- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 04 Aug 2006 16:07:44 -0400
- To: public-appformats@w3.org
I think I identified some new issues that probably need to be looked at as well. * Do we need to say anything on when UAs have to check the access control mechanisms (HTTP header and XML processing instruction)? For example, for a typical safe request (same-domain) would the UA still verify with the access control mechanism that it can indeed request the resource? * Error handling. This consists of two separate issues. - Currently it is not defined what happens when someone uses a pseudo-attribute not defined to be valid in the processing instruction. - Currently it is not defined what happens when someone uses invalid syntax inside one of the psuedo-attributes. We could either directly put the resource in default access state or even access denied state (to be sure) or just say the particular attribute is to be ignored or the whole processing instruction is to be ignored. One reason for putting the resource into the access denied state is that I might want to ban domain A explicitly, but typed AA. * For ease of authoring I think we should allow whitespace at the start and end of the pseudo-attribute values as well. For the HTTP header we should not allow new lines there by the way, but I assume that's clear... -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Friday, 4 August 2006 20:14:19 UTC