RE: Spec changes for ISSUE-180 change proposal

On Thu, 29 Mar 2012, Jacob Rossi wrote:
> But right now, you're the only one who knows exactly what changes you 
> think need to be made. :-)

Right now I don't even know. I haven't done the research yet.

> As I asked before offline, it'd be great to have clarity on exactly what 
> refactoring you think is necessary so that we can work together on this 
> in the open. We should have a bug opened for this that details the 
> changes that you think are necessary.

The next thing I'm doing is putting <dialog> in, and then after that is 
allow-popups and the sandbox CSP stuff. The CSP stuff will consist of me 
reading the CSP spec and learning it to work out what needs to happen, at 
which time I will finally know what needs to happen, at which point it 
would take me exactly as long to describe it in a bug as to just do it.

> > Once I do apply it, I will naturally (as with any patch) try to make 
> > sure it matches existing implementations. Unfortunately I can't test 
> > IE10 since I don't have a way to run it.
> Again, I can help you with any details about the implementations that 
> you think are missing from our proposal.  If you'd like to test IE10 
> yourself, just about any x86/x64 computer made in the last 5 years can 
> run the preview release as a dual boot [1].

Rebooting my laptop to test a browser is really not something I'm willing 
to do, sorry. (Especially when every other browser I have to test I can 
test without even running a VM these days.)

> Customers have asked us (and other browser vendors) for this feature 
> [2]. It's important to them that the feature be interoperable, and 
> writing down the spec is our tool as a working group to do that. Without 
> this, real customers are blocked from using sandbox in their products 
> and are thus left less secure. A security feature should not prevent a 
> UI on the basis that it is "bad UI," unless that UI somehow invalidates 
> the security of the feature altogether. We first proposed this change a 
> year ago back in March 2011, about 5 or so months before we shipped the 
> first preview with this feature [3,4].

The spec will be updated with this long before IE10 ships, which will be 
long, long before HTML5 is a REC at the W3C.

However, it is rather odd that your customers would somehow be blocked on 
this specific feature being in the spec since they never seem to be 
blocked on using all the many features that Microsoft has invented over 
the years and put in IE without any effort at making a spec or getting 
interoperability. What's changed?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 3 April 2012 05:02:56 UTC