As part of a series of interviews with W3C Members to learn more about their support for standards and participation in W3C, I asked Roberto Scano (IWA/HWG Advisory Committee Representative at W3C) some questions.

Q. Would you mind introducing IWA-HWG in a few words?

A. IWA-HWG is a non-profit professional association for the education and certification of Web professionals. IWA's initiatives now support more than 100 official chapters representing over 160,000 individual members in 106 countries. IWA's accomplishments include the creation of guidelines for ethical and professional standards, Web certification and education programs, specialized employment resources, and technical assistance to individuals and businesses.

In 2001, the IWA (International Webmasters Association) and HWG (The HTML Writers Guild) merged and joined W3C to help represent Web professionals in the standards process and to give IWA members the opportunity to participate directly in that process. We are also endorsed by CEN as an association that create standards for certification of Web professionals and we are working with a UNESCO Institute for ICT to define standards for educational courses. We are involved in some W3C Working Groups (including in the area of Web Accessibility). We are also working on helping companies that do education and outreach understand profiles of Web professionals, i.e., what standard skill sets to expect.

Q. What are your roles in the organization?

A. I am the Project Manager for the international headquarters, EMEA (Europe, Middle East and Africa) coordinator, and the AC Representative inside W3C. I also coordinate the Italian chapter of IWA, where I live. So my roles are to coordinate the activities of IWA/HWG members inside W3C Working Groups, and also those activities occurring in Italy.

Q. Does IWA-HWG express opinions as an organization, or does it collect findings? If so, how are they established? Do you succeed in passing on those opinions/findings to W3C's Working Groups?

A. IWA-HWG members who participate in W3C Working Groups represent the spirit of the Association to promote "design for all." It is on this basis that we engage in Working Groups, and this suggests a sort of "default" shared opinion that we can use as a starting point: the Web of the future is founded on modern standards with accessibility, semantics, and modularization. We use a mailing list to share and elaborate personal viewpoints, especially before a "public" proposal and/or opinion inside the WGs.

Q. If you could get browser vendors to agree on three topics that would make life much easier for designers, what would those three topics be?

A. First of all, support standards. In particular: CSS, XHTML, and correct mime types for them. A second request would be to improve DOM scripting performance. A third would be to offer native supportfor semantic and multimedia languages (such as RDFa and SMIL).

Q. Do you observe that there is a big market (internationally) for standards-based design?

A. Yes, there is a lot of momentum right now because standards support is the fastest way towards support for the development of complex Web Apps, easy reuse and maintenance, even in an enterprise environment. From my prospective, using standards and following a few design principles (for instance, that accessibility is a core part of Web development, not to be handled as an "add-on") should be the minimum requirement for recognizing a Web developer as a real Web professional. In jurisdictions with laws related to accessibility (like in Italy, with the Stanca Act - but also in USA with Section 508), there is also an increase in Web standards support. In order to meet user needs in a global market, we need to ensure that Web developers are aware of how to make products standards-complaint and accessible. The main problem for us, then, is education and outreach in this area. Though there is a big market for standards, we have more work to go to help Web developers understand the opportunities afforded by standards-based design.

Q. What are the most important obstacles to people following standards-based design?

A. Perhaps disinformation. Standards are wrongly perceived only as a "serious" thing, temporarily out of Web fashion. We need to publicize all the coolest ways to build a true, rich and accessible Internet experience. If we go back in the history of the Web, we can find that a lot of current Web developers started with visual tools, without knowledge of markup. During my training sessions, I see a lot of Web designers that still prioritize visual results over semantic markup. Some problems result from what authoring tools (especially CMS) genera, if they do not produce valid code that follows standards. The association promotes standards as a first principle because standards enable more flexibility and more support by browsers and assistive technologies.

Q. Are there areas of work that you (or your members) would like to see W3C prioritize?

A. We think that W3C should prioritize activities like the Ubiquitous Web Applications Activity. The time for Web Apps has come, and W3C should do what it can to promote the development of standards-complaint Web Apps that are accessible and universally usable with computer, PDA, and so on. We are also strongly interested in support for serious markup languages for Web Apps, such as XHTML 2.

Q. Why is Flash so alluring to web site designers? What can W3C provide as an open technology that meets their needs (i.e., what features need to be easily available)?

A. Flash is used especially by graphic designers who want to give more "action" to Web pages (including those intended to sell products). Flash has grown up and now is a modern tool to build Web Apps with its own language. But if we think about a "Flash without Flash" we will have the same results, for example with the fundamental help of javascript, XML, SMIL and SVG.

Q. What is the most problematic misconception about Web technologies that Web developers face with clients, and how do they clear it up?

A. The Web is still a sort of a mystery for many clients, especially in the "classic" ICT world often found in public administrations. Also, some clients continue to think of the Web as primarily a passive medium (or just a big videogame). So we work to explain new ways to participate, and how data-driven applications can create a rich Web experience for sharing information with more and more people.

Q. What would you recommend to a web technology enthusiast who wants to get involved in W3C or Web Standards?

A. To be strongly curious and ready to learn and conduct research independently. And maybe to join our association and connect with other Web professional. Let me add that getting involved also means having fun, because standards are sexy just like the Web! :)

Q. Similarly, what would you recommend that W3C do to lower barriers to participation? The HTML Working Group is an ongoing experiment on open participation in a Working Group. Do you have additional suggestions?

A. Yes: Do not forget that democracy without rules is only a mess, so the birth of a new language or specification needs to be a balanced mix between creativity and ratiocination: this can be done with a reliable and collaborative community of experts.

Q. Would you recommend to a Web design company to become a W3C Member? What aspects of W3C membership would benefit them most?

A. I personally appreciate hearing about TimBL's ongoing vision of the Web (starting with an early talk). I think active participation in W3C groups gives engineers an advantage in the market when a specification matures to standard. We suggest to large companies (especially here in Italy) to join inside W3C and share knowledge inside Working Groups, but there are some organizations that may not have sufficient human resources to dedicate to the development of the standards, or related research and development activities.

Q. We are currently redesigning portions of the W3C Web site and are talking with people in the community about changes they would like to see. How could W3C improve its Web site to make it more useful to Web designers and developers?

A. Apply some of the innovative languages proposed in the Recommendations. Make it standards-compliant and attractive. Make it useful for more people!

Many thanks to Roberto for his answers.

Apologies for the late and abbreviated update... something is better than nothing though. I wanted to highlight HTML 5 bugs that are marked as NEEDINFO and WONTFIX.

NEEDINFO bugs might mean proposing use cases, providing real world data, mocking up some test cases, or showing how existing implementations treat bug/feature. It could also mean demonstrating the bug is invalid or that it is already handled by the existing specification As of July 16th, there are three NEEDINFO bugs that could use some attention:

• MediaElement features are needed on OBJECT element
• Authors need more control over handling of embedded resources
• User Agent display of title attribute content not defined

There are four bugs marked as WONTFIX that have yet to be closed out by the working group. It is likely these bugs are accurately marked, but it never huts to have an extra set of eyes validate the process:

• List elements content model issues
• referencing subordinate text or asides should be through an alternate attribute
• Accessing Object Parameters from an Embedded SV
• Cross-reference "as if"

In June 2008, Opera Software released version 9.5 of its browser. As part of a series of interviews with W3C Members to learn more about their support for standards and participation in W3C, I asked Charles McCathieNevile (Opera's Advisory Committee Representative at W3C) some questions.

Note: Upcoming interview: Roberto Scano of the International Webmasters Association / HTML Writers Guild on standards-based authoring.

Q. What are your favorite new features of Opera 9.5? Can you pick one or two favorites for each of these W3C-related topics?

On Support for HTML 5

A. Naturally, we have a complete implementation of the final version of HTML 5...

Seriously, it's still a draft of course. Improvements to its parsing algorithm, reflected in improvements to ours, and continuing convergence in the way browsers build an HTML DOM, are really important to the Web, but somewhat incremental steps, so it is hard for me to pick a particular highlight in this area from 9.5.

Some of my favourite stuff that seems destined for HTML 5 is still not in the spec: Webforms 2 brings things like <input type="date"> for a date picker or the ability to make an input+dropdown list in declarative markup, instead of massive amounts of javascript. But that was already released in older versions of Opera. And there is canvas, which we have had in previous releases, but which is now clearly happening in W3C.

So for me the best HTML5 that is new in Opera 9.5 is Accessible Rich Internet Applications (WAI-ARIA). We're talking about an experimental implementation of an unfinished spec being incorporated into another unfinished spec, so there is plenty of good stuff to come in this area. But I think it is a really nice piece to have working, and the first implementation we have released is in 9.5.

I also have a disappointment. It wold be nice to have video there, but until we get a royalty-free way of enabling everyone to do that it is hard to make it high priority. So we didn't end up releasing that in 9.5, although I encourage W3C to keep following this up and find a useful solution because video is important on today's Web and should be interoperable and open enough for people to build products.

On Support for CSS

Personally, the most exciting stuff in CSS is that we made a significant level of MathML support possible through the MathML for CSS profile, and that we can use SVG in CSS backgrounds, list buttons, etc.

This probably shows how boring I am. I am not a designer, and I realise that any true designer would give very different answers about what rocks for them. Chris Mills wrote about a bunch of new CSS stuff in 9.5 that is pretty cool, like the effects you can get with multiple text shadows. Håkon [Wium Lie, Opera Chief Technology Officer] is excited by our CSS3 selectors work, which is great stuff.

But for me the MathML and SVG stuff running on my OLPC is one of the things about 9.5 that really rocked my boat.

On Support for XSLT 2, XForms

We have had effectively zero demand for these features. It is possible to use Xforms through javascript libraries in Opera, but I have not done it for a while. We did fix up a few bugs that were troubling people in our XSLT 1 implementation, which was important to the Web.

On Support for Accessibility

This question is easy for me - rebuilding screen reader support, which is a major ongoing effort under the hood, shows its nose in the public release build with Opera 9.5 on Mac and Windows. Given that it is difficult to work with Windows-based screen readers, I would suggest you try this feature out on a Mac (besides, you don't have to buy VoiceOver separately as it is part of the OS).

As a close second I would name ARIA. Again, our support for this is experimental - the spec was having some crucial parts nailed down as I was writing these answers - but we are proud of our contribution, which includes solving a problem with namespaces so it is possible to use ARIA interoperably in HTML, SVG, XHTML or XHTML2, and allows it to be incorporated into other XML/namespace-based languages like DAISY or MathML as well.

On Support for Security

We continue to work hard making sure we are the most secure browser. 9.5 brings support for the so-called EV ("Extended Validation") certificate, where a user knows not only that someone bought a certificate to encrypt their data, but that the the people who sold that certificate can actually find the person who bought the certificate, and if something goes wrong you therefore have some real means of redress.

We also worked pretty hard on our anti-fraud and anti-malware protection, covering both sites you visit and things you might download. Overall we have worked on making security user friendly, and at the same time powerful enough to protect users who want to use the web and what it has.

Users need simple guidance they can understand, as well as the power to do complicated things like decide whether to accept a certificate from an unknown authority (something that only makes sense to a few power users).

On a Mobile Experience

Opera Mobile 9.5. Opera Mini.

The HTC Touch Diamond is a high-end piece of hardware with a manufacturer who wanted a great Web browser, and chose Opera Mobile 9.5 - I think they were the first to announce it in a product, with the Samsung i900 also having it. Because these are windows mobile browsers built on our cross-platform core, we can provide similar levels of experience on other pieces of hardware for other suppliers, and I am looking forward to the public beta being available soon for anyone with a windows mobile phone.

Opera Mini is not running Opera 9.5 in the current 4.1 release. But it has been a game changer in the world of mobile web over the last 18 months. Mobile browsing has started really taking off, and Mini has been one of the major contributors to this. Lifting the level of what is available on a mobile phone, not just to the relatively tiny 'smartphone' market (the top few percent, who already have access everywhere) but to the much larger featurephone market which includes many people globally who have no other form of internet access, strikes me as a pretty big benefit in a world where increasingly web access is as fundamental as literacy to equal participation in society.

Beyond both those things, there's lots of stuff we have done in Opera that is relevant to mobile browsing. We reverse-engineered the "make it work for the iPhone" HTML hack and figured how to integrate that with the CSS standards-based approach we were already using, we further improved Opera's zoom, we put our leading SVG implementation into our native mobile browser (we had used the already good Ikivo plugin for SVG) as part of the upgrade to Core 2, added widget support, among zillions of other fixes and improvements.

But I think some of the most exciting stuff in mobile is not especially standards-oriented yet - Opera Link allows you to synchronise various kinds of information between mobile and desktop browsers, and this seems something that others want too, with Mozilla's "weave" heading the same way.

Q. Are there some noteworthy changes that will make cross-browser authoring easier?

A. Yes. These fall into two categories.

We have further improved our standards support in a variety of areas. As mentioned above, we improved our XSLT engine. But in some cases this is more a case of waiting for other browsers to catch up in order to allow people to use things reliably. As far as I know we are still the only browser shipping with a decent @media implementation, for example - a ten-year-old piece of CSS that makes for simple slideshow creation, or allows basic sites (the "long tail") to adapt to mobile rendering pretty painlessly.

There are also non-standard things we have to make compatibility for. Matching the strange bit of code Apple gets people to use so their sites look alright on iPhones, bringing undocumented or unspecified APIs closer in line with what other browsers do, and so on. But we have also made a point of trying to get the undocumented hacks, as well as the pure innovations, into the standards track so it is easier for everyone to improve interoperability, and for developers to know what really happens out there on the Web.

The second important change is the major upgrade of our developer tools, called Dragonfly. Still in beta, these are now designed to provide the power that developers have relied on Firebug to give them - but with some added bonuses. Because we have a very cross-platform browser, our tools are designed so you can debug remotely - see your code running on a different machine, or in a different browser instance (perhaps take a random weekly build from the Opera Desktop Team and debug it with your stable working release) or, importantly, on a different device. Since this is built into Core 2.1, as soon as mobile browsers are shipped based on Core 2.1 you will be able to debug what is happening in your real mobile (not an emulation on a desktop architecture), live from the comfort of your desktop.

Q. Can say a word about Opera's priorities in CSS support for the next year or so (and how they align with those of the CSS Working Group)?

A. There are some shiny features being shown off in the CSS Working Group, like using basic SVG features through CSS to apply them to HTML documents. We would like to see this work cleaned up, and the interactions with SVG in particular (which it replicates) carefully considered, but we think there are still lots of useful things that could be one with CSS (as well as some things that are better off done in markup).

We would also like to see CSS specifications advance in maturity. There are lots of things that can be done easily with CSS (our MathML implementation is based on having decent stylesheet support, being able to do seriously good HTML/SVG/etc slideshows or simple adaptations of a site to different devices is based on the ten-year-old @media rule) but there needs to be a lot of basic work done to give the design community a stable target. Webfonts is something that Håkon has recently been focussing on, because it is, as he says, well past time that we moved beyond a handful of proprietary fonts that were generously donated, and unleash people's ability to design real fonts for real text not just in SVG but for the entire Web.

I think this is broadly in line with the CSS working group, and we are basically happy with the priorities of that group if they can get specs moving along the process and completed.

