W3C home > Mailing lists > Public > public-webapi@w3.org > March 2006

Re: XMLHttpRequest security section draft

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 21 Mar 2006 00:57:30 -0800
Message-ID: <441FBFFA.1090608@sicking.cc>
To: Jim Ley <jim@jibbering.com>
Cc: Web APIs WG <public-webapi@w3.org>

>> This is not required and an implementation is free to ignore this 
>> section.
> 
> Such a phrase and then subsequent MUST's is confusing.

Yeah, a 'must' snuck in there, i tried to stay away from it. That should 
be replaced by something else.

However I was not aiming to use rfc 2119 keywords though, but rather 
plain english. Can we say that this section of the spec do not use them? 
Is it enough to say that the section is informative rather then normative?

> I don't see the 
> point in listing the problems at all, all implementors know them, and an 
> exhaustive list would be prohibitive, and a selective list pointless, 
> just say "limiting stuff for security reasons doesn't break conformance, 
> enjoy."

I think the idea was to give some suggestions for implementations to 
keep in mind. It's not as simple as "all implementors know them". All 
implementations had the classic redirect flaw for example, even though 
they all were aware of same-origin policies, it's probably fair to 
assume that future new implementations might too.

I do agree that we do not want to give an exhaustive list though of 
features that should be limited, I was not trying to do that. But I 
think we should give good pointers to things that might be easy to miss.

I'm absolutely open to suggestions, but your sentence above I think is 
too little information.

/ Jonas
Received on Tuesday, 21 March 2006 08:57:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT