RE: [access-control] Forms WG comments on Access Control WD

Great! Thank you for confirming the assumptions I've made. 
I'm pleased to see you're considering implementation in the Mozilla Firefox user agent.  Once that's underway, would you be willing to help write the guidelines on the basis of that work?  I'll work with the Forms WG to find the right publication avenue (W3C Note, one of our recommendation-track documents, etc.)

Leigh.

-----Original Message-----
From: Jonas Sicking [mailto:jonas@sicking.cc] 
Sent: Wednesday, February 06, 2008 6:20 PM
To: Klotz, Leigh
Cc: Anne van Kesteren; public-appformats@w3.org; Forms WG
Subject: Re: [access-control] Forms WG comments on Access Control WD

Klotz, Leigh wrote:
> Anne,
> 
> We discussed this issue today at the Forms WG F2F meeting, and decided that we would abstain from any comment on the access-control protocol per se; however, we remain interested in enabling the implementation of access-control in XForms user agents.
> 
> While it appears that it would be possible to express the current WD protocol operations (resource GET, header tests, etc.) directly as XForms markup, it would seem to be pointless, as the its raison d'être is user agent enforcement, not optional compliance by authored markup.  

Yes, I think it would in fact only be confusing if XForms markup was 
used to "implement" the spec as it might only lead to a false sense of 
security.

> Therefore, we believe that recommendations to XForms user agent authors are in order.  (We note that the fact that XForms cross-site access is supported by some implementations was discussed at the 2007/11/05 WAF meeting [1].)

Absolutely. It should be fairly easy to integrate the access-control 
implementation in firefox into the firefox XForms extension.

> As noted in Requirement 10 of your current WD, it's likely that no changes to markup XForms markup will be required.  However, the XForms WG or WAF (or both) may choose to issue a note offering guidance to user agent implementers.  

Yup, that was the exact intent. The XForms markup should simply be able 
to point to a different server as target uri.

Best Regards,
Jonas Sicking

Received on Thursday, 7 February 2008 17:29:52 UTC