Call with Joe Walker Minutes Feb 26 2008

From RuntimeWiki


Topic

Call with Joe Walker on Feature Requests Summary Page

Attendees

  • Coach Wei
  • Joe Walker
  • Jon Ferraiolo
  • Krishna Sankar

Minutes

  • Coach: (gave a quick overview of the Runtime Task Force: history and current status.) Now the floor is yours, Joe.
  • Joe: two big items are missing: cross-site scripting (XSS) and cross-site request forgery (CSRF). I don't know what browser vendors are doing with them. I don't know why browser vendors are not doing more about them.
  • Jon: Joe, do you subscribe to the W3C WAF email list?
  • Joe: no.
  • Jon: there are a lot of email exchanges on Access Control, related to this topic (cross-site scripting). There is a lot of controversy here too.
  • Joe: besides the "httpOnly" cookie attribute, how about "sameReferrer Only"? This will prevent cookies from being sent to a site if the referrer is not the right one, as a mechanism to prevent CSRF.
  • Coach: both make sense to be added to the list. A possible solution could be "same referrer only", for example.
  • Jon: what about XSS? do you have a solution?
  • Joe: Content restriction is hard. My idea is to add some rules around content with regard to the content's rights, such as a new XML-based tag to describe such rules.
  • Jon: I think we should add two items: Stronger CSRF protection and Stronger XSS protection.
  • Coach: now let's go through the list one by one, starting with "Two HTTP connection limit issue". What do you think, Joe?
  • Joe: the only solution I think makes sense is to let the server decide whether it should accept more than two connections.
  • Joe: this is an important problem. From the DWR point of view, it is one of the biggest problems that you cannot hack away.
  • Coach: what do you think of "Cross frame communication support"?
  • Joe: not sure of this. It doesn't personally cause me as much pain as the previous one. From my own perspective, it doesn't look like a big issue. Broadly speaking, it looks important.
  • Coach: what's your take on "Event Transparency" and "Mutation events"?
  • Joe: outside of my expertise. Seems reasonable to me.
  • Joe: String performance on IE is an issue; we figured out ways to get around it. DOM performance is an issue, but less so. Anything with performance falls to the browser vendors.
  • Krishna: are there specific performance issues you see from DWR?
  • Joe: browser vendors should know the performance issues better. I think JavaScript performance is a big reason for how people pick which browser they use. The question is not that they don't have the information. It is about whether we should push them to do something. They certainly know a great deal about the performance issues.
  • Joe: it is more a political problem.
  • Coach: Client side storage and caching?
  • Joe: very important. Firefox already has a lot of this. DWR will use a lot of it.
  • Jon: I want to add a comment on performance largely being a political issue. To some extent, we are doing a little bit of arm twisting with IE. For example, the Web Standards guys made the Acid Test known to IE and IE passed it recently. So the community voice matters.
  • Joe: XPath support - it is in the category of "I don't care" but I would love to use it if available.
  • Joe: Vector graphics - high priority. Important. There are three things with top priority for me:
    • Security (XSS) and XSRF;
    • Vector Graphics;
    • Video tag
    • The two connection limit;
  • Coach: what do you mean by "video" tag?
  • Joe: the capability to embed "video" in a page without using Flash, such as in HTML5. Adding a video tag and vector graphics to web browsers would be great.
  • Coach: what about scoped ID?
  • Joe: it is a problem that we have to work around, but it is not a major issue.
  • Jon: there are various ways to work around it too. It is so fundamental to the browser world that it is probably not a good thing to tackle.
  • Coach: what about "Hashes for DOM elements and associated API"?
  • Joe: no specific comments from me. Not in my high priority list.
  • Coach: thanks Joe. Thanks all.
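Added illustration (not part of the minutes, and not DWR or browser code): Joe's proposed "same referrer only" cookie rule modelled in Python, alongside the server-side check a site can deploy today to get the same CSRF effect. The site origin, cookie names, cookie values and request headers are all constructed sample data; which cookies carry the flag is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample data: the site being protected and the cookies a browser holds for it.
SITE_ORIGIN = "https://bank.example"
COOKIE_JAR = {"session": "abc123", "theme": "dark"}  # hypothetical values
PROTECTED = {"session"}  # cookies assumed to carry the proposed "same referrer only" flag


def origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it has no usable origin."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referrer_allows(site_origin, referrer):
    """The proposed rule: a flagged cookie travels only when the referring page's
    origin is the site's own. A missing or opaque referrer (e.g. "null") does not
    match, so the cookie is withheld rather than sent on a guess."""
    return origin_of(referrer) == site_origin.lower()


def cookies_to_send(site_origin, referrer, jar, protected):
    """Select the cookies a browser would attach under the rule: unflagged cookies
    always go, flagged ones only from a same-origin referrer."""
    return {
        name: value
        for name, value in jar.items()
        if name not in protected or referrer_allows(site_origin, referrer)
    }


def server_should_act(site_origin, headers):
    """Server-side analogue a defender can deploy without browser support: refuse a
    state-changing request whose Origin (preferred) or Referer header does not
    match the site, whatever cookies arrived with it."""
    source = headers.get("Origin") or headers.get("Referer")
    return referrer_allows(site_origin, source)


if __name__ == "__main__":
    # Constructed requests: from the site's own page, forged from another site, and with no referrer.
    cases = {
        "same-site": "https://bank.example/account",
        "cross-site": "https://evil.example/forge",
        "no referrer": None,
    }
    for label, ref in cases.items():
        headers = {"Referer": ref} if ref else {}
        print(label,
              "cookies sent:", cookies_to_send(SITE_ORIGIN, ref, COOKIE_JAR, PROTECTED),
              "server acts:", server_should_act(SITE_ORIGIN, headers))
```

The caveat a practitioner would raise: browsers and privacy settings often strip the Referer header, so a strict referrer rule also withholds cookies from some legitimate requests (bookmarks, typed URLs), which is why server-side deployments usually combine an Origin/Referer check with a per-session anti-CSRF token rather than relying on the referrer alone.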