- From: <noah_mendelsohn@us.ibm.com>
- Date: Wed, 28 Jan 2004 11:32:24 -0500
- To: "Martin Gudgin" <mgudgin@microsoft.com>
- Cc: xmlp-comments@w3.org
First, I apologize for missing the call where this was discussed. I have some doubts about the overall direction chosen, but I will happily defer to the will of the group in an area where anything we do involves compromises. So, I accept the overall direction of outlawing xop:Include in the input. That said, I don't think the proposed text is acceptable for at least two reasons, and so with regret I must indicate that for now the overall issue resolution is not acceptable to me. The two reasons are: 1) I think the use of the word "Note" in the phrase "Note that the data model used as input to XOP processing MUST NOT contain any element nodes" is unfortunate, as it unnecessarily suggests informal advice. I think we should avoid using "Note" and capitalized "MUST"/"MUST NOT" in the same sentence." Suggested resplution: delete the word "Note". 2) As I read the attached, it puts changes in XOP but not in the SOAP-specific portions of the spec. I think that is unacceptable, especially since in this particular way we are proposing a (marginally) non-conforming SOAP binding, and one that has at least some security or integrity exposures if not implemented carefully. In other words, if either your API or some inbound message at an intermediary allows a xop:include element to creep in and you fail to detect it, you can send erroneous data downstream. Furthermore, nothing in the SOAP Rec licenses a binding that is incapable of transmitting more or less arbitrary elements within SOAP bodies or header element children. I propose the following additional text to be included (with suitable editorial cleanup) into the HTTP binding: "Implementations of this binding MUST enforce the restriction [link to XOP spec] that XOP not be used with data models that contain element nodes of name xop:include. In any case where a SOAP envelope containing such a node is to be sent the binding MUST do one of the following: a) fall back to use of the application/soap+xml media type or (b) reflect a binding-dependent SOAP fault. Note that such envelopes could in principle arise either from data created locally at the sending node, or in data relayed at an intermediary, and bindings are responsible for checking all such input as necessary to ensure that the rule just stated is enforced. The first of these is an editorial matter that I am sure we can handle easily. I propose that, if the chair is willing, we discuss the second on the call today. Again, my apologies for being on the road at the Schema WG meeting during last week's call. -------------------------------------- Noah Mendelsohn IBM Corporation One Rogers Street Cambridge, MA 02142 1-617-693-4036 -------------------------------------- "Martin Gudgin" <mgudgin@microsoft.com> Sent by: xmlp-comments-request@w3.org 01/26/2004 06:30 AM To: <xmlp-comments@w3.org> cc: <noah_mendelsohn@us.ibm.com> Subject: Resolution for Issue 446 Noah, You raised issue 446[1] regarding whether MIFFY/XOP can serialize a data model that already contains xop:Include elements. The XMLP WG adopted the following text into Section 3 of the XOP document: Note that the data model used as input to XOP processing MUST NOT contain any element nodes with a dm:node-name {http://www.w3.org/2003/06/soap/features/binary-inclusion;Include}; data models containing such elements cannot be serialized using XOP. I trust the resolves the issue to your satisfaction. Regards Martin Gudgin For the W3C XMLP WG [1] http://www.w3.org/2000/xp/Group/xmlp-issues.html#x446
Received on Wednesday, 28 January 2004 11:33:14 UTC