Re: [widgets] HTML5 dependency blocking Widget Interface Proposed Recommendation

On Thu, Apr 19, 2012 at 9:04 AM, Glenn Adams <glenn@skynav.com> wrote:

>
> On Thu, Apr 19, 2012 at 9:02 AM, Marcos Caceres <marcosscaceres@gmail.com> wrote:
>
>> On Thursday, 19 April 2012 at 15:58, Glenn Adams wrote:
>>
>> >
>> > On Thu, Apr 19, 2012 at 7:06 AM, Marcos Caceres <marcosscaceres@gmail.com> wrote:
>> > > On Thursday, 19 April 2012 at 13:48, Arthur Barstow wrote:
>> > > > Marcos - would you please enumerate the CR's uses of HTML5 and state
>> > > > whether each usage is to a stable part of HTML5?
>> > >
>> > > 3. "When getting or setting the preferences attribute, if the origin
>> > > of a widget instance is mutable (e.g., if the user agent allows
>> > > document.domain to be dynamically changed), then the user agent must
>> > > perform the preference-origin security check. The concept of origin is
>> > > defined in [HTML]."
>> > > Origin is a concept that is well understood - as is the same origin
>> > > policy used by browsers.
>> >
>> >
>> > TWI [1] does not define "the origin of a widget instance".
>> That's because they are not bound to any particular URI scheme. Just to
>> some origin.
>> > Nor does HTML5. It is also confusing to say that HTML5 defines the
>> > 'concept of origin', given that it normatively refers to The Web Origin
>> > Concept [2]. TWI needs to be more specific about what aspect of Origin is
>> > being referenced and where that specific aspect is defined.
>>
>> As there are no interoperability issues, I don't agree the TWI spec needs
>> to be updated any further. It's just a simple spec and any further
>> clarifications would just be academic.
>> >
>> > [1] http://www.w3.org/TR/2011/CR-widgets-apis-20111213/
>> > [2] http://tools.ietf.org/html/rfc6454
>>
>
> in that case, please record an objection on my part
>

just to be clear, I mean an objection to publishing as PR unless this is
clarified; I believe this is an issue because the concept and use of origin
is (1) very complex and (2) thus prone to misinterpretation; for example,
it is not well recognized that HTML5 itself does not require a UA to send
an Origin header in a URL request (see [3])

[3] https://www.w3.org/Bugs/Public/show_bug.cgi?id=16574

Received on Thursday, 19 April 2012 15:12:16 UTC