Q. Does Opera 9.5 ship with XForms in the default configuration? If not, is there a reason we should be aware of?

A. Nope. We haven't seen any demand, nor any content on the Web that is causing major compatibility problems by requiring it. As I mentioned already, there are javascript-based implementations that can be used in a intranet setting, and so far that has been sufficient so we have focused our development efforts on other things. (I might add that although we actually support a relatively large amount of XHTML 2, it is more or less by accident, and it is for essentially the same reasons that we don't focus on implementing it completely).

Q. Can you comment on the state of SVG implementation in Opera 9.5?

A. It is pretty good. (That's Australian understatement we inherited from the British. It means "We Rock").

Alternatively could let the SVG community comment - we are listed on codedread (the site of the new SVG Interest Group chair Jeff Schiller) as the best native implementation going around, with the quote

"In roughly a year, the Opera browser went from being one of the least usable SVG implementations (no scripting/DOM support) to the best native implementation"

(which is slightly more presentable than his most enthusiastic comment about Opera, about kicking, and parts of the body).

We are working on further improving but I think our SVG work, in implementation, in contribution to the specification, and in contribution to the community, is something to be proud of, and the SVG and Graphics guys have done a great job.

Q. W3C has a goal of designing technology that works well on different types of devices with minimal or no additional effort for authors and readers. Opera creates Web software for many different devices (e.g., for desktop environment, mobile phones, and game consoles). From your perspective as browser developer, what challenges do you face when developing for different environments? What would you suggest that W3C do (e.g., improve existing technology, develop new technology, provide tools, promote education) to make it easier to develop for different environments?

A. Challenges come in 4 ways. The first is hardware - we have squeezed recent Opera builds onto platforms that were below our minimum specification for Opera 1, and we now have CSS, ECMAscript and DOM, and other features of the modern Web. In this sense it is important to ensure that specifications focus on what people really need, since anything else is at risk of being dumped in order to maximise the efficiency of the platform, but also because building what people use everyday into native code, rather than needing some javascript extension library, is important for performance.

Of particular concern in this context is battery life. People rely on phones in particular not just for Web access, but as a crucial tool in their everyday life (and in some circumstances as a vital part of their personal security). Running down the battery through poor design of standards is really quite unhelpful.

The second is input - as you move from a keyboard to a voice interface, or waving a wand (or game controller), or a small touch screen, a joystick or a limited keypad, you need standards that consider this range of input. At the same time we are seeing a growth of applications, whose designers want to build so the user thinks s/he is interacting with a normal application. We need much more thoughtful design of input mechanisms to cope with the huge variety of devices around. Some of this work is pretty old - WAI and the early device-independence groups at W3C have been dealing with this kind of problem for a decade and more. But the knowledge and attention to this problem are still very unevenly distributed through W3C.

The third is output - different devices also have different ways of presenting information - and we are constantly inventing new ways of using them. Zoom was once something Opera did with a simple scaling effect, with the variety being text zoom where you could change the font-size. Then came fit-to-width, ensuring that the layout reflowed even when the designers forgot, and small screen mode, and over the last 3 years zoom has become much more powerful and intelligent, with what we call "Opera zoom" intelligently and dynamically reflowing the zoomed section of what is basically a large-screen view to provide for ease of use and user efficiency - this is something that you can now see in various browsers on different devices. And here I have only mentioned screens - there are also voice, various kinds of tactile feedback, the use of "soundscapes", and so on to consider. Again, there has been work in this area for years, but spreading the knowledge and ensuring the review of new work by people who have been working in this area is important.

The other potential concern is security. W3C began with virtually no attention paid to security aspects of its technology, I think because it was initially a group of high-minded and like-thinking people who simply didn't consider the "dark side" as something that could be interesting, and who were working with essentially public data. The Web now reaches into your phone, a device whose capability to run up bills and provide personal information matches a credit card - and security and trust models need to mature to recognise that. An important piece of work is being done by the Web Security Context Working Group, who are looking not just at abstract security models for boffins, but at what ordinary users and ordinary developers know and understand - because those are the people who the security models need to help and protect. Building extremely powerful applications is only a part of the puzzle - for years we have enabled access to special functions on the platform. The other part of the puzzle is identifying the security risks, and describing them in a way that clarifies what implementations should note, without simply having the Web hamstrung by barriers imposed because we didn't bother to find ways to improve security.

And not just for device independence, although it is important in that context; I really think there has to be more focus at W3C on the tools people use to develop content. We can't (and shouldn't) develop those tools in Working Groups, but we really desperately need to make sure that the people who do develop those tools are turning up, involved, and are developing their tools along the lines of the standards as they emerge. One reason why anyone can make a browser, but making a good browser is so very difficult, is that we have to handle the things that tools produce, and that hand-authors who only learn by copy-paste-tweak produce. In the long run, this does not help standardisation, so we need to have the tool producers there are the start of the process.

With the profusion of low-cost devices, chiefly phones and the wave of OLPC-inspired cheap laptops, and with the increasing use of the Web in cars, in industrial machinery, and in other specialist devices, this is more important than ever to get right.

Q. Do you plan to make HTML input-mode available to mobile users, and if so, when?

A. We have the code to enable it in the core, so we can ship it in deliveries if anyone asks for it. But it's a pretty vague specification, so enabling it by default especially in desktop is likely to cause as many problems as it solves.

Q. What do you see as the biggest challenges today in enabling accessible Web browsing on mobile platforms with Opera?

A. If you mean accessible in the W3C sense of "to people with disabilities", the fragmentation in devices, platforms, and assistive technologies. Building a real cross-browser platform means that we need to have our own layer for UI, and then hook that to the platform we ship to. On some platforms this is just a matter of work, but on others it really involves dealing with a mish-mash of half-solutions coming from all over the place.

Effectively, this is going to take time - as I mentioned, our compatibility with accessibility tools is a work in progress - in some areas such as problems faced by people with limited vision we have had plenty of accessibility for ages, but in others, like for people with no vision there is still a lot of work to do.

If on the other hand you just mean the broad English-language sense of the term, then most of the challenge is in distribution, which comes down to the question of price of access and use, compared to the benefits available. Which means we have to build a great application platform, support it with things like our debugging tools and our widget SDK, get an ecosystem of great applications and use cases in place, let users know that it is there, and have users decide that the cost of the service is repaid by the value it gives them - something that I think is happening already (why else would Opera mini be growing at about 10% *per month*?).

Q. There are signs that both browser makers and authors are rediscovering the benefits of embedded data. Does Opera have plans to support microformats (e.g., display hatom and hcalendar with the RSS reader, or hcard with the address book), RDFa, or XMP?

A. Yes. :) (You'll have to stay tuned for more).

Q. Opera has support the application/xhtml+xml media type since version (ages ago). What challenges did you face in implementing it? Did you have a specific strategy for doing so?

A. It's XML...

Seriously, it is not very hard. There are a couple of strange issues that come up because it is not quite compatible with HTML, and people expect it to be so (for example, scripting is not exactly the same, and namespaces in XML are easier to work with than in HTML where they generally cause problems) but nothing that really makes it difficult to do.

Like everything that distinguishes a good standards-compliant browser from a great standards-compliant and also useful browser, we have various strategies for dealing with the Web as it is, as well as the Web as we would like it to be.

Q. Opera 9.5 includes integrated support for torrents, irc, usenet, rss and atom, in addition to HTML, CSS, and other formats. How do you choose which features to include natively and which would best remain independent applications (that evolve independently)?

A. It is important to us that a new release doesn't mean that some critical application breaks. If we decide that something is important enough to be a core feature, rather than an experimental add-on, we feel it is important enough to ensure that it develops alongside the browser.

Q. Scripts can be useful or malicious. Does Opera 9.5 allow users to distinguish between (and control the execution of) scripts from trusted sources (e.g., extensions written in javascript) from those found in pages on the wild Web? Would that be useful?

A. Javascript extensions (userJS - which is basically the same thing as greasemonkey have certain privileges that scripts in the wild don't have. The same goes for scripts in Widgets. The same goes for browser.js - compatibility scripts that Opera produces and periodically ships to the browser in order to solve problems with major websites from time to time - a sort of limited live-update that applies to a few specific sites that have especially unpleasant coding problems in them.

A useful model of trust has to be one that makes clear sense to users. Widgets on widgets.opera.com are code-checked before being posted, because we think it is important for us to be trustworthy. browser.js is shipped totally unobscured so that users can read it for themselves - an easy way to develop trust is how what you're doing, although in practice it only applies to stuff that people can readily get their head around.

So it would be good to have a more powerful, and more comprehensible model of trust on the Web - not just for scripts but for applications in general. It's no good building a layer of the technology stack that is perfectly secure if that just turns out to be a transport layer for all kinds of malware that people accept because they trusted the system. Work such as AC4CSR, or the file I/O proposal and its friends in the Web Apps space, are trying to open specific areas to enhance what can be done on the web. But we really need to think through the whole security and trust architecture better, I think and this is something that takes a fair bit of time.

Q. Based on the Opera 9.5 experience, are there any particular issues that you would like W3C to address as a priority?

A. I think that understanding the security space is important. I would love to see some more direct focus on multimedia and getting some resources behind those who are building patent-free alternatives to what is currently available. I think W3C needs to focus more effort and attention on the tools that are used to create Web content, and ensuring that it is feasible to build authoring tools so people don't need to become experts in SVG and HTML and scripting in order to share their expertise in water-pump installation or Mayan history using proper web standards. Too often I hear this mentioned at the beginning of some work area, and a few years later people are still saying "yes, we really should think about authoring tools, too" without doing anything about them. Although it is important that Web standards can be hand-authored ("view source" is important to tool developers as well as copy-and-hack early adopters), it is critical that people can create content without having to hand-author it.

Ensuring that technology really works on mobiles, and other devices, and the related technology work in accessibility is critical to the future of the Web, and while it isn't something we solve in a week it is something that needs to be front and center so that we don't turn around in a few years and discover we have to spend a few years re-doing our work because we forgot to focus where it matters.

Q. The W3C standards process seeks to balance speed and fairness. Building consensus takes times. Building software also takes time. Any suggestions for how to speed those processes up while promoting participation and maintaining fairness?

A. W3C has been moving towards a more open model, and almost of necessity this slows down the work, as more people need to understand and digest what is happening as it occurs rather than being presented with a fait accompli.

Providing more support for translation of Working Drafts would be helpful - this speeds input and adoption from non-English-speaking communities, which also ensures a better specification. Perhaps the incentives for translating a new Working Draft should be raised compared to translating some short test case or simple tutorial article. (It is pretty apparent that one key consideration for doing this is based on SEO, so increasing the SEO rewards for doing more useful work seems like a simple thing to help).

Promoting implementation across the toolchain - from browsers to authoring tools and tutorials - and promoting the development of interoperable but different systems over the idea of a single implementation are important to improving spec quality and the speed of development.

Q. On a similar note: do you think it would speed up the standards process if, within a given Working Group, participating Members were to prioritize and agree to implement a list of features? Or do the different priorities of the participants (and their customers) make that unlikely?

A. If Members agree to a prioritisation of implementation, and follow through, of course it speeds up work significantly. Element Traversal is an example of a perfectly simple spec, readily implementable and with several interoperable versions shipping on totally distinct codebases, that was held up some months because someone thought that it might be interesting to implement something new instead of what everyone did, and then specifying the new piece. It turns out there is no real problem with shipping the old spec and then making a new one to cover the extended functionality, which we also expect people to implement, so we expect to have the first spec finished with probably four complete implementations very soon, and the extra functionality specified and implemented relatively soon after.

On the other hand, it is possible to waste a huge amount of time trying to get agreement where there simply is none.

Q. What innovations (in particular, related to standards support) should we expect from Opera in the next major release of the browser?

A. Some things are predictable: further improvements to the accessibility support, more HTML 5 and SVG and CSS and MathML and better integration, and so on. And there are various things we have previewed at labs.opera.com that will come to release, like audio and video, Acid 3 compliance, selectors API, improved webfonts, filesystem access, and so on.

But expect the unexpected! We're working on some cool stuff that we will start to launch pretty soon. We're working to build a fantastic cross-platform standards-based application environment, and there are many things that would be good to put into that space. We'll come up with some new toys, and it might pay to watch labs.opera.com for an idea of what we are working on before we make a major release.

Many thanks to Charles for his answers.

Hi, I’m Sharath Udupa, developer on the IE team focusing on AJAX features for IE8. One of the AJAX improvements we adopted in IE8 from HTML5 is AJAX page navigations. In IE8 mode, we provide support for script to update the travel log components (for e.g. back/forward buttons, address bar) to reflect client-side updates to documents. This allows a better user experience where users can navigate back and forth without messing the AJAX application state.

For more information regarding the feature and sample code, refer to the Internet Explorer MIX08 Hands-on Labs for AJAX and IE8 Beta 1 for Developers. For an example of how this can be used to hook navigation in Silverlight (with sample code!), see Michael Scherotter’s blog  posts titled How IE8 Enables Silverlight Deep Linking and Browser Back/Forward Navigation and IE8 Forward/Back in a Silverlight 2 (Beta 2) Application for further details.

Sharath Udupa
Internet Explorer Developer

Continuing my minimalist markup quest, I’ve converted posts to be mostly valid HTML5.  The overall structure is correct, but individual comments may only be well-formed but may contain deviations from validity.  Most posts will have no span, div, or table elements.  Over time, the hope is to make it so that all new comments are valid.

The HTML5 Validator is currently down, so I proceeded to install a local copy.  Other than having to make the following change, all went smoothly.

===================================================================
--- build.py    (revision 58)
+++ build.py    (working copy)
@@ -77,7 +77,7 @@
   ("http://www.slf4j.org/dist/slf4j-1.4.3.zip", "5671faa7d5aecbd06d62cf91f990f80a"),
   ("http://www.nic.funet.fi/pub/mirrors/apache.org/commons/fileupload/binaries/commons-fileupload-1.2-bin.zip", "6fbe6112ebb87a9087da8ca1f8d8fd6a"),
 #  ("http://mirror.eunet.fi/apache/xml/xalan-j/xalan-j_2_7_1-bin.zip", "99d049717c9d37a930450e630d8a6531"),
-  ("http://mirror.eunet.fi/apache/ant/binaries/apache-ant-1.7.0-bin.zip" , "ac30ce5b07b0018d65203fbc680968f5"),
+  ("http://archive.apache.org/dist/ant/binaries/apache-ant-1.7.0-bin.zip" , "ac30ce5b07b0018d65203fbc680968f5"),
   ("http://surfnet.dl.sourceforge.net/sourceforge/iso-relax/isorelax.20041111.zip" , "10381903828d30e36252910679fcbab6"),
   ("http://ovh.dl.sourceforge.net/sourceforge/junit/junit-4.4.jar", "f852bbb2bbe0471cef8e5b833cb36078"),
   ("http://dist.codehaus.org/stax/jars/stax-api-1.0.1.jar", "7d436a53c64490bee564c576babb36b4"),

I’m also experimenting with hoisting the author’s name to a floating aside in the top right of each comment.

Sections are used to group comments by days.  These groupings will adjust based on your local time zone.

The pages themselves display reasonably consistently between the three browsers that I have been testing with (Firefox 3.0, Safari 3.1.2, Opera 9.5), and mostly differ in the amount of support they have for CSS-based rounded corners (full, partial, none; respectively).

