Upcoming WHATNOT meeting on 5/16/2024

[past]

What is the issue with the HTML Standard?

Today we held our now weekly triage call (#10318) and I will post the meeting notes there in a bit. The next one is scheduled for May 16, 1am PDT. Note that this is 1 week later (per #10163) in an Americas+APAC friendly time.

People interested in attending the next call please respond here or reach out privately to me or the spec editors. We will be tagging issues for the next call again using the agenda+ label in all WHATWG repos and we would like to invite anyone that can contribute to said issues to join us.

[past]

@aphillips if you want to have the I18N-related discussion in this meeting, please add a comment with the propose topics.

[keithamus]

@past woud you mind sending the invite to me again please?

[past]

I removed and added you back to the calendar invite, which should have generated another email to you.

[yoavweiss]

I'd love to briefly chat about #10269

[past]

Thank you all for attending the meeting today and special thanks to Anne van Kesteren for copiously taking meeting notes! Here are the notes from this meeting (the next one is at #10352):

Agenda

Attendees: Olli Pettay, Simon Pieters, Michael Smith, Domenic Denicola, Luke Warlow, Anne van Kesteren, Benjamin Beurdouche, Yoav Weiss, Frederik Braun, Keith Cirkel, Emilio Cobos Álvarez, Peter Van der Beken
Scribe: Anne van Kesteren

1. Review past action items
   1. Rakesh will write a PR to have a more concrete conversation on The dropEffect column in the Drag and Drop events summary table should clarify it represents default values.
      1. Carry over.
   2. Rakesh will compare the platforms-specific behavior and come up with a concrete proposal for Drag and drop spec allows multiple values for dropEffect which might cause browsers to behave differently and How should UAs handle web authors setting dropEffect values?
      1. Carry over.
   3. Anne to find someone from WebKit to comment with their implementation details on Consider improving interoperability of <iframe> throttling margins.
      1. Emilio will take charge per action item.
      2. There's a related issue around scroll to text fragment.
   4. Chris Wilson will ask in the WebKit standards position to bring the discussion to the Add InvokeTarget & InvokeEvent IDLs & invocation steps for Dialog & Popover PR.
      1. WebKit needs more time to discuss, and will do so on the issue.
2. Carryovers from last time
   1. [Addison] Joint session with the I18N WG. Addison will provide a list of topics.
      1. Carry over.
   2. [Yoav] Add subresource integrity support for ES modules, through importmaps
      1. Delay landing the PR for 2 weeks while Yoav, Ben, and others work through the overlap with the larger integrity proposal. But we suspect it will be fine.
3. New topics
   1. [Simon] Should showPicker() consume user activation?
      1. Consume user activation in show the picker #10344
      2. https://github.com/whatwg/html/security/advisories/GHSA-hr74-5fj7-jgxp
      3. https://whatpr.org/html/10344/f239744...fc8b0dd/input.html#show-the-picker,-if-applicable
      4. There's evidence from Gecko that this change is web-compatible
      5. This will not completely fix all security problems.
      6. WebKit is on board (per https://github.com/whatwg/html/security/advisories/GHSA-hr74-5fj7-jgxp#advisory-comment-95045).
   2. [Simon] Remove UA style for h1-h6 in section (et. al.) and hgroup
      1. Vague interest from WebKit and Chromium people in the room, who will check in and report back

Action Items

1. @emilio to work on pulling out the common points for iframe throttling into the issue about Consider improving interoperability of <iframe> throttling margins, and maybe a spec PR.
2. @domenic to ping relevant Chrome people to give opinions on Consume user activation in show the picker #10344 and Remove UA style for h1-h6 in section (et. al.) and hgroup #7867
3. @zcorpan to find other issues with file pickers.

Minutes

Topic: Past action items.

Rakesh is not attending so deferring drag & drop action items.

Anne: WebKit does something hacky for display: none

Emilio: I think the special casing in WebKit for display: none iframes might be removable once there's more consistent throttling.

Domenic: Someone should take ownership of this and propose something.

Emilio: I volunteer as tribute.

Simon: somewhat related WICG/scroll-to-text-fragment#79. Throttling can enable you to detect this with setTimeout/rAF instead of having to use IntersectionObserver. [Also see w3c/IntersectionObserver#508 (comment)]

Emilio: this is not a perfect side channel as there are other ways iframes might become visible

Simon: you can combine with navigation timing to make it even better, possibly 100%

Topic: Carryover

Domenic: i18n WG is not here, so skipped.

Yoav: Integrity proposal is moving along. Various implementation patches. PR is ready.

Benjamin: At Mozilla we are working on a proposal around integrity that's more general. Closer to Code Verify. https://faq.whatsapp.com/1210420136490135/ presumably.

[Audio breaking up for minute taker.]

Benjamin: Large providers can't have individual modules listed as the manifest gets too large(?). And we also want coverage for other subresources, such as CSS and resources that are fetched on the fly.

Yoav: That's an interesting problem. I'd like to be involved. However, I see integrity for the entire app as a separate problem from integrity for individual subresources. This just brings JS modules on par with <script integrity>.

Benjamin: I think we need some more time to look into this and discuss this more at length.

Domenic: I think it's important that there's something simple if all you care about is subresources.

Freddy: I didn't know this is related to payment standards, when are those going into effect?

Yoav: Sometime next year. https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Domenic: Can we merge? It seems like nobody is blocking this?

Benjamin: I'd like a further two weeks.

Topic: showPicker()

Simon: Wanted to double check that consuming user activation for this method is okay.

Luke: Need to make sure it's in the correct place so there's no conflict with invokers.

Simon: #10084 (comment)

Anne: Main thing I'd like to be sure on is that we're not leaving any attacks on the table.

Simon: Will double check.

Topic: Removing "legacy" UA style rules for headings

Simon: Is there interest in this? I think we can drive down usage further. And the breakage is fairly minimal. A couple websites are actually improved as they were written before the specification changed.