- From: Robin Berjon <robin@berjon.com>
- Date: Sun, 19 Apr 2009 16:15:18 +0200
- To: Scott Wilson <scott.bradley.wilson@gmail.com>
- Cc: public-webapps WG <public-webapps@w3.org>
Hi Scott,

On Apr 16, 2009, at 18:18 , Scott Wilson wrote:

> So far we haven't come across a widget that's needed more than - at
> most - access to a few services, all coded as a single URL or single
> domain. The only exception to the rule are RSS widgets, but these
> are right at the other end of the spectrum, and would need <access
> href="*"/>.

In the current version that's being put into CVS right now the above wildcard would have to be done as:

  <access uri="http://*"/>

or, possibly:

  <access uri="http://*"/>
  <access uri="https://*"/>

The reason for this is that just putting a * means that if the implementation supports other protocols (e.g. ftp, but it could really be anything else) you're really asking for it to be open for anything. This might not be portable (it'll depend on which protocols the platform supports) and it might break all of a sudden (say the platform suddenly adds support for IRC, or file:, but security restrictions say that's forbidden for this widget). I think it's a small cost to pay for the benefits.

> I think the wording here is perhaps phrased in an 'inverted' way:
> <access> provides hints to the UA that it should permit access to
> the specified resource, it's not about restricting access to
> unspecified resources, which would seem to me to be entirely a
> question for the implementation.

Yeah, the wording was the opposite of what I meant :) Fixed now.

--
Robin Berjon - http://berjon.com/
Feel like hiring me? Go to http://robineko.com/
Received on Sunday, 19 April 2009 14:15:56 UTC
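
The portability argument in the message above, as an added example that is not part of the original message or of the Widgets specification: it compares what a bare `*` and a scheme-qualified `http://*` grant when the platform's set of supported protocols changes. The matching rules, the function names and the sample platform scheme sets are assumptions made for illustration.

```javascript
// Added illustration. The matching rules here are assumed, not the spec's algorithm.

// Parse an <access uri="..."/> value into { scheme, host }; either part may be "*".
function parseAccessPattern(pattern) {
  if (pattern === "*") return { scheme: "*", host: "*" }; // bare wildcard
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(pattern);
  if (!m) throw new Error("unsupported access pattern: " + pattern);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
}

// Which of the platform's protocols does a set of <access> declarations open up?
function grantedSchemes(patterns, platformSchemes) {
  const parsed = patterns.map(parseAccessPattern);
  return [...platformSchemes]
    .filter((s) => parsed.some((p) => p.scheme === "*" || p.scheme === s))
    .sort();
}

// Would the user agent permit this request for a widget with these declarations?
function isAllowed(patterns, platformSchemes, target) {
  const url = new URL(target);
  const scheme = url.protocol.slice(0, -1); // "http:" -> "http"
  if (!platformSchemes.has(scheme)) return false; // platform cannot fetch it at all
  const host = url.hostname.toLowerCase();
  return patterns.map(parseAccessPattern).some(
    (p) =>
      (p.scheme === "*" || p.scheme === scheme) &&
      (p.host === "*" || p.host === host)
  );
}

// Constructed sample platforms: the second one has gained ftp and file support.
const platformToday = new Set(["http", "https"]);
const platformLater = new Set(["http", "https", "ftp", "file"]);

const bare = ["*"];
const qualified = ["http://*", "https://*"];

// The bare wildcard's meaning follows the platform; the qualified form does not.
console.log(grantedSchemes(bare, platformToday));      // http, https
console.log(grantedSchemes(bare, platformLater));      // file, ftp, http, https
console.log(grantedSchemes(qualified, platformLater)); // http, https
```
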