In a recent item on IE8 Security, Eric Lawrence, Security Program Manager for Internet Explorer, introduced a work-around to the security risks associated with content-type sniffing: an authoritative=true parameter on the Content-Type header in HTTP. This re-started discussion of the content-type sniffing rules and the Support Existing Content design principle of HTML 5. In response to a challenge asking for evidence that supporting existing content requires sniffing, Adam made a suggestion that I'd like to pass along:

I encourage you to build a copy of Firefox without content sniffing and try surfing the web. I tried this for a while, and I remember there being a lot of broken sites ...

That reminded me of an idea I heard in TAG discussions of MIME types and error recovery: a browser mode for "This is my content, show me problems rather than fixing them for me silently."

Though Adam offered a patch, building firefox is not something I have mastered yet, so I'm interested to learn about run-time configuration options in IE (notes Julian) and Opera (notes Michael). Eric Lawrence's reply points out:

Please do keep in mind, however, that most folks (even the ultra-web engaged on these lists) see but a small fraction of the web, especially considering private address space/intranets, etc.

A report from one developer suggests there's light at the end of the tunnel, at least for sniffing associated with feeds:

I did, partly as an experiment, stop sniffing text/plain in the latest release of SimplePie (which, inevitably, isn't the nicest of things to do, seeming there are tens of thousands of users). Next to nothing broke. I know for a fact this couldn't have been done a year or two ago: things have certainly moved on in terms of the MIME types feeds are served with ...

If you get a chance to try life without MIME type sniffing, please let us know how it goes.

Raising Issues

In order to raise an issue or proposal in regards to the HTML5 specification you do not have to be a member of the W3C HTML Working Group (HTML WG). Anyone can simply enter a bug into the HTML Bugzilla. If the proposal or issue is rejected by those that control the specification and the issue is related to accessibility, you can refer the issue to the W3C Protocols and Formats Working Group (PF WG). Probably the best method is to subscribe to and send an email to the WAI-XTECH mailing list.

I would suggest that you take this course of action if you consider that the issue raised to be substantive and it has not been given appropriate consideration due to lack of accessibility expertise or understanding of the obligations of the HTML WG to ensure deliverables will satisfy accessibility requirements.

The PF WG is responsible for ensuring accessibility considerations are taken into account in all specifications produced within the W3C.  If the PF WG considers the matter substantive they may formally request that the HTML WG, not just the editor, reconsider the matter. This may lead to the HTML WG as a whole having a vote on the matter, that is up to the HTML WG Chairs to decide.

By following this course of action you at least guaranteed that the issue will be discussed by a group within the W3C that has expertise in relation to accessibility and the web. It will also be considered employing the W3C consensus process, which is not a process currently used in practice within the HTML WG.

W3C Member Organisations

You can also bring matters to the attention of W3C member organisations, so when it comes time to review and vote on the HTML5 specification before publication, those organisations can make an informed decision about whether the specification takes the accessibility requirements of their constituents into account.

W3C members include organisations such as the Royal National Institute for the Blind and vision australia who represent the interest of people with disabilities, so you can voice your concerns with them directly.

Related Reading:

• Re: WAI mandate to work with other WGs?
  
• Clarification of process for raising html5 accessibility related issues
• Re: Clarification of process for raising html5 accessibility related issues
• on involvement of PF
• RE: on involvement of PF

You have read a lot about the html 5 specification. You heard that there were hidden dragons and acid rains. But what about looking by yourself practically how html 5 parsing is working? There are already some tools to play with html 5.

DOM in actual browsers

DOM (Document Object Model) is the representation that browsers are using in memory to manipulate Web content. Browsers have bugs and the content on the Web is largely not conforming. It results in very different DOM representations in browsers. If you are interested by seeing what a document looks like in different browsers, you can use the Live DOM Viewer. Open this link with each browser you know and paste code into the window.

This helps you to see how the Web content is understood today by different tools.

DOM after html 5 parsing

Now you might be interested to see how a document will be represented by a tool implementing html 5 parsing rules. An important note, html 5 is a specification in development. Things might change. The following tools might be incomplete and contain bugs as well. But it will give you an idea of the DOM. It is very practical when you are developing another language which is not html 5 but might be sent as text/html (by mistake or practical choice).

There are at least two online services:

• Live html 5 parser by Philip Taylor
• html5lib Based HTML5 Parser

Henri Sivonen developed a standalone application that you can use on your desktop. Here are the instructions to get it running. It worked fine on my macintosh.

1. Check out the source: svn co http://svn.versiondude.net/whattf/htmlparser/trunk/ htmlparser
2. Download and untar GWT 1.5 RC1: http://code.google.com/webtoolkit/versions.html
3. On Linux, install libstdc++5 and a JDK (Ubuntu's OpenJDK-based package worked for me).
4. Edit the paths in HtmlParser-shell (Mac) or HtmlParser-linux (Linux) to point to the location of GWT.
5. Run HtmlParser-shell (Mac) or HtmlParser-linux (Linux)

Henri gave a list of limitations and bugs

Using html 5 parsing in your own code

There are for now three implementations of the html 5 parsing algorithm.

• html5lib python 0.11.1
• html5lib ruby 0.10.0
• html 5 parser java

There is an attempt at implementing in C# for .Net 2.0, but no code has been released yet.

• Twintsam

If you know other tools implementing it, leave a comment.

When a software is shipped, it has bugs. There are many reasons for these bugs. It can be poor in-house development, it can be careless testing, it can be unclear specifications, and many other things. We have to live with these bugs in software.

A bug deployed in a software for a long term becomes a feature.

It's specifically true in a distributed environment where pieces are loosely joined: the Web. Softwares are released with their inherent bugs. Content and framework developers are hit by the bug. They modify their own software to accommodate the bug or take advantage of it. No new version of the buggy software is released for a long time. When it is finally time to release a new version, the buggy software has to keep the bug as a feature to not break anything on the Web. Eventually, one day the bug makes its way to a specification like html 5.

It is difficult to change things because they are all intertwined but in a very loose way, which makes its strength. You can try to fix the software knowing that it will break things at many places. You have then to be ready to loose customers if someone else as implemented the bug. Users are not aware of the bug, and they don't really care about it. Fixing means also, in this case, educating people about the issue, and content developers on how to fix their content. Content developers will be the hardest ones. If they fix, knowing that it will break things in other softwares, they will loose customers. So they are not likely to do it.

To avoid that bugs become features, softwares have to be released with a short cycle. So that people can't take advantage of bugs. It means also that bugs don't survive many releases.

Can we improve the situation for bugs already deployed?

The solution could be a simultaneous release of softwares and a campaign educating people. This is challenging. Very challenging. It means agreement between companies at the release moment and a front with regards to unsatisfied customers. I just wonder if it would be possible as an experiment for one or two bugs. For example, in HTML 5 specification, browsers and Web sites, would it be possible to fix the content-type sniffing on text/plain.

Eric Lawrence: we’ve provided web-applications with the ability to opt-out of MIME-sniffing. Sending the new authoritative=true attribute on the Content-Type HTTP response header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type

While I’m not a fan of content-sniffing, one of my few pet peeves with HTML5 is that it endeavors to institutionalize the practice with no provisions for content providers to opt out.  As the lesser of the available evils, I hope Microsoft’s proposal is quickly adopted by other browsers.

Boagworld is a web design and development podcast based in the UK. In today's episode, they interview me about HTML5. In it, we discuss the current state of HTML5, some of the new features that are currently, or are being implemented, and what we can expect in the future.

Boagworld is a web design and development podcast based in the UK. In today’s episode, they interview me about HTML5. In it, we discuss the current state of HTML5, some of the new features that are currently, or are being implemented, and what we can expect in the future.

Hi! I’m Eric Lawrence, Security Program Manager for Internet Explorer. Last Tuesday, Dean wrote about our principles for delivering a trustworthy browser; today, I’m excited to share with you details on the significant investments we’ve made in Security for Internet Explorer 8. As you might guess from the length of this post, we’ve done a lot of security work for this release. As an end-user, simply upgrade to IE8 to benefit from these security improvements. As a domain administrator, you can use Group Policy and the IEAK to set secure defaults for your network. As web-developer, you can build upon some of these new features to help protect your users and web applications.

