Great! Thank you for confirming the assumptions I've made. 
I'm pleased to see you're considering implementation in the Mozilla Firefox 
user agent.  Once that's underway, would you be willing to help write the 
guidelines on the basis of that work?  I'll work with the Forms WG to find the 
right publication avenue (W3C Note, one of our recommendation-track documents, 
etc.)

Leigh.

-----Original Message-----
From: Jonas Sicking [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 06, 2008 6:20 PM
To: Klotz, Leigh
Cc: Anne van Kesteren; [email protected]; Forms WG
Subject: Re: [access-control] Forms WG comments on Access Control WD

Klotz, Leigh wrote:
> Anne,
> 
> We discussed this issue today at the Forms WG F2F meeting, and decided that 
> we would abstain from any comment on the access-control protocol per se; 
> however, we remain interested in enabling the implementation of 
> access-control in XForms user agents.
> 
> While it appears that it would be possible to express the current WD protocol 
> operations (resource GET, header tests, etc.) directly as XForms markup, it 
> would seem to be pointless, as its raison d'être is user agent 
> enforcement, not optional compliance by authored markup.  

Yes, I think it would in fact only be confusing if XForms markup was 
used to "implement" the spec as it might only lead to a false sense of 
security.

> Therefore, we believe that recommendations to XForms user agent authors are 
> in order.  (We note that the fact that XForms cross-site access is supported 
> by some implementations was discussed at the 2007/11/05 WAF meeting [1].)

Absolutely. It should be fairly easy to integrate the access-control 
implementation in Firefox into the Firefox XForms extension.

> As noted in Requirement 10 of your current WD, it's likely that no changes to 
> XForms markup will be required.  However, the XForms WG or WAF (or 
> both) may choose to issue a note offering guidance to user agent 
> implementers.  

Yup, that was the exact intent. The XForms markup should simply be able 
to point to a different server as target URI.

Best Regards,
Jonas Sicking
