Publishing Working Group Telco — Minutes

Date: 2018-11-12

See also the Agenda and the IRC Log

Attendees

Present: Juan Corona, Wendy Reid, Tzviya Siegman, Gregorio Pellegrino, Wolfgang Schindler, Deborah Kaplan, Ivan Herman, Caroline Hayes, EvanOwens, Dave Cramer, Zheng Xu (Jeff), Jeff Buehler, Benjamin Young, Romain Deltour, Jun Gamou, Joshua Pyle, Avneesh Singh, Karen Myers, George Kerscher, Tim Cole, Bill Kasdorf, Garth Conboy, Mustapha Lazrek, Yu-Wei Chang (Yanni), Chris Maden, Charles LaPierre, Brady Duga, Daniel Weck, Leonard Rosenthol, Luc Audrain

Regrets: Murata Makoto, Franco Alvarado, Rachel Comerford, Ric Wright, Vladimir Levantovsky, Teenya Franklin, Nick Ruffilo, Marisa DeMeglio

Guests:

Chair: Wendy Reid

Scribe(s): Dave Cramer, Tzviya Siegman

Content:

• 1. Admin
• 2. origins and web publications
• 3. Tables of Contents
• 4. next F2F meeting
• 5. Resolutions

Wendy Reid: welcome everyone

1. Admin

Wendy Reid: https://www.w3.org/publishing/groups/publ-wg/Meetings/Minutes/2018/2018-11-05-pwg.html

Wendy Reid: minutes are approved
… new members this week!

Resolution #1: last week’s minutes approved

Yu-Wei Chang (Yanni): I’m Yanni from Taiwan

2. origins and web publications

Tzviya Siegman: a lot of people in the group aren’t familiar with the issue
… an overview would be helpful

Ivan Herman: https://github.com/w3c/wpub/issues/321 is the issue leading to this

Tzviya Siegman: https://github.com/w3c/dpub-pwp-ucr/issues?page=1&q=is%3Aissue+is%3Aclosed

Daniel Weck: jiminy wrote eloquently described the history of the origin problem on the web
… and the legacy problems we live with
… and how new things on web are built with origin in mind
… I can summarize how it impacts us
… there are JS apis in web browsers that will rely on a set of security rules
… and there is functionality that will be disabled based on those rules, regardless of whether script is used
… in CSS fonts are affected by origins
… it’s about the https, address, port number
… why is that relevant in web publications?
… we have to obey the rules of the web
… and it goes back to EPUB
… where it was underspecified
… so EPUB reading systems used weird tricks to bring stuff into webviews
… but that’s underspecified
… so most reading systems implement a content server
… with an IP address and port number
… so that when we serve content we don’t enable one publication script to access a different publication
… think of a publication with a built-in user preference
… that preference would be saved in local storage or something
… that should be sandboxed
… and origin is a mechanism for content authors to control what is available to who
… on the web we have to be mindful that origin is important
… and we need to consider the restrictions we put on content
… there are issues around service workers, which depends on scope and is sensitive to origins

Leonard Rosenthol: let me add a bit
… I gave a presentation on this at the first F2F in NY
… when web content is instantiated in a browser or reading system or any UA
… that content is instantiated in a context
… the origin is what defines the security level and infrastructure for the context
… if you’re offline, for example, there’s a null origin
… then it is an insecure context
… when contexts are insecure many JS APIs can’t run. they are not allowed to.
… this includes some interactivity, like access to geolocation
… or microphones or cameras
… but if you have an origin, and the origin is secure (https) then you can access that stuff
… then you run into cross-site stuff. CORS can allow fonts from a different origin.
… many publishers are hosting books for various authors
… you don’t want the script from one pub to access another publication
… but if they’re both on kobo.com, then they are on the same domain and so there’s nothing to prevent from a publication talking to another
… there is talk in the web security task force about suborigins, to address this problem

Daniel Weck: Related issue (discussion about HTTP CORS headers): https://github.com/w3c/wpub/issues/352#issuecomment-435913228

Leonard Rosenthol: https://w3c.github.io/webappsec-suborigins - suborigins work

Dave Cramer: It feels like we haven’t made fundamental decisions. Does the manifest have to be same origin as entry page?
… I’ve had concerns that if WP is just a collection of stuff that are glued together with a manifest, then it leaves open the possibility of someone creating a publication without my consent.
… We should consider whether some pieces MUST be same origin.
… A lot of us have had an EPUB-ish model in mind. If I create a publication at Hachette, it will end up on a Kobo origin. The Web has looked at this a lot, and we need to consider what we’re doing.

