<chaals> ScribeNick: mjs

sicking: I propose that we accept the suggestion that when you opt into cookies, you can't allow wildcard

weinig: what is the threat model?

<chaals> MJS: I think we should only allow *, or specific hostname - for private stuff there is no value in having wildcards, for public data there is no need no to have *

<chaals> AvK: So if it had wild card and asked for cookies it is a fail?

<chaals> ... Processsing instruction?

<chaals> MJS: I think we want to do that seperately. The use case is a static file, and it would be a burden to make a cgi wrapper.

thanks chaals

<chaals> ... in that case you are likely to be using public data, so you don't need an ACL

kriszyp: we're in favor of the PI being removed

<chaals> IH: I can live with it too

AVK: can support for the PI be added later?

JS: yes

<sicking> Proposed resolution: Remove the PI

<sicking> Proposed resolution: Make the opt-into-cookies (still to be drafted) syntax such that you can't opt in cookies while using a wildcard

<sunava> Removing PI sounds awesome

<sunava> So does the cookies being disabled with wildcard!

<sicking> Proposed resolution: Simplify the allow syntax to only allow a single origin, or whildcard. I.e. remove subdomain wildcarding, lists of origins, and the exclude syntax

MJS: I agree with all resolutions

AVK: me too

CMN: any objections?

IH: lgtm too

<arun> I agree with all resolutions

SW: I like it

DS: we should have a section that documents the name changes, for review purposes

AVK: feel free to make one

JS: redirect issue - we need a formal resolution

<sicking> Proposed Resolution: Check for AC opt-in on all steps in the redirect

RESOLUTION: remove the PI
... do not allow an access control wildcard together with opting into cookies
... Simplify the allow syntax to only allow a single origin, or whildcard. I.e. remove subdomain wildcarding, lists of origins, and the exclude syntax
... check access control opt-in on all steps of a redirect

JS: we had an informal discussion about IE compatibility
... yesterday, we had the double GET proposal, and the API flag proposal
... we focused on the double GET proposal
... pro for double GET: doesn't require API flag

MJS: pro for double GET: does not require coupling between client and server to pre-agree on cookies

JS: con for double GET: if GET has side effects (which it shouldn't) these may happen twice
... pro for API flag: allows preflightless POST
... pro for API flag: allows IE compat if IE is able to change XDR impl in IE8
... con for API flag: requires API flag in all specs that want to load private data cross site

ZB: we can use the expando solution

KZ: would it be problematic if the spec didn't specify what the default was?

JS: it wouldn't be a compatibility issue

CMN: it would be an author confusion issue

MJS: any solution like this has the API flag downside of preventing auto-negotiation

IH: what is the use case for POST without cookies

AVK: flash allows that

IH: flash has a lot of security bugs

JS: there is one thing we're changing - allowing arbitrary content types on POSTs

IH: we've got things backwards

JS: I now think it is ok to have POST w/o cookies

KZ: why allow this?

JS: flash has a header-based solution too

IH: the big problem I have with this is the migration path
... before a site gets the benefits it has to change
... clients would have to change to be able to use cookies

ZB: API flag is better

<chaalsXO> q/

AVK: you can cache the response for the first get

SW: when google does the current model you don't have cross-site requests

IH: you're saying we should always request cookies

JS: your use case is not important

(further discussion along the same lines)

<sunava> ...

<sicking> <cheering breaks out>

MJS: we should not discuss the merits of the API flag, just whether MS is willing to adopt given this change

IH: if Microsoft is willing to commit, we will cede the point

<chaalsXO> MJS: The interesting thing here is whether we can a solution that IE can and will adopt

<off the record conversation?

>

SD: I like the proposal personally, I can't commit yet without talking to more senior folks first

ZB: the timeline is very short, we have to make the decision quickly

SD: we will give an answer by Monday or Tuesday

JS: when would you need the final spec proposal

SD: the question would be whether the spec will change again

sync and async calls

<chaalsXO> ZY: Don't allow sync is a request we get a lot.

ZY: suggestion, don't allow sync XHR for cross-site calls

SW: I don't think that is a good idea

<chaalsXO> KZ: We are built on sync...

<chaalsXO> MJS: Since we can't remove sync in the same-site case now, making it ipossible in new cases won't help...

<chaalsXO> ... so we are sadly stuck with the problem

SD: my deal with the async vs sync debate is that I think async is the right way moving forward

<arun> A listing of cross-site mechanisms: http://www.arunranga.com/articles/browser-cross-site.html

JS: should there be a UI to protect user's private data
... this discussion should probably be outside this working group

<chaalsXO> SD: Would like to have that discussion

<Zakim> chaalsXO, you wanted to float the silly 'shall we change the names' idea again

<sicking> it applies as much to iframes as it does to Access-Control

CMN: should we have an async-only API that is otherwise thesame as XHR, for cross-site?

