Thanks Björn and Brad for your comments.
I agree early comments from a broad set of stakeholders are important and
I encourage everyone to please send all technical feedback on this spec to:
public-webapps@w3.org
-Art Barstow
On 7/5/11 11:14 PM, ext Hill, Brad wrote:
To the procedural points:
I am not a member of the Web Applications WG. I do not have standing to block
or make a formal objection to this moving forward as a FPWD. Responsibility to
measure consensus and the decision to move forward within that WG rests with
Art.
The opinion of the proposed Web Applications Security WG (currently in the
process of being chartered and of which I am a proposed co-chair) was
solicited as to whether the work should move to that forum or be a joint
deliverable with the Content Security Policy. Additionally, one of the goals
of the draft was to address concerns around clickjacking, an item under the
proposed charter scope of the WebAppSec WG. Wearing that (still phantom) hat,
I can say that there isn't consensus to move this proposed mechanism as a
cross-domain framing security solution to FPWD, alone or as part of the CSP, in
the WebAppSec WG, at this time. Until AC approval, we can't move anything to
FPWD at this time. :)
My other concerns with the proposal are put forward only as an interested
member of the community. I expect there will be ample opportunity to discuss
them. If Art feels that moving forward to FPWD is the best next step to foster
that and other discussions, I'm more than happy to participate there to the
extent the WG welcomes my feedback and finds it useful.
Thanks,
Brad Hill
-----Original Message-----
From: public-web-security-requ...@w3.org
[mailto:public-web-security-requ...@w3.org] On Behalf Of Bjoern Hoehrmann
Sent: Tuesday, July 05, 2011 4:38 PM
To: Marcos Caceres
Cc: WebApps WG; public-web-secur...@w3.org
Subject: Re: Publishing From-Origin Proposal as FPWD
* Marcos Caceres wrote:
On Tue, Jul 5, 2011 at 5:50 PM, Hill, Brad <bh...@paypal-inc.com> wrote:
I feel that the goals of this draft are either inconsistent with the
basic architecture of the web, cannot be meaningfully accomplished by
the proposed mechanism, or both, and I haven't seen any discussion of
these concerns yet.
I note that the Web Applications Working Group's Charter, if Brad Hill is a
member, does require the rest of the Working Group to duly consider his points
before moving on without consensus. If not, then the group is not required to
wait with publication, but not discussing the points in a timely manner,
without an argument how publication is urgent in some way, does not inspire
confidence that the arguments will be heard and duly handled.
Publication will enable wider discussion - particularly wrt the issues
you have raised. Not publishing it is tantamount to saying "I OBJECT TO
PROGRESS!". If you are correct, more people will see it and the
proposal will be shot down. Otherwise, other opinions will flourish
that may sway your position (or a new perspective will emerge
altogether). In any case, calling for a spec not to be published, no
matter how bad it is, is not the right way to do this. Publishing a
spec is just a formality which can lead to discussion.
The more invested people are in something, the less likely they are to cut
their losses; by doing things, you frame the discussion in favour of doing
more. You get people to think more about how something can be fixed rather than
thinking about whether to abandon the work, or use a very different approach.
If you just propose an idea to me, we can talk about it more freely than if you
had already invested a lot of effort on implementing the idea and asked me to
review the idea after the fact.
(~ "Die normative Kraft des Faktischen", the normative force of the factual)
Realizing something is a bad idea early is therefore very important and not
objecting to progress. Not wasting time on bad ideas is certainly progress,
even if only indirectly as you'd work on other things instead.
As such it is quite important to react to design critique promptly, with care
and detail. Psychologically, if you press ahead, you communicate that you care
more about moving on than discussing details, which is likely to turn away the
people more interested in details and quality; and the same is of course true
for drafts of genuinely bad quality.
Which is just to say this is actually an important matter; sometimes it is best
to go ahead and put your ideas into practise whatever others may be saying,
other times it turns out that you should have listened more.
That is why we allow people to block actions, not necessarily progress, but
only up to the point where arguments have been duly considered. And here we
have yet to do that. Until that happens, short of someone making the case for
urgency, I would agree the group should not publish and talk about this instead.
--
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Phone: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/