CDR Framework: Last Call Comments

(I've only reviewed the normative parts.)


* http://www.w3.org/TR/2005/WD-CDR-20051219/#dom

The specification encourages subsetting. Subsets encourage a splintering 
of the Web, which is bad for everyone.

Please change the specification so that subsets are discouraged.


* http://www.w3.org/TR/2005/WD-CDR-20051219/#child-to-parent-dom-access

The ReferencedDocument interface requires that implementations perform 
security checks at the element level. Historically, implementations have 
only needed to perform checks at the Document/Window boundary. Changing 
this will introduce a very high potential for security bugs.

Please do not introduce the ReferencedDocument interface.

Instead, the Window.parent member can be used in existing UAs to get to 
the parent Window context.

Please coordinate with the new Web APIs group in creating specifications 
for the Window interface.


* http://www.w3.org/TR/2005/WD-CDR-20051219/#parent-to-child-dom-access

The specification contradicts itself. On the one hand it says "If access 
to the child document is disabled or there is no child document the 
attribute must be null.", and on the other it says "Accessing parent or 
child documents through the DOM as described in sections 2.1.2 and 2.1.3 
can be disabled for security reasons. In such cases user agents should 
throw a SecurityException.".

Please correct the specification to be clear as to what should happen if 
the contentDocument attribute is disabled.


* http://www.w3.org/TR/2005/WD-CDR-20051219/#security-exception

Please do not use a code so close to the LSExceptionCode codes of DOM3 LS, 
as this may lead to unintended clashes in future.


* http://www.w3.org/TR/2005/WD-CDR-20051219/#event-propagation

Please define what "events targetted at the document shall propagate to 
the parent document" means, in particular in terms of the DOM3 Events 
capture phase.


* http://www.w3.org/TR/2005/WD-CDR-20051219/#security-event

"When a document breaks through the user agent security policy" -- surely 
this is supposed to say "When a document attempts to break through the 
user agent's security policy"? Since if the document has actually broken 
it, it's too late to do anything.

Please change the first sentence of 2.2.2 Security Event to specifically 
define when the "security" event should be fired.

The event doesn't say what its default action is.

Please define the default action of the "security" event.


* http://www.w3.org/TR/2005/WD-CDR-20051219/#event-related-legacy-markup

"what phases it supports" implies that some events may support less than 
all the phases. This is incorrect.

Please remove the mention of "what phases it supports".

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 29 December 2005 01:00:08 UTC
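
Added example, not part of the original message or of the CDR draft: a JavaScript model of the contentDocument contradiction raised above, showing how the two readings of the draft ("must be null" versus "should throw a SecurityException") affect calling script, and a defensive accessor that tolerates both. The frame factories, the SecurityException class and the result shape are constructed stand-ins, not real user agent APIs.

```javascript
// Constructed stand-in for the draft's SecurityException (assumption: matched by name).
class SecurityException extends Error {
  constructor() {
    super("access to child document disabled");
    this.name = "SecurityException";
  }
}

// Hypothetical UA "A": follows "the attribute must be null".
function makeFrameNullStyle(childDoc, accessAllowed) {
  return { get contentDocument() { return accessAllowed ? childDoc : null; } };
}

// Hypothetical UA "B": follows "user agents should throw a SecurityException".
function makeFrameThrowStyle(childDoc, accessAllowed) {
  return {
    get contentDocument() {
      if (!accessAllowed) throw new SecurityException();
      return childDoc; // null when there is no child document
    },
  };
}

// Defensive accessor: never leaks a security exception to the caller and
// reports only what the caller can actually know under either reading.
function readChildDocument(frame) {
  let doc;
  try {
    doc = frame.contentDocument;
  } catch (e) {
    if (e && e.name === "SecurityException") return { doc: null, reason: "denied" };
    throw e; // unrelated failure: do not swallow it
  }
  if (doc === null || doc === undefined) {
    // Under the null reading, "denied" and "no child" cannot be told apart.
    return { doc: null, reason: "absent-or-denied" };
  }
  return { doc, reason: "ok" };
}

// Naive caller written against the null-returning reading only.
function naiveTitle(frame) {
  const doc = frame.contentDocument;
  return doc ? doc.title : "(no child)";
}
```

Under the null reading a script cannot distinguish a refused access from a missing child document; under the throwing reading, script written with a plain null check fails with an uncaught exception.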