>> This is not required and an implementation is free to ignore this >> section. > > Such a phrase and then subsequent MUST's is confusing. Yeah, a 'must' snuck in there, i tried to stay away from it. That should be replaced by something else. However I was not aiming to use rfc 2119 keywords though, but rather plain english. Can we say that this section of the spec do not use them? Is it enough to say that the section is informative rather then normative? > I don't see the > point in listing the problems at all, all implementors know them, and an > exhaustive list would be prohibitive, and a selective list pointless, > just say "limiting stuff for security reasons doesn't break conformance, > enjoy." I think the idea was to give some suggestions for implementations to keep in mind. It's not as simple as "all implementors know them". All implementations had the classic redirect flaw for example, even though they all were aware of same-origin policies, it's probably fair to assume that future new implementations might too. I do agree that we do not want to give an exhaustive list though of features that should be limited, I was not trying to do that. But I think we should give good pointers to things that might be easy to miss. I'm absolutely open to suggestions, but your sentence above I think is too little information. / JonasReceived on Tuesday, 21 March 2006 08:57:29 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT