Re: Feedback on draft-gregorio-uritemplate-00

* Julian Reschke wrote:
>[draft-gregorio-uritemplate-00.txt]
>I think this goes into the right direction. Congratulations.

I somewhat miss the point of the document. What is being defined is a
general-purpose template format except that:

>"If the value of a template variable would conflict with a reserved 
>character's purpose as a delimiter, then the conflicting data must be 
>percent-encoded before substitution."

Without this escaping procedure (and I do not understand the requirement
at all), there is nothing specific to "URIs" in this document,
except for the title and the misplaced constraint that the result of
applying the replacement algorithm must be a "valid" URI in some sense.

Why not leave the validity requirement to protocols using this kind of
template format, and make the escaping configurable, if you have any
escaping at this level at all? You could, for example, provide triples
of

  [ name, value, escaping-method ]

as input to the template processor, or specify it inline like

  http://{punycode:host}/{uri:dir}?q={base64:q}#{frag}

Or use an encoding specifier prefix like

  {:uri}http://...

Or, if this is really specifically designed for URIs, define that, if
the template has well-balanced {} pairs and the variable names are
well-formed, applications behave as if they parse the whole thing into
a parse tree and template variable replacement then only occurs in the
tree, without severely changing the semantics of the identifier. With
the current model it seems you can easily do

  http://{host}/path - with host => "example.com/dir" - becoming
  http://example.com/dir/path

I've just completed some security research in this area, and problems
of this kind should at the very least be mentioned in the security
considerations section.

It somewhat seems that "URI templates" is really just marketing...
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Thursday, 5 October 2006 16:15:25 UTC
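
The `http://{host}/path` case from the message above, as an added example that is not part of the original post or of the draft: plain textual substitution is compared with percent-encoding the value before substitution, and a check reports whether a value changed the component structure of the result. The function names, the `shape` comparison and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Hypothetical minimal template syntax: {name} with simple variable names.
VAR = re.compile(r"\{([A-Za-z0-9_]+)\}")

def expand_naive(template, values):
    """Textual substitution with no escaping at all."""
    return VAR.sub(lambda m: values[m.group(1)], template)

def expand_escaped(template, values):
    """Percent-encode everything outside RFC 3986 'unreserved' first,
    so a value cannot contribute delimiters such as '/', '?', '#', '&'."""
    return VAR.sub(lambda m: quote(values[m.group(1)], safe=""), template)

def shape(uri):
    """Coarse structural fingerprint of a URI: which delimiters are in effect."""
    p = urlsplit(uri)
    return (p.scheme, "@" in p.netloc, p.path.count("/"),
            p.query.count("&"), bool(p.fragment))

def changes_structure(template, values, expand):
    """True if the supplied values alter the structure the template would
    have with inert placeholder values ('x' for every variable)."""
    inert = {name: "x" for name in values}
    return shape(expand(template, values)) != shape(expand(template, inert))

if __name__ == "__main__":
    template = "http://{host}/path"
    values = {"host": "example.com/dir"}   # value taken from the message
    for expand in (expand_naive, expand_escaped):
        result = expand(template, values)
        print(expand.__name__, result,
              "structure changed:", changes_structure(template, values, expand))
```

With escaping, the value stays confined to the authority component instead of adding a path segment; whether the resulting host is meaningful is left to the protocol using the template.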