yoavweiss

Self-Review Questionnaire: Security and Privacy

styleDuration, layoutDuration, forcedStyleDuration, and forcedLayoutDuration attributes

Answers to the W3C Security and Privacy Self-Review Questionnaire for the newly added timing duration attributes in the Long Animation Frames API.

These attributes break down existing aggregate timing into finer-grained style and layout components:

• PerformanceLongAnimationFrameTiming.styleDuration / layoutDuration: Time spent in style recalculation and layout during the rendering phase of a long animation frame.
• PerformanceScriptTiming.forcedStyleDuration / forcedLayoutDuration: Time spent in synchronous (forced) style recalculation and layout triggered during script execution (e.g., by calling getComputedStyle() or getBoundingClientRect()).

yoavweiss

const totalStyleCost = async () => {
  return new Promise(resolve => {
    let total = 0;
    const obs = new PerformanceObserver(entryList => {
      const entries = entryList.getEntries();
      for (const entry of entries) {
          if (entry.paintTime) {
              total += entry.paintTime - entry.styleAndLayoutStart;
          } else {
              total += entry.startTime + entry.duration - entry.styleAndLayoutStart;

yoavweiss

Participants

Yoav Weiss

Rouslan Solomakhin (Google)

Darwin Yang (Google)

(Shopify)

yoavweiss

WICG: Address Autofill

• TPAC

Attendees: Westin, Martin Lechner, Yoav Weiss, Anne van Kesteren, Christian Indra, Rick Byers, Adam Rice, Michal Mocny, Dominic Batre

• Yoav: Discuss Address Autofill
• autofill is a key feature for login and web forms etc

yoavweiss

Joel: Welcome! Gonna show a live use case for FedCM

Demo to bootstrap the conversation

Shop.app is the buyer-facing identity at Shopify

Reaching checkout when you’re not authenticated can be complicated

Buyers that reach checkout authenticated, they’re more likely to successfully complete checkout

yoavweiss

<script type="importmap">
{
  "imports": {
    "square": "./module/shapes/square.js"
  },

  "integrity": {
    "./module/shapes/square.js": "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  }
}

yoavweiss

Self-Review Questionnaire: Security and Privacy

This questionnaire has moved.

1. What information does this feature expose, and for what purposes?

No Information is exposed.

2. Do features in your specification expose the minimum amount of information

yoavweiss

noopener-allow-popups Cross-Origin-Opener-Policy value

Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. Such a document need to ensure its opener cannot script it, even if the opener document is a same-origin one.

The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, the opened document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it.

yoavweiss

#!/bin/bash
hidutil property --set '{"UserKeyMapping":[{"HIDKeyboardModifierMappingSrc":0x700000064,"HIDKeyboardModifierMappingDst":0x700000029}, {"HIDKeyboardModifierMappingSrc":0x700000029,"HIDKeyboardModifierMappingDst":0x700000073}]}'

yoavweiss

var DOMTokenListSupports = function(tokenList, token) {
  if (!tokenList || !tokenList.supports) {
    return;
  }
  try {
    return tokenList.supports(token);
  } catch (e) {
    if (e instanceof TypeError) {
      console.log("The DOMTokenList doesn't have a supported tokens list");
    } else {