Domain: w3.org
Stories and comments across the archive that link to w3.org.
Comments · 6,785
-
Re:So...
So how do you propose companies like Apple and Microsoft distinguish between cases where they should follow established industry standards and specs or deviate from them?
They pay attention when the organisations proposing the standards suspend work on them? Note that this happened with P3P in 2007.
"After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state.
The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation."
-
Re:In cases where P3P is not precise enough
The article answers this question by quoting a section from the P3P spec:
In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.
This is correct. However, as stated further down in the same section, the effect of such policies is to be positive and declarative (meaning the policy should state what the site DOES do, not what it DOES NOT do), and be informative to the user. The standard allows for user agents to then use the P3P policy to make it the basis for "authorization" but then goes on to state that implementers of user-agents can make their own decisions as to what the declarations mean in the context of the connection.
This has led to situations where browsers that implement P3P and tie it to certain "security features" end up with a browser implementation that works dramatically different than other browsers for the very same privacy declaration. In most cases, browsers do not even IMPLEMENT a user-readable informational dialog for P3P -- it is by standard the browser implementers' decision.
If you're keeping score at home, that's bad.
-
In cases where P3P is not precise enough
According to Google, there is no code in the P3P standard to accurately describe how Google uses cookies. [In such a case,] how should a website fill use the P3P header?
The article answers this question by quoting a section from the P3P spec:
In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.
-
Re:Where's the money from?
Apparently this is how Apple "stymie industry-standard practices":
Now, from what I can tell, the first part of that story is true – Google and many others have figured out ways to get around Apple’s default settings on Safari in iOS – the only browser that comes with iOS, a browser that, in my experience, has never asked me what kind of privacy settings I wanted, nor did it ask if I wanted to share my data with anyone else (I do, it turns out, for any number of perfectly good reasons). Apple assumes that I agree with Apple’s point of view on “privacy,” which, I must say, is ridiculous on its face, because the idea of a large corporation (Apple is the largest, in fact) determining in advance what I might want to do with my data is pretty much the opposite of “privacy.”
Then again, Apple decided I hated Flash, too, so I shouldn’t be that surprised, right?
[...]
I don’t know, but when I bought an iPhone, I didn’t think I was signing up as an active recruit in Apple’s war on the open web. I just thought I was getting “the Internet in my pocket” – which was Apple’s initial marketing pitch for the device. What I didn’t realize was that it was “the Internet, as Apple wishes to understand it, in my pocket.”
Does not make any sense to me. First the author claims that Apple should have actively asked him to define the security settings and because it did not Apple is somehow evil. No operating system ever can actively ask their users to set up everything to a microscopic level, there has to be a default somewhere. It would take days to get through all the settings on my computer. I would say "fuck this" after fifteen minutes of configuring panels where I left almost everything set to the default anyway.
How could Apple agree with your stance on privacy unless you tell Apple your privacy wishes? The author seems to be well versed in computers and smartphones, I am sure he could figure out how to tell Apple how his privacy should be managed.
Then he somehow thinks Flash is an industry standard. This is what Apple allows to run in mobile Safari and disallowing non-standard (arguably proprietary) third party extensions is not really how you stymie industry-standard practices.
-
Re:It's a good thing the military is still funded.
Thank you Tim Berners-Lee, another Brit.
-
Re:Prior art
The original WWW of 1990 did not have most of what we associate with the WWW today. Here is the spec from late 1991, and this is what a WWW page looked like. Note for example there is no img tag. (About 19 of those 20 tags were in SGML already - the breakthrough though is HREF - the hyperlink).
-
html
Hypertext had been around since the 1980's. Apple II hypercard anyone? There were many products before that.
Berners Lee released HTML by early 1991.
-
Re:Stick to ASCII
The character entities in HTML are only to try to get around legacy encodings. And since you can specify numerical Unicode entities, all of the Unicode set is accessible, there is no need for explicit names for everything.
If you aren't constrained to legacy encodings, then the obvious approach is just to set the encoding to something sensible, for example UTF8. There are several ways to do this in HTML. http://www.w3.org/TR/html5-diff/#character-encoding
-
Re:RDF?
