Using XACML profile to describe two current browser policies

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Wed, 23 Jun 2010 09:06:11 +0200
To: public-device-apis <public-device-apis@w3.org>
Message-ID: <1277276771.1845.763.camel@localhost>

Hi,

In an effort to better grasp the current proposal for the so-called
XACML profile, I've tried to describe current browser policies for:
* the same origin policies as defined in HTML5,
http://dev.w3.org/html5/spec/origin-0.html#origin-0
* what I know of the current implementations of the geolocation API
behaviors

The resulting policies are attached; they validate against the relaxng
schema, but I'm not sure at all they really say what I wanted them to
say :) They come with comments that highlight the limitations of the
XACML profile to properly describe these policies.

The high-level summary seems to be that the declarative approach that
the XACML profile is defining will have a very hard time matching the
intricacies of actual deployed policies in browsers.

Even with adding some missing modifier functions (origin, port seem
rather important ones), dealing with time/repetition-based
considerations, or with the type of events/markups that triggered an API
call is going to be extremely painful in a declarative approach, and
require a very extensive vocabulary. And that's only to deal with two
existing cases; I'm not sure if I would be able to describe what we have
defined for the Contacts API with the current framework.

Maybe the complex policies don't apply as much to widgets (although I
think it's more that we have less experience with deploying widgets),
but given that widgets can include/load Web content, I don't think we
can really escape the Web-related aspects.

Dom




Received on Wednesday, 23 June 2010 07:06:20 GMT