W3C home > Mailing lists > Public > public-webapi@w3.org > March 2008

RE: What is Microsoft's intent with XDR vis--vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Wed, 26 Mar 2008 13:57:03 -0700
To: Arthur Barstow <art.barstow@nokia.com>
CC: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B7483102C681B674@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

IE would like to propose XDR as a new (Rec-track) spec for the Web API WG. We think there is a place for both implementations within the charter of the Web API. Here's a re-summary of why that I've extracted from our proposal and our responses. For more details please refer to our proposal and the mail conversations on the topic:

- XDR is provably secure and does not introduce new surface area of attack compared to HTML Forms.
- It's really simple to program against.
- It accommodates several scenarios around public data aggregation.
- There may be a place for an access control model today, especially around RESTful services. The model is extensible and powerful however for the draft itself it will need more design thought to build a secure implementation.
- While the existing proposal can do what XDR does and more, it is complicated with XHR and also tricky to implement. As we mentioned before, authentication scenarios behave differently compared to XHR and so do headers. Editing the policy also quickly gets tricky as the number of rules increase. For public data aggregation scenarios web developers would benefit from the simple and secure XDR object.
If I'm not mistaken this model currently exists within the framework of the W3C in the form of the HTML 5.0 DOM Store Spec that's simple and it's bigger brother with a larger scope, the SQL based storage.

Along those lines, we are more than glad to pickup editorship here.
Cheers,
-Sunava

-----Original Message-----
From: Arthur Barstow [mailto:art.barstow@nokia.com]
Sent: Monday, March 24, 2008 4:52 AM
To: Sunava Dutta
Cc: Web API WG (public); public-appformats@w3.org; Eric Lawrence; Chris Wilson; Zhenbin Xu; Gideon Cohn; Sharath Udupa; Doug Stamper; Marc Silbey
Subject: What is Microsoft's intent with XDR vis--vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

[[ My apologies for the late response to this thread (I was OOO last
week). ]]

Sunava, All,

Would you please elaborate on Microsoft's intent with XDR with regard
to W3C? For example is it being proposed as a new (Rec-track) spec
for the Web API WG; is it a counter proposal for the WAF WG's AC4CSR
spec; something else?

Regards, Art Barstow
---


On Mar 13, 2008, at 11:46 PM, ext Sunava Dutta wrote:

> Purpose
>
> XDR helps web developers to create secure mashups, replacing less
> secure or non-performant approaches, including SCRIPT SRC'ing
> content or IFRAME injection.
>
> Microsoft would like to submit XDR to the W3C for standardization
> so that other browsers can benefit from this technology.
Received on Wednesday, 26 March 2008 20:57:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 26 March 2008 20:57:15 GMT