RE: use namespaces and elements/attributes, not <?access-control?> PI (VBWG official response to last call issue)

On Thu, 2005-03-10 at 23:03 -0800, MattO wrote:
> "Er... you moved something to an appendix? Can I have a look at a draft?"
> Look for "Before exposing the data in an XML document" in section 5 [1].
> Then follow the link to Appendix E which is informative as indicated in the
> "Status of this Document" section.

This text doesn't look informative to me:

  Before exposing an XML document referenced by the <data> element
  via the DOM to a voice application, the interpreter should
  validate that the host requesting the document is allowed to
  access the data.

though I can't quite tell how the term "interpreter" relates
to the term Conforming VoiceXML 2.1 Processor".

But even if it's informative, it's still not something I think W3C
should be advocating.

> "I can't tell from your response why a namespace-qualified element or
> attribute won't work just as well if not better than a processing 
> instruction, so no, I'm not satisfied by this response. Can you give me an
> example of something bad that would happen if you used a namespace qualified
> element or attribute?"
> Please see [2].

OK, I see

4)  Encode access rights as a parent envelope around the enclosed XML
data or root tag elements and have the browser enforce access to that
XML content only to the allowed domains.

      * Allows for extensibillity of security sandboxing primitives
        through an XML namespace
      * Probably best performed as its own specification
      * Requires structural or attribute modification to existing XML
      * Requires parsing and interpreting the XML content before
        deciding whether to grant access to that content

And that doesn't persuade me that an element or attribute is a bad thing
at all. The fact that this is orthogonal to VoiceXML2.1 conformance
(as implied by the fact that appendix E is informative) would be more
clear by moving it to a separate document.

And a PI has to be parsed, so that 3rd point applies to PIs as well.

Regarding "structural or attribute modification," yes, that's what
using an element or attribute means. I don't see that as an argument

I see the XML Schema WG mentioned in the related groups in your

Have they reviewed the VoiceXML last call spec? Or has XML Core?
If they've reviewed this use of PIs and OK'd it, perhaps I'll
step aside.

> [1]
> 0308.html#sec-data 
> [2]

Dan Connolly, W3C
D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E

Received on Tuesday, 15 March 2005 22:40:46 UTC