@64.62.228.82) (Quit: http://www.mibbit.com ajax IRC Client)
- # [18:58] <Travis> MichaelNan: In favor of simplifying the progress events.
- # [19:01] * Quits: tlr (tlr@128.30.52.169) (Quit: tlr)
- # [19:01] * Joins: johnnyg (johnnyg@72.254.61.41)
- # [19:01] * Joins: timeless_mbp (timeless@72.254.57.15)
- # [19:01] <Travis> weinig: May not need to define in the Progress Events for sub items, but leave it up to hosting specs to provide a means to define how unique progress events are tracked.
- # [19:03] * Joins: tlr (tlr@128.30.52.169)
- # [19:04] <Travis> chaals: The purpose of the two extra attributes was to allow the data for sub items to be tracked.
- # [19:05] <Travis> weinig: For the non-simple cases, an informative section describing how to handle these might be easier.
- # [19:06] <Travis> Hixie: Could look to XHR's upload concept.
- # [19:07] <anne> http://dev.w3.org/2006/webapi/XMLHttpRequest-2/#the-upload-attribute
- # [19:07] <Travis> Action: weinig to write up sample on what the multi-file progress informative text might look like.
- # [19:07] * trackbot noticed an ACTION. Trying to create it.
- # [19:07] * RRSAgent records action 1
- # [19:07] <trackbot> Created ACTION-431 - Write up sample on what the multi-file progress informative text might look like. [on Samuel Weinig - due 2009-11-09].
- # [19:09] <Travis> chaals: Issue 107 is largely redundant if we simplify.
- # [19:10] <Travis> chaals: There is another question: what does the total and loaded count mean?
- # [19:10] <Travis> ... Now is specifies the number of bytes.
- # [19:11] <Travis> ... In removing the normative requirement, the "bytes" requirement could totally go away.
- # [19:11] <Travis> ... Makes sense for me to recommend bytes as the default simple case.
- # [19:11] <Travis> Hixie: So far, the various specs interpret the values different already {files, bytes, objects}
- # [19:15] <Travis> chaals: Propose we drop the total bytes in favor of showing progress of "something".
- # [19:15] <MikeSmith> chaals, Ian Fette and Lachy came in, need to intro himself
- # [19:16] * Joins: Lachy (Lachlan@72.254.57.120)
- # [19:16] * Quits: Lachy (Lachlan@72.254.57.120) (Connection reset by peer)
- # [19:16] * Joins: Lachy (Lachlan@72.254.57.120)
- # [19:17] * Joins: mmani (c6980d43@128.30.52.43)
- # [19:18] <Travis> shepazu: Please keep existing text in place for a compare/contrast draft.
- # [19:18] * Quits: johnnyg (johnnyg@72.254.61.41) (Quit: johnnyg)
- # [19:19] <Travis> chaals: I think this wraps up what I had to discuss on Progress Events.
- # [19:21] * Quits: Lachy (Lachlan@72.254.57.120) (Connection reset by peer)
- # [19:22] * Quits: Kai (chatzilla@72.254.114.142) (Quit: ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458])
- # [19:23] * Joins: Lachy (Lachlan@72.254.57.120)
- # [19:23] <Travis> chaals: Let's break now, and reconvene at 11. We'll be in Salon 5 meeting with Device API.
