- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Wed, 23 Jun 2010 09:06:11 +0200
- To: public-device-apis <public-device-apis@w3.org>
- Message-ID: <1277276771.1845.763.camel@localhost>
Hi,

In an effort to better grasp the current proposal for the so-called XACML profile, I've tried to describe current browsers' policies for:
* the same origin policies as defined in HTML5, http://dev.w3.org/html5/spec/origin-0.html#origin-0
* what I know of the current implementations of the geolocation API behaviors

The resulting policies are attached; they validate against the RELAX NG schema, but I'm not sure at all they really say what I wanted them to say :) They come with comments that highlight the limitations of the XACML profile to properly describe these policies.

The high-level summary seems to be that the declarative approach that the XACML profile is defining will have a very hard time matching the intricacies of actual deployed policies in browsers. Even with adding some missing modifier functions (origin, port seem rather important ones), dealing with time/repetition-based considerations, or with the type of events/markups that triggered an API call is going to be extremely painful in a declarative approach, and require a very extensive vocabulary.

And that's only to deal with two existing cases; I'm not sure if I would be able to describe what we have defined for the Contacts API with the current framework.

Maybe the complex policies don't apply as much to widgets (although I think it's more that we have less experience with deploying widgets), but given that widgets can include/load Web content, I don't think we can really escape the Web-related aspects.

Dom

Attachments
- application/xml attachment: geolocation.xml
- application/xml attachment: same-origin-policy.xml
Received on Wednesday, 23 June 2010 07:06:20 UTC