In this case, it is definitely better late than never. And months is really not 
that long for a feature to undergo initial scrutiny (especially over summer), 
and further scrutiny for consistency within the broader set of specifications.

I think the statement that "the default is defined by the security policy of 
the host language" is good, or more specifically "the default security policy 
is defined by the specifications governing processing of the widget content".

Best regards,
Bryan Sullivan | AT&T
-----Original Message-----
From: Robin Berjon [mailto:[email protected]] 
Sent: Wednesday, November 18, 2009 4:00 AM
To: SULLIVAN, BRYAN L (ATTCINW)
Cc: Marcos Caceres; WebApps WG
Subject: Re: [WARP] Comments to WARP spec

On Nov 9, 2009, at 20:22 , SULLIVAN, BRYAN L (ATTCINW) wrote:
> (1) we need to be specific about which API's / resource types are affected by 
> inclusion (or exclusion) of domains in <access> (and keep this equivalent to 
> HTML5)

We're very specific: it's a blanket exclusion. Now I can be sensitive to an 
argument indicating that the default is defined by the security policy of the 
host language, in which case we need to also clarify which default to pick when 
there are several (HTML for instance has different origin rules for file:// and 
http://). My primary objection is that it's pretty late to have this 
discussion, the restriction has been there for months.

-- 
Robin Berjon - http://berjon.com/




Reply via email to