16:10:00 RRSAgent has joined #pwg 16:10:00 logging to https://www.w3.org/2018/11/12-pwg-irc 16:10:01 rrsagent, set log public 16:10:01 Meeting: Publishing Working Group Telco 16:10:01 Chair: wendy 16:10:01 Date: 2018-11-12 16:10:01 Regrets+ makoto, franco, rachel, rkwright 16:10:01 Agenda: https://lists.w3.org/Archives/Public/public-publ-wg/2018Nov/0013.html 16:10:02 ivan has changed the topic to: Meeting 2018-11-12: https://lists.w3.org/Archives/Public/public-publ-wg/2018Nov/0013.html 16:27:33 dkaplan3 has joined #pwg 16:44:06 wolfgang has joined #pwg 16:46:16 yanni has joined #pwg 16:49:28 regrets+ vlad 16:55:52 JuanCorona has joined #pwg 16:57:29 present+ 16:57:42 present_ 16:57:45 present+ 16:57:51 s/present_// 16:57:54 gpellegrino has joined #pwg 16:58:05 present+ 16:58:13 present+ wolfgang 16:58:18 present+ 16:58:44 present+ 16:58:51 CHayes has joined #pwg 16:58:58 present+ CHayes 16:59:09 present+ gpellegrino 16:59:53 Hi I'm Yanni (Yu-Wei) form TDPF 16:59:54 EvanOwens has joined #pwg 17:00:09 s/form/from 17:00:11 zheng_xu has joined #pwg 17:00:36 romain has joined #pwg 17:00:36 Avneesh has joined #pwg 17:00:47 present+ 17:01:10 jbuehler has joined #PWG 17:01:11 Karen has joined #pwg 17:01:12 present+ 17:01:19 present+ 17:01:32 present+ 17:01:32 josh has joined #pwg 17:01:33 present+ 17:01:49 present+ 17:01:49 Jun_Gamo has joined #pwg 17:01:50 present+ 17:01:58 present+ 17:01:58 Karen_ has joined #pwg 17:02:00 timCole has joined #pwg 17:02:09 George has joined #pwg 17:02:14 ISO is interesting for those who love numbers 17:02:17 present+ 17:02:28 present+ Teorge 17:02:37 Karen has joined #pwg 17:02:37 present+ George 17:02:46 present+ Tim_Cole 17:03:04 Bill_Kasdorf has joined #pwg 17:03:13 garth has joined #pwg 17:03:19 present+ Garth 17:03:31 MustLazMS has joined #pwg 17:03:37 gpellegrino has joined #pwg 17:03:41 zakim, pick a victim 17:03:41 Not knowing who is chairing or who scribed recently, I propose tzviya 17:03:56 zakim, pick a victim 17:03:56 Not knowing who is chairing or who scribed recently, I propose Jun_Gamo 17:04:22 zakim, pick a victim 17:04:23 Not knowing who is chairing or who scribed recently, I propose dauwhe 17:04:31 scribenick: dauwhe 17:04:43 present+ 17:04:50 present+ 17:04:50 zakim, pick a victim 17:04:50 Not knowing who is chairing or who scribed recently, I propose romain 17:04:53 present+ Yanni 17:05:06 i am on, but sorry can't scribe 17:05:11 cmaden2 has joined #pwg 17:05:17 present+ Chris_Maden 17:05:20 Hadrien has joined #pwg 17:05:34 clapierre has joined #pwg 17:05:52 wendyreid: welcome everyone 17:05:53 duga has joined #pwg 17:05:55 present+ 17:06:04 ... topic: last week's minutes 17:06:04 present+ 17:06:08 https://www.w3.org/publishing/groups/publ-wg/Meetings/Minutes/2018/2018-11-05-pwg.html 17:06:17 dauwhe: i approve 17:06:23 tzviya: approve 17:06:25 leonardr has joined #pwg 17:06:28 wendyreid: minutes are approved 17:06:37 ... new members this week! 17:06:39 resolved: last week's minutes approved 17:06:43 danielweck has joined #pwg 17:06:51 present+ 17:07:01 Present+ Leonard 17:07:04 ???: I'm Yanni from Taiwan 17:07:12 s/???/yanni 17:07:15 s/???/yanni/ 17:07:21 Topic: origins and web publications 17:07:26 q? 17:07:54 danielweck: hello everyone 17:08:14 ... do we have an issue that points to a problem? 17:08:15 present+ danielweck 17:08:31 laudrain has joined #pwg 17:08:36 Present+ 17:08:37 tzviya: a lot of people in the group aren't familiar with the issue 17:08:40 plinss has joined #pwg 17:08:43 ... an overview would be helpful 17:08:45 https://github.com/w3c/wpub/issues/321 is the issue leading to this 17:08:46 Q+ 17:09:10 danielweck: jiminy wrote eloquently described the history of the origin problem on the web 17:09:17 ... and the legacy problems we live with 17:09:23 https://github.com/w3c/dpub-pwp-ucr/issues?page=1&q=is%3Aissue+is%3Aclosed 17:09:27 ... and how new things on web are built with origin in mind 17:09:35 ... I can summarize how it impacts us 17:10:09 ... there are JS apis in web browsers that will rely on a set of security rules 17:10:26 ... and there is functionality that will be disabled based on those rules, regardless of whether script is used 17:10:36 ... in CSS fonts are affected by origins 17:10:48 ... it's about the https, address, port number 17:10:57 gpellegrino has joined #pwg 17:10:58 ... why is that relevant in web publications? 