- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 21 Mar 2006 00:57:30 -0800
- To: Jim Ley <jim@jibbering.com>
- Cc: Web APIs WG <public-webapi@w3.org>
>> This is not required and an implementation is free to ignore this
>> section.
>
> Such a phrase and then subsequent MUSTs is confusing.

Yeah, a 'must' snuck in there; I tried to stay away from it. That should be replaced by something else. However, I was not aiming to use RFC 2119 keywords, but rather plain English. Can we say that this section of the spec does not use them? Is it enough to say that the section is informative rather than normative?

> I don't see the point in listing the problems at all, all implementors
> know them, and an exhaustive list would be prohibitive, and a selective
> list pointless, just say "limiting stuff for security reasons doesn't
> break conformance, enjoy."

I think the idea was to give some suggestions for implementations to keep in mind. It's not as simple as "all implementors know them". All implementations had the classic redirect flaw, for example, even though they all were aware of same-origin policies; it's probably fair to assume that future new implementations might too.

I do agree that we do not want to give an exhaustive list of features that should be limited; I was not trying to do that. But I think we should give good pointers to things that might be easy to miss. I'm absolutely open to suggestions, but I think your sentence above is too little information.

/ Jonas
Received on Tuesday, 21 March 2006 08:57:29 UTC