
Re: Security was ACTION-54: Whatwg restricts XHR more headers than we do

From: Charles McCathieNevile <chaals@opera.com>
Date: Mon, 20 Mar 2006 17:59:55 +0100
To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
Message-ID: <op.s6p1h5lrwxe0ny@pc031.coreteam.oslo.opera.com>

On Sat, 18 Mar 2006 03:17:55 +0100, Jonas Sicking <jonas@sicking.cc> wrote:

> I have an action to ask Hixie why the whatwg spec for XHR restricts more  
> headers than our current draft.
> He said that the spec is basically still a work in progress and that he  
> had gotten many comments on it that were not yet addressed.
> His recommendation is that we go ahead with the spec as is and collect  
> comments on our own.
> The intended reason for the restrictions was simply security.

As I have said before, I have a strong preference that we do not place  
restrictions on specs for security reasons. It makes sense that we have a  
security issues section in a spec, noting things that are commonly done by  
user agents, but I am not convinced that it makes sense to prohibit things  
which have use cases in a trusted environment just so the Foo spec can be  
complete and stand-alone in an untrusted environment. I hope that an  
outcome of the recent W3C security workshop will be that they get a  
security group together who actually describe what happens at the moment,  
and how to make a decent security model for the web - that would be far  
more appropriate than each group trying to work out the security issues  
with their own spec...
Charles McCathieNevile                     chaals@opera.com
   hablo español  -  je parle français  -  jeg lærer norsk
      Peek into the kitchen: http://snapshot.opera.com/
Received on Monday, 20 March 2006 16:59:59 UTC