17:11:05 ... we have to obey the rules of the web 17:11:10 ... and it goes back to EPUB 17:11:17 ...where it was underspecified 17:11:33 ... so EPUB reading systems used weird tricks to bring stuff into webviews 17:11:43 ... but that's underspecified 17:11:51 ... so most reading systems implement a content server 17:12:00 ... with an IP address and port number 17:12:24 ... so that when we serve content we don't enable one publication script to acccess a different publication 17:12:37 ... think of a publication with a built-in user preference 17:12:42 s/acccess/access/ 17:13:00 ... that preference would be saveed in localstorage or something 17:13:04 ... that should be sandboxed 17:13:14 s/saveed/saved/ 17:13:20 ... and origin is a mechanism for content authors to control what is available to who 17:13:40 ... on the web we have to be mindful that origin is important 17:13:57 ... and we need to consider the restrictions we put on content 17:14:15 ... there are issues around service workers, which depends on scope and is sensitive to origins 17:14:30 leonardr: let me add a bit 17:14:50 ... I gave a preso on this at the first F2F in NY 17:15:13 ... when web content is instantiated in a browser or reading system or any ua 17:15:22 ... that content is instantiated in a context 17:15:36 q? 17:15:36 ... the origin is what defines the security level and infrastructure for the context 17:15:43 ack leonardr 17:15:44 ack leonardr 17:15:51 ... if you're offline, for example, there's a null origin 17:15:59 ... then it is an insecure context 17:16:13 ... when contexts are insecure many JS APIs can't run. they are not allowed to. 17:16:25 ... this includes some interactivity, like access to geolocation 17:16:32 ... or microphones or cameras 17:16:50 ... but if you have an origin, and the origin is secure (https) then you can access that stuff 17:17:29 ... then you run into cross-site stuff. CORS can allow fonts from a different origin. 17:17:44 ... many publishers are hosting books for various authors 17:17:56 ... you don't want the script from one pub to access another publication 17:18:18 ... but if they're both on kobo.com, then they are on the same domain and so there's nothing to prevent from a publication talking to another 17:18:35 ... there is talk in the web security task force about suborigins, to address this problem 17:18:36 Karen has joined #pwg 17:18:51 Related issue (discussion about HTTP CORS headers): https://github.com/w3c/wpub/issues/352#issuecomment-435913228 17:19:01 q? 17:19:17 scribenick: tzviya 17:19:44 dauwhe: It feels like we haven't made fundamental decisions. Does the manifest have to be same origin as entry page? 17:20:09 Karen_ has joined #pwg 17:20:28 ...I've had concerns that if WP is just a collection of stuff that are glued together with a manifest, then it leaves open the possibility of someone creating a publication without my consent. 17:20:40 ...We should consider whether some pieces MUST be same origin. 17:20:53 Karen__ has joined #pwg 17:21:32 q? 17:21:32 q+ 17:21:33 ... A lot of us have had an EPUB-ish model in mind. If I create a publication at Hachette, it will end up on a Kobo origin. The Web has looked at this a lot, and we need to consider what we're doing. 17:21:43 ack dkaplan3 17:21:51 dkaplan3: add to what dave says 17:21:52 ack dkaplan 17:22:04 ... not all of everyone's requirements are compatible, they can't co-exist 17:22:17 ... early on, some requreiments are about anthologies, which is a valid use case 17:22:27 ... and security and rights means there are limits 17:22:33 q+ 17:22:35 TAG Findings on distributed and syndicated content https://www.w3.org/2001/tag/doc/distributed-content/ 17:22:36 scribenick: dauwhe 17:22:39 s/requreiments/requirements/ 17:22:45 ... it's not just a technological limitation; there are competing priorities, and one of them is going to win 17:22:49 ack ivan 17:22:51 ack ivan 17:22:58 ivan: the question for me is 17:23:07 q+ 17:23:08 ... what of this is something that should be part of the specification 17:23:17 q+ 17:23:21 ... and what should be part of an accompanying document on limitations 17:23:31 https://w3c.github.io/webappsec-suborigins - suborigins work 17:23:39 ... the Q that dave was asking, should manifest be same domain as entry page 17:23:52 ... if they are on different domains than getting to manifest might be problematic 17:24:07 ... but if I publish my manifest with CORS flags set it's a deployment question 17:24:34 +1 to Ivan's comments 17:24:35 ... so this might be a deployment question 17:24:43 ... but it's not something that WPUB defines 17:24:51 ... just as HTML does not define these things 17:24:57 +1 Ivan 17:24:58 q+ 17:24:58 q? 17:25:03 ack tzviya 17:25:11 q+ 17:25:11 tzviya: one issue that we keep kicking down the road is offlining 17:25:26 ... which is associated with packaging but is not the same 17:25:31 ... and this is related to the boundaries 17:25:41 ... which we've defined philosophically 17:25:56 ... I'm not familiar enough with SWs to know how they operate,a nd that CORS is an issue 17:26:13 ... we're handwaving about offlining, but we'll have to face origins in reality 17:26:22 ... and cross-origin might be causing problems 17:26:29 ... so we may have to prioritize our requirements 17:26:40 q? 17:26:55 ack bigbluehat 17:27:05 https://github.com/w3c/wpub/issues/104 17:27:08 Basically, Tzviya is saying specifics of my general point: we have competing and incompatible requirements, and ultimately one of them will win. 17:27:19 bigbluehat: issue 104 around browsing contexts... 17:27:22 (possibly incompatible.) 17:27:44 ... beyond the origin idea, and we still haven't answered the question about what environment this spec is operating in 17:28:00 ... just like HTML is for browers, but other user agents might use it for PDF generation or something 17:28:09 ... in which case the UAs might not follow all the rules 17:28:11 s/browers/browsers/ 17:28:19 ... HTML defines origins and browsing contexts 17:28:46 ... are web publication intended to be run primarily in browsers, and thus any user agent should expect to operate in those confines 17:28:52 ... and we'd lean on web app security 17:29:08 ... or are we going to redefine those things, and craft our own user agent definition 17:29:29 ... that uses OWP content, but might not care about origins etc 17:29:37 q? 17:29:40 ack dauwhe 17:30:30 dauwhe: we need to be aware that specs may enable bad things 17:30:33 +1 to Dave 17:30:34 +1 dauwhe 17:30:35 dauwhe: let's be careful about the effects of our tecchnology 17:30:56 +1 17:31:03 s/tecchnology/technology/ 17:31:09 ack Hadrien 17:31:10 s/tecchnology/technology/ 17:31:21 Hadrien: I'm uncomfortable with the way we describe those issues 17:31:31 ... a lot of it comes down to how you implement the affordances 17:31:36 ... we say offlining or packaging 17:31:45 ... very diff issues depending how you implement 17:31:58 ... the audio book example... I used a previously hosted audiobook 17:32:13 ... the UA is using an audio element in html, so I don't have issues with origins 17:32:13 q+ 17:32:27 ... so it's hard to talk about vague things, as it depends on how we implement 17:32:45 ack duga 17:32:55 q+ 17:32:55 duga: responding to some things that tzviya and dave 17:33:10 ... I"m worrying about limiting what we can do based on how things work today 17:33:29 ... like if we restrict what we can do based on the