- From: Larry Masinter <masinter@adobe.com>
- Date: Thu, 28 May 2009 17:51:33 -0700
- To: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>, public-webapps <public-webapps@w3.org>
- CC: public-pkg-uri-scheme <public-pkg-uri-scheme@w3.org>
> My past standardization experience is that things which "will never be > used by the author and will never be exchanged between two > implementations" should not be standardized at all. I believe the requirements for a URI scheme for use within packages are similar, if not the same, as the ones that led to the introduction of "thismessage" in MHTML RFC 2557 (1999) as an update to RFC 2110 (1997). http://www.rfc-editor.org/rfc/rfc2557.txt So I think there is some experience that (at least for rhetorical purposes) there are requirements for an explicit URI scheme, e.g., to make the "absolute URI" calculation explicit. I'd suggest looking harder at "thismessage", though, before inventing a new URI scheme for "widget", especially since it will (should) not appear outside of the internal operational context. Reusing existing technology has the advantage of learning from experience rather than repeating it. Larry -- http://larry.masinter.net -----Original Message----- From: public-pkg-uri-scheme-request@w3.org [mailto:public-pkg-uri-scheme-request@w3.org] On Behalf Of Jean-Claude Dufourd Sent: Tuesday, May 26, 2009 8:39 AM To: public-webapps Cc: public-pkg-uri-scheme Subject: Re: [widgets] Widgets URI scheme... it's baaaack! Marcos, Mark, all, I am picking up the discussion where Cyril left it some months ago. I have read this thread, the Oct 08 one, the proposed URI scheme spec, even skimmed through the wam minutes. I still am leaning towards Mark's position. It seems to me that the URI scheme is not needed, or if needed, the reasons have not yet been "shown". I am trying to reformulate the situation: 0- the author needs a way to point to resources within the widget package 1- the "URI scheme will never be used by the author" (written by Marcos), the author will use relative URIs for resources within the widget. 2- the browser will have to resolve the relative URI to an absolute URI because of the DOM spec, hence a possible vulnerability by divulging private information (e.g. actual name of current user in file: URI example of Apple Dashboard widgets) to scripts running in the widget. 3- Marcos seems to be deducing from 2- that a URI scheme must be defined for mandatory internal use in all widget UAs to guarantee that this vulnerability does not exist. 3- does not follow logically from 2-. "Mandating the implementation in the widget UA of a URI resolution that does not divulge private information to the widget scripts" is sufficient to ensure that the vulnerability mentioned in 2- does not happen. The proposed URI scheme could be suggested as an option, but not more. My understanding is that 3- mandates a particular URI scheme which will never be used by the author and will never be exchanged between two implementations. My past standardization experience is that things which "will never be used by the author and will never be exchanged between two implementations" should not be standardized at all. Are there other predicates for the need for standardisation ? Marcos mentions the widget V2 spec and extensibility as one reason for adopting the proposed URI scheme. I would like to understand how V2 and extensibility could make the URI scheme either seen by the author or exchanged between implementations, or make its absence otherwise imperil implementations. Thanks. Best regards JC -- JC Dufourd Groupe Multimedia/Multimedia Group Traitement du Signal et Images/Signal and Image Processing Télécom ParisTech, 46 rue Barrault, 75 013 Paris, France
Received on Friday, 29 May 2009 00:52:16 UTC