- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 26 Mar 2008 21:21:44 +0000 (UTC)
- To: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
On Wed, 26 Mar 2008, Sunava Dutta wrote: > > IE would like to propose XDR as a new (Rec-track) spec for the Web API > WG. We think there is a place for both implementations within the > charter of the Web API. I think it would be very bad for the Web platform for there to be multiple ways to achieve this. We need to keep the platform simple, making it more complicated like this for no extra benefit merely acts as a "divide and conquer" strategy for proprietary platforms. > - XDR is provably secure and does not introduce new surface area of > attack compared to HTML Forms. This is blatently untrue, a number of serious security problems with XDR have already been raised (such as the fact that it encourages content-type sniffing, and the fact that it encourages people to pass their credentials to untrusted third parties). > - It's really simple to program against. IMHO keeping the existing XHR API is far simpler than introducing a slightly different API that solves nearly the same problem. > - It accommodates several scenarios around public data aggregation. It fails to address the majority of use cases for cross-domain data transfer on the Web. > - There may be a place for an access control model today, especially > around RESTful services. The model is extensible and powerful however > for the draft itself it will need more design thought to build a secure > implementation. I disagree, I think XHR and Access Control have been shown to be just as secure as XDR, possibly more so since they don't require bad security practices like XDR does. I strongly object to the Web API working group adopting a proprietary solution developed by one vendor with no external consultation, when the group has already spent several man-years' worth of time on a technologically superior, safer, and more comprehensive solution that has as much implementation experience and significantly more authoring experience, based on extending existing APIs instead of arbitarily introducing new, incompatible APIs. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 March 2008 21:22:26 UTC