
RE: [public-webapps] Comment on Widget URI (1)

From: Larry Masinter <masinter@adobe.com>
Date: Mon, 7 Dec 2009 10:59:13 -0800
To: Robin Berjon <robin@berjon.com>
CC: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <C68CB012D9182D408CED7B884F441D4D0B0755@nambxv01a.corp.adobe.com>

Sorry I missed the messages earlier...

If the purpose of the authority and query components is that they are
supposed to be processed by scripts in pages that use widget URIs,
then the specification should say so. Opaque fields with no semantics
and no identified purpose are not "well-defined", in my opinion.

There is some reasonable risk that implementors will take what
is currently defined as "opaque" in the authority field and use
it for cross-widget references. Without clear definition of these
semantics, to merely leave it as "out of scope" introduces a
security risk.

If implementations MUST completely ignore the authority field
and MUST treat any reference as if it ONLY applied to the local
widget, then that would address the security concern.

Larry
--
http://larry.masinter.net


-----Original Message-----
From: Robin Berjon [mailto:robin@berjon.com] 
Sent: Thursday, November 19, 2009 6:13 AM
To: Larry Masinter
Cc: public-webapps@w3.org
Subject: Re: [public-webapps] Comment on Widget URI (1)

Dear Larry,

thank you for your comments.

On Oct 10, 2009, at 19:44 , Larry Masinter wrote:
> 1) ** WELL DEFINED QUERY AND AUTHORITY **
> http://www.w3.org/TR/webarch/#URI-scheme points to RFC 2617, which has been
> replaced by RFC 4395. I think WebArch should be updated to recommend that
> W3C recommendations must use "permanent" schemes and not "provisional" ones.

Does this apply in any way to us?

> RFC 4395 requires that permanent scheme definitions be "Well-defined". Leaving in syntactic components and declaring them "out of scope" is leaving them undefined.

The only parts the semantics of which were flagged as "outside the scope" were fragment and query - this section has been removed.

> Suggestion: Remove 'authority' from the syntax, and any sections that
>  refer to them; disallow query components
> Alternate Suggestion: define the meaning of "authority" and query components.

Neither the authority nor the query components are undefined or out of scope. Authority is syntactically defined, and is clearly specified as being devoid of semantics (opaque). Stating that this makes the scheme not "well-defined" is untrue - it is like saying that XML Namespaces aren't well-defined because they are equally opaque.

The query component is equally defined as to its syntax, and its meaning is left to the processor (typically, a script inside an HTML page, but for other resources it could be different). I can't see how this differs from the http scheme.

-- 
Robin Berjon - http://berjon.com/
Received on Monday, 7 December 2009 19:00:00 GMT
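
Added example, not part of the thread or of any widget specification: a small model of the two behaviours discussed above, one resolver that gives the authority a cross-widget meaning and one that ignores it and resolves every reference against the calling widget only. The widget ids, file names, the `installed` store and both function names are constructed for illustration, and the `widget://authority/path?query` shape is assumed from the discussion.

```javascript
// Constructed model of a widget runtime: widget id -> (package path -> content).
const installed = new Map([
  ["widget-a", new Map([["/index.html", "A home"],
                        ["/data/settings.json", "A settings"]])],
  ["widget-b", new Map([["/index.html", "B home"],
                        ["/data/settings.json", "B secrets"]])],
]);

// Parse with the standard URL class and reject anything that is not widget:.
function parseWidgetUri(uri) {
  const u = new URL(uri);
  if (u.protocol !== "widget:") throw new Error("not a widget URI: " + uri);
  return u;
}

// Risky behaviour: the "opaque" authority is given a meaning (which installed
// widget to read from), so one widget can address another widget's files.
function resolveUsingAuthority(callingWidget, uri) {
  const u = parseWidgetUri(uri);
  const pkg = installed.get(u.hostname) || installed.get(callingWidget);
  if (!pkg) throw new Error("unknown widget");
  return pkg.has(u.pathname) ? pkg.get(u.pathname) : null;
}

// Local-only behaviour: the authority is parsed but never consulted; the
// package is chosen solely by which widget made the reference.
function resolveLocalOnly(callingWidget, uri) {
  const u = parseWidgetUri(uri);
  const pkg = installed.get(callingWidget);
  if (!pkg) throw new Error("unknown calling widget");
  // The query is left to the loaded resource; it does not select the file.
  return pkg.has(u.pathname) ? pkg.get(u.pathname) : null;
}

// Same reference, made by widget-a, under both behaviours.
const ref = "widget://widget-b/data/settings.json";
console.log(resolveUsingAuthority("widget-a", ref)); // crosses into widget-b
console.log(resolveLocalOnly("widget-a", ref));      // stays inside widget-a
```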
