Minutes from Pointer Events WG call 4 September 2019

Dear all,

minutes from today's call available on 
https://www.w3.org/2019/09/04-pointerevents-minutes.html and posted below

(btw Daniel let me know if you've already been added to the 
public-pointer-events mailing list, github, etc - otherwise, I'll chase 
that up for you)

PEWG
04 Sep 2019
Attendees
Present
patrick_h_lauke, NavidZ
Regrets
Chair
patrick_h_lauke
Scribe
patrick_h_lauke

<scribe> Scribe: patrick_h_lauke

Navid: had a task to define pointer capture scope

<NavidZ_> https://github.com/w3c/pointerevents/pull/300

<NavidZ_> https://github.com/w3c/pointerevents/issues/16

limits only work on a document. there was an old issue about security 
risk if not restricted in iframes

maybe we should always limit to sandboxed iframes

recently we decided to just live with this and see if use cases come up, 
and that's what latest PR does

matches chrome behavior, and olli was ok with it as well

if inner iframe sends pointerID, can outer frame/parent capture it

<NavidZ_> https://github.com/w3c/pointerevents/issues/291

will send request on mailing list to see if we agree on resolution of 
latest pull request

<NavidZ_> Next topic:

<NavidZ_> https://github.com/w3c/pointerevents/issues/204

Daniel: this came out of research in platform stuff on windows. OS 
actually can do better job of rendering pointer trail etc, so provide 
metadata on what app has drawn and leave it up to OS to do rest

no concrete proposal, but wanted to get sense from cross-platform 
perspective

Navid: question also how much we can support this feature across platforms

also comes down to amount of metadata - e.g. do we pass on what pressure 
is, or what the line thickness/radius should be

Daniel: should be some kind of transform/radius of the size of the tip. 
OS can also match end of trail to more seamless ink stroke...

Navid: wonder if we can enough exposure so last piece of trail is not so 
far away from the coords that were globbed by the app itself (?)

Daniel: being able to determine support, apps can opt in/out

more like a graceful degradation approach. what would support look like 
on other platforms? does it match how other platforms support inking at 
OS level? early stages/ideas

you can see this with Windows native OneNote app, depending on which 
brushes are used

Navid: looking forward to something more concrete, but if you see 
reduced latency we may have interest

Daniel: will do more prototyping, hopefully something to share at TPAC

Navid: one update regarding an issue...

<NavidZ_> Next topic:

<NavidZ_> https://github.com/w3c/pointerevents/issues/100

prototyped something that can be tested behind flag

not fully compatible because coords are promoted from integer to float

landed a change behind a flag, going to discuss this with UIEvents/web 
apps WG at TPAC

Navid: regarding merging extension document: touch-action move 
done, still work to be done to move the coalesced/raw stuff

will work on those and send PR addressing most of those

one aspect to consider is privacy. raw/coalesced only to secure origins

security person in Google pointed out this exposes specific device 
capabilities/properties

can fingerprint device of the user (e.g. 1000 Hz mouse)

maybe not quite a permission model, but only to secure origin

are there any other APIs that follow this?

Daniel: think it makes sense

not sure if I've seen secure origin for privacy reasons

Navid: permission model may be too hard to specify, but at least secure 
origin mitigates man in the middle attacks etc

Daniel: i have seen it with paint worklet and animation worklet

Navid: will check if there's some wording or similar that we can use

Patrick: we already have some language in spec about user agents also 
allowing user to stop certain info from being exposed at the user's 
request. worth using same for this here too

I will check on our side what we have, and it's worth expanding to cover 
coalesced/raw even more strongly. And secure origin only is a 
mitigation, but won't help if you as user don't actually want a site to 
track you (secure origin or not)

[mention of calls, AOB, TPAC]

Patrick: we don't have an actual meeting planned for TPAC (as I also 
won't be able to make it this time), but if people who are already there 
and want to have a semi-formal skype call or something, let me/the list know

(as an aside, just checked PE spec, and we have wording around user 
agents MAY consider allowing users to turn things off in 
https://w3c.github.io/pointerevents/#security-and-privacy-considerations)

-- 
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke

Received on Wednesday, 4 September 2019 15:35:28 UTC