Re: [SVGMobile12] A.7.19 getURL and postURL

Hi Jonathan,

On Jan 27, 2006, at 16:26, Jonathan Watt wrote:
> http://www.w3.org/TR/SVGMobile12/svgudom.html#svg::SVGGlobal_getURL  
> in section A.7.19 says:
>
>   For security reasons, User Agents are encouraged to restrict the
>   domains to which one may make such requests. When enforcing such
>   restrictions, the callback is called immedately with its
>   AsyncURLStatus object's success field set to false and other
>   fields set to null.
>
> Please change "are encouraged to" to at least "should".

Using "should" entails that there is a conformance requirement, which  
in turn involves testability. Since the security behaviour of SVG  
implementation is not prescribed as per spec, "should" is likely  
wrong. We have however strengthened the paragraph's wording to place  
an emphasis on the fact that it's important.

> The phrase "restrict the domains" is too vague. Please change this  
> to "restrict requests to the same origin as the SVG document".

Here we did what Boris and Maciej suggested in the thread.

> Please also make the text regarding security restrictions a  
> separate paragraph, perhaps with some sort of highlighting.

This has been done.

> Oh, and "immedately" isn't a word.

HA! To you perhaps! Erm, okay, changed that too.

Thanks a lot for your comments, please let us know shortly if this  
does not address your comments,

-- 
Robin Berjon
    Senior Research Scientist
    Expway, http://expway.com/

Received on Wednesday, 10 May 2006 08:43:48 UTC