security model of service workers, and then that changes later 17:33:44 ... I might want to have stuff in another doc on the realities of deployement today 17:33:57 ... to what dave said about white supremacists 17:34:21 ... that's an abuse of origins, and is more about rights management 17:34:27 q? 17:34:31 ack dkaplan3 17:34:32 ... and it seems dangerous to use a security model to enforce rights 17:34:40 dkaplan3: there are tech limits and functional requirements 17:34:44 ack dkaplan 17:34:47 ...they're differeent and they get conflated 17:34:57 ... we need to keep them separate 17:35:08 s/differeent/different/ 17:35:10 ... the set of requirements: what must we allow, what must we forbid 17:35:21 ... I want to move away from Dave's specific example 17:35:48 ... and say that there might be a functional requirement that you can't take your stuff without perrmission 17:35:57 ... and there are technical limitations 17:36:10 s/perrmission/permission/ 17:36:14 ... so we must make sure our tech enables our functional requirements 17:36:49 ... my Inner Ivan says that the technology today is all the technology we have. We have to write around today's technology 17:37:18 ... my interpretations of Dave's statement, wasn't about the copyright, but we can't just be building tech and pretending what anyone does with it is not our fault 17:37:25 ... we don't want to be Oppenheimer 17:37:31 ... let's be respoinsible about our specs 17:37:48 s/respoinsible/responsible/ 17:37:52 ... and let's be clear about functional requirements, and distinguish them from the technology that enables them 17:38:16 Topic: Tables of Contents 17:38:30 ivan: what is, if any, the next step re: origins 17:38:56 garth: is the inner or outer ivan proposing that we don't put origin stuff in our spec 17:39:11 ivan: fundamentally, yes 17:39:31 ... there are specific questions, because origins is part of our text on retrieving the manifest 17:39:53 q+ 17:39:53 ... the other question which we must have, are there security issue that we must mention and describe 17:40:02 q+ 17:40:03 ... I know this is a horizontal review requirement 17:40:17 ... and neither the inner nor outer ivan has any idea 17:40:49 tzviya: I want to ask the people in the group who understand this to contribute. I like Deborah's idea of functional requirements 17:41:07 ... we don't need a task force, but there is some work to be done 17:41:11 ... just a list of stuff 17:41:18 Sure :) 17:41:24 dauwhe: sure 17:41:31 ack tzviya 17:41:33 I'm sure Jiminy will be delighted :) 17:41:35 ack zheng_xu 17:41:40 zheng_xu: I understand origin is a big issue 17:41:41 present+ zheng_xu 17:42:00 ... I wonder if we can get some requirements we can put this origin stuff into a spec 17:42:09 q+ 17:42:16 ... will it be helpful to create task force? 17:42:36 ... if we put each book ID into subdomain we remove the issue 17:42:46 ack timCole 17:42:47 timCole: related to this 17:42:49 present+ timCole 17:42:58 ... part of the WG's job is to talk to other WGs 17:43:15 ... Leonard mentioned suborigins. We should probably provide them with use cases 17:43:29 ... we should probably talk about how a more granular CORS would help 17:43:49 ... I want cross-origin with these domains, but not those domains 17:43:51 +1 on de-origining 17:44:11 q+ 17:44:11 ... a task force to look at this, but to also inform other w3c work. I would be happy to participate. 