- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 8 Apr 2008 09:59:05 -0700
- To: Marcos Caceres <marcosscaceres@gmail.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On 2008-04-08 16:46:26 +1000, Marcos Caceres wrote: > > Additionally, I don't think the current document says what to do > > with absolute URI references in Reference elements. Are these > > dereferenced? And how do you deal with references to resouces > Ignore anything that points outside: > "Apply the Reference Validation algorithm as defined in [XMLDsig], by > taking each Reference element and exactly matching the value of the > URI attribute to the file name field of a file entry. Validate against > the matched file entry's data field (do not use the decompressed > representation)." Wait a second -- core validation behavior would lead to absolue URI references being dereferenced as far as signature behavior is concerned. If you don't want that to happen, I'd suggest that you explicitly say that absolute URI references are considered an error in this profile. > > that are external to the widget resource from indiivdual elements -- > > e.g., a <script> tag in the main widget element? > This will be addressed by Opera's security input... which should > hopefully be sent to the list today(?). Looking forward to it. -- Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 8 April 2008 17:00:05 UTC