[01:01:11] <tgr>	 bd808: any thoughts on https://www.mediawiki.org/wiki/Wikimedia_Engineering/2015-16_Q4_Goals#Reading ?
[01:01:47] <tgr>	 should we just pick what looks biggest from https://etherpad.wikimedia.org/p/reading-infra-2015-16-q4 ?
[01:03:36] <ori>	 how about proper svg support?
[01:04:06] <tgr>	 got a task for that?
[01:04:12] * ori checks
[01:05:26] <ori>	 https://phabricator.wikimedia.org/T5593
[01:06:12] <ori>	 the trick is to either thoroughly strip javascript or (better but harder) sandbox it
[01:06:40] <ori>	 but IMO things like <https://upload.wikimedia.org/wikipedia/commons/6/6c/Trajans-Column-lower-animated.svg> (try clicking on the column) have quite a lot of encyclopedic value
[01:07:56] <tgr>	 they do, but so does any kind of JS-based interactive widget
[01:07:57] <ori>	 that one in particular uses SVG animation elements rather than JS, but sandboxed JS would allow for a much richer interactivity. Still, it would be a great start to allow SVGs with no javascript (or to strip javascript from SVGs)
[01:08:25] * tgr is a fan of http://explorableexplanations.com/
[01:08:57] <ori>	 oh, cool! yeah, this is really neat
[01:09:03] <tgr>	 https://phabricator.wikimedia.org/T31242 seems like a better approach for that
[01:09:04] <ori>	 i bookmarked it to play with later
[01:09:32] <ori>	 I haven't heard of oEmbed
[01:10:44] <tgr>	 oEmbed is not really the point, rather the technique of including scripted content in an iframe from a separate domain
[01:11:24] <tgr>	 that makes XSS relatively harmless
[01:12:12] <ori>	 yeah, that's a viable approach; I include that in "sandboxing"
[01:14:35] <tgr>	 I'll throw it on the list for things to consider for Q4 but IMO it's too speculative to make it a key result, especially since the draft goals are supposedly due today
[01:22:43] <ori>	 thanks for considering it :)
[01:24:57] <ori>	 tgr: oh, I forgot to mention -- Paul Irish e-mailed me about a year ago to introduce me to someone internal at Google who was really interested in helping us with SVGs
[01:25:05] <ori>	 if you are interested, I can make the connection
[01:25:20] <tgr>	 as in, sandboxing SVGs?
[01:28:28] <tgr>	 my main fear with these things is that we spend a bunch of time on it and then no one is actually going to use it
[01:28:36] <tgr>	 lack of tooling etc
[01:29:13] <tgr>	 MW supports multilingual SVGs, for example; I don't think I ever saw one apart from test files
[01:29:42] <tgr>	 so the community support is the real bottleneck there
[01:30:35] <tgr>	 same with 3D files, video and other new media types
[01:33:29] <Krinkle>	 GitHub has gotten pretty far with securely rendering SVGs and PDFs client-side
[01:35:22] <Krinkle>	 https://github.com/wikimedia/oojs-ui/commit/51c661101de1c90d7
[01:35:46] <Krinkle>	 The rich preview goes through a subdomain frame.githubusercontent.com and renders in an iframe as data uri with javascript
[01:35:48] <Krinkle>	 pretty heavy
[01:37:32] <tgr>	 those diff tools are impressive
[01:38:15] <tgr>	 do they leave the original JS in the rich preview, though?
[01:38:34] <Krinkle>	 nope, they filter and sanitize it
[01:38:52] <Krinkle>	 some of it still executes (e.g. external stylesheet?, not sure), but from a neutral domain
[01:39:04] <Krinkle>	 Or maybe they strip that too
[01:39:08] <Krinkle>	 interactive scripts work
[01:39:21] <Krinkle>	 to some degree
[01:39:22] <tgr>	 a separate domain prevents you from session theft and such but someone using Wikipedia to distribute a JS-based browser exploit still feels bad
[01:39:31] <Krinkle>	 Yeah
[01:40:43] <Krinkle>	 The trick with interactive SVG is what we want, not what we can.
[01:40:54] <Krinkle>	 Do we want to maintain JavaScript inside SVG files inside Commons blobs?
[01:41:17] <Krinkle>	 I'm surprised https://upload.wikimedia.org/wikipedia/commons/6/6c/Trajans-Column-lower-animated.svg works on that domain
[01:41:30] <Krinkle>	 not rejected on upload?
[01:42:14] <Krinkle>	 Ah, it works without javascript
[01:42:20] <Krinkle>	 it's a native event bound with animationMotion
[01:42:23] <Krinkle>	 not bad not bad
[01:43:42] <Krinkle>	 so this is fine. No sandboxing needed
[01:44:01] <Krinkle>	 SVG rocks :)
[01:44:35] <Krinkle>	 https://bigbitecreative.com/introduction-svg-animation/
[01:48:08] <tgr>	 apparently we have an element whitelist, enforced in UploadBase::detectScriptInSvg()
[01:50:06] <tgr>	 so if that's fully trusted including raw SVGs as thumbnails seem fairly easy, although supporting browsers with no or partial SVG rendering might be tricky
[01:50:28] <tgr>	 the consensus in https://phabricator.wikimedia.org/T5593 seems to be that it's not fully trusted
[04:14:36] <ori>	 all browsers except IE8 (global usage: 0.84%) and android 4.2/4.3 (global: 0.88%) support SVGs