As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don’t provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits.

Web Application Defense

Cross-Site-Scripting Defenses

Over the past few years, cross-site scripting (XSS) attacks have surpassed buffer overflows to become the most common class of software vulnerability. XSS attacks exploit vulnerabilities in web applications in order to steal cookies or other data, deface pages, steal credentials, or launch more exotic attacks.

IE8 helps to mitigate the threat of XSS attacks by blocking the most common form of XSS attack (called “reflection” attacks). The IE8 XSS Filter is a heuristic-based mitigation that sanitizes injected scripts, preventing execution. Learn more about this defense in David’s blog post: IE8 Security Part IV - The XSS Filter.

XSS Filter provides good protection against exploits, but because this feature is only available in IE8, it’s important that web developers provide additional defense-in-depth and work to eliminate XSS vulnerabilities in their sites. Preventing XSS on the server-side is much easier that catching it at the browser; simply never trust user input! Most web platform technologies offer one or more sanitization technologies-- developers using ASP.NET should consider using the Microsoft Anti-Cross Site Scripting Library. To further mitigate the threat of XSS cookie theft, sensitive cookies (especially those used for authentication) should be protected with the HttpOnly attribute.

Safer Mashups

While the XSS Filter helps mitigate reflected scripting attacks when navigating between two servers, in the Web 2.0 world, web applications are increasingly built using clientside mashup techniques. Many mashups are built unsafely, relying SCRIPT SRC techniques that simply merge scripting from a third-party directly into the mashup page, providing the third-party full access to the DOM and non-HttpOnly cookies.

To help developers build more secure mashups, for Internet Explorer 8, we’ve introduced support for the HTML5 cross-document messaging feature that enables IFRAMEs to communicate more securely while maintaining DOM isolation. We’ve also introduced the XDomainRequest object to permit secure network retrieval of “public” data across domains.

While Cross-Document-Messaging and XDomainRequest both help to secure mashups, a critical threat remains. Using either object, the string data retrieved from the third-party frame or server could contain script; if the caller blindly injects the string into its own DOM, a script injection attack will occur. For that reason, we’re happy to announce two new technologies that can be used in concert with these cross-domain communication mechanisms to mitigate script-injection attacks.

Safer Mashups: HTML Sanitization

IE8 exposes a new method on the window object named toStaticHTML. When a string of HTML is passed to this function, any potentially executable script constructs are removed before the string is returned. Internally, this function is based on the same technologies as the server-side Microsoft Anti-Cross Site Scripting Library mentioned previously.

So, for example, you can use toStaticHTML to help ensure that HTML received from a postMessage call cannot execute script, but can take advantage of basic formatting:

document.attachEvent('onmessage',function(e) { 
  if (e.domain == 'weather.example.com') {
      spnWeather.innerHTML = window.toStaticHTML(e.data);
  }
}

Calling:

window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script>alert('bang!');</script>!");

will return:

This is some <b>HTML</b> with embedded script following... !

Safer Mashups: JSON Sanitization

JavaScript Object Notation (JSON) is a lightweight string-serialization of a JavaScript object that is often used to pass data between components of a mashup. Unfortunately, many mashups use JSON insecurely, relying on the JavaScript eval method to “revive” JSON strings back into JavaScript objects, potentially executing script functions in the process. Security-conscious developers instead use a JSON-parser to ensure that the JSON object does not contain executable script, but there’s a performance penalty for this.

Internet Explorer 8 implements the ECMAScript 3.1 proposal for native JSON-handling functions (which uses Douglas Crockford’s json2.js API). The JSON.stringify method accepts a script object and returns a JSON string, while the JSON.parse method accepts a string and safely revives it into a JavaScript object. The new native JSON methods are based on the same code used by the script engine itself, and thus have significantly improved performance over non-native implementations. If the resulting object contains strings bound for injection into the DOM, the previously described toStaticHTML function can be used to prevent script injection.

The following example uses both JSON and HTML sanitization to prevent script injection:

<html>
<head><title>XDR+JSON Test Page</title>
<script>
if (window.XDomainRequest){
      var xdr1 = new XDomainRequest();
      xdr1.onload = function(){
           var objWeather = JSON.parse(xdr1.responseText);
           var oSpan = window.document.getElementById("spnWeather");
           oSpan.innerHTML = window.toStaticHTML("Tonight it will be <b>"
                             + objWeather.Weather.Forecast.Tonight + "</b> in <u>" 
                             + objWeather.Weather.City+ "</u>.");
      };
      xdr1.open("POST", "http://evil.weather.example.com/getweather.aspx");
      xdr1.send("98052");
}
</script></head>
<body><span id="spnWeather"></span></body>
</html>

…even if the weather service returns a malicious response:

HTTP/1.1 200 OK
Content-Type: application/json
XDomainRequestAllowed: 1

{"Weather": {
  "City": "Seattle",
  "Zip": 98052,
  "Forecast": {
    "Today": "Sunny", 
    "Tonight": "<script defer>alert('bang!')</script>Dark",
    "Tomorrow": "Sunny"
  }
}}

MIME-Handling Changes

Each type of file delivered from a web server has an associated MIME type (also called a “content-type”) that describes the nature of the content (e.g. image, text, application, etc). For compatibility reasons, Internet Explorer has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource. In some cases, Internet Explorer reports a MIME type different than the type specified by the web server. For instance, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, IE determines that the content should be rendered as HTML. Because of the number of legacy servers on the web (e.g. those that serve all files as text/plain) MIME-sniffing is an important compatibility feature.

Unfortunately, MIME-sniffing also can lead to security problems for servers hosting untrusted content. Consider, for instance, the case of a picture-sharing web service which hosts pictures uploaded by anonymous users. An attacker could upload a specially crafted JPEG file that contained script content, and then send a link to the file to unsuspecting victims. When the victims visited the server, the malicious file would be downloaded, the script would be detected, and it would run in the context of the picture-sharing site. This script could then steal the victim’s cookies, generate a phony page, etc.

To combat this problem, we’ve made a number of changes to Internet Explorer 8’s MIME-type determination code.

MIME-Handling: Restrict Upsniff

First, IE8 prevents “upsniff” of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script. This change mitigates the picture-sharing attack vector-- with no code changes on the part of the server. We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type.

MIME-Handling: Sniffing Opt-Out

Next, we’ve provided web-applications with the ability to opt-out of MIME-sniffing. Sending the new authoritative=true attribute on the Content-Type HTTP response header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.

For example, consider the following HTTP-response:

HTTP/1.1 200 OK
Content-Length: 108
Date: Thu, 26 Jun 2008 22:06:28 GMT
Content-Type: text/plain; authoritative=true;

<html>
<body bgcolor="#AA0000">
This page renders as HTML source code (text) in IE8.
</body>
</html>

In IE7, the text is interpreted as HTML:

In IE8, the page is rendered in plaintext:

Sites hosting untrusted content can use the authoritative attribute to ensure that text/plain files are not sniffed to anything else.

MIME-Handling: Force Save

Lastly, for web applications that need to serve untrusted HTML files, we have introduced a mechanism to help prevent the untrusted content from compromising your site’s security. When the new X-Download-Options header is present with the value noopen, the user is prevented from opening a file download directly; instead, they must first save the file locally. When the locally saved file is later opened, it no longer executes in the security context of your site, helping to prevent script injection.

HTTP/1.1 200 OK
Content-Length: 238
Content-Type: text/html
X-Download-Options: noopen
Content-Disposition: attachment; filename=untrustedfile.html

Taken together, these new Web Application Defenses enable the construction of much more secure web applications.

Local Browser Defenses

While Web Application attacks are becoming more common, attackers are always interested in compromising ordinary users’ local computers. In order to allow the browser to effectively enforce security policy to protect web applications, personal information, and local resources, attacks against the browser must be prevented. Internet Explorer 7 made major investments in this space, including Protected Mode, ActiveX Opt-in, and Zone Lockdowns. In response to the hardening of the browser itself, attackers are increasingly focusing on compromising vulnerable browser add-ons.

For Internet Explorer 8, we’ve made a number of investments to improve add-on security, reduce attack surface, and improve developer and user experience.

Add-on Security

We kicked off this security blog series with discussion of DEP/NX Memory Protection, enabled by default for IE8 when running on Windows Server 2008, Windows Vista SP1 and Windows XP SP3. DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. You can read more about this defense in the original blog post: IE8 Security Part I: DEP/NX Memory Protection.

In a follow-up post, Matt Crowley described the ActiveX improvements in IE8 and summarized the existing ActiveX-related security features carried over from earlier browser versions. The key improvement we made for IE8 is “Per-Site ActiveX,” a defense mechanism to help prevent malicious repurposing of controls. IE8 also supports non-Administrator installation of ActiveX controls, enabling domain administrators to configure most users without administrative permissions. You can get the full details about these improvements by reading: IE8 Security Part II: ActiveX Improvements. If you develop ActiveX controls, you can help protect users by following the Best Practices for ActiveX controls .

Protected Mode

Introduced in IE7 on Windows Vista, Protected Mode helps reduce the severity of threats to both Internet Explorer and extensions running in Internet Explorer by helping to prevent silent installation of malicious code even in the face of software vulnerabilities. For Internet Explorer 8, we’ve made a number of API improvements to Protected Mode to make it easier for add-on developers to control and interact with Protected Mode browser instances. You can read about these improvements in the Improved Protected Mode API Whitepaper.

For improved performance and application compatibility, by default IE8 disables Protected Mode in the Intranet Zone. Protected Mode was originally enabled in the Intranet Zone for user-experience reasons: when entering or leaving Protected Mode, Internet Explorer 7 was forced to create a new process and hence a new window.

Internet Explorer 8’s Loosely Coupled architecture enables us to host both Protected Mode and non-Protected Mode tabs within the same browser window, eliminating this user-experience annoyance. Of course, IE8 users and domain administrators have the option to enable Protected Mode for Intranet Zone if desired.

Application Protocol Prompt

Application Protocol handlers enable third-party applications (such as streaming media players and internet telephony applications) to directly launch from within the browser or other programs in Windows. Unfortunately, while this functionality is quite powerful, it presents a significant amount of attack surface, because some applications registered as protocol handlers may contain vulnerabilities that could be triggered from untrusted content from the Internet.

To help ensure that the user remains in control of their browsing experience, Internet Explorer 8 will now prompt before launching application protocols.

To provide defense-in-depth, Application Protocol developers should ensure that they follow the Best Practices described on MSDN.

File Upload Control

Historically, the HTML File Upload Control (<input type=file>) has been the source of a significant number of information disclosure vulnerabilities. To resolve these issues, two changes were made to the behavior of the control.

To block attacks that rely on “stealing” keystrokes to surreptitiously trick the user into typing a local file path into the control, the File Path edit box is now read-only. The user must explicitly select a file for upload using the File Browse dialog.

Additionally, the “Include local directory path when uploading files” URLAction has been set to "Disable" for the Internet Zone. This change prevents leakage of potentially sensitive local file-system information to the Internet. For instance, rather than submitting the full path C:\users\ericlaw\documents\secret\image.png, Internet Explorer 8 will now submit only the filename image.png.

Social Engineering Defenses

As browser defenses have been improved over the last few years, web criminals are increasingly relying on social engineering attacks to victimize users. Rather than attacking the ever-stronger castle walls, attackers increasingly visit the front gate and simply request that the user trust them.

For Internet Explorer 8, we’ve invested in features that help the user make safe trust decisions based on clearly-presented information gathered from the site and trustworthy authorities.

Address Bar Improvements

Domain Highlighting is a new feature introduced in IE8 Beta 1 to help users more easily interpret web addresses (URLs). Because the domain name is the most security-relevant identifier in a URL, it is shown in black text, while site-controlled URL text like the query string and path are shown in grey text.

When coupled with other technologies like Extended Validation SSL certificates, Internet Explorer 8’s improved address bar helps users more easily ensure that they provide personal information only to sites they trust.

SmartScreen® Filter

Internet Explorer 7 introduced the Phishing Filter, a dynamic security feature designed to warn users when they attempt to visit known-phishing sites. For Internet Explorer 8, we’ve built upon the success of the Phishing Filter feature (which blocks millions of phishing attacks per week) and developed the SmartScreen® Filter. The SmartScreen Filter goes beyond anti-phishing to help block sites that are known to distribute malware, malicious software which attempts to attack your computer or steal your personal information. SmartScreen works in concert with other technologies like Windows Defender and Windows Live OneCare to provide comprehensive protection against malicious software.

You can read more about the new SmartScreen Filter in my earlier post: IE8 Security Part III - The SmartScreen Filter.

Summary

Security is a core characteristic of trustworthy browsing, and Internet Explorer 8 includes major improvements to address the evolving web security landscape. While the bad guys are unlikely to ever just “throw in the towel,” the IE team is working tirelessly to help protect users and provide new ways to enhance web application security.

Please stay tuned to the IEBlog for more information on the work we’re doing in Privacy, Reliability, and Business Practices to build a trustworthy browser.

Onward to Beta-2 in August!

Eric Lawrence
Program Manager
Internet Explorer Security

reboot10 has once again been a very interesting conference. I gave 15x20 micropresentation on HTML5 which was just a variant of my XTech 2008 lightning talk (I converted it to Apple Keynote and removed some slides, basically). The other presentation was Keeping the Web Free (slides) which thanks to tough competition was not quite as well attended as I’d hoped, but it went quite well.

If you’ve investigated how browsers parse HTML, you’ve probably used Hixie’s Live DOM Viewer to see what happens. Wouldn’t it be cool, though, if you could experiment with the HTML5 parsing algorithm in the same UI? Well, now you can.

I was looking for a way to experiment with document.write() in the code base of the Validator.nu HTML Parser and I was looking for a way to let people see the parse tree output of the HTML5 parsing algorithm more easily. Instead of writing a test harness fully in Java, I thought it would be better to use the Live DOM Viewer and a browser engine as the test harness. The good news is that Google Web Toolkit makes it possible to put these pieces together, and the trunk of the Validator.nu HTML parser now comes with a document.write()-aware tokenizer driver and a tree builder subclass for GWT.

The bad news is that the Java-to-JavaScript compiler of GWT has a bug that blocks me from putting the result online as JavaScript. The Hosted Mode of GWT, works, though.

Here’s how you can run the Validator.nu HTML Parser in the Live DOM Viewer locally in the Hosted Mode of GWT (on Mac or Linux):

1. Check out the source: svn co http://svn.versiondude.net/whattf/htmlparser/trunk/ htmlparser
2. Download and untar GWT 1.5 RC1
3. On Linux, install libstdc++5 and a JDK (Ubuntu's OpenJDK-based package worked for me).
4. Edit the paths in HtmlParser-shell (Mac) or HtmlParser-linux (Linux) to point to the location of GWT.
5. Run HtmlParser-shell (Mac) or HtmlParser-linux (Linux)

Known problems:

• The Linux version of GWT runs an outdated version of Gecko, and the rendered view doesn't work. The DOM view does.
• The Mac version of GWT runs a Web Inspector-enabled version of WebKit, but SVG does not draw.
• document.write() semantics are right only for inline scripts.
• Copying and pasting using keyboard shortcuts doesn’t work. (Use the context menu.)
• On Linux, GTW prints a lot of harmless warnings about not finding annotations. (I don’t know why that happens. The annotations should be among translatables.)
• Gecko (used by GTW on Linux) doesn't allow the creation of xmlns attributes in no namespace, so things stop working if you try to put an attribute called xmlns on HTML elements.
• The DOM view on Linux doesn't report names with colons in them per the HTML5 spec.