Resource Description Format? Oh no, it's a Framework.
-
Re:I don't get it.
Which makes me prefer a standalone app instead of a website for utilities.
Ideally a web application SHOULD work offline using the Application Cache and Web Storage components of the HTML5 stack. But some publishers are under the impression that offline access is a premium feature.
-
Actual discussion
-
This posting misquotes Mark Nottingham
This posting quotes an unreliable news report, and claims that IETF HTTP working group head Mark Nottingham, "called for it [SPDY] to be included in the HTTP 2.0 standard". Nonsense. It's easy enough to find the actual announcement from Mark which says, in part:
I've put together a charter proposal (see attached) that has us going to WGLC shortly (something that I want to see us do regardless), and starting work on HTTP/2.0. Note that it does NOT call out a starting point; rather, we'll start by asking for proposals, considering them and selecting one based upon the traditional IETF criteria of rough consensus and running code.
Indeed, the proposed formal charter for the new work that's included in Mark's note doesn't mention SPDY at all. I've been in meetings with Mark about this, and SPDY is no doubt at or near the top of the list in terms of interesting candidate technologies to look at, but it's incorrect to say that Mark is calling for its use in HTTP 2.0. At the very least, the Slashdot post on which this is a comment would do a much better service to the community if it linked and quoted Mark's actual announcement, rather than some hyped up misinterpretation from the press. All the conspiracy theorists should calm down a little while, and subscribe to the IETF working group mailing list if they really want to see how this plays out.
-
Re:notepad++ dude. And an answer...
I agree with but since no one seemed to have any answers for this person... I have not used these but they seem to be options a Dreamweaver replacement. NVU http://net2.com/nvu/ Quanta Plus http://freecode.com/projects/quantaplus Amaya http://www.w3.org/Amaya/ Blue Griffon http://bluegriffon.org/ Hope this helps the original poster. Oh and if you just want free as in beer. http://www.microsoft.com/visualstudio/en-us/products/2010-editions/express I have used any of them but out of this is you will probably find something that will fill the bill.
I hadn't heard of Blue Griffon, so I looked it up and found that it is made by the same guy who made Nvu all those years ago. Nvu hasn't been updated for over 6 years, so as a result the community forked it and it became KompoZer. Now, though, KompoZer hasn't been updated in almost 2 years. The other options don't appear to be faring much better on the release front. It looks like Blue Griffon might be the way to go at the moment.
-
Re:notepad++ dude. And an answer...
LWATCDR posted:
I agree with but since no one seemed to have any answers for this person... I have not used these but they seem to be options a Dreamweaver replacement. NVU http://net2.com/nvu/ Quanta Plus http://freecode.com/projects/quantaplus Amaya http://www.w3.org/Amaya/ Blue Griffon http://bluegriffon.org/ Hope this helps the original poster. Oh and if you just want free as in beer. http://www.microsoft.com/visualstudio/en-us/products/2010-editions/express I have used any of them but out of this is you will probably find something that will fill the bill.
Good of you to actually address the OP's question. However:
NVU - only useful for sites hosted by the program's vendor.
Quanta Plus - only runs on Linux (DW is a Mac/Windows application).
Amaya - hasn't been updated since 2009, and it's utterly broken in many respects (can't cut-and-paste tables, for instance).
Blue Griffon - shows promise. I haven't used it, so I don't know how well it works, but at least it's currently under development. Otoh, it's still in beta, it's "free to download" - which means they plan to charge some unknown amount for the commercial release version - and it has a bunch of add-ons that are NOT free, and do not appear to be OS.
Visual Web Studio Express - is a Windows application. OP may well be working in a Mac environment. Also, resulting HTML is likely bloatacious and nearly impossible to hand-tune.
-
Re:notepad++ dude. And an answer...
I agree with but since no one seemed to have any answers for this person...
I have not used these but they seem to be options a Dreamweaver replacement.