Deborah Kaplan: add to what dave says
… not all of everyone’s requirements are compatible, they can’t co-exist
… early on, some requirements are about anthologies, which is a valid use case
… and security and rights means there are limits
… it’s not just a technological limitation; there are competing priorities, and one of them is going to win

Tzviya Siegman: TAG Findings on distributed and syndicated content https://www.w3.org/2001/tag/doc/distributed-content/

Ivan Herman: the question for me is
… what of this is something that should be part of the specification
… and what should be part of an accompanying document on limitations
… the Q that dave was asking, should manifest be same domain as entry page
… if they are on different domains than getting to manifest might be problematic
… but if I publish my manifest with CORS flags set it’s a deployment question

Brady Duga: +1 to Ivan’s comments

Ivan Herman: so this might be a deployment question
… but it’s not something that WPUB defines
… just as HTML does not define these things

Daniel Weck: +1 Ivan

Tzviya Siegman: one issue that we keep kicking down the road is offlining
… which is associated with packaging but is not the same
… and this is related to the boundaries
… which we’ve defined philosophically
… I’m not familiar enough with SWs to know how they operate,a nd that CORS is an issue
… we’re handwaving about offlining, but we’ll have to face origins in reality
… and cross-origin might be causing problems
… so we may have to prioritize our requirements

Deborah Kaplan: Basically, Tzviya is saying specifics of my general point: we have competing and incompatible requirements, and ultimately one of them will win.

Deborah Kaplan: (possibly incompatible.)

Benjamin Young: issue 104 around browsing contexts…
… beyond the origin idea, and we still haven’t answered the question about what environment this spec is operating in
… just like HTML is for browsers, but other user agents might use it for PDF generation or something
… in which case the UAs might not follow all the rules
… HTML defines origins and browsing contexts
… are web publication intended to be run primarily in browsers, and thus any user agent should expect to operate in those confines
… and we’d lean on web app security
… or are we going to redefine those things, and craft our own user agent definition
… that uses OWP content, but might not care about origins etc

Dave Cramer: let’s be careful about the effects of our technology

Luc Audrain: +1 to Dave

Tzviya Siegman: +1 dauwhe

Romain Deltour: +1

Hadrien Gardeur: I’m uncomfortable with the way we describe those issues
… a lot of it comes down to how you implement the affordances
… we say offlining or packaging
… very diff issues depending how you implement
… the audio book example… I used a previously hosted audiobook
… the UA is using an audio element in html, so I don’t have issues with origins
… so it’s hard to talk about vague things, as it depends on how we implement

Brady Duga: responding to some things that Tzviya and Dave
… I”m worrying about limiting what we can do based on how things work today
… like if we restrict what we can do based on the security model of service workers, and then that changes later
… I might want to have stuff in another doc on the realities of deployment today
… to what dave said about white supremacists
… that’s an abuse of origins, and is more about rights management
… and it seems dangerous to use a security model to enforce rights

Deborah Kaplan: there are tech limits and functional requirements
… they’re different and they get conflated
… we need to keep them separate
… the set of requirements: what must we allow, what must we forbid
… I want to move away from Dave’s specific example
… and say that there might be a functional requirement that you can’t take your stuff without permission
… and there are technical limitations
… so we must make sure our tech enables our functional requirements
… my Inner Ivan says that the technology today is all the technology we have. We have to write around today’s technology
… my interpretations of Dave’s statement, wasn’t about the copyright, but we can’t just be building tech and pretending what anyone does with it is not our fault
… we don’t want to be Oppenheimer
… let’s be responsible about our specs
… and let’s be clear about functional requirements, and distinguish them from the technology that enables them

Ivan Herman: what is, if any, the next step re: origins?

