- From: Robin Berjon <robin@berjon.com>
- Date: Mon, 16 Mar 2009 15:44:33 +0100
- To: "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>
- Cc: "Arthur Barstow" <art.barstow@nokia.com>, "public-webapps" <public-webapps@w3.org>

On Mar 16, 2009, at 15:06 , Hillebrand, Rainer wrote:
> Regarding "P&C spec - Mandatory config file", I would like to give
> more information about my concerns.
>
> According to the current "W3C Working Draft 9 March 2009", the
> config.xml file has a single mandatory element. This is the <widget>
> element. All its expected child elements and attributes are
> optional. Therefore I have got the impression that the config.xml
> file does not add any security. However, it will help to identify a
> zip archive as a widget if the media type and/or file extension are
> missing.
>
> To be clear, I do not have any objections against the config.xml
> file in general. I only have concerns regarding its potential to
> improve security.

I would like to echo these concerns. I may have missed something but
it is still rather unclear to me how making config.xml required
improves security. I would expect there to be default, security-
conscious options that would apply irrespective of the presence of a
config.xml document, and would also be the default values for the
elements it contains when they are absent. I don't have an extremely
strong opinion here, but I do see value in making widget creation as
simple as possible: at the simplest, just zip up that index.svg file
you have, rename the zip, and run with it.

The use case of wanting to identify a widget that does not have the
media type or file extension seems to me tenuous at best. In fact, if
I happen to have a zip archive that happens to contain a config.xml I
wouldn't want anything to assume that it's a widget and I've somehow
made a mistake. I want it treated as a vanilla zip archive until such
a time as I decide otherwise.

--
Robin Berjon - http://berjon.com/
Feel like hiring me? Go to http://robineko.com/
Received on Monday, 16 March 2009 14:45:11 UTC