NVU http://net2.com/nvu/
Quanta Plus http://freecode.com/projects/quantaplus
Amaya http://www.w3.org/Amaya/
Blue Griffon http://bluegriffon.org/
Hope this helps the original poster.
Oh and if you just want free as in beer.
http://www.microsoft.com/visualstudio/en-us/products/2010-editions/express
I have used any of them but out of this is you will probably find something that will fill the bill.
-
Amaya
You should definitely try Amaya
-
Re:A cheer goes up
CSS3 adds multi-column layouts. We just need the browsers to get there.
The bad part is that IE9 (and lower, obviously) does not support it. The good part is that IE10 will.
-
Re:A cheer goes up
For what it's worth - there are a few groups working on solutions to this dissociation between layout and content to us visual beings.
Others have already pointed out that layout and content should be separate, allowing the layout to differ completely while serving up the same content in order to facilitate different clients (screen sizes, screen readers, etc.)
But most of them missed the part that you actually complained about - that it's practically impossible to glance at either HTML or CSS and have an impression of how it should look for the given medium.
Here's one such solution...
http://www.w3.org/TR/css3-layout/
It essentially specifies a grid onto which you specify certain reference characters (a,b,c, etc.) which you can then reference in your CSS. If you then ever wish to swap the left and right columns, you don't even have to worry about the exact CSS markup, you simply swap the two characters in the grid layout.
There are many others - some simpler, some vastly more sophisticated (almost in line with professional publishing software and practically requiring a WYSIWYG editor.. at which point the underlying code becomes a bit secondary) - but it looks like the problem you're facing now should become a thing of the past 'soon' (depending on browser implementation and finalization, basically).
-
Re:No reason to celebrate now.
There is a case I stumbled upon in which IE9 behaves differently than FF/Chrome/Opera, which forces me to warn users that IE doesn't display properly the page. It appears IE9 doesn't interpret properly 'white-space: pre-wrap' (while other browsers do), it unfortunately does collapse newline characters, while it should not, as per w3.org. (of course, prior versions of IE have even more problems.)
-
Re:Start with the W3 guide to secure CGI programmi
http://www.w3.org/Security/faq/wwwsf4.html
At the bottom of the referenced page is this:
$Id: wwwsf4.html,v 1.11 2003/02/23 22:46:27 lstein Exp $
Not exactly up-to-date, is it?
-
Re:Web-specific suggestion(s)
These days, in my opinion, sessions are done better and more securely with cookies; a cookie, for example, can be set to require a secure transmission vector (usually SSL in an HTTPS request), and aren't bookmarked as part of a URL. Yes it is more difficult to see what cookies are stored in your browser than in a URL, but most browsers will allow you to view and/or clear cookies easily enough. In addition, cookies can be set to expire automatically a set time on the client so they're only valid for a specified period of time, which can be completely separate from the server side. For instance, you could create a session that would live for 5 hours, and regularly change the session ID (say every fifth request if you like); the session cookie would get updated each time, but the overall session would live only for that 5 hour window. While the same could be done with a session ID in a URL, that session ID could still end up in a bookmark; in the very unlikely event of the session ID being reused, that bookmark could represent an inadvertent attack vector.
In addition, cookies are passed with both GET and POST requests; not every page has to be a POST request to use cookies to pass session IDs, and as I explained already, a session ID in a URL can be bookmarked. GET and POST have two different purposes, and I think everyone designing web pages could stand to read through the HTTP RFC. Logins should be done exclusively with POST in my opinion, and normal data retrieval once logged in should be done with GET. There's no reason that any search engine should ever be given a session, let alone a session ID; if a search engine needs access to otherwise secured information, there are options to accomplish that, but I can't see the logic in locking up data then making it publicly available in a search engine.
-
Re:Start with the W3 guide to secure CGI programmi
http://www.w3.org/Security/faq/wwwsf4.html Once you understand the things they recommend and WHY they recommend them, you won't need to ask this question anymore.
