There are a ton of features in the web platform that take a URL. (As the platform is build around URLs, that makes a ton of sense, too.) XMLHttpRequest, <img>, background-image, <script>, @font-face, … The semantics around obtaining a resource from such a URL however are not very well defined. Are redirects followed? What if the server uses HTTP authentication? What if the server returns 700 as status code for the resource? Does a data URL work? Does about:blank work? Is the request synchronous? What if I use a skype URL? Or mailto? Is CORS used? What value will the Referer header have? Can I read data from the resource returned (e.g. via the canvas element)? Can I display it?

For what seems rather trivial, is actually rather complicated.

At the moment Ian Hickson has defined some of this in the HTML Standard. In an algorithm named fetch. Then CORS came about (for sharing cross-origin resources) and the idea was that it would neatly layer on top, but it ended up rather intertwined. And now there is another layer controlling fetching, named CSP. To reduce some of this intertwinedness and simplify defining new features that take a URL, I wrote the Fetch Standard. It supersedes HTML fetch and CORS and should be quite a bit clearer about the actual model as well as fix a number of edge cases.

It is not entirely done, but it is at the point where review would be much appreciated.

At Mozilla we’re trying to bring the web platform closer to what is taken for granted in the “walled gardens” of our time (Apple’s App Store, Google Play, and friends). A big thing we need to solve is offline. As applications, sites should just work without network connectivity. Some variant of “NavigationController” (the name is bad) will give us that, but we need to iterate on it more. And in particular we need to test it to make sure performance is adequate and the API simple enough.

We have an API for end-user notifications, but after the site is closed clicking the notification from the notification center will fail (what should happen?) and if there are multiple browsing contexts with the same site open there is also some ambiguity as to which should receive focus. The permission grant is per-origin, but a single origin can host multiple sites. Push notifications face similar issues. The site is not open, but a push notification for it comes in, where should it be delivered?

The idea we have been toying around with is a worker that could be fired up whenever there is some external event that cannot be directly managed by the site (e.g. when the site is not open). This idea is not new, Google suggested it long ago, but it did not take off. A change from their model would be to not make these workers persistent, but rather short-lived so they are not too wasteful. Part of the application logic would move to the server, and push notifications can be used to wake the worker (we have been using “event worker” as a name) to e.g. notify the user or synchronize state for when the user navigates to the relevant site next.

Well it’s not possible to win this kind of thing. This is a continuous striving that people have done for a long time. Of course, there is many individual battles that we win, but it is the nature of human beings that human beings lie and cheat and deceive and organized groups of people who do not lie and cheat and deceive find each other and get together… and because they have that temperament, are more efficient. Because they are not lying and cheating and deceiving each other. And that is an old, a very old struggle between opportunists and collaborators. And so I don’t see that going away. I think we can make some significant advances and it is perhaps, it is the making of these advances and being involved in that struggle that is good for people. So the process is in part the end game. It’s not just to get somewhere in the end, rather this process of people feeling that it is worthwhile to be involved in that sort of struggle, is in fact worthwhile for people.

The W3C TAG meeting I attended in Boston went better than expected. I got to meet the rest of the group and we discussed a variety of interesting topics without ever getting too far into lalaland (although the Polyglot Markup discussion was pushing it). I did think it was a bit too formal, though fortunately Jeni and Tim supplied a healthy dose of comic relief.

I thought I would outline some of what we discussed here and quickly jot some thoughts down for further reflection later:

• Authoritative Metadata: We know that the most popular user agents out there are not respecting this finding. We know that the HTML Standard is not respecting this finding. We know that developers do have not sufficient control over their server, even now (one of the issues with httprange-14, CORS, CSP, deploying new formats such as WebVTT). While authoritative metadata may be good in principle (and I think that in retrospect for Content-Type file signatures would have worked just as well with a safe fallback), it has not worked out in practice. We should at least indicate in the finding that what it requires is not what is practiced.
• Layering: Yehuda and Alex outlined a vision for a more layered web platform. While the network stack has pretty good layering, it gets messier once you get to the bits that go over the wire, such as HTML and JavaScript. I think this one is pretty non-controversial, though it is a lot of work and we need to watch out along the way to not constrain new implementations architectures (insofar they are not already). If you are interested in this space look at where Web Components is heading.
• API Design: Both Alex and Yehuda are frustrated with W3C/WHATWG APIs. Part of this is due to IDL not encouraging the kind of APIs that are close to JavaScript, part of this is people from a non-JavaScript background exposing low-level functionality to the platform. I personally feel that we have been hearing this problem aired for a while, but it never goes much further than that. I tried to point out that people would be supportive of doing this better, but we are resource constrained and lack the advice. Yehuda and Alex will take this back to TC39 to see if they can bring something to the table.
• Capabilities: Over dinner we discussed URLs to a particular resource where the access rights to that resource were part of the URL itself by means of a token in the path and the various implications of using that over a more traditional access control list model. E.g. whether we should have an HTTP header that indicates part of the URL should be hidden just as we hide passwords today. Jeni is currently sole keeper of these notes, but they should be public soon. (This was part of a larger discussion on Web Intents, Web Activities, and unhosted.org.)
• DRM: One contentious bit of standardizing DRM is that it standardizes the API to talk to the black box, but the black box is not standardized and will likely end up being highly proprietary. An argument in favor of standardizing DRM that has been made is that when we standardized the video element we also standardized the API and left the black box (the codec) as an open question for which we eventually found WebM as an acceptable solution. (Of course WebM is not universal so whether this is completely okay is to be seen still unfortunately.) As a corollary, standardizing the API for the DRM black box will bring more content out of plugins and may at some point lead to a standardized black box (presumably then a white box). A counter argument goes that while everyone would be happy with a open codec, not everyone would be with W3C-blessed DRM. And that even while you could envision an “open” black box, nobody would use it because it does not provide the protection deemed necessary.

