--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP4Oe93pZgj9ux_vRNHF-1cS0mfJcQsSeJHCfr-Y-JL0Q%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP%3DLpewQoYCCSpu-4PXRRjPTGU9MjB0-8R2g-NefdDFmQ%40mail.gmail.com.
Has anything changed on the front of signals from other vendors? Do we have more concrete support (and hence, less of an interoperability risk) from Mozilla? Any word from Safari?
We discussed this a bit during the Blink API owner meeting and I think there are still some parts that are unclear, or at least not obvious. It looks close to ready but I would like some things to be updated and clarified:
2. You write that you have a fair understanding of how to resolve the remaining issues, but it's unclear to me if those solutions are complete or if there might be followup problem stemming from the implementation.
1. The TAG review is still in progress and it would be beneficial to let it complete.
Has anything changed on the front of signals from other vendors?
On 2/14/20 3:33 AM, Mike West wrote:
> We could have made that more clear in the PR against IDL, and
> will do so next time.
Mike,
Thank you, that would help a lot.
Just to be clear, I try to very clearly separate my "IDL spec editor"
and "Mozilla representative" roles. I will likewise try to make it
clearer which hat I am wearing when, to avoid confusion.
> At the same time, I hope that our engagement here and elsewhere shows
> that we're _really_ trying to take Mozilla's feedback into account
> generally, and that we're not "playing" you.
Again, just to be clear, I do not feel that "Mozilla" was being "played"
here in any way, but "Boris" was, albeit accidentally. In particular I
ended up spending many more hours on this last night than I was planning
to, after being presented with the "oh, that comment means everything is
fine" bit, in an attempt to make sure things were clarified before too
much more time passed and ship decisions were final. If you look at the
timestamps, I ended up going to bed about 3 hours later than I was
planning to...
Maybe I could have pushed all that off to this morning. It's hard to
tell, with intents, how fast things will move.
Hello,
Thanks all for your patience. I would now like to pick this up again. I think we have a good understanding of the issues, and a plan to resolve them. The major changes are:
1, Improve extensibility, following the discussion here: Split the trusted types CSP directive in two, one to restrict the policies allowed, and one to activate the feature (require-trusted-types-for). The latter now enables/disables the feature, and is a CSP-idiomatic hook for potential future extensions.
2, Revise specification and implementation of the "default policy" feature, following the discussion here: This started out as a concern about the interaction of regular DOM manipulation and the <script> element, but morphed into a more general concern about how to handle the "default policy" callback.
This concern is centered around the observation that the "default policy" is an author supplied callback, which might modify the DOM while being called from within a DOM operation. This same general concept has caused problems - both bugs and interop issues - for the DOM Mutation Events, and we were encouraged to pretty please be careful of similar issues. We will address this by changing both the spec and the implementation, so that the time the callbacks are run will be clearly defined, and guarantees that the callbacks have finished before the underlying DOM operation starts.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPP%3DLpewQoYCCSpu-4PXRRjPTGU9MjB0-8R2g-NefdDFmQ%40mail.gmail.com.
On Tue, Jan 21, 2020, 8:28 AM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:Hello,
Thanks all for your patience. I would now like to pick this up again. I think we have a good understanding of the issues, and a plan to resolve them. The major changes are:
1, Improve extensibility, following the discussion here: Split the trusted types CSP directive in two, one to restrict the policies allowed, and one to activate the feature (require-trusted-types-for). The latter now enables/disables the feature, and is a CSP-idiomatic hook for potential future extensions.
2, Revise specification and implementation of the "default policy" feature, following the discussion here: This started out as a concern about the interaction of regular DOM manipulation and the <script> element, but morphed into a more general concern about how to handle the "default policy" callback.
This concern is centered around the observation that the "default policy" is an author supplied callback, which might modify the DOM while being called from within a DOM operation. This same general concept has caused problems - both bugs and interop issues - for the DOM Mutation Events, and we were encouraged to pretty please be careful of similar issues. We will address this by changing both the spec and the implementation, so that the time the callbacks are run will be clearly defined, and guarantees that the callbacks have finished before the underlying DOM operation starts.Did the implementation require changing the ScriptForbiddenScope coverage? As someone who spent years fixing security and behavior bugs in the DOM I'd hope we can avoid future sync callbacks that are not either at CEReactions time or at microtask. Defining new timing is really hard.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPKeNHnDjN-tYgUyK-A0WT656neWYu44WfjuR%2B1WjV1qtWvwrA%40mail.gmail.com.
On Tue, Jan 21, 2020, 8:28 AM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:2, Revise specification and implementation of the "default policy" feature, following the discussion here: This started out as a concern about the interaction of regular DOM manipulation and the <script> element, but morphed into a more general concern about how to handle the "default policy" callback.