Garth Conboy: is the inner or outer Ivan proposing that we don’t put origin stuff in our spec?

Ivan Herman: fundamentally, yes
… there are specific questions, because origins is part of our text on retrieving the manifest
… the other question which we must have, are there security issue that we must mention and describe
… I know this is a horizontal review requirement
… and neither the inner nor outer ivan has any idea

Tzviya Siegman: I want to ask the people in the group who understand this to contribute. I like Deborah’s idea of functional requirements
… we don’t need a task force, but there is some work to be done
… just a list of stuff

Daniel Weck: Sure :)

Dave Cramer: sure

Daniel Weck: I’m sure Jiminy will be delighted :)

Zheng Xu (Jeff): I understand origin is a big issue
… I wonder if we can get some requirements we can put this origin stuff into a spec
… will it be helpful to create task force?
… if we put each book ID into subdomain we remove the issue

Tim Cole: related to this
… part of the WG’s job is to talk to other WGs
… Leonard mentioned suborigins. We should probably provide them with use cases
… we should probably talk about how a more granular CORS would help
… I want cross-origin with these domains, but not those domains

Leonard Rosenthol: +1 on de-origining

Tim Cole: a task force to look at this, but to also inform other w3c work. I would be happy to participate.

3. Tables of Contents

Wendy Reid: OK
… let’s move on to TOCs. Some people should get together to talk about this

Tzviya Siegman: let’s let JuanCorona show his stuff

Juan Corona: https://github.com/jccr/toc-outliner

Juan Corona: I do live demos too much :)
… (shows his screen)
… I have an algorithm
… I got inspired by the h5zero project which implements outline
… before I had a treewalker
… walking the DOM is the first step
… there are some basic similarity with the h5z algo
… you go through children, sibling, then callbacks for entering and exiting nodes
… the first thing it does is keep track of the nesting level
… it finds out if we are entering a list element
… I read the github issue about this, and we agreed that TOC out there in the web are typically using ul/ol and li
… there was an idea to use headings
… this is purely about list items, but it’s flexible, you can have lots of divs and spans
… identify list tags and save nesting level
… it identifies implicit paragraphs and nesting levels and links
… I have some test markup
… there are lots of edge cases
… and I don’t know what data structure people expect
… but first I’ll show the cool stuff
… I collected some samples from the web
… here’s the wikipedia ebook article
… here’s an epub3 nav
… here’s one of our meeting minutes
… it’s not that hard to get a structure out of this
… we talked about SpaceJam
… this is where the algo starts falling short
… I can print out the nodes in raw form
… with a list of anchors you can extract alt text, but it doesn’t do that now
… let’s look at list item descendants, and a span with anchor inline with the span
… (more details of algo)
… I only spent a few hours on this, it could be made more robust, and try it with more examples
… I’ll gather my thoughts on where I found issues

Deborah Kaplan: I have a Q
… this is cool
… what is the takeaway for the WG writ large?

Juan Corona: the takeaway is that we got some results. This is all on my github. some of the samples…. we have a lot of flexibility, more than in EPUB and we can still get stuff that’s workable and is still machine-readable
… that’s the takeaway. You can do this.
… it can be refined.
… and we can loosen the rules in the EPUB3 spec, and still get a machine-readable TOC

Wendy Reid: we are one minute from the end

Luc Audrain: q about the algo
… in epub we use h1-h6 for titles of sections

Ivan Herman: https://github.com/w3c/wpub/issues/291#issuecomment-437571943

Ivan Herman: we need more on the structure of a toc, and the extraction algo must be specified. this is great because we need this.
… but the issue refers to other things. We should look there. I tried to find consensus.
… this is a very important issue.

4. next F2F meeting

Garth Conboy: May 6-7, 2019, we have space at Google in Cambridge, MA in Kendall Square for a F2F. Hotels are expensive, even though it is after the marathon.

Garth Conboy: 6-7 Monday, Tuesday.

5. Resolutions

• Resolution #1: last week’s minutes approved