- From: Charles McCathieNevile <chaals@opera.com>
- Date: Tue, 21 Mar 2006 20:21:32 +0100
- To: "Jonas Sicking" <jonas@sicking.cc>, "Jim Ley" <jim@jibbering.com>
- Cc: "Web APIs WG" <public-webapi@w3.org>
On Tue, 21 Mar 2006 09:57:30 +0100, Jonas Sicking <jonas@sicking.cc> wrote:

>>> This is not required and an implementation is free to ignore this
>>> section.
>
> However I was not aiming to use RFC 2119 keywords though, but rather
> plain English. Can we say that this section of the spec does not use them?
> Is it enough to say that the section is informative rather than
> normative?

I would simply avoid saying must. Make it an example - many user agents do not allow ...

>> I don't see the point in listing the problems at all, all implementors
>> know them, and an exhaustive list would be prohibitive, and a selective
>> list pointless, just say "limiting stuff for security reasons doesn't
>> break conformance, enjoy."
>
> I think the idea was to give some suggestions for implementations to
> keep in mind. It's not as simple as "all implementors know them". All
> implementations had the classic redirect flaw for example, even though
> they all were aware of same-origin policies, it's probably fair to
> assume that future new implementations might too.
>
> I do agree that we do not want to give an exhaustive list though of
> features that should be limited, I was not trying to do that. But I
> think we should give good pointers to things that might be easy to miss.
>
> I'm absolutely open to suggestions, but your sentence above I think is
> too little information.

Agreed. I think we should give a couple of examples, and find references for further information, pointing out clearly that these are a couple of examples, and explaining the various security implications is beyond the scope of this document, which limits itself to "user agents can block what they want for security and we hope they document that better in future..." (or something like that).

cheers

Chaals

--
Charles McCathieNevile chaals@opera.com
hablo español - je parle français - jeg lærer norsk
Peek into the kitchen: http://snapshot.opera.com/
Received on Tuesday, 21 March 2006 19:21:54 UTC