You can also spread your application out into layers. From your request I assume you will be collecting and/or publishing sensitive data. It may be possible to divide that process into sections, and spread the sections over three different machines, with custom-written interfaces between them. That way, when (not if, but when) your world-facing server gets pwned, the pwners will probably be unable to immediately pull anything useful out of the second section (on the second machine), since it isn't using any ordinary method (e.g. HTTP on port 80) to publish data. This arrangement, like a bank vault, is not perfect defense, but it does give you more time to notice the breach and react.
-
Start with the W3 guide to secure CGI programming
http://www.w3.org/Security/faq/wwwsf4.html
Once you understand the things they recommend and WHY they recommend them, you won't need to ask this question anymore.
-
Re:Is Google trying to fragment web?
There's a big difference between forcing everything to go through to committee, and having a strong leadership but with a "release early, release often" approach and seeking input.
And Javascript is a great example of a good technology with bad warts that could've been corrected if he had a little more time to gather feedback. As for HTTP, have you looked at the original spec? The implementation was so simple feedback would've been almost useless.
currently, NaCl is a mere curiosity
Possibly, but NaCl is just an example of what it seems to me as a trend.
-
iOS does not support file uploads
Is there some fundamental difference between a PC browser's javascript and a phone browser's javascript?
No, but there is a fundamental difference between a PC browser's DOM and a phone browser's DOM. Phone browsers are less likely to implement certain HTML5 APIs. For example, Apple claims that Safari for iOS doesn't even support <input type="file">, let alone the File API.
Or is there some threshold of code volume beyond which you have to have a connection?
Yes. Phone browsers are likely to impose smaller quotas on the application cache and local storage, as I mentioned in another comment.
-
Re:Americans can't spell
Americans do not "control" soft dictionaries. Tin foil much?
Set your country code and browser language appropriately and you are good to go.
-
Re:Good
Is that a display:run-in sentence? rofl. I see you're out of date: http://www.w3.org/Style/CSS/Test/
-
NOT w3schools! It's the worst site on the net!
Please. This did more bad than good.
-
Re:For your own good
No.
XMLHttpRequest Level 2, which supports CORS is the proposed W3C standard. See this. Firefox, Chrome, and Safari implement this spec.
Microsoft's XDomainRequest is Microsoft's non-standard proprietary implementation, though they have attempted to get it ALSO added to the W3C. See this for a response to Microsoft, and why XDomainRequest is a bad idea.
Also see the XMLHttpRequest Wikipedia page as well as the cross origin resource sharing page. Microsoft's proprietary XDomainRequest partially implements the CORS spec, but they don't implement the XMLHttpRequest Level 2 spec at all.
Quoting a Microsoft documentation page isn't any way to prove a point. Nothing in the referenced page says other browsers are non-standard. I can't decide if you are Astroturfing, ignorant, or just can't Google.
-
Re:LOL spoofed IP
Encrypted data cannot be meaningfully differentiated from compressed data
It doesn't really need to be. If you use the method like Shane Alcock uses in protoident, check the first four bits against a vector of known L7 protocols, you can usually determine the L7 protocol. You have to completely tunnel over HTTPS to keep the L7 protocol indistinguishable. Of course looking for information in the body of the packet trace_get_payload_from_* for an SSL handshake works too; but, it takes a lot more code and slows down your sensor. ie. regex'ing and sorting and chomping until you get what you want on every packet that doesn't have the SYN, FIN, or RST flag set.
-
Ads = FAIL business model! Fuck them!
I see a fork of ABP in 3... 2... 1...
If I send a HTTP GET to get a page from you, and the HTML you decide yourself to send to me in return, contains some links to other stuff, it is entirely up to me, to request those from you!
If you wanted me to load them, then you should have denied me access until that happened! Too late is too late.
But even then, it is entirely up to me to actually look at them. (Why the hell would I? All advertisements are nothing but lies for the purpose of conning people. No exceptions.) So it's an extremely stupid business model, based on anachronistic things like unidirectional media (e.g. TV/radio broadcast, newspapers, etc). Only somebody who doesn't understand the Internet at all would use it.
If you want to make money with your information, don't send it to people without making sure you get money in return first! Duh! Is that so hard?
HTTP 402 Payment Required! It's there for a reason!
-
Re:Microsoft
No, they really don't.
Yes, they really do. Please, this is beyond tedious. Here is the W3C's patent policy:
http://www.w3.org/Consortium/Patent-Policy-20040205/
Have a read. Note that the W3C insists on standards that can be implemented on a royalty-free basis. Anything that does not meet that test cannot be considered a web standard.
-
Cute girl on cover. Sold!
I'm sure the perspective shot of the cute girl on the cover will sell a few copies at the local bookstore (and probably a few on Amazon, too). But from reading the review, I can't see anything about the content that looks more valuable than a printout of the W3C standards documents.
-
Re:Either sub-accounts or Bitfrost-style capabilit
This is a good question, and I appreciate that unrestricted space consumption is its own form of denial of service, but while thinking about better security it's not always a good idea to shackle oneself with best. It is certainly better to be sure that the web browser cannot overwrite kernel.dll, yes?
True. But I've still seen cases where a device manufacturer uses such quotas as a lock-in method. I seem to remember that on iOS, web applications viewed in a web browser are limited to 5 MB of application cache and 5 MB of local storage, which the user cannot override, but applications downloaded from the curated application repository can use more space.
-
Re:DOM-Interface for byte code
It is not 100% working yet but it already exists. There are standard java bindings for the DOM. As an example, rhinohide allows java applets to access the DOM via the standard bindings thanks to a javascript bridge. In this demo, which should work in firefox, a java applet modifies the document it is embedded in via this mechanism.
-
Re:NIH
... and then writing code to dynamically change which images are fed back based on the browser.
You mean the Content Negotiation stuff that is part of most, if not all, web servers already?
-
Re:What about Video??
Sorry. You're just wrong about the progressive download thing. And it's not in the scope of HTML5 to define bitrate or fragmented delivery. Fragmented delivery is turf for HTTP and bitrate is for the browser or embedded player.
Read:
14.35.2 Range Retrieval Requests
HTTP retrieval requests using conditional or unconditional GET methods MAY request one or more sub-ranges of the entity, instead of the entire entity, using the Range request header, which applies to the entity returned as the result of the request:
Range = "Range" ":" ranges-specifier
Please read the HTTP 1.1 RFC
-
Re:More importantly
umm.. not sure if you're trolling but, don't talk about the web if you don't know how to use google or what a url is...
If you don't understand why HAVING TO USE google's search engine to utilize the + feature does not conform to a url (the thing you use to access websites) then Idk what to say to you, alone indeed. Try the astronomy section of slashdot.
-
Re:why not ditch pdf?
Because HTML has shitty support for vector graphics
You're mistaken, there's <canvas> and <SVG>. Here's a basic summary comparing them. You can also do some impressive vector effects just with CSS, such as animating graphs and pie charts.
-
HTML referencing page numbers
Good question, I don't think you can. The CSS Print Profile keeps track of a current page counter, but I think you only have access to the current page number for presentation and styling; you can't query another element and ask what page it's on. So you have to do references by section number, and when printing arrange for the current section's number to show up in the page header or footer.
-
Re:How about eradicating PDFs instead?
PDFs are great for scientific papers.
Only for printing. The difference between PDF (produced from something like LaTeX) and XHTML+MATHML+SVG is that
(1) PDF is paginated nicely, which is essential for printing, and an obvious minus for on-screen viewing.
(2) PDF has lost the content layer, which is nearly irrelevant for printing, and unforgivable for on-screen viewing.
What you really need for scientific papers is a large page that can flexibly display full color text and images. PDF is one of the best ways to describe a printable version, but it's a far cry from the best way to describe an on-line document.
-
CSS 1 was written by two people!
As you can see from the specification page, Bert Bos also worked on the CSS spec. Bert and Håkon also wrote a book together "CSS: Design for the Web" covering CSS. It's not as practical as some CSS books, but it certainly covers the spec and explains why things are the way they are. (especially the first edition of the book)
-
Re:Bias with HTML5 is normal