- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 29 Sep 2005 21:47:13 +0200
- To: Jim Whitehead <ejw@soe.ucsc.edu>
- CC: WebDav <w3c-dist-auth@w3.org>
OK,
I have updated
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-latest.html>,
shamelessly stealing text from JimW's suggestions.
The abstract now says:
Abstract
In current Web browsers, there is no uniform way to specify that a
user clicking on a link will be presented with an editable view of a
WebDAV server. For example, it is frequently desirable to be able to
click on a link, and have this link open a window that can handle
drag and drop interaction with the resources of a WebDAV server.
This document specifies a mechanism and a document format that
enables Web Distributed Authoring and Versioning (WebDAV) servers to
send "mounting" information to a WebDAV client. The protocol is
designed to work on any platform and with any combination of browser
and WebDAV client, relying solely on the well-understood dispatch of
documents through their MIME type.
The introduction was expanded to say:
1. Introduction
By definition, a WebDAV server ([RFC2518]) is an HTTP server as well
([RFC2616]). Most WebDAV servers can be (at least partly) operated
from an HTML-based user interface in a web browser. However, it is
frequently desirable to be able to switch from an HTML-based view to
a presentation provided by a native WebDAV client, directly
supporting the authoring features defined in WebDAV and related
specifications.
For example, many educational institutions use WebDAV servers as a
mechanism for sharing documents among students. Each student owns a
separate collection structure on a WebDAV server, often called their
"locker". Ideally, when a user clicks on a link in an HTML page
provided by the university (perhaps by their university Web portal),
an editable view of their locker will appear.
For completeness, Appendix A lists other approaches that have been
implemented in existing clients.
The description of dm:open now forward references the Security
Considerations:
3.3 dm:open
The optional <dm:open> element instructs the client to display the
specified child collection; its URL is computed by concatenating
this element's value with the URL obtained from the <dm:url>
(Section 3.2) element (see Section 7 for a discussion about why this
element only supports displaying collections rather than opening
arbitrary documents).
which in turn now say:
7. Security Considerations
All security considerations connected to HTTP/WebDAV and XML apply
for this specification as well, namely [RFC2518] (Section 17) and
[RFC3470] (Section 7).
In addition, client implementers must be careful when implementing
the <dm:open> element (see Section 3.3). It MUST NOT be used to
initiate any action beyond displaying the contents of a WebDAV
collection (supporting "opening" documents could be abused to trick a
user into letting the operating system's shell execute arbitrary
content, possibly running it as an executable program).
Feedback appreciated,
Julian
Received on Thursday, 29 September 2005 19:47:27 UTC
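As an added example (not code from the draft or from any WebDAV client), the following Python sketch shows what the Section 3.3 rule and the Section 7 caveat look like on the client side: it parses a dm:mount document, appends the dm:open value to the dm:url value as the text describes, and refuses to derive any action other than listing a descendant collection. The namespace URI, the server name dav.example.edu, and the "must stay inside dm:url" checks are assumptions of this example, not text from the message.

```python
"""Client-side handling of dm:url / dm:open (added example).

Assumptions not stated in the message: the namespace URI for the dm:
prefix, and the extra rule that dm:open may only name a descendant
collection of dm:url.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

DM_NS = "http://purl.org/NET/webdav/mount"  # assumed namespace URI

# One path segment: no "/", and no "?", "#" or "\" (query, fragment or
# an alternate separator would change what the server resolves).
_SEGMENT = re.compile(r"^[^/?#\\]+$")


class MountError(ValueError):
    """Raised when the mount document must not be acted upon."""


def _dm(name: str) -> str:
    return "{%s}%s" % (DM_NS, name)


def parse_mount(doc: bytes) -> Tuple[str, Optional[str]]:
    """Return (dm:url value, dm:open value or None) from a dm:mount document."""
    root = ET.fromstring(doc)  # expat does not expand external entities
    if root.tag != _dm("mount"):
        raise MountError("root element is not dm:mount")
    url_el = root.find(_dm("url"))
    url = (url_el.text or "").strip() if url_el is not None else ""
    if not url:
        raise MountError("dm:url missing or empty")
    open_el = root.find(_dm("open"))
    open_val = (open_el.text or "").strip() if open_el is not None else ""
    return url, (open_val or None)


def collection_to_display(doc: bytes) -> str:
    """Compute the collection URL the client may list (Section 3.3).

    dm:open is concatenated onto dm:url as the draft text says; on top of
    that this example only accepts a plain descendant collection path, so
    a document name (Section 7) or a traversal segment is rejected.
    """
    base, open_val = parse_mount(doc)
    parts = urlsplit(base)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise MountError("dm:url must be an absolute http(s) URL")
    if not parts.path.endswith("/") or parts.query or parts.fragment:
        raise MountError("dm:url must name a collection")
    if open_val is None:
        return base
    if not open_val.endswith("/"):
        # "jane/setup.exe" is a document to open, not a collection to list:
        # exactly the case Section 7 says a client MUST NOT act on.
        raise MountError("dm:open must name a collection, not a document")
    for seg in open_val[:-1].split("/"):
        decoded = unquote(seg)
        if seg in ("", ".", "..") or not _SEGMENT.match(seg):
            raise MountError("bad dm:open segment: %r" % seg)
        if decoded in (".", "..") or "/" in decoded or "\\" in decoded:
            raise MountError("encoded traversal in dm:open: %r" % seg)
    return base + open_val


def client_action(doc: bytes) -> Tuple[str, str]:
    """The only action derived from dm:open: list a collection.

    Returning a verb instead of handing the URL to the platform shell keeps
    the "open arbitrary content" path out of the client entirely.
    """
    return ("list-collection", collection_to_display(doc))


def make_doc(url: str, open_val: Optional[str] = None) -> bytes:
    """Build a constructed dm:mount document for the samples below."""
    open_xml = "  <dm:open>%s</dm:open>\n" % open_val if open_val is not None else ""
    return ('<?xml version="1.0"?>\n<dm:mount xmlns:dm="%s">\n'
            '  <dm:url>%s</dm:url>\n%s</dm:mount>' % (DM_NS, url, open_xml)).encode()


LOCKERS = "http://dav.example.edu/lockers/"  # constructed sample server

if __name__ == "__main__":
    print(client_action(make_doc(LOCKERS, "jane/")))
    for bad in ("jane/setup.exe", "../admin/", "%2e%2e/admin/", "jane?x=1/"):
        try:
            collection_to_display(make_doc(LOCKERS, bad))
        except MountError as exc:
            print("rejected %r: %s" % (bad, exc))
```

The whitelist on the dm:open value is deliberately stricter than "concatenate and go": a client that accepts any string here is trusting the server to pick something harmless, whereas the draft's security considerations put the burden on the client.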