W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

RE: [WARP] Comments to WARP spec

From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
Date: Wed, 18 Nov 2009 05:31:11 -0800
Message-ID: <8080D5B5C113E940BA8A461A91BFFFCD0FC53B4F@BD01MSXMB015.US.Cingular.Net>
To: "Robin Berjon" <robin@berjon.com>
Cc: "Marcos Caceres" <marcosc@opera.com>, "WebApps WG" <public-webapps@w3.org>
In this case, it is definitely better late than never. And months is really not that long for a feature to undergo initial scrutiny (especially over summer), and further scrutiny for consistency within the broader set of specifications.

I think the statement that "the default is defined by the security policy of the host language" is good, or more specifically "the default security policy is defined by the specifications governing processing of the widget content".

Best regards,
Bryan Sullivan | AT&T
-----Original Message-----
From: Robin Berjon [mailto:robin@berjon.com] 
Sent: Wednesday, November 18, 2009 4:00 AM
To: SULLIVAN, BRYAN L (ATTCINW)
Cc: Marcos Caceres; WebApps WG
Subject: Re: [WARP] Comments to WARP spec

On Nov 9, 2009, at 20:22 , SULLIVAN, BRYAN L (ATTCINW) wrote:
> (1) we need to be specific about which API's / resource types are affected by inclusion (or exclusion) of domains in <access> (and keep this equivalent to HTML5)

We're very specific: it's a blanket exclusion. Now I can be sensitive to an argument indicating that the default is defined by the security policy of the host language, in which case we need to also clarify which default to pick when there are several (HTML for instance has different origin rules for file:// and http://). My primary objection is that it's pretty late to have this discussion, the restriction has been there for months.

-- 
Robin Berjon - http://berjon.com/
Received on Wednesday, 18 November 2009 13:31:57 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT