RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests] from Ian Hickson on 2008-03-26 (public-appformats@w3.org from March 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 26 Mar 2008 21:21:44 +0000 (UTC)
To: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0803262111150.12521@hixie.dreamhostps.com>

On Wed, 26 Mar 2008, Sunava Dutta wrote:
>
> IE would like to propose XDR as a new (Rec-track) spec for the Web API 
> WG. We think there is a place for both implementations within the 
> charter of the Web API.

I think it would be very bad for the Web platform for there to be multiple 
ways to achieve this. We need to keep the platform simple, making it more 
complicated like this for no extra benefit merely acts as a "divide and 
conquer" strategy for proprietary platforms.

> - XDR is provably secure and does not introduce new surface area of 
> attack compared to HTML Forms.

This is blatently untrue, a number of serious security problems with XDR 
have already been raised (such as the fact that it encourages content-type 
sniffing, and the fact that it encourages people to pass their credentials 
to untrusted third parties).

> - It's really simple to program against.

IMHO keeping the existing XHR API is far simpler than introducing a 
slightly different API that solves nearly the same problem.

> - It accommodates several scenarios around public data aggregation.

It fails to address the majority of use cases for cross-domain data 
transfer on the Web.

> - There may be a place for an access control model today, especially 
> around RESTful services. The model is extensible and powerful however 
> for the draft itself it will need more design thought to build a secure 
> implementation.

I disagree, I think XHR and Access Control have been shown to be just as 
secure as XDR, possibly more so since they don't require bad security 
practices like XDR does.

I strongly object to the Web API working group adopting a proprietary 
solution developed by one vendor with no external consultation, when the 
group has already spent several man-years' worth of time on a 
technologically superior, safer, and more comprehensive solution that has 
as much implementation experience and significantly more authoring 
experience, based on extending existing APIs instead of arbitarily 
introducing new, incompatible APIs.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 26 March 2008 21:22:26 UTC