- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 19 Nov 2007 23:28:32 +0100
- To: "Ian Hickson" <ian@hixie.ch>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Thanks a lot Ian! A few questions below. On Wed, 14 Nov 2007 20:14:03 +0100, Ian Hickson <ian@hixie.ch> wrote: > On Wed, 14 Nov 2007, Anne van Kesteren wrote: >> http://dev.w3.org/2006/waf/access-control/ > > 1.1 has an example that reads: > > Access-Control: <hello-world.invalid> > > ...which seems invalid. Fixed. > "case-insensitive match" is defined poorly. If it is intended to _only_ > be about swapping a-z for A-Z, it should say so explicitly, not in > parenthesis. If it is about full Unicode mapping, then it should be > stated appropriately and the a-z part should be removed. Also, generally > it is > better to lowercase and compare than uppercase and compare, since in full > Unicode cases the lowercase versions are more canonical iirc. Fixed. > The algorithm to "obtain the values from a space-separated list" mixes > its tenses. It starts in the simple present ("must replace"), and then > switches to the present progressive ("dropping ... and then chopping"). > The way it is phrased doesn't technically define how you obtain values, > it defines how you replace characters, which for some reason involves > chopping the string. Any idea how you're going to change http://www.w3.org/TR/2007/CR-xbl-20070316/#attributes0 as that's pretty much what text I'm reusing. > 2.1 Access Item: "When the access item is used as part of the > Access-Control HTTP header authors must specify the result of applying > the ToASCII algorithm to the internationalized domain name as HTTP does > not > support Unicode." still doesn't make sense to me. The requirement is that > the author provide a purely ASCII domain name, not that they take an IDN > and apply ToASCII, IMHO. Fixed. > 2.1 Access Item: Example "http://example.org:*" is said to be invalid but > as far as I can tell it is valid. Fixed. > Why is the "*." bit redundant in the domain part? How do I make sure > something matches "livejournal.com" but not "ianhickson.livejournal.com"? allow <livejournal.com> exclude <ianhickson.livejournal.com> or more generic allow <livejournal.com> exclude <*.livejournal.com> > There are numerous hosts where the subdomain space isn't trusted but > where the hostname itself is secure, and "example.com" doesn't at all > convey > that all subdomains are also trusted. I think we should require > "*.example.com" to indicate that subdomains are trusted. Writing allow <example.com> <*.example.com> was expected to be the general case and therefore we previously decided to go for allow <example.com> to address that case. I'm not really comfortable with revisiting that once again. > It actually seems that even in the spec there is confusion about this, > for example there is this example: > > Access-Control: allow <example.org> <*.example.org> Examples are not always updated when the normative text does unfortunately. Fixed now. > 2.4. Referer-Root (sic) HTTP header: Do we need to continue misspelling > this? It seems more consistent with the existing header. > 3.1. Cross-site Access Request: "followed by the port (defaulting to the > default port for the scheme) of the resource" -- it makes no sense to > default the port in this case, since the resource had to have a port for > the request to have been made in the first place. Fixed. > 3.1. Cross-site Access Request: "of the resource from which the request > originated" -- is this true? Isn't it of the resource that the calling > spec wants used as the origin? e.g. in XHR I would imagine that the > actual URI used would be the origin, which (e.g. in the case of data: > URIs) might not match the resource's own URI at all. The next paragraph > seems to agree with me. Fixed. > 3.1. Cross-site Access Request: Does the referrer root URI include the > port even if it is the default port? That's what the definition says, no? > 3.1. Cross-site Access Request: what does "Specifications are strongly > encouraged to define this in equivalent ways." mean? I reworded this. The intention is that specifications base it on the same "source" as much as possible. > 3.1. Cross-site Access Request: "As this algorithm is used by other > specifications, those specifications must ensure to handle all return > values. Specifications may ignore "reason" if "error" is "true"." -- this > paragraph makes no sense at this point. What algorithm? What return > values? What are "reason" and "error"? I recommend, before this > paragraph, giving an overview of what the algorithms can return. Done. > 3.1.1. Generic Cross-site Access Request Algorithms: "are same-origin" is > not defined yet. Defined. > 3.1.1. Generic Cross-site Access Request Algorithms: It's not clear which > algorithm "this algorithm" is. The "Generic Cross-site Access Request > Algorithms"? The "generic redirect steps"? Reworded. > 3.1.1. Generic Cross-site Access Request Algorithms: What does > "transparently follow the redirect while observing the set of request > rules" mean? It somehow needs to point back to the algorithm that invoked it where there is a list of "request rules" which define what to do in case of a network error, redirect, etc. > Tuples are denoted (like, this) not "like, this". (e.g. in 3.1.1. Generic > Cross-site Access Request Algorithms.) Fixed. > In fact in general you seem to > overuse quote marks -- I recommend only using them for strings, quotes, > euphemisms, and sarcasm, not for variables and literals. If you have suggestions for what to use instead that would be welcome. I'm often wondering what would be best to use in a particlar case. > 3.1.2. Cross-site GET Access Request: "Perform an access check" isn't > defined yet nor hyperlinked. Same applies in "3.1.3. Cross-site Non-GET > Access Request". Fixed. > 3.1.2. Cross-site GET Access Request: Why do you invent "current request > URI"? It's just given the value of "request URI" and seems to only be > used once, so why not just use "request URI"? The idea is that "current request URI" is updated during a redirect and "request URI" always points to the initial starting point. I suppose we could just update "request URI" along the way. I wasn't sure if that would be confusing or not. > I'm assuming this is related to > the "macro" steps in "3.1.1. Generic Cross-site Access Request > Algorithms", but it isn't clear to me how this all works. For example, > those refer to "origin" but I don't know what origin that is. That's defined at the start of the algorithm that invokes it. It's the referrer root URI. > 3.1.3. Cross-site Non-GET Access Request: The first paragraph has the > MUST for the list of steps, but the second paragraph confuses matters by > being > "in the way". Reordered. > 3.1.3. Cross-site Non-GET Access Request: What is the "target URI"? Typo I think. I can no longer find it. Probably should've been request URI. > 3.1.3. Cross-site Non-GET Access Request: Again with the mention of > "origin" -- whose origin? Where does it come from? It doesn't seem to be > any of the arguments passed from the other spec. It is defined at the start of the algorithm, no? "Let origin be the referrer root URI." > "If there is a Method-Check-Expires HTTP response headers that can be > successfully parsed it must be honered." misspells "honored", but in any > case it doesn't define what honoring it means. It should probably say > instead that the entry must be removed once the current time exceeds the > time specified by the header, or some such. Tried a fix. > I assume how to parse the header is defined somewhere? It's no better defined than the HTTP-date production (also used in the Expires header). I'm afraid to look into that. > 3.2. Access Control Check: "The second subsection of this section" is > confusing. I couldn't tell if "this section" was section 3 or section > 3.2, and whethe the second subsection was 3.2, or 3.2.2. I'd just remove > paragraphs that tell you what you're about to read, frankly. Ok. > The way you have the "temp method list" defined, you don't cache as > much as you should. Consider a resource with the following: > > <?access-control allow="example.com" method="POST"?> > <?access-control allow="example.com" method="PUT"?> > <?access-control allow="example.com" method="DELETE"?> > > Now imagine you do a POST followed by a PUT, followed by another POST. > Ideally, we should send a single GET, and then the POST, and then the > PUT, and then the final POST, because we know the PUT will succeed. > However, > instead, we will send a GET, a POST, another GET, a PUT, and then a POST. Actually, the idea *was* that the PUT would simply not be allowed. Error flag to "fail" and "detail" to "network". I guess we should revisit that. See below. > I believe we should cache all the methods that are allowed, not just the > methods of the access-control item that was matched. Ok, so the idea is to keep "looping" and adding methods to the list when it's ok? > Incidentally, you should mention whether the authorization request cache > can have multiple items with the same key. (It seems that it can.) The idea is that you can't. When would this be possible? > The rules for processing access-control PIs will drop any PI with a > method="" pseudo-attribute at the moment. In fact the pseudo-attribute is > generally not supported by the algorithm as far as I can tell. Fixed. > The rules for processing access-control PIs look like they won't drop PIs > with multiple pseudo-attributes of the same name other than exclude="". > e.g. <?access-control allow="example.com" allow="example.com"?> doesn't > get dropped by the current rules. Duplicate pseudo-attributes are a parse error per the <?xml-stylesheet?> specification. > 3.3. Access Item Check, step 1: This line is confusing. You are letting > the algorithm's parameters be overwritten by undefined variables. I think > you mean "let origin be..." and "let item be..." not the other way > around. Fixed. > 3.3. Access Item Check, step 6: how can "origin" not have a scheme? Fixed. Kind regards, -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Monday, 19 November 2007 22:28:30 UTC