Review of widget access request

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 9 Jun 2009 10:59:29 +0200
Message-Id: <696CA33E-0BEA-4DCE-B770-E26A4AA608A9@w3.org>
To: Robin Berjon <robin@berjon.com>
Cc: public-webapps WG <public-webapps@w3.org>

Quick review of the WAR spec...
   http://dev.w3.org/2006/waf/widgets-access/

1. The definitions section seems to introduce "instantiated  
components" as a first-class object that is granted access.  However,  
what the spec talks about are the rights that the widget execution  
scope is granted.  Notably, that execution scope *includes* an HTML  
file that sits within the widget, but loads a script off the network.

2. It would be useful for the policy section to explicitly say that  
network access from the web execution scope is controlled by the HTML5  
security policy, not by this specification's security policy.

3. I continue to believe that it is a mistake to introduce new  
limitations on inline elements in this spec, and at this point in time.

4. The processing model is gratuitously detailed and complex, and pins  
down implementation detail.  For example, the meaning of a sequence of  
access elements does not actually depend on the order in which these  
elements appear; nevertheless, the processing model is specified as  
walking down the list of access elements in document order.  This  
could be made significantly easier to understand by simply saying what  
the values are, and what they mean, instead of the present page of  
prose.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 9 June 2009 08:59:37 GMT