JS: no matter what mechanism we use to remove synch cross-site, I see a cost in doing

it

CMN: the win is when people do cross-site they will do async

<discussion of compatibility, can IE safely change anything?>

JS: we have two incompatible requirements

SD: I can make a suggestions

(off the record discussion)

<chaalsXO> [people have different customers, need to balance the needs they have with the need for standards]

SD: can we add flexibility to the spec?

AVK: leaving things undefined has historically led to really bad results

ZY: I don't know if anyone is going to implement a new XHR

(general disagreement)

MJS: ActiveX constructor vs. XMLHttpRequest constructor gives you a free versioning hook

<chaalsXO> MJS: IE has 2 ways to do an XHR - one is compatible. That gives a free versioning hook. I would guess that you can freeze the ActiveX one for people who rely on IE behaviour, and move the one compatible with the web to be compliant

<chaalsXO> 10 minute break

<MikeSmith> scribenick: MikeSmith

<scribe> scribe: MikeSmith

Test cases for XHR1

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/ -> Anne's tests

<chaalsXO> AvK:(And Hallvord's)

Present now: Hixie, anne, chaalsXO, shepazu, Sunava, Gideon, MikeSmith, mjs, weinig, Zhenbin

chaalsXO: Sunava, you guys have run these tests?

sunava: Yeah

[discussion about the fact that reviewing each test will take a lot of time]

<anne> ^^ Potential bugs identified in XHR LC Test Suite

<sunava> http://lists.w3.org/Archives/Public/public-webapps/2008AprJun/0034.html

[sunava reviews comments about tests that his team found problems with]

[discussion about a particular test that's actually in part testing DOM support]

sunava: also, 4.32

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/open/032.htm

<chaalsXO> ZX: We may not do this because of security

<chaalsXO> AvK: most browsers fail

<chaalsXO> ... and not sure this needs to be a real test.

Hixie: this looks like it is effectively a network timing test
... we shouldn't use a timeout at all for this kind of test ... we don't need the timeout at all

weinig: we should remove the timeout from this test
... otherwise it otherwise looks OK

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/abort/003.htm

<chaalsXO> [resolved to keep the open/032 with the timeout removed]

mjs: crazy to reset the event listeners

<anne> (mjs actually said that)

<mjs> ywH RHr qA MW

<chaalsXO> network problem - will return to this

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/onreadystatechange/004.htm

ljU EUe dN ZJ

<chaalsXO> ZX: We don't allow re-entrants...

weinig: just re-open, don't need to use new object, can just re-use the same object

anne: check if ready state is 4
... if so, process it, and start a new request using the same object
... it works ...
... in most browsers ...

weinig: you can open it and use a new URL

Zhenbin: do that and you just end up a stack the just keeps growing
... IE doesn't support this and we have never in 10 years had any customer request for this

anne: it works fine in other browsers

mjs: why should event dispatch for the XHR case be different from event dispatch for other things?
... Safari has always had it be re-entrant, and don't see any need to change for this

chaalsXO: I suggest we raise an issue for this and ask the FF guys for feedback also

<chaalsXO> ISSUE: Shoulld re-entrance be allowed foronreadystatechange?

<trackbot> Created ISSUE-33 - Shoulld re-entrance be allowed foronreadystatechange? ; please complete additional details at http://www.w3.org/2008/webapps/track/issues/33/edit .

http://tc.labs.opera.com/apis/XMLHttpRequest/send/009.htm

<chaalsXO> and http://tc.labs.opera.com/apis/XMLHttpRequest/setRequestHeader/017.htm

chaalsXO: sounds like what we are testing is not XHR-specific

Zhenbin: INVALID_STATE_ERROR bug is a bug in the DOM, not in XHR

Hixie: yeah, that's the bug this is exposing

Zhenbin: so the XHR spec is introducing dependencies on other specs?

chaalsXO: it's a failure in your DOM implementation, but if you can't pass it, then you can't conform to the XHR spec

<Hixie> thx

Hixie: XHR doesn't say "raise an exception", it says "raise this particular DOM exception"

anne: this exception is thrown in other places

<anne> (open() method, step 4)

chaalsXO: it is qualitatively a different kind of test

weinig: I don't think everybody agrees that's true, actually

chaalsXO: if we can mark out the other tests in this class, maybe we can make some progress on this

<chaalsXO> We set aside this test for now and move on.

sunava: spec could say, "must throw an exception, should throw [specific exception]"

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/send/011.htm

<anne> http://dev.w3.org/2006/webapi/XMLHttpRequest/#send

<chaalsXO> [definition in the spec]

<chaalsXO> SW: If you are expecting a string and pass an object it gets toStringed

weinig: basic JS behavior is if you pass an object to a method that expects a string, it gets converted the object to a string

<chaalsXO> ZX: We disabled it because we think there is a security issue

anne: stringification by calling toString() is defined in Javascript
... stringification by calling toString() is mandated by the ecmascript spec

Zhenbin: this is a security problem
... it could cause a crash ...

mjs: dynamic typing is not a violation of type safety
... there is nothing that XHR specifically doing in regard to toString()
... when current implementations do different things, than we have to choose something to spec anyway, and that means some implementation will break

sunava: I'm concerned we are going to run into this same problem with other parts of the spec
... I don't see a way forward ...

<chaalsXO> we don't have a way forward here

[reading through next test]

http://tc.labs.opera.com/apis/XMLHttpRequest/open/033.htm

weinig: I don't think you're allowed to do parent.past

anne: could probably use postMessage()

weinig: yeah, that probably would be better ... it's interoperable
... are Javascript URIs allowed to access their parent frame?

chaalsXO: does anyone pass this test?

[discussion about what the correct failure should be here]

chaalsXO: what is this test testing?

anne: You'd have to ask Hallvord
... but basically it is more advanced iframe test
... but looking at it now, it is clear that the expected result should be to fail

Hixie: it's testing something useful, but it's testing it wrong

anne: I will change it, or I will ask Hallvord to change it

trackbot, status?

<trackbot> This channel is not configured

<chaalsXO> ACTION: Anne to change test http://tc.labs.opera.com/apis/XMLHttpRequest/open/033.htm and propose it again [recorded in http://www.w3.org/2008/07/03-wam-minutes.html#action01]

<trackbot> Created ACTION-12 - Change test http://tc.labs.opera.com/apis/XMLHttpRequest/open/033.htm and propose it again [on Anne van Kesteren - due 2008-07-10].

Hixie: all the tests with timeouts in them, the timeouts should be removed

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/getAllResponseHeaders/001.htm and http://tc.labs.opera.com/apis/XMLHttpRequest/getAllResponseHeaders/004.php have test harness issues

<chaalsXO> RESOLUTION: We don't *want* tests to have timeouts

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/getResponseHeader/001.htm

<chaalsXO> (for previous pair, we need to deal with harness issues, but te

<chaalsXO> and timeouts, but tests are basically sound)

chaalsXO: send 5, 7, & 8

Ahmed (MS XHR developer) joins the meeting

<chaalsXO> http://tc.labs.opera.com/apis/XMLHttpRequest/setRequestHeader/034.php and http://tc.labs.opera.com/apis/XMLHttpRequest/setRequestHeader/035.php

<weinig> http://dev.w3.org/2006/webapi/XMLHttpRequest/#setrequestheader

weinig: in the spec, number 3.. raising the exception will cause the test to never finish

anne: check if it's a valid HTTP header value, if it's not, throw

weinig: the test here is incorrect

sunava: so the spec is correct, but the test is wrong

[discussion about the fact that we all want to test suite to have thorough coverage and expose existing bugs so that we can fix them]

sunava: my concern is, in the CR phase, will we be able to say that the test suite is complete?
... that we are confident in the test suite ?

mjs: the point of CR is that we freeze the spec and then to *exit* from CR, then we need to have the test suite compelte

weinig: tests show only if some implementation is not conformant to the spec
... they can't show that a particular implementation *is* conformant

Hixie: when we get towards exiting from CR, then we should evaluate using it

<Zakim> chaalsXO, you wanted to say "and MS contributing more tests is therefore very welcome..."

Hixie: but the test suite will still grow after that, for years ...

chaalsXO: even tests where everybody passes are valuable

sunava: so we don't ever move forward from CR if we have known issues in the test suite?

[re-affirmation that we never move on from CR for any spec if there are unresolved problems in the test suite]

<Hixie> "bbl"

<sunava> s+

<chaalsXO> Thanks to MS for hosting and for last night's dinner, to Ann Bassetti and Opera for houseboat hanging out, and to everyone for a productive meeting with a lot of progress...

<chaalsXO> Meeting adjourned

chaalsXO: Big thanks to Microsoft for hosting the meeting, and for the great dinner at Maggiano's -- and thanks in particular to Sunava for all the work he's done to organize. Great meeting, we made a lot of progress.

This is scribe.perl Revision: 1.133  of Date: 2008/01/18 18:48:51  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/JS:/DS:/
Succeeded: s/we should have an ancillary document/we should have a section that documents the name changes, for review purposes/
Succeeded: s/API/API that is otherwise thesame as XHR, for cross-site/
Succeeded: s/anne:/mjs:/
Succeeded: s/should show/should throw/
Succeeded: s/this is/stringification by calling toString() is/
Succeeded: s/this behavior is/stringification by calling toString() is/
Succeeded: s/that/what/
WARNING: No scribe lines found matching ScribeNick pattern: <MikeSmith> ...
Found ScribeNick: mjs
Found ScribeNick: MikeSmith
Found Scribe: MikeSmith
Inferring ScribeNick: MikeSmith
ScribeNicks: mjs, MikeSmith
Present: Chaals MikeTM Hixie Arun AnnevK Jonas Doug Sunava Maciej Sam Zhenbin Kris

WARNING: No meeting title found!
You should specify the meeting title like this:
<dbooth> Meeting: Weekly Baking Club Meeting


WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Got date from IRC log name: 03 Jul 2008
Guessing minutes URL: http://www.w3.org/2008/07/03-wam-minutes.html
People with action items: anne