Re: XML Schema validation and https redirects from Norm Tovey-Walsh on 2022-08-23 (xmlschema-dev@w3.org from August 2022)

From: Norm Tovey-Walsh <ndw@nwalsh.com>
Date: Tue, 23 Aug 2022 08:08:32 +0100
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: Michael Kay <mike@saxonica.com>, Gerald Oskoboiny <gerald@w3.org>, Michael Sperberg-McQueen <cmsmcq@blackmesatech.com>, xmlschema-dev@w3.org
Message-ID: <m2o7wbpgka.fsf@nwalsh.com>

> Hmm.  To take my favourite example, I would argue that the primary
> purpose of the namespace URI for XHTML, http://www.w3.org/1999/xhtml,
> is to identify documents as conforming to the XHTML spec.  It is
> entirely reasonable to bake exactly that sequence of ASCII characters
> into your software when you need to detect XHTML.  And I _don't_ think
> we should invalidate such software, by changing the XHTML spec. to use
> https.

Namespace URIs are special because they’re names.

(Norm pauses to place several bright orange warning cones around a rat
hole. “The ‘are http URIs properly names’ rat hole is really very, very
deep; you don’t want to fall down there, it might take years to find
your way back. Trust me.”)

I observe, also, that namespace URIs *already* redirect to https:
presumably because they’re “just” HTML documents and no one thought it
would matter. Although the namspace document prose says that the name is
“http://www.w3.org/1999/xhtml”, I think a user who blindly
cut-and-pasted the URI out of the address bar could fairly assert that
they had a very reasonable expectation that doing so was correct.
(Narrator voice, “it wasn’t.”)

But I think that’s all a little tangential. Consider Mike’s statement
with respect to the URIs in appendix A of the XSD part 1 recommendation.
Should the document be updated to read:

    Independent copies of this material are available in an undated
    (mutable) version at https://www.w3.org/2009/XMLSchema/XMLSchema.xsd
    and in a dated (immutable) version at
    https://www.w3.org/2012/04/XMLSchema.xsd — the mutable version will
    be updated with future revisions of this specification, and the
    immutable one will not.

One could make the argument, I think, that it should. If there ever
comes a day when http: URIs cannot be served or automatic redirection to
the equivalent https: URI ceases to function, it’ll become a much more
significant question.

At the moment, I don’t feel strongly about it one way or the other. I
think users are used to http->https redirection so no one is going to be
started by it. Heck, popular browser extensions like HTTPS Everywhere
will effectively redirect you to https: URIs even if the web server
doesn’t!

                                        Be seeing you,
                                          norm

--
Norman Tovey-Walsh <ndw@nwalsh.com>
https://nwalsh.com/

> Opportunity is missed by most people because it is dressed in overalls
> and looks like work.--Thomas A. Edison

Received on Tuesday, 23 August 2022 07:25:48 UTC