Re: [public-webapps] Comment on Widget URI (1)
Hi Larry,

On Dec 7, 2009, at 19:59 , Larry Masinter wrote:
> If the purpose of the authority and query components is that they are supposed to be processed by scripts in pages that use widget URIs, then the specification should say so. Opaque fields with no semantics and no identified purpose are not well-defined, in my opinion.
>
> There is some reasonable risk that implementors will take what is currently defined as opaque in the authority field and use it for cross-widget references. Without clear definition of these semantics, to merely leave it as out of scope introduces a security risk.
>
> If implementations MUST completely ignore the authority field and MUST treat any reference as if it ONLY applied to the local widget, then that would address the security concern.

The intent is that they are reserved for future use (and therefore that implementers doing anything with them now do so at the risk of being railroaded later). Would making this clearer address your concerns?

-- 
Robin Berjon - http://berjon.com/
RE: [public-webapps] Comment on Widget URI (1)
Sorry I missed the messages earlier...

If the purpose of the authority and query components is that they are supposed to be processed by scripts in pages that use widget URIs, then the specification should say so. Opaque fields with no semantics and no identified purpose are not well-defined, in my opinion.

There is some reasonable risk that implementors will take what is currently defined as opaque in the authority field and use it for cross-widget references. Without clear definition of these semantics, to merely leave it as out of scope introduces a security risk.

If implementations MUST completely ignore the authority field and MUST treat any reference as if it ONLY applied to the local widget, then that would address the security concern.

Larry
-- 
http://larry.masinter.net

-----Original Message-----
From: Robin Berjon [mailto:ro...@berjon.com]
Sent: Thursday, November 19, 2009 6:13 AM
To: Larry Masinter
Cc: public-webapps@w3.org
Subject: Re: [public-webapps] Comment on Widget URI (1)

Dear Larry,

thank you for your comments.

On Oct 10, 2009, at 19:44 , Larry Masinter wrote:
> 1) ** WELL DEFINED QUERY AND AUTHORITY **
> http://www.w3.org/TR/webarch/#URI-scheme points to RFC 2617, which has been replaced by RFC 4395. I think WebArch should be updated to recommend that W3C recommendations must use permanent schemes and not provisional ones.

Does this apply in any way to us?

> RFC 4395 requires that permanent scheme definitions be Well-defined. Leaving in syntactic components and declaring them out of scope is leaving them undefined.

The only parts the semantics of which were flagged as outside the scope were fragment and query - this section has been removed.

> Suggestion: Remove 'authority' from the syntax, and any sections that refer to them; disallow query components
>
> Alternate Suggestion: define the meaning of authority and query components.

Neither the authority nor the query components are undefined or out of scope.

Authority is syntactically defined, and is clearly specified as being devoid of semantics (opaque). Stating that this makes the scheme not well-defined is untrue - it is like saying that XML Namespaces aren't well-defined because they are equally opaque.

The query component is equally defined as to its syntax, and its meaning is left to the processor (typically, a script inside an HTML page, but for other resources it could be different). I can't see how this differs from the http scheme.

-- 
Robin Berjon - http://berjon.com/
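The rule Larry asks for in the messages above (ignore the opaque authority, treat every reference as applying only to the local widget) can be expressed as a reference resolver that a widget user agent would run before fetching anything. The code below is an added example written for this page; it is not from the thread, the W3C Widget URI draft, or any implementation. It assumes widget URIs follow the RFC 3986 generic syntax widget://<authority>/<path>?<query>#<fragment>, that authorities are compared case-insensitively (the RFC 3986 host rule), and it invents the function names `parseURI`, `removeDotSegments`, `mergePaths` and `resolveWidgetRef`. A reference naming a different authority is rewritten onto the local widget and flagged, so a strict user agent can deny it while a lenient one silently ignores it; a reference to a non-widget scheme is rejected outright.

```javascript
// Added example (not from the thread or the Widget URI spec): a reference
// resolver implementing "ignore the authority, references are local only".
// Assumptions: RFC 3986 generic syntax for widget URIs; authorities compared
// case-insensitively; function names below are invented for this example.

// RFC 3986 appendix B regular expression: scheme, authority, path, query, fragment.
const URI_RE = /^(?:([A-Za-z][A-Za-z0-9+.-]*):)?(?:\/\/([^\/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/;

function parseURI(uri) {
  const m = URI_RE.exec(uri);
  if (m === null) throw new Error('unparseable URI reference: ' + uri);
  return {
    scheme: m[1] === undefined ? undefined : m[1].toLowerCase(),
    authority: m[2], // undefined when the reference has no "//" part
    path: m[3],
    query: m[4],
    fragment: m[5],
  };
}

// RFC 3986 section 5.2.4, for absolute paths: drop "." and resolve "..".
function removeDotSegments(path) {
  const out = [];
  const segs = path.split('/');
  for (let i = 0; i < segs.length; i++) {
    const s = segs[i];
    const last = i === segs.length - 1;
    if (s === '.') { if (last) out.push(''); continue; }
    if (s === '..') { if (out.length > 1) out.pop(); if (last) out.push(''); continue; }
    out.push(s);
  }
  return out.join('/');
}

// RFC 3986 section 5.2.3: merge a relative-path reference with the base path.
function mergePaths(basePath, refPath) {
  if (basePath === '') return '/' + refPath; // base has an authority but no path
  return basePath.slice(0, basePath.lastIndexOf('/') + 1) + refPath;
}

// Resolve `ref` against the absolute widget URI `base`.
// Returns { allowed, crossWidget, uri, reason }:
//   allowed=false -> the reference leaves the widget scheme; deny it.
//   crossWidget   -> the reference named a different (opaque) authority. The
//                    resolved URI is rewritten onto the local widget anyway,
//                    so a strict UA can deny on the flag and a lenient UA can ignore it.
function resolveWidgetRef(base, ref) {
  const b = parseURI(base);
  if (b.scheme !== 'widget' || !b.authority) {
    throw new Error('base must be an absolute widget URI with an authority');
  }
  const r = parseURI(ref);
  if (r.scheme !== undefined && r.scheme !== 'widget') {
    return { allowed: false, crossWidget: false, uri: null, reason: 'non-widget scheme: ' + r.scheme };
  }
  const crossWidget = r.authority !== undefined &&
    r.authority.toLowerCase() !== b.authority.toLowerCase();

  let path, query;
  if (r.scheme !== undefined || r.authority !== undefined) {
    path = removeDotSegments(r.path);
    query = r.query;
  } else if (r.path === '') {
    path = b.path;
    query = r.query !== undefined ? r.query : b.query;
  } else if (r.path.startsWith('/')) {
    path = removeDotSegments(r.path);
    query = r.query;
  } else {
    path = removeDotSegments(mergePaths(b.path, r.path));
    query = r.query;
  }
  // Keep the result hierarchical: a non-empty path must start at the root.
  if (path !== '' && !path.startsWith('/')) path = '/' + path;

  // The authority is always the base widget's own: the reference's authority is ignored.
  const uri = 'widget://' + b.authority + path +
    (query !== undefined ? '?' + query : '') +
    (r.fragment !== undefined ? '#' + r.fragment : '');
  return { allowed: true, crossWidget, uri, reason: crossWidget ? 'foreign authority ignored' : null };
}
```

A user agent would call `resolveWidgetRef` with the document's own widget URI as `base` for every href, src and script-initiated fetch inside the widget; the `crossWidget` flag is what you would log or deny on if the policy is stricter than "ignore", and the `allowed` result is what keeps a widget from reaching out to other schemes through this path. The query string is passed through untouched, which matches the thread's position that its meaning belongs to the script that reads it.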
Re: [public-webapps] Comment on Widget URI (1)
Dear Larry,

thank you for your comments.

On Oct 10, 2009, at 19:44 , Larry Masinter wrote:
> 1) ** WELL DEFINED QUERY AND AUTHORITY **
> http://www.w3.org/TR/webarch/#URI-scheme points to RFC 2617, which has been replaced by RFC 4395. I think WebArch should be updated to recommend that W3C recommendations must use permanent schemes and not provisional ones.

Does this apply in any way to us?

> RFC 4395 requires that permanent scheme definitions be Well-defined. Leaving in syntactic components and declaring them out of scope is leaving them undefined.

The only parts the semantics of which were flagged as outside the scope were fragment and query — this section has been removed.

> Suggestion: Remove 'authority' from the syntax, and any sections that refer to them; disallow query components
>
> Alternate Suggestion: define the meaning of authority and query components.

Neither the authority nor the query components are undefined or out of scope.

Authority is syntactically defined, and is clearly specified as being devoid of semantics (opaque). Stating that this makes the scheme not well-defined is untrue — it is like saying that XML Namespaces aren't well-defined because they are equally opaque.

The query component is equally defined as to its syntax, and its meaning is left to the processor (typically, a script inside an HTML page, but for other resources it could be different). I can't see how this differs from the http scheme.

-- 
Robin Berjon - http://berjon.com/