- From: Arve Bersvendsen <arveb@opera.com>
- Date: Wed, 27 May 2009 09:34:50 +0200
- To: "Jean-Claude Dufourd" <jean-claude.dufourd@telecom-paristech.fr>, public-webapps <public-webapps@w3.org>
- Cc: public-pkg-uri-scheme <public-pkg-uri-scheme@w3.org>

On Tue, 26 May 2009 17:38:48 +0200, Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr> wrote:

> 2- the browser will have to resolve the relative URI to an absolute URI
> because of the DOM spec, hence a possible vulnerability by divulging
> private information (e.g. actual name of current user in file: URI
> example of Apple Dashboard widgets) to scripts running in the widget.

...

> Marcos mentions the widget V2 spec and extensibility as one reason for
> adopting the proposed URI scheme. I would like to understand how V2 and
> extensibility could make the URI scheme either seen by the author or
> exchanged between implementations, or make its absence otherwise imperil
> implementations.
> Thanks.

The main issue here, I think, is one of being proactive on this front. Given that absolute URIs are required for resolution, and that UA vendors will, unless specified, have to pick a URI scheme of their own, the situation may well arise where they have specified something that would either be insecure (e.g. file:), incompatible (again, file:) or inappropriate (all schemes that fail to make query strings and fragment identifiers useful).

--
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/

Received on Wednesday, 27 May 2009 07:35:47 UTC