- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 29 Sep 2005 21:47:13 +0200
- To: Jim Whitehead <ejw@soe.ucsc.edu>
- CC: WebDav <w3c-dist-auth@w3.org>
OK, I have updated <http://greenbytes.de/tech/webdav/draft-reschke-webdav-mount-latest.html>, shamelessly stealing text from JimW's suggestions.

The abstract now says:

   Abstract

   In current Web browsers, there is no uniform way to specify that a user clicking on a link will be presented with an editable view of a WebDAV server. For example, it is frequently desirable to be able to click on a link, and have this link open a window that can handle drag and drop interaction with the resources of a WebDAV server.

   This document specifies a mechanism and a document format that enables Web Distributed Authoring and Versioning (WebDAV) servers to send "mounting" information to a WebDAV client. The protocol is designed to work on any platform and with any combination of browser and WebDAV client, relying solely on the well-understood dispatch of documents through their MIME type.

The introduction was expanded to say:

   1. Introduction

   By definition, a WebDAV server ([RFC2518]) is an HTTP server as well ([RFC2616]). Most WebDAV servers can be (at least partly) operated from an HTML-based user interface in a web browser. However, it is frequently desirable to be able to switch from an HTML-based view to a presentation provided by a native WebDAV client, directly supporting the authoring features defined in WebDAV and related specifications.

   For example, many educational institutions use WebDAV servers as a mechanism for sharing documents among students. Each student owns a separate collection structure on a WebDAV server, often called their "locker". Ideally, when a user clicks on a link in an HTML page provided by the university (perhaps by their university Web portal), an editable view of their locker will appear.

   For completeness, Appendix A lists other approaches that have been implemented in existing clients.

The description of dm:open now forward references the Security Considerations:

   3.3 dm:open

   The optional <dm:open> element instructs the client to display the specified child collection; its URL is computed by concatenating this element's value with the URL obtained from the <dm:url> (Section 3.2) element (see Section 7 for a discussion about why this element only supports displaying collections rather than opening arbitrary documents).

which in turn now say:

   7. Security Considerations

   All security considerations connected to HTTP/WebDAV and XML apply for this specification as well, namely [RFC2518] (Section 17) and [RFC3470] (Section 7).

   In addition, client implementers must be careful when implementing the <dm:open> element (see Section 3.3). It MUST NOT be used to initiate any action beyond displaying the contents of a WebDAV collection (supporting "opening" documents could be abused to trick a user into letting the operating system's shell execute arbitrary content, possibly running it as an executable program).

Feedback appreciated,

Julian

Received on Thursday, 29 September 2005 19:47:27 UTC
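
An added example, not part of the message above or of the draft: one way a client could apply the <dm:open> rule from Sections 3.3 and 7, accepting the concatenated URL only when it stays below <dm:url> and is confirmed to be a collection. The namespace URI and the <dm:mount> root element are assumed from the later RFC 4709; the `is_collection` callback, the trailing-slash requirements and the DOCTYPE rejection are hardening choices of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Assumption: namespace URI and <dm:mount> root element as published in RFC 4709.
DM = "{http://purl.org/NET/webdav/mount}"

# Constructed sample document (not taken from the draft).
SAMPLE = (b'<dm:mount xmlns:dm="http://purl.org/NET/webdav/mount">'
          b'<dm:url>http://dav.example.org/lockers/alice/</dm:url>'
          b'<dm:open>coursework/</dm:open></dm:mount>')


class MountError(ValueError):
    """The mount document asks for something the client must not do."""


def resolve_mount_target(doc, is_collection):
    """Return the URL of the collection to display, or raise MountError.
    is_collection(url) is a hypothetical callback; a real client would send
    PROPFIND (Depth: 0) and look for DAV:collection in DAV:resourcetype.
    """
    if b"<!DOCTYPE" in doc:  # hardening choice: format needs no DTD or entities
        raise MountError("DOCTYPE not allowed")
    root = ET.fromstring(doc)
    if root.tag != DM + "mount":
        raise MountError("not a mount document")
    base = (root.findtext(DM + "url") or "").strip()
    rel = (root.findtext(DM + "open") or "").strip()

    parts = urlsplit(base)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise MountError("dm:url must be an absolute http(s) URL")
    if parts.query or parts.fragment or not parts.path.endswith("/"):
        raise MountError("dm:url must end in '/' so appended text stays in the path")

    target = base
    if rel:
        # Section 3.3: dm:open is concatenated onto dm:url, so it has to stay
        # a relative path below the mount point and name a collection.
        segments = unquote(rel).replace("\\", "/").split("/")
        if rel.startswith("/") or ".." in segments or "?" in rel or "#" in rel:
            raise MountError("dm:open must stay below dm:url")
        if not rel.endswith("/"):
            raise MountError("dm:open must name a collection, not a document")
        target = base + rel

    # Section 7: only a confirmed collection is displayed; the URL is never
    # handed to the operating system's shell "open" handler.
    if not is_collection(target):
        raise MountError("target is not a WebDAV collection")
    return target
```

The returned URL is meant for the client's own collection browser only; a rejected document should be reported to the user rather than retried through a generic "open" action.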