17:44:14 wendyreid: OK 17:44:33 ... let's move on to TOCs. Some people should get together to talk about this 17:44:34 q- 17:44:45 Simon Says Topic: TOCs 17:45:01 tzviya: let's let JuanCorona show his stuff 17:45:09 present+ JuanCorona 17:45:31 JuanCorona: I do live demos too much :) 17:45:41 (shows his screen) 17:45:54 ... I have an algorithm 17:46:14 difficult to read Juan’s screen 17:46:16 ... I got inspired by the h5zero project which implements outline 17:46:23 ... before I had a treewalker 17:46:29 ... walking the DOM is the first step 17:46:48 ... there are some basic similiarity with the h5z algo 17:47:15 ... you go through children, sibling, then callbacks for entering and exiting nodes 17:47:27 ... the first thing it does is keep track of the nesting level 17:47:43 ... it finds out if we are entering a list element 17:48:26 I read the github issue about this, and we agreed that TOC out there in the web are typically using ul/ol and li 17:48:32 there was an idea to use headings 17:48:46 ... ivan talked about that 17:49:04 ... this is purely about list items, but it's flexible, you can have lots of divs and spans 17:49:13 ... identifiy list tags and save nesting level 17:49:51 ... it identifies implicit paragraphs and nesting levels and links 17:49:58 ... I have some test markup 17:50:05 ... there are lots of edge cases 17:50:15 ... and I don't know what data structure people expect 17:50:21 ...but first I'll show the cool stuff 17:50:37 ... I collected some samples from the web 17:50:44 ... here's the wikipedia ebook article 17:51:03 ... here's an epub3 nav 17:52:12 ... here's one of our meeting minutes 17:52:21 ... it's not that hard to get a structure out of this 17:52:26 ... we talked about SpaceJam 17:52:46 ... this is where the algo starts falling short 17:53:17 ... I can print out the nodes in raw form 17:53:34 ... with a list of anchors you can extract alt text, but it doesn't do that now 17:54:24 regrets+ teenya 17:54:54 regrets+ nick 17:55:09 ... let's look at list item descendents, and a span with anchor inline with the span 17:55:39 ... (more details of algo) 17:56:08 regrets+ makoto 17:56:31 ... I only spent a few hours on this, it could be made more robust, and try it with more examples 17:56:42 q+ 17:56:43 ... I'll gather my thoughts on where I found issues 17:56:43 q? 17:56:47 q+ 17:56:49 q+ 17:56:52 dkaplan3: I have a Q 17:56:56 ... this is cool 17:57:04 ... what is the takeaway for the WG writ large? 17:57:07 Karen has joined #pwg 17:57:45 clapierre has left #pwg 17:58:02 JuanCorona: the takeaway is that we got some results. this is all on my github. some of the samples.... we have a lot of flexibility, more than in EPUB and we can still get stuff that's workable and is still machine-readable 17:58:11 ... that's the takeaway. You can do this. 17:58:16 ... it can be refined. 17:58:35 ... and we can loosen the rules in the EPUB3 spec, and still get a machine-readable TOC 17:58:52 https://github.com/jccr/toc-outliner 17:58:54 q? 17:59:02 wendyreid: we are one minute from the end 17:59:03 ack dkaplan 17:59:08 ack laudrain 17:59:08 laudrain: q about the algo 17:59:22 ... in epub we use h1-h6 for titles of sections 17:59:30 ack ivan 18:00:02 https://github.com/w3c/wpub/issues/291#issuecomment-437571943 18:00:38 ivan: we need more on the structure of a toc, and the extraction algo must be specified. this is great because we need this. 18:00:58 ... but the issue refers to other things. we should look there. I tried to find consensus. 18:01:15 ... this is a very important issue. 18:01:47 garth: may 6-7 F2F we have space at Google in Cambridge, MA in Kendall Square. Hotels are expensive, even though it is after the marathon. 18:02:11 garth: 6-7 Monday, Tuesday. 18:02:24 wendyreid: thanks everyone 18:02:36 dauwhe has joined #pwg 18:02:43 evan has joined #pwg 18:02:59 cmaden2 has left #pwg 18:04:21 rrsagent, draft minutes 18:04:21 I have made the request to generate https://www.w3.org/2018/11/12-pwg-minutes.html ivan 18:04:22 zakim, bye 18:04:22 rrsagent, bye 18:04:22 I see no action items 18:04:22 leaving. As of this point the attendees have been wendyreid, tzviya, gpellegrino, wolfgang, dkaplan, ivan, CHayes, dauwhe, zheng_xu, jbuehler, bigbluehat, JuanCorona, romain, 18:04:22 Zakim has left #pwg 18:04:25 ... josh, Avneesh, Jun_Gamo, Teorge, George, Tim_Cole, Garth, Bill_Kasdorf, MustLazMS, Yanni, Chris_Maden, clapierre, duga, danielweck, Leonard, laudrain, timCole