Using XACML profile to describe two current browser policies

Hi,

In an effort to better grasp the current proposal for the so-called
XACML profile, I've tried to describe current browsers policies for:
* the same origin policies as defined in HTML5,
http://dev.w3.org/html5/spec/origin-0.html#origin-0
* what I know of the current implementations of the geolocation API
behaviors

The resulting policies are attached; they validate against the relaxng
schema, but I'm not sure at all they really say what I wanted them to
say :) They come with comments that highlights the limitations of the
XACML profile to properly describe these policies.

The high-level summary seems to be that the declarative approach that
the XACML profile is defining will have a very hard time matching the
intricacies of actual deployed policies in browsers.

Even with adding some missing modifier functions (origin, port seem
rather important ones), dealing with time/repetition-based
considerations, or with the type of events/markups that triggered an API
call is going to be extremely painful in a declarative approach, and
require a very extensive vocabulary. And that's only to deal with two
existing cases; I'm not sure if I would be able to describe what we have
defined for the Contacts API with the current framework.

Maybe the complex policies don't apply as much to widgets (although I
think it's more that we have less experience with deploying widgets),
but given that widgets can include/load Web content, I don't think we
can really escape the Web-related aspects.

Dom

Received on Wednesday, 23 June 2010 07:06:20 UTC