whatwg - Dave's Blog


Retweet of GundersenMarius

2016 Jan 19, 10:49
I love this diagram in the WHATWG spec. It explains it much better than words could pic.twitter.com/RflCT5JIGu

location.hash and location.search are bad and they should feel bad

2014 May 22, 9:25
The DOM location interface exposes the HTML document's URI parsed into its properties. However, it is ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
  • The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
    • The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
    • The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
    • The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
  • The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if it's the empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same are not equal URIs and are allowed by HTTP to return different content. Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or hash.
But, like complaining about the number of minutes in an hour, none of this can ever change without huge compat issues on the web. Accordingly, I can only give my thanks to Anne van Kesteren and the awesome work on the URL standard moving towards a more sane (but still working practically within the constraints of compat) location object and URI parsing in the browser.
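The second complaint above, as an added example that is not part of the original post: the getters give the same result for a missing and an empty query or fragment, which matters wherever URLs are compared (cache keys, allowlists). The helper names `splitUri` and `compareQueryAndFragment` are hypothetical, the regular expression is the splitting pattern from RFC 3986 Appendix B, and the sample URLs are constructed.

```javascript
// Added example, not from the original post. Distinguishes an absent query or
// fragment from an empty one, which the search/hash getters do not do.
// The pattern is the URI-splitting regular expression from RFC 3986, Appendix B.
const RFC3986_SPLIT = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Returns each component as a string, or null when its delimiter is missing.
function splitUri(uri) {
  const m = RFC3986_SPLIT.exec(uri); // always matches: every group is optional
  const orNull = (v) => (v === undefined ? null : v);
  return {
    scheme: orNull(m[2]),    // exposed by location as "protocol"
    authority: orNull(m[4]),
    path: m[5],
    query: orNull(m[7]),     // exposed by location as "search"
    fragment: orNull(m[9]),  // exposed by location as "hash"
  };
}

// Compares two URIs on query and fragment twice: through the URL object's
// search/hash getters (lossy) and through the split components (exact).
function compareQueryAndFragment(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const pa = splitUri(a), pb = splitUri(b);
  return {
    sameViaGetters: ua.search === ub.search && ua.hash === ub.hash,
    sameComponents: pa.query === pb.query && pa.fragment === pb.fragment,
  };
}

// Constructed sample inputs (example.com is a placeholder host).
const samples = [
  ["http://example.com/page", "http://example.com/page?"],
  ["http://example.com/page", "http://example.com/page#"],
  ["http://example.com/page?a=1", "http://example.com/page?a=1"],
];
for (const [a, b] of samples) {
  console.log(a, b, compareQueryAndFragment(a, b));
}
```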

WHATWG Weekly: http+aes URL scheme, control Referer, …

2012 Mar 7, 8:08

Seems generally bad to embed sensitive info in the URI (the http+aes URI scheme’s decryption key) similar to the now deprecated password field.

Use case is covered here: http://lists.w3.org/Archives/Public/ietf-http-wg/2012JanMar/0811.html.  Also discussion including someone mentioning the issue above.


Web Worker Initialization Race

2012 Feb 24, 1:44

Elaborating on a previous brief post on the topic of Web Worker initialization race conditions, there are two important points to follow to avoid a race condition when setting up a Worker:

  1. The parent starts the communication posting to the worker.
  2. The worker sets up its message handler in its first synchronous block of execution.

For example, the following has no race because the spec guarantees that messages posted to a worker during its first synchronous block of execution will be queued and handled after that block. So the worker gets a chance to set up its onmessage handler. No race:

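    // Parent ("worker.js" is an illustrative file name)
    var worker = new Worker("worker.js");
    worker.postMessage("start"); // the parent starts the communication

    // worker.js: handler assigned in the first synchronous block
    onmessage = function (e) {
      // ...
    };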

The following has a race because there's no guarantee that the parent's onmessage handler is set up before the worker executes postMessage. Race (violates 1):

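    // Parent ("worker.js" is an illustrative file name)
    var worker = new Worker("worker.js");
    worker.onmessage = function (e) {
      // ...
    };
    // worker.js: the worker starts the communication
    postMessage("ready");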


The following has a race because the worker has no onmessage handler set in its first synchronous execution block and so the parent's postMessage may be sent before the worker sets its onmessage handler. Race (violates 2):

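    // Parent ("worker.js" is an illustrative file name)
    var worker = new Worker("worker.js");
    worker.postMessage("start");

    // worker.js: handler assigned in a later task, not the first synchronous block
    setTimeout(function () {
      onmessage = function (e) {
        // ...
      };
    }, 0);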

[whatwg] CORS requests for image and video elements

2011 May 23, 4:26
Applying CORS to the media elements: "I've added a content attribute to <img>, <video>, and <audio> that makes the image or media resource be fetched with CORS and have the origin of the page if CORS succeeded. The attribute is "cross-origin" and it has two allowed values, "use-credentials" and "anonymous". The latter is the default, so you can just say <img cross-origin src="data.png">."

[whatwg] Proposal for IsSearchProviderInstalled / AddSearchProvider

2011 Feb 23, 2:17
Proposal to standardize on the function to add search providers in user agents.

The WHATWG Blog » Blog Archive » What’s next in HTML, episode 2: who’s been peeing in my sandbox?

2010 Jan 26, 2:00
The sandbox attribute for the iframe element sounds like a big pit of issues. Includes a new MIME type text/html-sandbox to put on content that shouldn't be rendered as HTML in browsers that don't support the sandbox attribute.

The WHATWG Blog » Blog Archive » Sniffing for RSS 1.0 feeds served as text/html

2009 Sep 29, 10:54
How Firefox and IE7&8 perform feed sniffing.


2009 Sep 10, 6:42
"Although HTML and XHTML appear to have similarities in their syntax, they are significantly different in many ways."

Implementations in Web browsers - WHATWG Wiki

2009 Jun 8, 4:56
"List of known implementations of HTML 5 in web browsers (list is incomplete, feel free to extend it)"

[whatwg] Superset encodings [Re: ISO-8859-* and the C1 control range]

2009 Apr 23, 1:35
"This e-mail is an attempt to give a relatively concise yet reasonably complete overview of non-Unicode character sets and encodings for 'Chinese characters', excluding those which are not supported by at least one of the four browsers IE, Safari, Firefox and Opera (henceforth 'all browsers'), and tentatively avoiding technical details which are out of scope for HTML5 unless they are important to gain a general understanding of the relevant issues."

[whatwg] [WhatWG] Some additional API is needed for sites to see whether registerProtocolHandler() call was successful

2009 Apr 7, 12:14
This makes plenty of sense, that a site should be able to check if a protocol handler exists for some URI scheme, but it'd be nice if this were some sort of declarative fallback plan rather than having to do it all with script. "The HTML5 standard function registerProtocolHandler() should probably remain void as in standard, but WhatWG could invent yet another boolean protocolRegistered("area"), with the only argument (protocol name as string), to check whether a protocol is registered."

Planet HTML5

2009 Apr 7, 10:04
Aggregation of feeds concerning HTML5 including Ian Hickson's, Planet Mozilla, Planet WebKit, the IE Blog, the WHATWG blog, etc.

Thoughts on registerProtocolHandler in HTML 5

2009 Apr 7, 9:02

I'm a big fan of the concept of registerProtocolHandler in HTML 5 and in Firefox 3, but not quite the implementation. From a high level, it allows web apps to register themselves as handlers of a URL scheme, so for (the canonical) example, GMail can register for the mailto URL scheme. I like the concept:

However, the way it's currently spec'ed out I don't like the following:

The WHATWG Blog - Blog Archive - This Week in HTML 5 - Episode 20

2009 Feb 3, 11:15
"r2719 specifies that browsers should not allow scripts to set document.domain to anything on the Public Suffix List, such as "com" or "co.jp". Essential background reading on why this is dangerous: Untraceable XSS Attacks. Most browsers already block this attack, e.g. Firefox since 3.0. [Background: Re: Setting document.domain]"


2008 Oct 1, 1:08
A weekly summary of the goings-on in the WHATWG, usually on the topic of squabbles in HTML5, esp. what to do about the alt attribute in the img tag. Interesting stuff on charsets.

[whatwg] Web Applications 1.0 Draft

2008 Aug 20, 9:48
Apple will or will not license the canvas tag? 'Apple Computer, Inc. ("Apple") believes it has intellectual property rights ("IP Rights") relative to WHATWG's Web Applications 1.0 Working Draft, dated March 24, 2005, Section 10.1, entitled "Graphics: The bitmap canvas". At this time, Apple reserves all rights in its IP Rights and makes no representations as to Apple's willingness or unwillingness to license these IP Rights. However, in the event that the Web Applications 1.0 Working Draft, dated March 24, 2005, becomes part of a formalized draft standard at W3C or IETF, for example, Apple is prepared to address the disclosure/licensing rules of such organizations.'