You can find the raw minutes here: March 18, March 19, and March 20. Time to get back to London.

Standards developed by the WHATWG are licensed under CC0 (variant of Public Domain that works globally). The HTML Standard is licensed under MIT for historical reasons. This is important for these reasons:

• Standards should be reusable everywhere without there being a legal grey area. The IDL code will end up in software, examples and text will end up in articles and books, either literally or modified as required. This and all that which we cannot foresee must be possible without copyright getting in the way.
• If the person or entity maintaining the standard takes it in the wrong direction or ceased maintenance it is paramount for the community depending on the standard to work on an alternative without copyright getting in their way.

The W3 Project at CERN had the same policy as the WHATWG: The definition of protocols such as HTTP and data formats such as HTML are in the public domain and may be freely used by anyone. Tim BL Nowadays the W3C employes a more restrictive W3C document license that does not allow for derivative works and requires attribution.

Received an introductory email from my bank today. “Dear Customer,” it starts and it goes on to explain how online statements work. For instance, how can I be sure these emails are from my bank? “[W]e will always greet you personally using your name[.]”

I have been quite busy preparing for this and all the while I felt uninspired as to how to write about it. And now I am here and the words still won’t come, though the place is awesome and full of excitement. I live in London now and Monday I start working at Mozilla.

My MacBook Pro crashes every hour. Considering I did not need most of things that were on it anyway, I made a quick backup of the essentials, erased the hard drive, and started anew. That it crashed again while installing Mac OS X was not that promising and unfortunately a fresh install did nothing but remove the non-essentials from my system. So presumably it is a hardware failure of sorts.

Anyway, what does it take to make a commit again?

1. Install XCode and its Command Line Tools.
2. Install TextWrangler and its Command-Line Tools (edit is so useful).
3. Install html5lib, lxml, cssselect, and Anolis.
4. Install GitHub.

Time well spent!

(Not sure why Apple and Bare Bones Software spell command-line tools differently.)

Quite quickly after the summer vacation period I figured out I was not that passionate about building a new product. What I wanted to be working on was a much smaller territory: URLs. So I started writing the URL Standard. Some time in I learned about the NLnet Foundation and wondered whether they might be able to help me out in this endeavor, as being independent for a while felt nice. It would also ensure I could finish the first 80% of the URL Standard, leaving the remaining 80% (no typo) for when implementations start to align and feedback starts coming in, which for standards work about already implemented technology is usually much later (e.g. the HTML parser was first defined in 2006 and it took until 2012 for it to be mostly implemented across the board).

NLnet is one of the few organisations in the world that funds independent people who contribute to the internet. The projects they have funded range from software running on root servers of the internet to popular security browser plugins such as NoScript, from TOR Hidden Services to Unhosted, from real time kernel updates (KSplice) to finding the security holes in GSM telephony (and then rebuilding it with open source GSM/LTE). All open source and out in the open.

So I made a proposal to work on WHATWG standards budgeted for three months and after handing over a more detailed proposal it was accepted. Putting the work in the public domain and in repositories on GitHub as I had been doing was encouraged. I can heartily recommend them either if you’re looking for an organisation to support this kind of work or if you’re looking to sponsor such an organisation.

In rough chronological order (see also 2008, 2009, 2010, and 2011), omitting any duplicates, and lacking in detail and praise:

• Colombia; got my PADI Rescue Diver and did some hiking through the jungle.
• Czech Republic; pitched XML5 one last time and had loads of fun with Robbert and Yolijn exploring Prague.
• Norway; awesome ski trip with work, also just work, and a goodbye. I still catch myself saying “we”, but meaning Opera.
• United States; interviewed twice this year in Mountain View (more about that later), went to a W3C WebApps and HTML meeting at Microsoft in Mountain View, and visited San Francisco during those trips whenever possible.
• United Kingdom; visited Peter and Stefanie once again!
• Portugal; visited Marcos and Barbara in Lisbon. Anna joined later for extensive port tasting in Porto. In can now tell a ruby from a tawny.
• Romania; went there with Peter, Koen, Bas, and Inge because we found some cheap tickets to Bucharest. Ended up sleeping on the beach one day and thanks to a nice fire and some homemade whisky I did not freeze (accommodation was unavailable). Went back later to see Rada again. Definitely good times all around.
• Spain; explored Madrid with my two brothers and said hi to Charles while I was there.
• Germany; went to my first Oktoberfest in Munich with some friends I met in Romania. Learned to pace the larger glasses the second day. Visited Hamburg and Bremen later as Remy was performing there.
• France; W3C had a big meetup going on in Lyon. Thanks to Mozilla and the W3C I got to go and ended up writing about copyright and process.