- From: Robert Bateman <bobbateman@sequoiallc.com>
- Date: Wed, 25 Aug 2004 13:50:01 -0400
- To: www-forms@w3.org
Aaron, On Tuesday 24 August 2004 04:49 pm, Aaron Reed wrote: > I also have a question about XForms security. For example, the formsPlayer > example at: > http://www.formsplayer.com/community/samples/google-search.html. > > Running this example in a browser should raise eyebrows. Submitting SOAP > to domains DIFFERENT from the one where the page was downloaded and > REPLACING content in the current page so that the user doesn't have any > kind of cue that something just happened seems like the kind of power for a > form that we don't want to encourage (in a browser context, at least). Is I can't disagree with you more here... Why should the user care that a SOAP message was sent to a domain and the results displayed on the screen? If you are concerned about sending a SOAP message to a secure site, there are WS-xxxx standards that are developed / being developed that address security. But getting back to the original Xforms example, lets change the example a little bit. Lets say I have created a nifty portal for all users of the Blackberry(tm). Thru my portal, my subscribers can book flights, hotels, cars, check traffic, get directions, weather updates, and more. Is it smarter for me to send a SOAP message to a hotel to make or alter a reservation or to open a window? Too many of todays browser exploits exist because the browser executes arbitrary code. In the case of SOAP, there is no code to execute at the client. The results of the SOAP message are data that is acted upon or rendered. And for those cases where I have to worry about security or authentication, the community is working on those very issues. But I suspect that you and I will not have to worry about those things in most of the work we will see in the near future. Of course, these are just my opinion. Bob
Received on Wednesday, 25 August 2004 17:53:11 UTC