W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 2005

Re: last calling WebDAV mounting spec, was I-D ACTION:draft-reschke-webdav-mount-01.txt

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 29 Sep 2005 21:47:13 +0200
Message-ID: <433C44C1.6000909@gmx.de>
To: Jim Whitehead <ejw@soe.ucsc.edu>
CC: WebDav <w3c-dist-auth@w3.org>


I have updated 
shamelessly stealing text from JimW's suggestions.

The abstract now says:


    In current Web browsers, there is no uniform way to specify that a
    user clicking on a link will be presented with an editable view of a
    WebDAV server.  For example, it is frequently desirable to be able to
    click on a link, and have this link open a window that can handle
    drag and drop interaction with the resources of a WebDAV server.

    This document specifies a mechanism and a document format that
    enables Web Distributed Authoring and Versioning (WebDAV) servers to
    send "mounting" information to a WebDAV client.  The protocol is
    designed to work on any platform and with any combination of browser
    and WebDAV client, relying solely on the well-understood dispatch of
    documents through their MIME type.

The introduction was expanded to say:

1.  Introduction

    By definition, a WebDAV server ([RFC2518]) is an HTTP server as well
    ([RFC2616]).  Most WebDAV servers can be (at least partly) operated
    from an HTML-based user interface in a web browser.  However, it is
    frequently desirable to be able to switch from an HTML-based view to
    a presentation provided by a native WebDAV client, directly
    supporting the authoring features defined in WebDAV and related

    For example, many educational institutions use WebDAV servers as a
    mechanism for sharing documents among students.  Each student owns a
    separate collection structure on a WebDAV server, often called their
    "locker".  Ideally, when a user clicks on a link in an HTML page
    provided by the university (perhaps by their university Web portal),
    an editable view of their locker will appear.

    For completeness, Appendix A lists other approaches that have been
    implemented in existing clients.

The description of dm:open now forward references the Security 

3.3  dm:open

    The optional <dm:open> element instructs the client to display the
    specified child collection; it's URL is computed by concatenating
    this element's value with the URL obtained from the <dm:url>
    (Section 3.2) element (see Section 7 for a discussion about why this
    element only supports displaying collections rather than opening
    arbitrary documents).

which in turn now say:

7.  Security Considerations

    All security considerations connected to HTTP/WebDAV and XML apply
    for this specification as well, namely [RFC2518] (Section 17) and
    [RFC3470] (Section 7).

    In addition, client implementers must be careful when implementing
    the <dm:open> element (see Section 3.3).  It MUST NOT be used to
    initiate any action beyond displaying the contents of a WebDAV
    collection (supporting "opening" documents could be abused to trick a
    user into letting the operating system's shell execute arbitrary
    content, possibly running it as an executable program).

Feedback appreciated,

Received on Thursday, 29 September 2005 19:47:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:34 UTC