W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: [access-control] Update

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 10 Jul 2008 04:10:54 -0700
Message-ID: <4875EE3E.5090304@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>, Web Applications Working Group WG <public-webapps@w3.org>

Anne van Kesteren wrote:
> 
> On Thu, 10 Jul 2008 01:13:52 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Anne van Kesteren wrote:
>>>  This is exactly how postMessage() works and it seems nice to align 
>>> with that.
>>
>> I am very strongly against this syntax as it gives a false sense of 
>> security. To the point where I don't think I'd be willing to implement 
>> it in firefox. The fact that postMessage allows this sounds very 
>> unfortunate and something that I will look into fixing in that spec.
> 
> Let me know how that works out. postMessage() is shipping already in 
> various implementations...

I will keep you updated.

Until then I very strongly feel we need to change the parsing rules to 
refer to rfcs 3986 and 3490 the way the previous draft did.

>>>> Additionally, the way the spec was written before we could create a 
>>>> conformat implementation now without having to worry about HTML5 
>>>> changing things under us.
>>>
>>> Well, in the end we want all those concepts implemented in the same 
>>> way everywhere, right? So I'm not sure how this matters.
>>
>> So why not let HTML5 refer to Access-Control?
> 
> I don't really see how that would work.

Access-Control can define how to parse the 'origin' part of the URI and 
HTML5 can refer to that. Or they can both refer to the same RFCs.

/ Jonas
Received on Thursday, 10 July 2008 11:12:27 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT