- From: Robin Berjon <robin@berjon.com>
- Date: Tue, 15 Dec 2009 14:54:54 +0100
- To: Larry Masinter <masinter@adobe.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Hi Larry, On Dec 7, 2009, at 19:59 , Larry Masinter wrote: > If the purpose of the authority and query components is that they are > supposed to be processed by scripts in pages that use widget URIs, > then the specification should say so. Opaque fields with no semantics > and no identified purpose are not "well-defined", in my opinion. > > There is some reasonable risk that implementors will take what > is currently defined as "opaque" in the authority field and use > it for cross-widget references. Without clear definition of these > semantics, to merely leave it as "out of scope" introduces a > security risk. > > If implementations MUST completely ignore the authority field > and MUST treat any reference as if it ONLY applied to the local > widget, then that would address the security concern. The intent is that they are reserved for future use (and therefore that implementers doing anything with them now do so at the risk of being railroaded later). Would making this clearer address your concerns? -- Robin Berjon - http://berjon.com/
Received on Tuesday, 15 December 2009 13:55:26 UTC