Re: [widgets] P&C, assertion in wrong spec from Marcos Caceres on 2009-08-30 (public-webapps@w3.org from July to September 2009)

From: Marcos Caceres <marcosc@opera.com>
Date: Sun, 30 Aug 2009 18:54:19 +0200
To: Arthur Barstow <art.barstow@nokia.com>
Cc: Robin Berjon <robin@berjon.com>, public-webapps <public-webapps@w3.org>
Message-ID: <b21a10670908300954o193f9563kd3fba481bd5708c@mail.gmail.com>

On Fri, Aug 28, 2009 at 3:29 PM, Arthur Barstow<art.barstow@nokia.com> wrote:
> On Aug 28, 2009, at 5:54 AM, ext Marcos Caceres wrote:
>
>> On Fri, Aug 28, 2009 at 11:23 AM, Robin Berjon<robin@berjon.com> wrote:
>>>
>>> On Aug 27, 2009, at 14:33 , Marcos Caceres wrote:
>>>>
>>>> For the purpose of testing, I think the following assertion is in the
>>>> wrong spec (P&C):
>>>>
>>>> [[
>>>> A user agent must prevent a browsing context of a widget from accessing
>>>> (e.g., via scripts, CSS, HTML, etc.) the contents of a digital signature
>>>> document unless an access control mechanism explicitly enables such
>>>> access,
>>>> e.g. via an access control policy. The definition of such a policy
>>>> mechanism
>>>> is beyond the scope this specification, but can be defined by
>>>> implementers
>>>> to allow access to all or parts of the signature documents, or deny any
>>>> such
>>>> access. An exception is if a user agent that implements this
>>>> specification
>>>> also implements the optional [Widgets-DigSig] specification, in which
>>>> case
>>>> the user agent must make digital signature documents available only to
>>>> the
>>>> implementation of the [Widgets-DigSig] specification; a user agent must
>>>> not
>>>> make the digital signatures accessible to scripting or other content
>>>> loading
>>>> mechanisms, unless explicitly enabled by an access control mechanism.
>>>> ]]
>>>>
>>>> It think we should move it out of P&C into the API spec or some other
>>>> spec.
>>>
>>> Why?
>>
>> Oh yeah, explaining why would help:) Like with the UI product from the
>> prev email, this UA does not execute or deal with scripts. It only
>> deals with processing config.xml and zip files. It should not behave
>> as a policy enforcement point.
>
> I think this requirement isn't appropriate for what we should consider a
> strict P+C UA. As such, this bug could be addressed in a number of ways
> including making the text non-normative, removing the text from the spec,
> etc.
>
> The text could also be included in a document that describes or defines a
> Widget [runtime] User Agent.
>

I've requested that Robin add this text to the Widget URI spec. I
think this text should live there for now, until we see if we have
enough requirements to make a Widget UA spec.



-- 
Marcos Caceres
http://datadriven.com.au

Received on Sunday, 30 August 2009 16:55:29 UTC