W3C home > Mailing lists > Public > public-appformats@w3.org > March 2008

RE: What is Microsoft's intent with XDR vis--vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Wed, 26 Mar 2008 14:28:38 -0700
To: Ian Hickson <ian@hixie.ch>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
CC: Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B7483102C681B6A1@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

Adding my team back on the thread...

-----Original Message-----
From: public-webapi-request@w3.org [mailto:public-webapi-request@w3.org] On Behalf Of Ian Hickson
Sent: Wednesday, March 26, 2008 2:22 PM
To: Web API WG (public); public-appformats@w3.org
Subject: RE: What is Microsoft's intent with XDR vis--vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

On Wed, 26 Mar 2008, Sunava Dutta wrote:
> IE would like to propose XDR as a new (Rec-track) spec for the Web API
> WG. We think there is a place for both implementations within the
> charter of the Web API.

I think it would be very bad for the Web platform for there to be multiple
ways to achieve this. We need to keep the platform simple, making it more
complicated like this for no extra benefit merely acts as a "divide and
conquer" strategy for proprietary platforms.

> - XDR is provably secure and does not introduce new surface area of
> attack compared to HTML Forms.

This is blatently untrue, a number of serious security problems with XDR
have already been raised (such as the fact that it encourages content-type
sniffing, and the fact that it encourages people to pass their credentials
to untrusted third parties).

> - It's really simple to program against.

IMHO keeping the existing XHR API is far simpler than introducing a
slightly different API that solves nearly the same problem.

> - It accommodates several scenarios around public data aggregation.

It fails to address the majority of use cases for cross-domain data
transfer on the Web.

> - There may be a place for an access control model today, especially
> around RESTful services. The model is extensible and powerful however
> for the draft itself it will need more design thought to build a secure
> implementation.

I disagree, I think XHR and Access Control have been shown to be just as
secure as XDR, possibly more so since they don't require bad security
practices like XDR does.

I strongly object to the Web API working group adopting a proprietary
solution developed by one vendor with no external consultation, when the
group has already spent several man-years' worth of time on a
technologically superior, safer, and more comprehensive solution that has
as much implementation experience and significantly more authoring
experience, based on extending existing APIs instead of arbitarily
introducing new, incompatible APIs.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 March 2008 21:30:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:22 UTC