
Re: Applying inheritance rule to xml:base, was Re: FINAL minutes for the XML

From: Daniel Veillard <daniel@veillard.com>
Date: Mon, 6 Mar 2006 17:46:19 +0100
To: John Boyer <boyerj@ca.ibm.com>
Cc: daniel@veillard.com, "Henry S. Thompson" <ht@inf.ed.ac.uk>, public-xml-core-wg@w3.org, public-xml-core-wg-request@w3.org
Message-ID: <20060306164619.GD8294@daniel.veillard.com>

On Mon, Mar 06, 2006 at 07:58:18AM -0800, John Boyer wrote:
> But again, it's not a security problem that arises *because* of the
> inheritance rule.
> It is an orthogonal security problem, and an extreme edge case, that
> authors could experience if they *express* an xml:base (non-inherited)
> on a node *and* it is orphaned by a filter *and* the xml:base contains
> a relative URI.
>
> While the inheritance rule has nothing to do with addressing this
> problem (whether it should be addressed notwithstanding), the
> inheritance rule does remove a certain number of other security
> issues, so there is certainly no harm in retaining it.

  Copying the xml:base when we know it's likely to break should then not
be done; I think it's better to let the user fully handle the case
than handle it half way leading to deceiving expectations.
  I really don't think xml:base should be copied by default processing
of c14n if we don't do it in a semantically correct way.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | 
Received on Monday, 6 March 2006 16:48:51 GMT
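
The edge case discussed in this message, as an added example that is not part of the original thread and is not code from any c14n implementation: a node with a relative xml:base is kept by a filter while its ancestors are dropped, so the same href resolves to a different URI. The sample document, the URLs and the helper names (`resolve_href`, `orphaned_relative_bases`) are constructed for illustration, and the filter is modelled simply as a set of kept elements whose own xml:base attributes are copied verbatim.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XML_BASE = "{http://www.w3.org/XML/1998/namespace}base"

# Constructed sample: nested xml:base values, the inner two relative.
DOC = ET.fromstring(
    '<doc xml:base="http://example.org/signed/">'
    '<section xml:base="reports/">'
    '<item xml:base="2006/" href="minutes.xml"/>'
    '</section></doc>'
)
PARENT = {child: parent for parent in DOC.iter() for child in parent}

def ancestors_or_self(el):
    """Chain from the document element down to el."""
    chain = [el]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain[::-1]

def resolve_href(el, context_base, kept=None):
    """Resolve el's href against the xml:base values a consumer can see.

    kept=None models the full document; otherwise only elements in `kept`
    survive the filter and each keeps its own xml:base attribute verbatim.
    """
    base = context_base
    for node in ancestors_or_self(el):
        if (kept is None or node in kept) and node.get(XML_BASE) is not None:
            base = urljoin(base, node.get(XML_BASE))
    return urljoin(base, el.get("href"))

def orphaned_relative_bases(kept):
    """Kept elements whose parent was filtered out and whose xml:base is relative."""
    return [
        el for el in kept
        if el in PARENT and PARENT[el] not in kept
        and el.get(XML_BASE) is not None
        and not urlsplit(el.get(XML_BASE)).scheme
    ]

ITEM = DOC.find("section/item")
SECTION = DOC.find("section")
```

Running `orphaned_relative_bases` over a node-set before canonicalizing it identifies the nodes whose copied xml:base would no longer mean what the author wrote.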