- # [19:23] * Quits: Lachy (Lachlan@72.254.57.120) (Connection reset by peer)
- # [19:23] * Parts: Travis (d8341cc8@128.30.52.43)
- # [19:24] * Quits: weinig (weinig@72.254.116.49) (Quit: weinig)
- # [19:24] * Quits: pererik (chatzilla@72.254.62.138) (Quit: ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458])
- # [19:24] * Quits: shepazu (schepers@128.30.52.169) (Quit: shepazu)
- # [19:25] * Quits: fo (48fe55d2@64.62.228.82) (Quit: http://www.mibbit.com ajax IRC Client)
- # [19:26] * Quits: Vladimir (chatzilla@72.254.59.5) (Ping timeout)
- # [19:26] * Quits: mmielke (48fe53a0@128.30.52.43) (Quit: CGI:IRC (Ping timeout))
- # [19:29] * Joins: Lachy (Lachlan@72.254.57.120)
- # [19:31] * Quits: Vagner-br (chatzilla@72.254.81.150) (Ping timeout)
- # [19:35] * Quits: darobin (robin@72.254.116.7) (Ping timeout)
- # [19:40] * Joins: johnnyg (johnnyg@72.254.61.41)
- # [19:45] * Quits: johnnyg (johnnyg@72.254.61.41) (Quit: johnnyg)
- # [19:47] * Quits: ArtB (48fe3886@128.30.52.43) (Quit: CGI:IRC (EOF))
- # [19:49] * Quits: timeless_mbp (timeless@72.254.57.15) (Quit: timeless_mbp)
- # [19:50] * Quits: arun (arun@72.254.57.36) (Quit: arun)
- # [19:54] * Joins: johnnyg (johnnyg@72.254.61.41)
- # [19:55] * Quits: JonathanJ (hollobit@72.254.116.68) (Quit: JonathanJ)
- # [19:56] * Quits: mjs (mjs@72.254.93.235) (Quit: mjs)
- # [19:58] * Quits: johnnyg (johnnyg@72.254.61.41) (Quit: johnnyg)
- # [19:59] * Quits: Lachy (Lachlan@72.254.57.120) (Quit: This computer has gone to sleep)
- # [20:01] * Joins: tlr_ (tlr@72.254.89.250)
- # [20:01] * Quits: shiki (sokasaka@72.254.84.7) (Quit: shiki)
- # [20:02] * Joins: arun (arun@72.254.57.36)
- # [20:03] * Joins: darobin (robin@72.254.116.7)
- # [20:05] * Joins: johnnyg (johnnyg@72.254.61.41)
- # [20:06] * Joins: mjs (mjs@72.254.93.235)
- # [20:06] * Joins: weinig (weinig@72.254.116.49)
- # [20:06] * Joins: shiki (sokasaka@72.254.84.7)
- # [20:07] * Joins: pererik (chatzilla@72.254.62.138)
- # [20:07] * Joins: jorlow (jorlow@72.254.60.146)
- # [20:08] * Joins: Vladimir (chatzilla@72.254.59.5)
- # [20:08] * Joins: shepazu (schepers@128.30.52.169)
- # [20:09] * Quits: jorlow (jorlow@72.254.60.146) (Quit: jorlow)
- # [20:10] * Joins: jorlow (jorlow@72.254.60.146)
- # [20:10] * Joins: sicking (chatzilla@72.254.59.32)
- # [20:10] <chaals> rrsagent, make logs public
- # [20:10] <RRSAgent> I have made the request, chaals
- # [20:10] <chaals> rrsagent, draft minutes
- # [20:10] <RRSAgent> I have made the request to generate http://www.w3.org/2009/11/02-webapps-minutes.html chaals
- # [20:10] <chaals> rrsagent, this meeting crosses midnight
- # [20:10] <RRSAgent> I'm logging. I don't understand 'this meeting crosses midnight', chaals. Try /msg RRSAgent help
- # [20:11] <chaals> rrsagent, this meeting spans midnight
- # [20:11] <RRSAgent> ok, chaals; I will not start a new log at midnight
- # [20:11] * Joins: jorlow_ (jorlow@216.239.44.65)
- # [20:13] * Quits: jorlow (jorlow@72.254.60.146) (Ping timeout)
- # [20:13] * jorlow_ is now known as jorlow
- # [20:13] * Zakim excuses himself; his presence no longer seems to be needed
- # [20:13] * Parts: Zakim (rrs-bridgg@128.30.52.30)
- # [20:14] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [20:14] * Joins: Vagner-br (chatzilla@72.254.81.150)
- # [20:22] * Joins: tlr__ (tlr@72.254.89.250)
- # [20:22] * Quits: tlr (tlr@128.30.52.169) (Quit: tlr)
- # [20:22] * Quits: smaug (chatzilla@80.186.206.52) (Ping timeout)
- # [20:22] * Quits: tlr_ (tlr@72.254.89.250) (Connection reset by peer)
- # [20:23] * Joins: Marcos (Marcos@72.254.60.247)
- # [20:23] * tlr__ is now known as tlr_
- # [20:24] * Joins: tlr (tlr@128.30.52.169)
- # [20:25] * Quits: tlr_ (tlr@72.254.89.250) (Connection reset by peer)
- # [20:43] * Joins: gsnedders (gsnedders@83.252.229.211)
- # [20:47] * Parts: Vagner-br (chatzilla@72.254.81.150)
- # [20:48] * Joins: mmielke (cdf86653@128.30.52.43)
- # [20:48] * mmielke is now known as mielke
- # [20:53] * Joins: NEWTON_VAGNER_DIN (chatzilla@72.254.81.150)
- # [21:02] * Quits: Hixie (ianh@129.241.93.37) (Ping timeout)
- # [21:04] * Quits: mmani (c6980d43@128.30.52.43) (Quit: CGI:IRC)
- # [21:04] * Joins: mmani (c6980d43@128.30.52.43)
- # [21:04] * Quits: mmani (c6980d43@128.30.52.43) (Quit: CGI:IRC)
- # [21:05] * Joins: smaug (chatzilla@82.181.150.24)
- # [21:07] * Joins: Hixie (ianh@129.241.93.37)
- # [21:09] * Joins: JonathanJ (hollobit@72.254.116.68)
- # [21:25] * Joins: timeless_mbp (timeless@216.239.45.19)
- # [21:28] * Quits: pererik (chatzilla@72.254.62.138) (Ping timeout)
- # [21:29] * Joins: pererik (chatzilla@72.254.62.138)
- # [21:36] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [21:38] * Quits: smaug_ (chatzilla@82.181.150.24) (Quit: ChatZilla 0.9.85 [Firefox 3.7a1pre/20091015073430])
- # [21:41] * Quits: mjs (mjs@72.254.93.235) (Quit: mjs)
- # [21:41] * Quits: NEWTON_VAGNER_DIN (chatzilla@72.254.81.150) (Ping timeout)
- # [21:51] * Joins: Marcos (Marcos@72.254.60.247)
- # [21:51] * Quits: shepazu (schepers@128.30.52.169) (Quit: shepazu)
- # [21:51] * Quits: tlr (tlr@128.30.52.169) (Quit: tlr)
- # [21:51] * Quits: weinig (weinig@72.254.116.49) (Quit: weinig)
- # [21:51] * Joins: jorlow_ (jorlow@72.254.60.146)
- # [21:51] * Quits: shiki (sokasaka@72.254.84.7) (Quit: shiki)
- # [21:52] * Quits: johnnyg (johnnyg@72.254.61.41) (Quit: johnnyg)
- # [21:52] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [21:52] * Joins: Marcos (Marcos@72.254.60.247)
- # [21:52] * Quits: jorlow_ (jorlow@72.254.60.146) (Connection reset by peer)
- # [21:52] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [21:52] * Quits: chaals (chaals@72.254.116.154) (Quit: chaals)
- # [21:54] * Quits: darobin (robin@72.254.116.7) (Ping timeout)
- # [21:54] * Quits: Vladimir (chatzilla@72.254.59.5) (Ping timeout)
- # [21:54] * Quits: pererik (chatzilla@72.254.62.138) (Ping timeout)
- # [21:54] * Quits: jorlow (jorlow@216.239.44.65) (Ping timeout)
- # [21:56] * Quits: JonathanJ (hollobit@72.254.116.68) (Quit: JonathanJ)
- # [21:56] * Quits: arun (arun@72.254.57.36) (Quit: arun)
- # [21:59] * Quits: sicking (chatzilla@72.254.59.32) (Ping timeout)
- # [22:00] * Quits: mielke (cdf86653@128.30.52.43) (Quit: CGI:IRC (EOF))
- # [22:24] * Quits: timeless_mbp (timeless@216.239.45.19) (Quit: timeless_mbp)
- # [22:38] * Joins: timeless_mbp (timeless@216.239.45.19)
- # [22:46] * Joins: Marcos (Marcos@72.254.60.247)
- # [22:46] * Joins: shiki (sokasaka@72.254.84.7)
- # [22:48] * Joins: shepazu (schepers@128.30.52.169)
- # [22:50] * Joins: weinig (weinig@72.254.116.49)
- # [22:51] * Joins: pererik (pe@72.254.62.138)
- # [22:53] * Joins: mjs (mjs@72.254.93.235)
- # [22:54] * Joins: NEWTON_VAGNER_DIN (chatzilla@72.254.81.150)
- # [22:59] * Joins: sicking (chatzilla@72.254.59.32)
- # [23:01] * Joins: ArtB (48fe3886@128.30.52.43)
- # [23:01] * Quits: pererik (pe@72.254.62.138) (Quit: ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458])
- # [23:01] * Joins: pererik (pe@72.254.62.138)
- # [23:01] * Joins: darobin (robin@72.254.116.7)
- # [23:02] * Joins: plh (plh@128.30.52.28)
- # [23:02] * Joins: Vladimir (chatzilla@72.254.59.5)
- # [23:02] * ArtB changes topic to 'WebApps agenda Nov 2: http://www.w3.org/2008/webapps/wiki/TPAC2009APIs#Monday.2C_November_2'
- # [23:02] * Joins: chaals (chaals@72.254.116.154)
- # [23:02] <ArtB> RRSAgent, pointer
- # [23:02] <RRSAgent> See http://www.w3.org/2009/11/02-webapps-irc#T22-02-40
- # [23:02] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [23:03] <ArtB> RRSAgent, make minutes
- # [23:03] <RRSAgent> I have made the request to generate http://www.w3.org/2009/11/02-webapps-minutes.html ArtB
- # [23:03] <chaals> Scribe: Chaals
- # [23:03] <chaals> ScribeNick: chaals
- # [23:03] <chaals> Topic: CORS
- # [23:04] * ArtB notes CORS agenda items: http://www.w3.org/2008/webapps/wiki/TPAC2009APIs#Monday.2C_November_2
- # [23:04] * Joins: Marcos (Marcos@72.254.60.247)
- # [23:05] * Quits: timeless_mbp (timeless@216.239.45.19) (Quit: timeless_mbp)
- # [23:05] * chaals wonders where TLR is
- # [23:05] <ArtB> Present+ ArtB
- # [23:05] * Joins: timeless_mbp (timeless@216.239.45.19)
- # [23:06] <chaals> AvK: Two open issues raised by mnot
- # [23:06] <chaals> ... one is naming, one is technical. And a missing issue MM is here to talk about - should we throw it all away...
- # [23:06] * ArtB notes CORS Editor's Draft: http://dev.w3.org/2006/waf/access-control/
- # [23:07] <chaals> MM: Suggesting the mechanism should not present authorising information in a ?? fashion. It's up to applications to decide what to do
- # [23:07] * Joins: DanC (connolly@128.30.52.169)
- # [23:07] <chaals> AvK: Also status of origins spec at IETF, and call for tutorials/use cases.
- # [23:07] * Joins: Magnus (chatzilla@72.254.111.212)
- # [23:07] * Quits: NEWTON_VAGNER_DIN (chatzilla@72.254.81.150) (Ping timeout)
- # [23:07] * Quits: timeless_mbp (timeless@216.239.45.19) (Quit: timeless_mbp)
- # [23:07] <chaals> ... let's begin with the big fat guy in the middle of the room
- # [23:07] * chaals notes he is towards the front left corner really
- # [23:08] <chaals> MM: Objection is that we know about confused deputy problems. Systems that do authentication by associating authority on the identity of the requesting identity creates vulnerabilities.
- # [23:09] <chaals> ... CORS links origin of requester from origin header, which fulfils requirements to make Confused Deputy problems.
- # [23:09] <chaals> ... discussion hasn't addressed the objection.
- # [23:09] <chaals> ... Not showed that it doesn't apply, doesn't matter, etc.
- # [23:09] <arun> q+ to ask about a sample attack...
- # [23:10] <chaals> ack arun
- # [23:10] <mjs> q+
- # [23:10] * Joins: tlr (tlr@128.30.52.169)
- # [23:10] <shepazu> q+ tyler
- # [23:10] <chaals> AR: Can anyone show a sample attack that demonstrates the nature of the problem?
- # [23:11] <chaals> MM: Tyler Close posted a 3-aparty interaction where each step is intuitive in CORS< and the result creates a confused deputy problem.
- # [23:11] <chaals> ack mjs
- # [23:11] * Joins: adrianba (adrianba@72.254.109.40)
- # [23:11] * Joins: jorlow (jorlow@216.239.45.4)
- # [23:11] <chaals> MJS: My reply was that this came from using arbitrary URIs rather than recognising that they are meant to be scoped to a specific subdomain. Don't think that is created by CORS
- # [23:12] <chaals> MM: What validation should the second party do to the URIs to ensure control?
- # [23:12] <chaals> MJS: Site 1 has photos, site 2 printing, site 3 has storage.
- # [23:12] <chaals> ... photo site wants printer to get things from storage.
- # [23:12] <Hixie> http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1324.html is Tyler's example
- # [23:12] <anne> example from Tyler: http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1324.html
- # [23:12] <chaals> ... etc.
- # [23:12] <shepazu> q+
- # [23:13] * Joins: ht (ht@128.30.52.169)
- # [23:13] <chaals> ... Right approach: Printing site creates one-time store, passes that, and the photo site uses a different API to pass it to the photo site.
- # [23:13] <chaals> TC: That is right, but you don't need CORS to do it
- # [23:13] * Joins: NEWTON_VAGNER_DIN (chatzilla@72.254.81.150)
- # [23:13] <chaals> MJS: How do you do it without server-server comms which is a goal of CORS
- # [23:14] <ht> ArtB -- TAG is coming, unless you say no. . .
- # [23:14] <MikeSmith> chaals, some TAG members will be joining in a minute
- # [23:14] * Joins: soonho (soonho@72.254.114.255)
- # [23:14] * NEWTON_VAGNER_DIN is now known as Vagner_W3C_Brasil
- # [23:14] * Vagner_W3C_Brasil is now known as NEWTON_VAGNER_DIN
- # [23:14] * Quits: jorlow (jorlow@216.239.45.4) (Ping timeout)
- # [23:14] * NEWTON_VAGNER_DIN is now known as Vagner_W3C_Brasil
- # [23:14] * chaals sure, step inside our dungeon...
- # [23:14] <arun> This is Tyler's Email: http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1324.html
- # [23:15] * Quits: DanC (connolly@128.30.52.169) (Client exited)
- # [23:15] * Joins: Qiuling (panqiuling@72.254.91.36)
- # [23:15] <chaals> TC: We know in principle that using client authentication is vulnerable to CD. We have experienced this on the web - csrf, clickjacking.
- # [23:15] * Quits: ArtB (48fe3886@128.30.52.43) (Quit: CGI:IRC (EOF))
- # [23:16] <chaals> ... CORS proposes another way to use client auth on the web.
- # [23:16] <shepazu> q+ to ask if we are worried about malicious or accidental problems
- # [23:16] <chaals> q?
- # [23:16] * Joins: ArtB (48fe3886@128.30.52.43)
- # [23:16] * Joins: Zakim (rrs-bridgg@128.30.52.30)
- # [23:16] <chaals> DS: It seemed that the attacks are not malicious, but accidental. Ambient authority gets wrong access.
- # [23:17] <chaals> MM: My sense was that it is not accidental. The program issuing a command could, I think maliciously, "mis"direct information
- # [23:18] <chaals> DS: Think we could distinguish accidental cases (things people get wrong) from malicious attacks - the latter are ways people can hack you, the other is something that doesn't give malicious access.
- # [23:18] <chaals> MJS: CSRF lets people set up malicious attack
- # [23:18] <chaals> MM: I am happy that if we can solve the malicious cases we are fine.
- # [23:19] <chaals> TC explains his email example with a drawing.
- # [23:19] <shepazu> original confused deputy description: http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
- # [23:20] <chaals> MJS: I think that this setup requires a shared secret, which requires server-server communication.
- # [23:20] <chaals> Present+ TAG
- # [23:21] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [23:22] * Joins: DanC (connolly@128.30.52.169)
- # [23:22] * Joins: johnnyg (johnnyg@216.239.45.4)
- # [23:22] <MikeSmith> q?
- # [23:22] * Zakim sees no one on the speaker queue
- # [23:22] * DanC wonders who (if anybody) is scribing
- # [23:22] * Joins: mmielke (mmielke@72.254.83.160)
- # [23:22] * Joins: noahm (noah_mende@72.254.93.185)
- # [23:22] * anne chaals is
- # [23:23] * anne but he's prolly not scribing what has already been said
- # [23:23] * Quits: mmielke (mmielke@72.254.83.160) (Quit: mmielke)
- # [23:23] <DanC> RRSAgent, poinger?
- # [23:23] <RRSAgent> I'm logging. Sorry, nothing found for 'poinger'
- # [23:23] <DanC> RRSAgent, pointer?
- # [23:23] <RRSAgent> See http://www.w3.org/2009/11/02-webapps-irc#T22-23-14
- # [23:23] <chaals> TC: 3 servers. 1 has photos, 2 is a printer, 3 is a storage service
- # [23:23] * Joins: htt (ht@128.30.52.169)
- # [23:23] * Joins: Marcos (Marcos@72.254.60.247)
- # [23:23] * Joins: mmielke (mmielke@72.254.83.160)
- # [23:23] * Quits: ht (ht@128.30.52.169) (Ping timeout)
- # [23:24] * htt is now known as ht
- # [23:24] <chaals> MJS: CORS tries to cut out the requirement that your servers have to talk to each other in order to allow the request. Request something from server A, then you can make a request to server B without having to ping back to server A and ask that to talk to B
- # [23:24] <MikeSmith> somebody who has a camera should please take a photo of Tyler's diagram
- # [23:25] <chaals> TC: I think you are explaning how people can use one-time tokens to solve that problem. We don't think you need to use CORS to do that, and if you do rely on CORS you are vulnerable to Confused Deputy
- # [23:25] <DanC> (what mjs said sounds like one of the CORS requirements... advancing the state-of-the-art from having to go thru the origin to get to (coorperating) 3rd parties)
- # [23:25] <chaals> MM: The key is that post-login the auth login is not ambient
- # [23:25] <shepazu> q+ rob
- # [23:25] * Zakim sees rob on the speaker queue
- # [23:25] * Quits: plh (plh@128.30.52.28) (Quit: always accept cookies)
- # [23:26] <chaals> MJS: Main reason for CORS is to bootstrap the one-time mechanism - only other known ways are shared secret on server side and require server-server communication to pass the tokens
- # [23:26] <chaals> s/ways/way/
- # [23:27] <chaals> ... (server can't send its secret via the client, because then it isn't secret)
- # [23:27] * Joins: JonathanJ (hollobit@72.254.116.68)
- # [23:27] <chaals> DS: Is the data otherwise secure?
- # [23:27] <chaals> TC: Yes.
- # [23:28] <DanC> (can't quite tell if that requirement is in http://www.w3.org/TR/access-control/#requirements or not. maybe it's in the use cases.)
- # [23:28] <chaals> ack rob
- # [23:28] * Zakim sees no one on the speaker queue
- # [23:28] <chaals> Rob: Seems there are disagreements on what CORS is. You see it as an auth system, and I don't think that it is - CORS says you can talk to this guy, but the auth sits on top of that.
- # [23:28] * DanC would like a clue... who's that in red?
- # [23:28] * Joins: mmani (c6980d43@128.30.52.43)
- # [23:29] <chaals> MM: You are not an origin...
- # [23:29] * DanC t
- # [23:29] * DanC tx
- # [23:29] <chaals> MJS: You can make a request, but you can't guarantee that it gets fulfilled
- # [23:29] * anne DanC Mark Miller
- # [23:29] <MikeSmith> q?
- # [23:29] * Zakim sees no one on the speaker queue
- # [23:29] * Joins: timeless_mbp (timeless@72.254.57.15)
- # [23:29] * ht danc, see #tagmem
- # [23:29] * Quits: adrianba (adrianba@72.254.109.40) (Ping timeout)
- # [23:30] <chaals> TC: CORS adds a header on origin, that sites will use (because they are encouraged to) as a mechanism for auth, and that leads them to be caught by confused deputy
- # [23:31] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [23:31] <DanC> (the security risks are clear enough to me; have alternative designs that avoid the risks been offered?)
- # [23:32] <chaals> MJS: Think that there are cases where CORS will be used, that do not introduce the problem. I want to see why we will run into problems.
- # [23:32] * ht believes that Mark and Tyler's proposal is exactly that, but only on circumstantial evidence
- # [23:32] * DanC pointer to proposal?
- # [23:32] * ht the flip chart
- # [23:32] * ht sorry
- # [23:33] * DanC thought the flip chart was a description of the problem. guess I'm not following
- # [23:33] <chaals> MM: Objection specifically applies to 3-party scenarios. 2-parties don't create a problem. But once you create the system, and people apply their 2-party system to 3-party cases, you *will* end up with problems.
- # [23:33] * anne ... I don't think the alternative has been explained fully yet
- # [23:33] <chaals> MJS: Classic CSRF problem is that the 2 parties are a site expecting a form, and the user giving it, and a 3rd-party making malicious use of the user's authority.
- # [23:33] * ht right
- # [23:33] <DanC> (seems to me all the relevant arguments are represented in the WG; if you just give me an issue # so I can tune in later and see what's decided, I'll happily go do other stuff.)
- # [23:33] <ht> +1
- # [23:34] <anne> DanC, there is no issue number
- # [23:34] <DanC> yeah, that seems like a bug
- # [23:34] <chaals> ... CORS lets you solve this by giving a secure mechanism for dealing with the transaction.
- # [23:34] <shepazu> q+ raman
- # [23:34] * Zakim sees raman on the speaker queue
- # [23:34] * Joins: Marcos (Marcos@72.254.60.247)
- # [23:34] * Quits: Marcos (Marcos@72.254.60.247) (Quit: Marcos)
- # [23:34] <DanC> easy to fix: ISSUE: confused deputy problem
- # [23:34] <anne> DanC, if we agree this is an issue there's no need for an issue number because we'd need to do something else
- # [23:35] <chaals> TC: Web browser is on a site that cmes from the photo manager. all interactions take place on that page.
- # [23:35] <DanC> anne, not at all.
- # [23:35] <noahm> Art: I'm seeing some sentiment that if the Webapps group would open a formal issue to explore confused deputy, the TAG would consider that a good step.
- # [23:35] <chaals> ... user hits a button to print a photo. a button asks a printer site to print a photo.
- # [23:35] <DanC> an issue is just a promise to make a decision; it doesn't presume which way the decision will go
- # [23:36] * chaals will open an issue if we don't solve this...
- # [23:36] * noahm Dan and Henry, that do it for you?
- # [23:36] * DanC would like you to open an issue even if you don't
- # [23:36] * chaals welcomes anyone else doing so in the meantime
- # [23:36] * ht put that on the record Chaals and we can go
- # [23:36] * chaals ok,cheers
- # [23:36] * noahm all set, TAG members?
- # [23:36] * ht waiting to see it on the record
- # [23:36] <chaals> ACTION: chaals to raise an issue for this question
- # [23:36] * trackbot noticed an ACTION. Trying to create it.
- # [23:36] * RRSAgent records action 2
- # [23:36] <trackbot> Created ACTION-432 - Raise an issue for this question [on Charles McCathieNevile - due 2009-11-09].
- # [23:36] * Quits: Qiuling (panqiuling@72.254.91.36) (Quit: Qiuling)
- # [23:36] * ht thanks!
- # [23:36] <MikeSmith> action-432?
- # [23:37] * trackbot getting information on ACTION-432
- # [23:37] <trackbot> ACTION-432 -- Charles McCathieNevile to raise an issue for this question -- due 2009-11-09 -- OPEN
- # [23:37] <trackbot> http://www.w3.org/2008/webapps/track/actions/432
- # [23:37] <anne> DanC, fair enough http://www.w3.org/2008/webapps/track/issues/108
- # [23:37] * noahm methinks s/this issue/confused deputy/ Modulo that, thanks much, Chaals!
- # [23:37] <anne> close ACTION-432
- # [23:37] * trackbot attempting to close ACTION-432.
- # [23:37] <trackbot> ACTION-432 Raise an issue for this question closed
- # [23:37] * Joins: Kai (chatzilla@72.254.114.142)
- # [23:37] <DanC> :) issue-108. thanks.
- # [23:37] <MikeSmith> ht, I will change that now
- # [23:37] * ht thanks Anne, Mike, Chaals
- # [23:38] * DanC is ready to head out... wonders what's the least disruptive way to do so
- # [23:38] <chaals> IH: How does the manager authorise printing?
- # [23:38] * ht stand up on 3..
- # [23:38] <ht> 2..
- # [23:38] * ht 2..
- # [23:38] * ht 1..
- # [23:38] * ht go!
- # [23:38] * Quits: DanC (connolly@128.30.52.169) (Client exited)
- # [23:38] <chaals> TC: Out of band, they made an agreement that the manager could ship jobs to the printer.
- # [23:38] * Joins: arun (arun@72.254.57.36)
- # [23:40] * Quits: noahm (noah_mende@72.254.93.185) (Ping timeout)
- # [23:40] <chaals> MJS: THe question is whether there is a sensible way to use CORS that doesn't have a vulnerability?
- # [23:40] <chaals> CMN: I think the question is whether there is an obvious way to use CORS that introduces a security risk
- # [23:41] <chaals> TC: We are objecting to the idea that the group is baking up a way that people will create security risks
- # [23:41] <chaals> MJS: I don't think that is an issue. CORS allows for 2-party transactions to be done that are secure.
- # [23:42] <chaals> MM: The 2-site model is OK. The problem is that the assumption that the request reflects only the requestor's intention, and it is actually formed using information coming from a third party, a set of decision each individually sensible will compose to create a 3-party interaction pattern that we know to be vulnerable.
- # [23:43] * Joins: noahm (noah_mende@72.254.93.185)
- # [23:43] <chaals> TC: You say it is unlikely, but we have seen it played out into cookies. and into clickjacking. How often do we repeat the pattern before we stop doing it?
- # [23:44] <chaals> [back to the example]
- # [23:44] <MikeSmith> issue-108?
- # [23:44] * trackbot getting information on ISSUE-108
- # [23:44] <trackbot> ISSUE-108 -- confused deputy problem -- RAISED
- # [23:44] <trackbot> http://www.w3.org/2008/webapps/track/issues/108
- # [23:44] * Quits: ht (ht@128.30.52.169) (Ping timeout)
- # [23:44] <chaals> TC: The page now sends a request to the printer page to get the spool file, then we send a request to the storage page to copy stuff into the printer spool.
- # [23:45] * Joins: DanC (connolly@128.30.52.169)
- # [23:45] <MikeSmith> RRSAgent, make minutes
- # [23:45] <RRSAgent> I have made the request to generate http://www.w3.org/2009/11/02-webapps-minutes.html MikeSmith
- # [23:46] <chaals> ... the user owns lots of sites on the storage site. If the printer site sends back a request for DontTouchMe, the file transferred goes into DontTouchMe instead of a spool file.
- # [23:46] <chaals> MM: Intuitive assumption for the developer is that the URL from teh printer site is a URLthe printer has access to.
- # [23:47] <chaals> ... problem arises because if the storage site checks access against the origin, it will check against the manager's access, not the printer's.
- # [23:47] <chaals> ... manager would want to make the decision based on whether the printer has access, but has no way to ask that.
- # [23:48] <chaals> TC: There is an access control problem. CORS is telling developers to use a solution that won't work. There are other solutions.
- # [23:48] <chaals> Rob: If manager was only talking direct to the client, direct to the printer, and direct to the store, no problem.
- # [23:48] <chaals> AR: The use case can be shoe-horned into other systems.
- # [23:49] <chaals> MM: Yes, into any situtation where auth is passed on behalf of the client. If the requestor can say "I want this if my request source had access" then you solve the problem.
- # [23:49] <chaals> DS: MM agreed there are ways to build secure applications with CORS< as well as building vulnerabilities.
- # [23:49] <chaals> MM: True.
- # [23:49] <chaals> q+
- # [23:49] * Zakim sees raman, chaals on the speaker queue
- # [23:50] <chaals> q- raman
- # [23:50] * Zakim sees chaals on the speaker queue
- # [23:50] <chaals> q+ Tyler
- # [23:50] * Zakim sees chaals, Tyler on the speaker queue
- # [23:50] <mjs> oh hey Zakim is back
- # [23:51] <mjs> q+
- # [23:51] * Zakim sees chaals, Tyler, mjs on the speaker queue
- # [23:51] <chaals> MM: Issue is primitives that compose data. Analogy - LISP was dynamically scoped, and that was useful in many ways. But there were a set of individual decisions where you can't know tha they are bad, compose together to create a problem.
- # [23:52] <chaals> CMN: If you can restrict the system to 2 servers, can you avoid the problem.
- # [23:52] <chaals> TC: No. You can still make the problem without the 3rd website.
- # [23:53] <chaals> ... e.g. combine the storage and manager here
- # [23:53] <chaals> IH: Why would the manager give the printer access to tell it to write something over closed content?
- # [23:53] <sicking> q+
- # [23:53] * Zakim sees chaals, Tyler, mjs, sicking on the speaker queue
- # [23:53] <chaals> MJS: it seems in the 2-party case you have to make it needlessly complicated to make the vulnerability work
- # [23:53] <chaals> ack chaals
- # [23:53] * Zakim sees Tyler, mjs, sicking on the speaker queue
- # [23:54] <mjs> q+ rob
- # [23:54] * Zakim sees Tyler, mjs, sicking, rob on the speaker queue
- # [23:54] <chaals> TC: If any auth data from site A came from site B, you create confused authority.
- # [23:54] <chaals> MM: If you are not using anything that didn't come from *you*, then you are not creating a vulnerability.
- # [23:55] <arun> q+
- # [23:55] * Zakim sees Tyler, mjs, sicking, rob, arun on the speaker queue
- # [23:55] <chaals> ack ty
- # [23:55] * Zakim sees mjs, sicking, rob, arun on the speaker queue
- # [23:56] <chaals> TC: If you can say "don't apply my authority to anything I didn't make myself" you solve the problem.
- # [23:56] <chaals> ack mj
- # [23:56] * Zakim sees sicking, rob, arun on the speaker queue
- # [23:56] <chaals> MJS: If making requests to yourself can have this problem, that already exists. XHR requests to you implicitly carry auth because you are the only one that can make a request to yourself.
- # [23:57] <chaals> ... so any request using info from a 3rd party exposes this.
- # [23:57] <chaals> TC: Yes
- # [23:57] <chaals> MJS: Self to self has client authority
- # [23:57] <chaals> TC: Yes, but we should be trying to reduce this.
- # [23:58] <chaals> MM: Guest XHR should not present auth even when it goes back to its own origin.
- # [23:58] * Quits: gsnedders (gsnedders@83.252.229.211) (Quit: gsnedders)
- # [23:58] <MikeSmith> Present+ timeless
- # [23:58] <chaals> MJS: So using guestXHR is similar to formulating requests in a way that you use guestXHR-like behaviour for requesting things with 3rd party data.
- # [23:59] * Joins: timeless (timeless@65.75.195.122)
- # [23:59] <chaals> MM: Yes. It is normally possible to make the mistake. Compat prevents us from retiring existing mechanisms that allow this, but not introduce new mechanisms that have the same problem, but a new mechanism that doesn't have this problem.
- # [23:59] <MikeSmith> q?
- # [23:59] * Zakim sees sicking, rob, arun on the speaker queue
- # [23:59] <chaals> ... guestXHR is a refolrmulation of CORS that addresses our security concerns.
- # Session Close: Tue Nov 03 00:00:00 2009
The end :)