Re: [widgets] P&C, assertion in wrong spec from Arthur Barstow on 2009-08-28 (public-webapps@w3.org from July to September 2009)

From: Arthur Barstow <art.barstow@nokia.com>
Date: Fri, 28 Aug 2009 09:29:49 -0400
To: Marcos Caceres <marcosc@opera.com>, Robin Berjon <robin@berjon.com>
Cc: public-webapps <public-webapps@w3.org>
Message-Id: <7855A815-E263-4E1A-9E85-CEBA06C77335@nokia.com>

On Aug 28, 2009, at 5:54 AM, ext Marcos Caceres wrote:

> On Fri, Aug 28, 2009 at 11:23 AM, Robin Berjon<robin@berjon.com>  
> wrote:
>> On Aug 27, 2009, at 14:33 , Marcos Caceres wrote:
>>>
>>> For the purpose of testing, I think the following assertion is in  
>>> the
>>> wrong spec (P&C):
>>>
>>> [[
>>> A user agent must prevent a browsing context of a widget from  
>>> accessing
>>> (e.g., via scripts, CSS, HTML, etc.) the contents of a digital  
>>> signature
>>> document unless an access control mechanism explicitly enables  
>>> such access,
>>> e.g. via an access control policy. The definition of such a  
>>> policy mechanism
>>> is beyond the scope this specification, but can be defined by  
>>> implementers
>>> to allow access to all or parts of the signature documents, or  
>>> deny any such
>>> access. An exception is if a user agent that implements this  
>>> specification
>>> also implements the optional [Widgets-DigSig] specification, in  
>>> which case
>>> the user agent must make digital signature documents available  
>>> only to the
>>> implementation of the [Widgets-DigSig] specification; a user  
>>> agent must not
>>> make the digital signatures accessible to scripting or other  
>>> content loading
>>> mechanisms, unless explicitly enabled by an access control  
>>> mechanism.
>>> ]]
>>>
>>> It think we should move it out of P&C into the API spec or some  
>>> other
>>> spec.
>>
>> Why?
>
> Oh yeah, explaining why would help:) Like with the UI product from the
> prev email, this UA does not execute or deal with scripts. It only
> deals with processing config.xml and zip files. It should not behave
> as a policy enforcement point.

I think this requirement isn't appropriate for what we should  
consider a strict P+C UA. As such, this bug could be addressed in a  
number of ways including making the text non-normative, removing the  
text from the spec, etc.

The text could also be included in a document that describes or  
defines a Widget [runtime] User Agent.

-Regards, Art Barstow

Received on Friday, 28 August 2009 13:30:56 UTC