On Thu, Apr 19, 2012 at 9:04 AM, Glenn Adams <gl...@skynav.com> wrote:
> > On Thu, Apr 19, 2012 at 9:02 AM, Marcos Caceres > <marcosscace...@gmail.com>wrote: > >> On Thursday, 19 April 2012 at 15:58, Glenn Adams wrote: >> >> > >> > On Thu, Apr 19, 2012 at 7:06 AM, Marcos Caceres < >> marcosscace...@gmail.com (mailto:marcosscace...@gmail.com)> wrote: >> > > On Thursday, 19 April 2012 at 13:48, Arthur Barstow wrote: >> > > > Marcos - would you please enumerate the CR's uses of HTML5 and state >> > > > whether each usage is to a stable part of HTML5? >> > > >> > > 3. "When getting or setting the preferences attribute, if the origin >> of a widget instance is mutable (e.g., if the user agent allows >> document.domain to be dynamically changed), then the user agent must >> perform the preference-origin security check. The concept of origin is >> defined in [HTML]." >> > > Origin is concept that is well understood - as is the same origin >> policy used by browsers. >> > >> > >> > TWI [1] does not define "the origin of a widget instance". >> That's because they are not bound to any particular URI scheme. Just to >> some origin. >> > Nor does HTML5. It is also confusing to say that HTML5 defines the >> 'concept of origin', given that it normatively refers to The Web Origin >> Concept [2]. TWI needs to be more specific about what aspect of Origin is >> being referenced and where that specific aspect is defined. >> >> As there are no interoperability issues, I don't agree the TWI spec needs >> to be updated any further. It's just a simple spec and any further >> clarifications would just be academic. >> > >> > [1] http://www.w3.org/TR/2011/CR-widgets-apis-20111213/ >> > [2] http://tools.ietf.org/html/rfc6454 >> > > in that case, please record an objection on my part > just to be clear, I mean an objection to publishing as PR unless this is clarified; i believe this is an issue because the concept and use of origin is (1) very complex and (2) thus prone to misinterpretation; for example, it is not well recognized that HTML5 itself does not require a UA to send an Origin header in a URL request (see [3]) [3] https://www.w3.org/Bugs/Public/show_bug.cgi?id=16574