(Aside: This code could have applicability beyond testing the parser. If the compiler bug were fixed or worked around, a script could document.write() a math element and an svg element to sniff if they are parsed according to HTML5 and if they aren't, move aside load event handlers, document.write() <plaintext style='display:none'>, wait until DOMContentLoaded, load the the already created html, head and body elements onto the tree builder stack and head pointer of the HTML5 parser to and reparse the content of the plaintext element as HTML5 and call the load event handlers. See Philip Taylor’s proof of concept with S-expressions.)

Almost 70 years ago, on a Sunday, October 30, 1938, we could hear on a radio:

Ladies and gentlemen, we interrupt our program of dance music to bring you a special bulletin from the Intercontinental Radio News. At twenty minutes before eight, central time, Professor Farrell of the Mount Jennings Observatory, Chicago, Illinois, reports observing several explosions of incandescent gas, occurring at regular intervals on the planet Mars.

Recently on Monday, June 23, 2008, we could read on a radio site

hCalendar will be gone from /programmes by the next deploy (probably this Thursday).

In the meantime we'll be looking at the possible use of RDFa (a slightly bigger S semantic web technology similar to microformats but without some of the more unexpected side-effects).

What's common between the two? They created a big wave of reactions, comments and arguments: A war of the worlds.

microformats, RDFa and HTML 5

I would like to focus on two blog posts which I like in this flood of comments. There are many more interesting.

Ed Dumbill says in The BBC, microformats, RDFa and Resig:

One of the wonderful things Resig has done with JavaScript is take time to love it and figure out its corners. Take some of the "confusing" and "advanced" things away and you're not able to achieve the same things. What he's done in jQuery is add a layer of elegance, predictability and accessibility.

I for one would love to see what Resig would do with semantic markup. jQuery really encourages and enables good markup practices, so there's a lot of synergy with his current style.

Not only jQuery, I met once, John Resig in Tokyo. He was giving a talk about new features of the future Ecmascript. It was complex, not necessary easy to understand, but he made it in a way that was enlightning. We could see he had pleasure talking about it. That was refreshing. I decided to put it on the side of good speakers who are worth to go see again.

Then not so far ago, John ported Processing vizualization language to Javascript. I love graphics and information processing. It was yet again another moment of pleasure thinking "Some people have talents and creativity in their hands, they do beautiful things with complex objects."

The other blog post is in French and comment also about the affair. Damien Bonvillain is giving his take on RDFa and its simplicity:

In fact, RDFa defines only 5 new attributes (about, property, resource, datatype, typeof)

RDFa became a candidate recommendation last week. You can read the Primer or go to the RDFa wiki to learn a bit more about the technology. Yes, indeed, for some people it will need a bit of work to understand the concepts. But it took me time to learn HTML, and I don't really master Javascript, but people like John gave me the opportunity to simplify things by developping tools, libraries or authoring tools.

And HTML 5 in all that? Here again there is the story behind the story. The first version of RDFa was using a lot elements like meta and link in the body of a page. But browsers because of invalid markup found on the Web have to recover pages and put back the link and the meta in the head of the document. RDFa community listened and learned. They modified their model to make a step toward HTML 5, to create an environment that will create less interoperability issues. They made a step in the right direction to be able to work together.

Next week, I will show why it is important and how that can work even if not perfectly. But remember, it is because there are people like John Resig, who creates, that complex things become easy. The war of the worlds was a fiction.

Ian Hickson, the editor of the current HTML5 draft, posted an Error handling in URIs message to the uri@w3.org mailing list outlining some issues related to browser error handling behaviour for URIs, and to IRIs and character encodings other than UTF-8 — and asking, “Is there any chance that the URI and IRI specifications might get updated to handle these issues?”.

That posting and question spawned some spirited discussion, with messages from Julian Reschke, Anne van Kesteren, Tim Bray, John Cowan, Frank Ellermann, and Martin Duerst, and provoking some comments like the following one:

That’s kind of what I said already, and why I guess that HTML5 will never fly: It tries to reinvent the Web, if not the Internet.

…and from Ian to the above, the following response:

Actually we’re trying to not reinvent the Web, but to document it, so that browser vendors can write browsers that handle existing Web content in a fashion compatible with legacy UAs without reverse-engineering each other.

(It’s true that this is requiring defining things that are at odds with existing specifications, but that’s mostly because those specifications aren’t in fact in line with real usage…)

Ian Hickson, the editor of the current HTML5 draft, posted an Error handling in URIs message to the uri@w3.org mailing list outlining some issues related to browser error handling behaviour for URIs, and to IRIs and character encodings other than UTF-8 — and asking, “Is there any chance that the URI and IRI specifications might get updated to handle these issues?”.

That posting and question spawned some spirited discussion, with messages from Julian Reschke, Anne van Kesteren, Tim Bray, John Cowan, Frank Ellermann, and Martin Duerst, and provoking some comments like the following one:

That’s kind of what I said already, and why I guess that HTML5 will never fly: It tries to reinvent the Web, if not the Internet.

…and from Ian to the above, the following response:

Actually we’re trying to not reinvent the Web, but to document it, so that browser vendors can write browsers that handle existing Web content in a fashion compatible with legacy UAs without reverse-engineering each other.

(It’s true that this is requiring defining things that are at odds with existing specifications, but that’s mostly because those specifications aren’t in fact in line with real usage…)

While Ryan, James, and Mark have been pursing a minimalist design from a presentation perspective, I’ve been quietly pursuing a minimalist design from a markup perspective.  I’m not sure when it changed, but Firefox 3.0, Safari 3.1.1, and Opera 9.5 now all support units of em in SVG dimensions.

This means that my front page (under development) can be valid HTML5 and yet have absolutely no div or span elements, no inline style or class attributes, and no table or img elements used purely for layout purposes.

I have more work to do on individual post pages and on the archives.  The archives will continue to employ a table for the calendar.

Starting in June, the W3C HTML WG began using Bugzilla for tracking of detailed specification issues. The following is a summary of changes for the week of June 15th, 2008.

The following bugs were CLOSED:

• priority request: reply to outline e-mail

  Ian Hickson opened and closed his own bug but it originated via a message to public-html from James Graham back in March 2008. James was primarily concerned about this language:

  Otherwise, if the element being entered has a rank equal to or greater than the heading of the current section, then create a new section and append it to the outline of the current outline element.

  Ian responded to this message on June 17th, 2008:

  The first "otherwise" section was too aggressive, which, as you point out, prevented the second "otherwise" clause from affecting the bits it was supposed to.

  There was some additional discussion surrounding the outline section as Geoffrey Sneddon was writing a test implementation algorithm. Ian responded to Geoffrey with both information and acknowledgement of some specification changes. There was also some discussion between Geoffrey, Ian, James and Philip Taylor via IRC between June 12th - June 19th.

  The editor's draft of section 4.3.10.1 includes the corrected language.

• Newly introduced void elements are not mentioned in "Writing HTML Documents" section

  Lachlan Hunt noted that the list of void elements was incomplete and missing: command, event-source, source. The draft of section 9.1.2 has been updated by Ian Hickson.

• content sniffing should be allowed on link elements with a relationship type of icon

  Philip Taylor did a bit of research on existing usage of content-types with favicons and found many inconsistencies. Philip suggested that <link rel=icon> resources should be treated the same as those sourced from an <img> element. Philip originally brought this issue to the attention of the editor via IRC on June 18th.

  Ian Hickson updated the Link type "icon" section with additional language that user agents