- From: Robin Berjon <robin.berjon@expway.fr>
- Date: Wed, 10 May 2006 10:43:46 +0200
- To: Jonathan Watt <jwatt@jwatt.org>
- Cc: www-svg@w3.org
Hi Jonathan,
On Jan 27, 2006, at 16:26, Jonathan Watt wrote:
> http://www.w3.org/TR/SVGMobile12/svgudom.html#svg::SVGGlobal_getURL
> in section A.7.19 says:
>
> For security reasons, User Agents are encouraged to restrict the
> domains to which one may make such requests. When enforcing such
> restrictions, the callback is called immedately with its
> AsyncURLStatus object's success field set to false and other
> fields set to null.
>
> Please change "are encouraged to" to at least "should".
Using "should" entails that there is a conformance requirement, which
in turn involves testability. Since the security behaviour of SVG
implementation is not prescribed as per spec, "should" is likely
wrong. We have however strengthened the paragraph's wording to place
an emphasis on the fact that it's important.
> The phrase "restrict the domains" is too vague. Please change this
> to "restrict requests to the same origin as the SVG document".
Here we did what Boris and Maciej suggested in the thread.
> Please also make the text regarding security restrictions a
> separate paragraph, perhaps with some sort of highlighting.
This has been done.
> Oh, and "immedately" isn't a word.
HA! To you perhaps! Erm, okay, changed that too.
Thanks a lot for your comments, please let us know shortly if this
does not address your comments,
--
Robin Berjon
Senior Research Scientist
Expway, http://expway.com/
Received on Wednesday, 10 May 2006 08:43:48 UTC