- From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
- Date: Mon, 2 Nov 2009 17:39:50 -0800
- To: "WebApps WG" <public-webapps@w3.org>
Here are the comments I had to the WARP spec in the Webapps/DAP joint meeting:

1) Does "*" grant/require either HTTP or HTTPS as schemes? It would be better to allow "https://*/" or "http://*/" distinctly, since some applications may not be allowed by policy to access specific sources using non-secure HTTP, e.g. an e-commerce-enabled application. It would thus not be possible to include both "http://*/" (for generic content) and also limit access to the e-commerce-sensitive sites via HTTPS.

2) Re "A user agent enforces an access request policy. In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img)." Note that for content that is typically not executable, e.g. img sources, this limitation on access to linked resources is significant, and will require, e.g. for mashup applications, that all content and references are pre-retrieved (or reference URIs re-written at least, to be proxied upon request) by the web application server (or set of servers as represented by the access list). It would be good to consider a way for the webapp to allow certain types of content reference methods from a wider set of sources, while preserving restrictions on others, e.g.:

  <access origin="http://trustedsite.com" tag="script"/>
  <access origin="*" tag="img"/>

Best regards,
Bryan Sullivan | AT&T
Received on Tuesday, 3 November 2009 01:40:34 UTC
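To make the two points above concrete, here is an added Python illustration (not part of the original message, and not the WARP spec's or any user agent's code) of how a widget runtime might evaluate access rules against a requested URL. It models WARP-style origin matching (scheme, host and port must match; an optional subdomains flag widens the host match) and then adds the two extensions the message asks for: a scheme-wide wildcard such as "https://*" and a per-tag restriction. Both extensions, the rule dictionary shape and the sample policies are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Default ports used when an origin or URL omits one (assumed, as in common origin matching).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL or access-origin string."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def rule_allows(rule, url, tag=None):
    """Evaluate one access rule against a request.

    rule keys (constructed for this example):
      origin     - "*", a WARP-style origin, or the proposed "https://*" scheme wildcard
      subdomains - optional bool, host may be a subdomain of the rule's host
      tag        - optional markup tag the rule is limited to (the message's proposal)
    """
    # Per-tag restriction: a rule limited to one tag does not apply to other requesters.
    if "tag" in rule and rule["tag"] != tag:
        return False

    origin = rule["origin"]
    if origin == "*":
        # Bare "*" matches any origin and any scheme; this is the ambiguity raised in point 1.
        return True

    r_scheme, r_host, r_port = origin_of(origin)
    u_scheme, u_host, u_port = origin_of(url)

    if r_scheme != u_scheme:
        return False
    if r_host == "*":
        # Proposed scheme-wide wildcard ("https://*"): any host, but only over this scheme.
        return True
    if r_port != u_port:
        return False
    if r_host == u_host:
        return True
    return bool(rule.get("subdomains", False)) and u_host.endswith("." + r_host)


def policy_allows(rules, url, tag=None):
    """A request is allowed if any rule in the widget's access list allows it."""
    return any(rule_allows(rule, url, tag) for rule in rules)


# Constructed sample policies (hostnames are placeholders, not real sites).
POLICY_WILDCARD = [{"origin": "*"}]
POLICY_SCHEME_SPLIT = [
    {"origin": "https://shop.example.com"},                   # e-commerce only over HTTPS
    {"origin": "http://cdn.example.com", "subdomains": True},  # generic content over HTTP
]
POLICY_SCHEME_WILDCARD = [{"origin": "https://*"}]            # the proposed "https://*/" form
POLICY_PER_TAG = [
    {"origin": "http://trustedsite.com", "tag": "script"},
    {"origin": "*", "tag": "img"},
]


if __name__ == "__main__":
    print(policy_allows(POLICY_WILDCARD, "http://anything.example/x"))           # True
    print(policy_allows(POLICY_SCHEME_SPLIT, "http://shop.example.com/cart"))     # False
    print(policy_allows(POLICY_SCHEME_WILDCARD, "http://any.example/"))           # False
    print(policy_allows(POLICY_PER_TAG, "http://other.example/a.js", "script"))   # False
```

The split policy shows why a bare "*" is insufficient: with "*" in the list every scheme is granted, whereas listing the e-commerce origin only under https keeps a plain-http fetch of that host denied while still permitting generic content elsewhere. The per-tag policy shows the second proposal: an img reference may come from anywhere, but script sources remain pinned to one origin.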