- From: Marcos Caceres <marcosc@opera.com>
- Date: Fri, 28 Aug 2009 11:54:34 +0200
- To: Robin Berjon <robin@berjon.com>
- Cc: public-webapps <public-webapps@w3.org>
On Fri, Aug 28, 2009 at 11:23 AM, Robin Berjon<robin@berjon.com> wrote: > On Aug 27, 2009, at 14:33 , Marcos Caceres wrote: >> >> For the purpose of testing, I think the following assertion is in the >> wrong spec (P&C): >> >> [[ >> A user agent must prevent a browsing context of a widget from accessing >> (e.g., via scripts, CSS, HTML, etc.) the contents of a digital signature >> document unless an access control mechanism explicitly enables such access, >> e.g. via an access control policy. The definition of such a policy mechanism >> is beyond the scope this specification, but can be defined by implementers >> to allow access to all or parts of the signature documents, or deny any such >> access. An exception is if a user agent that implements this specification >> also implements the optional [Widgets-DigSig] specification, in which case >> the user agent must make digital signature documents available only to the >> implementation of the [Widgets-DigSig] specification; a user agent must not >> make the digital signatures accessible to scripting or other content loading >> mechanisms, unless explicitly enabled by an access control mechanism. >> ]] >> >> It think we should move it out of P&C into the API spec or some other >> spec. > > Why? Oh yeah, explaining why would help:) Like with the UI product from the prev email, this UA does not execute or deal with scripts. It only deals with processing config.xml and zip files. It should not behave as a policy enforcement point. -- Marcos Caceres http://datadriven.com.au
Received on Friday, 28 August 2009 09:55:34 UTC