- From: Paul Grosso <pgrosso@arbortext.com>
- Date: Thu, 17 Mar 2005 11:39:58 -0500
- To: "James A. Larson" <jim@larson-tech.com>, "Norman Walsh" <Norman.Walsh@east.sun.com>
- Cc: "Brad Porter" <brad@tellme.com>, <connolly@w3.org>, <www-voice@w3.org>
> From: James A. Larson [jim@larson-tech.com] > Sent: Wednesday, 16 March, 2005 11:54 > To: Paul Grosso; Norman Walsh > Cc: Brad Porter; connolly@w3.org; www-voice@w3.org > Subject: Processing instructions for validating > that a document may access data > > Paul Grosso and Norman Walsh > Co-chairs, XML Core > > I'm writing to you as co-chairs of the XML Core > Working Group about an issue that Dan Connolly > believes will be of interest to you.... > Dan Connolly has raised an > issue[1] with the VoiceXML 2.1 last call working > draft, specifically about the Processing Instruction > section [2] which exposes an XML document referenced > by the <data> element via the DOM to a voice > application in which the interpreter should > validate that the host requesting the document > is allowed to access the data. > > [1] http://lists.w3.org/Archives/Public/www-voice/2005JanMar/0065.html > > [2] http://www.w3.org/TR/2004/WD-voicexml21-20040728/#sec-data-security Jim, et al., At my suggestion, the XML CG discussed this at our meeting this week. I've also done some more research on my own. I read at [2]: Before exposing an XML document referenced by the <data> element via the DOM to a voice application, the interpreter must validate that the host requesting the document is allowed to access the data. This validation is performed by comparing the hostname and IP Address of the document server from which the document containing the <data> element was fetched to the list of hostnames, hostname suffixes, and IP addresses listed in the <?access control?> processing instruction included in the XML document referenced by the <data> element. I understand that the information whose access is being discussed is the XML information being referenced by the VoiceXML <data> element, and the access-control PI is embedded within that referenced XML information, not within the VoiceXML document. At http://www.w3.org/TR/2004/WD-voicexml21-20040728/#sec-data it says: The <data> element allows a VoiceXML application to fetch arbitrary XML data from a document server without transitioning to a new VoiceXML document. This implies to me that the referenced document--in which the access-control PI is to be embedded--is arbitrary XML, not necessarily something written in the VoiceXML vocabulary. Is my understanding correct? We had at least one member of the XML CG think that using elements/attributes made more sense in the case that the access-control information was being embedded in a document using the VoiceXML vocabulary, but we had no one (on the call this week) that expressed any serious reservations about using a processing instruction to embed access-control information in an arbitrary XML document. While it is true that VoiceXML could invent, say, a vxi:access-control element (where vxi is a prefix bound to a special VoiceXML "instance" namespace) that could be placed within any document instead of some access-control PI, personally, I would probably lean toward the PI in this case. Regardless, neither I nor anyone on the XML CG expressing an opinion in this matter can see any strong technical argument against using a PI in this case. paul
Received on Thursday, 17 March 2005 16:40:33 UTC