This concern is centered around the observation that the "default policy" is an author supplied callback, which might modify the DOM while being called from within a DOM operation. This same general concept has caused problems - both bugs and interop issues - for the DOM Mutation Events, and we were encouraged to pretty please be careful of similar issues. We will address this by changing both the spec and the implementation, so that the time the callbacks are run will be clearly defined, and guarantees that the callbacks have finished before the underlying DOM operation starts.Did the implementation require changing the ScriptForbiddenScope coverage?
As someone who spent years fixing security and behavior bugs in the DOM I'd hope we can avoid future sync callbacks that are not either at CEReactions time or at microtask. Defining new timing is really hard.
On 3/5/20 1:20 PM, 'Daniel Vogelheim' via blink-dev wrote:
> However, it
> seems they all differ in how & where exactly they are specified, but
> between them there don't seem to be any user-visible or script-visible
> behavioural differences. (At least, I'm not seeing any.)
Hmm. Can you summarize which proposals are still on the table at this
point in terms of Web IDL? There are definitely script-visible
differences between different proposals that I saw being discussed; I
just want to make sure we're on the same page in terms of what things
are still being considered here.
P.S. There are also, I believe, open concerns at least from Apple on
the overall complexity of the setup, but I haven't been following that
thread closely.
On 3/6/20 5:48 AM, 'Daniel Vogelheim' via blink-dev wrote:
> I am referring to this
> <https://github.com/heycam/webidl/pull/841> discussion. I'm not seeing
> consensus there
Right.
> Options I see being discussed are: Merging spec vs "monkey patching" in
> TT, whether to spec an explicit union type (maybe with extended
> attributes) vs just a string with an extended attribute; whether
> [StringContext] needs to be specced in WebIDL or if it can be moved to
> other specs.
>
> I'm not seeing how this would affect script behaviour. It seems all of
> those would handle TT checking before DOM
Yes, but would they handle it in the same order wrt validity checking on
other arguments and the side-effects of their conversions?
That is, given foo(arg1, arg2, arg3), will a TT check on arg2 happen
before processing of arg1, between processing of arg1 and arg2, or after
processing of arg3? That is one of the still-open questions, as far as
I can tell.
> I think you're referring to this
> <https://github.com/mozilla/standards-positions/issues/20#issuecomment-584793239> feedback.
That's correct.
> A proposal to address it is here
> <https://github.com/w3c/webappsec-trusted-types/issues/258>. We ended up
> not making a change, because we didn't see the reduction in complexity
> that was sought for.
Just to check, was Maciej involved in that discussion, and is he aware
of its resolution?
LGTM2
Thanks for all the work making this ready for shipping! I agree
that what remains to clarify won't have any impact on deployment
and compatibility, and maybe not even implementation, and can be
done in parallel with exposing the feature to the web.
/Daniel
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DfNoNy%3Dh1-yKfd8NgBra16dDGup4WTc9wBPGcPzJhJ0_w%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/00575690-29b1-e4ba-71c3-b2981e0f6d39%40gmail.com.
LGTM3I just ask that if there is additional actionable feedback from Maciej or others that comes in before final shipping time to the stable channel, please incorporate it and update this thread with the latest status.
On Wed, Mar 11, 2020 at 2:20 PM Daniel Bratell <brat...@gmail.com> wrote:LGTM2
Thanks for all the work making this ready for shipping! I agree that what remains to clarify won't have any impact on deployment and compatibility, and maybe not even implementation, and can be done in parallel with exposing the feature to the web.
/Daniel
On 2020-03-07 08:33, Mike West wrote:
Hey folks!
Elsewhere, I was asked about the open GitHub issues. We've done another pass through them, and believe that https://github.com/w3c/webappsec-trusted-types/milestone/1 is the set of changes we need to make before shipping. https://github.com/w3c/webappsec-trusted-types/issues/259 is resolved (though not yet fixed in the spec), and https://github.com/w3c/webappsec-trusted-types/issues/252 is likely already taken care of in the spec, but we're waiting to wrap up the IDL discussion to verify that assertion.
https://github.com/w3c/webappsec-trusted-types/milestone/2 is a set of improvements that we're pondering for future iterations. These seem possible to change post-v1.
On Fri, Mar 6, 2020 at 10:02 PM Boris Zbarsky <bzba...@mit.edu> wrote:
On 3/6/20 5:48 AM, 'Daniel Vogelheim' via blink-dev wrote:
> I am referring to this
> <https://github.com/heycam/webidl/pull/841> discussion. I'm not seeing
> consensus there
Right.
> Options I see being discussed are: Merging spec vs "monkey patching" in
> TT, whether to spec an explicit union type (maybe with extended
> attributes) vs just a string with an extended attribute; whether
> [StringContext] needs to be specced in WebIDL or if it can be moved to
> other specs.
>
> I'm not seeing how this would affect script behaviour. It seems all of
> those would handle TT checking before DOM
Yes, but would they handle it in the same order wrt validity checking on
other arguments and the side-effects of their conversions?
That is, given foo(arg1, arg2, arg3), will a TT check on arg2 happen
before processing of arg1, between processing of arg1 and arg2, or after
processing of arg3? That is one of the still-open questions, as far as
I can tell.