W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [WARP] Comments to WARP spec

From: Marcos Caceres <marcosc@opera.com>
Date: Fri, 6 Nov 2009 17:19:54 +0100
Message-ID: <b21a10670911060819h7eb10962j3cc788e7453d0d79@mail.gmail.com>
To: "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>
Cc: WebApps WG <public-webapps@w3.org>
2009/11/2 SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>:
> Here are the comments I had to the WARP spec in the Webapps/DAP joint
> meeting:
>
> 1) Does "*" grant/require either HTTP or HTTPS as schemes? It would be
> better to allow "https://*/" or "http://*/" distinctly since some
> applications may not be allowed by policy to access specific sources
> using non-secure HTTP, e.g. an e-commerce-enabled application. It would
> thus not be possible to include both "http://*/" (for generic content)
> and also limit access to the e-commerce sensitive sites via HTTPS.
>
> 2) Re "A user agent enforces an access request policy. In the default
> policy, a user agent must deny access to network resources  external to
> the widget by default, whether this access is requested through APIs
> (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img).".
> Note that content that is typically not executable, e.g. img sources,
> this limitation on access to linked resources is significant, and will
> require e.g. for mashup applications that all content and references are
> pre-retrieved (or reference URI's re-written at least, to be proxied
> upon request) by the web application server (or set of servers as
> represented by the access list). It would be good to consider a way for
> the webapp to allow for certain types of content reference methods to be
> allowed from a wider set of sources, while preserving restrictions on
> others, e.g.:
>
> <access origin="http://trustedsite.com" "tag=script"/>
> <access origin="*" "tag=img"/>

The "tag" attribute assumes HTML is the language being used. But there
is no relationship between packaging and the content type of the start
file. Cute idea thought :)

-- 
Marcos Caceres
http://datadriven.com.au
Received on Friday, 6 November 2009 16:20:30 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT