Re: Namespace dispatching in XHTML, XML from Jamie Lokier on 2008-07-04 (public-html@w3.org from July 2008)

From: Jamie Lokier <jamie@shareable.org>
Date: Fri, 4 Jul 2008 14:18:35 +0100
To: Mark Baker <distobj@acm.org>
Cc: John Kemp <john@jkemp.net>, Sam Ruby <rubys@us.ibm.com>, Daniel Stenberg <daniel@haxx.se>, HTTP Working Group <ietf-http-wg@w3.org>, public-html@w3.org, public-html-request@w3.org
Message-ID: <20080704131835.GD29484@shareable.org>

Mark Baker wrote:
> >>>> http://feedvalidator.org/testcases/atom/1.1/brief-noerror.xml
> >
> >> The content-type is reported (via 'View Page Info') in my Firefox 2 as
> >> application/xhtml+xml. However, the page is rendered as if it were an
> >> ATOM feed (which usually has the content-type application/atom+xml IIRC)
> >> rather than as if it were XHTML.
> >
> > That's because the MIME-type dispatch of the application/xhtml+xml
> > type triggers XML processing by namespace-based dispatch.
> 
> Not if you're going by the spec!  I ensured that the old HTML WG
> stayed well clear of that issue, which is why it isn't mentioned in
> RFC 3236.  RFC 3023 also explicitly warns against assuming it.

Ok, it's not mentioned, not assumed etc.

> Not that it's that big a deal, because there's definitely utility in
> such an interpretation of a mixed namespace document.

If you put well-known namespaces into an XHTML document, imho it's
pretty much asking the browser to render those components of the
document as it sees fit.  Why _else_ would you do that?

I agree there's potential security issues with that, if the
"rendering" invokes active behaviour which is unexpected, or which
hides information or presents it misleadingly.

But i think you can reasonably argue that displaying Atom XML the way
Firefox does is nothing more than styling.  Styling is acceptable, and
it's also very clear in this instance.

That is one thing Content-Type doesn't handle well.  Imagine an XHTML
document which contains XHTML, some MathML (somewhere in the second
paragraph), some SVG (inline picture over there), some VRML (same), a
little bit of Atom (in a sidebar).  There is no Content-Type which
says "this document should be presented as a composition of these
types", unless you consider the XML types to mean that.

> There's just a loss of flexibility and visibility (and therefore
> security) in using embedded metadata like a namespace, rather than
> external metadata such as a media type.

I'm not sure I agree with this.  Any time you might look at external
metadata, if that metadata says "this document contains mixed types"
than you'll proceed to look into the document - or classify it as too
complex to classify for security/visibility purposes.  XHTML even
provides strict parsing rules to make sure that's reliable :-)

-- Jamie

Received on Friday, 4 July 2008 13:19:17 UTC