W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

[WARP] Comments to WARP spec

From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
Date: Mon, 2 Nov 2009 17:39:50 -0800
Message-ID: <8080D5B5C113E940BA8A461A91BFFFCD0FA1E8DD@BD01MSXMB015.US.Cingular.Net>
To: "WebApps WG" <public-webapps@w3.org>
Here are the comments I had to the WARP spec in the Webapps/DAP joint
meeting:

1) Does "*" grant/require either HTTP or HTTPS as schemes? It would be
better to allow "https://*/" or "http://*/" distinctly since some
applications may not be allowed by policy to access specific sources
using non-secure HTTP, e.g. an e-commerce-enabled application. It would
thus not be possible to include both "http://*/" (for generic content)
and also limit access to the e-commerce sensitive sites via HTTPS.
 
2) Re "A user agent enforces an access request policy. In the default
policy, a user agent must deny access to network resources  external to
the widget by default, whether this access is requested through APIs
(e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img).".
Note that content that is typically not executable, e.g. img sources,
this limitation on access to linked resources is significant, and will
require e.g. for mashup applications that all content and references are
pre-retrieved (or reference URI's re-written at least, to be proxied
upon request) by the web application server (or set of servers as
represented by the access list). It would be good to consider a way for
the webapp to allow for certain types of content reference methods to be
allowed from a wider set of sources, while preserving restrictions on
others, e.g.:

<access origin="http://trustedsite.com" "tag=script"/>
<access origin="*" "tag=img"/>

Best regards,
Bryan Sullivan | AT&T
Received on Tuesday, 3 November 2009 01:40:34 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT