W3C home > Mailing lists > Public > www-forms@w3.org > August 2004

RE: XForms - Secure or Insecure?

From: Mark Birbeck <mark.birbeck@x-port.net>
Date: Wed, 25 Aug 2004 19:34:48 +0100
To: "'Thompson, Bryan B.'" <BRYAN.B.THOMPSON@saic.com>
Cc: <www-forms@w3.org>
Message-ID: <004501c48ad2$33790170$6f01a8c0@W100>

Bryan,

> Care to expand on your xforms / Atom project?  This is 
> something that I have also been working on.

Good news - perhaps we should find a way of sharing work. Open source
XForms-based Atom editor, anyone?

> One of my goals 
> is to recommend some XForms 1.1 requirements based on this 
> effort.  As it stands, I find that I need to extend XForms in 
> a few ways.  E.g., support for DELETE, but also support for 
> Location headers.

That's definitely worth doing. The ones I've spotted so far, are:

* as you say, specifying any header you want is fundamental - it's needed
for SOAP 1.0 (but not 1.1), WebDAV and the security headers in Atom;

* you also need to be able to control the method (WebDAV and Atom, for
example);

* you need to be able to submit to a URL that comes from the instance data,
and not hard-coded in the form. Atom needs this (as I'm sure you know), but
so do the SOAP interfaces to ASP services like Salesforce.com (they get you
to log on, and then pass you back a URL to navigate to once you are
authenticated).

We've actually added all of these features to formsPlayer, but we've done it
for now via the xf:extension element under xf:submission. Once the spec
supports them, then we'll just use whatever syntax is finally decided on. It
shouldn't mean much of a change to any forms, since the features will be the
same.

Regards,

Mark


Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/

Download our XForms processor from
http://www.formsPlayer.com/

> -----Original Message-----
> From: www-forms-request@w3.org 
> [mailto:www-forms-request@w3.org] On Behalf Of Thompson, Bryan B.
> Sent: 25 August 2004 18:56
> To: 'Mark Birbeck '; 'www-forms-request@w3.org '; 'www-forms@w3.org '
> Subject: RE: XForms - Secure or Insecure?
> 
> 
> 
> Mark,
> 
> 
> -bryan
> 
> -----Original Message-----
> From: www-forms-request@w3.org
> To: www-forms@w3.org
> Sent: 8/25/2004 1:26 PM
> Subject: Re: XForms - Secure or Insecure?
> 
> 
> Aaron,
> 
> We obviously have very different concepts of what web services are!
> 
> I would have thought that just about all web services that 
> you refer to would be in "domains different to the one where 
> the page was downloaded". As it happens, that's what makes it 
> so exciting - in one form we can search both Google and 
> Amazon for the same word; in one form we can find a zip code 
> from an address, and then use that zip code to find weather 
> and traffic reports; in one form I can monitory umpteen news 
> feeds or RSS logs, or even manage my Atom-powered blog 
> (coming soon ;)).
> 
> In other words, far from causing a problem, XForms makes 
> these new-fangled web services accessible. Let's face it, 
> despite being around for years web services are pretty much 
> unusable by anyone outside of a corporate IT department.
> 
> Regards,
> 
> Mark
> 
> 
> Mark Birbeck
> CEO
> x-port.net Ltd.
> 
> e: Mark.Birbeck@x-port.net
> t: +44 (0) 20 7689 9232
> w: http://www.formsPlayer.com/
> 
> Download our XForms processor from
> http://www.formsPlayer.com/
> 
> > -----Original Message-----
> > From: www-forms-request@w3.org [mailto:www-forms-request@w3.org] On 
> > Behalf Of Aaron Reed
> > Sent: 24 August 2004 21:50
> > To: www-forms@w3.org
> > Subject: XForms - Secure or Insecure?
> > 
> > 
> > 
> > I also have a question about XForms security.  For example, the 
> > formsPlayer example at: 
> > http://www.formsplayer.com/community/samples/google-search.html.
> > 
> > Running this example in a browser should raise eyebrows. Submitting 
> > SOAP to domains DIFFERENT from the one where the page was downloaded
> > and REPLACING content in the current page so that the user 
> > doesn't have any kind of cue that something just happened 
> > seems like the kind of power for a form that we don't want to 
> > encourage (in a browser context, at least).  Is this 
> > something that is going to be addressed in the 1.1 spec when 
> > the SOAP stuff goes in?
> > 
> > --Aaron
> > 
> > 
> > 
> 
> 
Received on Wednesday, 25 August 2004 18:34:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 March 2012 06:21:58 GMT