Works for me, too.
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On 2011-12-13, at 22:14 +0100, Philippe Le Hegaret wrote:
On Tue, 2011-12-13 at 13:14 -0500, Arthur Barstow wrote:
Hi All,
The Widgets DigSig spec [W-DigSig] has been sitting in PR for over 4
months now, blocked
On Aug 3, 2011, at 10:21 , Anne van Kesteren wrote:
On Tue, 02 Aug 2011 14:37:31 +0200, Arthur Barstow art.bars...@nokia.com
wrote:
The From-Origin spec is WebApps'; it is _not_ a joint deliverable with the
proposed WebAppSec WG.
I assumed it was because of Secure Cross-Domain Framing
On Aug 1, 2011, at 20:05 , Maciej Stachowiak wrote:
On Jul 15, 2011, at 7:51 AM, Thomas Roessler wrote:
Joint deliverable seems even worse than moving it.
The goal of making this a joint deliverable is to preserve the patent
commitments out of webapps. This was a concern that came up when
Adding the Web Apps WG (list: public-webapps@w3.org) which has responsibility
for the Web Messaging spec.
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On Aug 2, 2011, at 08:30 , Philippe De Ryck wrote:
The following comment contains detailed information about an issue
to the CC list.
Regards,
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On Jul 26, 2011, at 15:18 , bugzi...@jessica.w3.org wrote:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13373
Summary: Privacy: Limit SharedWorker connections to same
top-level
Gack, that's what I get for reading the subject and first paragraph.
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On Jul 26, 2011, at 15:29 , Anne van Kesteren wrote:
On Tue, 26 Jul 2011 12:25:16 -0700, Thomas Roessler t...@w3.org wrote:
I suspect you mean second-level domain
,
--
Thomas Roessler, W3C t...@w3.org (@roessler)
The web...@ietf.org mailing list would probably be an appropriate place for
discussion about x-frame-options.
(It's right now an individual internet draft.)
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On Jul 22, 2011, at 17:43 , Arthur Barstow wrote:
On 7/22/11 11:08 AM, ext Anne
I recommend reading the relevant Internet-Draft:
http://tools.ietf.org/html/draft-gondrom-frame-options-01
The draft formalizes X-Frame-Options as Frame-Options. The issue is on the
side of the headers' technical design.
Regards,
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On Jul 15, 2011, at 16:47 , Anne van Kesteren wrote:
On Fri, 15 Jul 2011 14:43:13 +0200, Arthur Barstow art.bars...@nokia.com
wrote:
As indicated a year ago [1] and again at the end of last month [2], the
proposal to create a new Web Application Security WG has moved forward with
a formal
this to the
membership.
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On Jul 8, 2011, at 01:07 , David Ross wrote:
#3 is a narrowly scoped effort to standardize something that works pretty
well today in practice (X-FRAME-OPTIONS). A conflict with CSP would be bad,
but per Adam it seems like
be to see whether we can agree now on what forum to
take these things forward in (and what the coordination dance might look like).
Thoughts welcome.
Regards,
--
Thomas Roessler, W3C t...@w3.org (@roessler)
On 4 May 2010, at 14:10, Marcos Caceres wrote:
Right. I have clarified this:
[[
A user agent must not navigate the browsing context of a widget
instance through the openURL() method: the concept of navigate is
defined in [HTML5]. This restriction is imposed so an arbitrary web
site cannot
kue...@trustable.de wrote:
from the implementors' perspective these modifications don't introduce too much
trouble. But I'm a little bit concerned about the explicit ban of
canonicalizations for 'external' documents like config.xml.
It is, in the first place, the default behavior of the XML
On 31 Mar 2010, at 15:07, Frederick Hirsch wrote:
Note that this specifically means that a ds:Reference to the ds:Object
element and the ds:Reference to config.xml will each require a ds:Transform
element to specify canonicalization method.
That's not true for config.xml -- that file is not
1034 sounds like the appropriate normative reference for this sort of thing.
--
Thomas Roessler, W3C t...@w3.org
On 4 Mar 2010, at 15:51, Robin Berjon wrote:
Hi Dom,
On Dec 10, 2009, at 16:51 , Dominique Hazael-Massieux wrote:
A quick comment after re-reading WARP at the invitation
that isn't safe, e.g., assuming that just because a
scheme has a particular syntax that syntax is actually followed.
Regards,
--
Thomas Roessler, W3C t...@w3.org
On 8 Feb 2010, at 17:36, Marcos Caceres wrote:
At Opera we've been discussing some of the security implications around
On 11 Feb 2010, at 08:37, Arve Bersvendsen wrote:
- inter-widget communication (both single-user and multi-user, e.g.
collaboration)
I find this item to be interesting and worth taking on, but I think we ought
to also evaluate it in a wider context than widgets.
+1
If this particular use
On 8 Feb 2010, at 17:50, Anne van Kesteren wrote:
- Somewhat detailed considerations around CONNECT, TRACE, and TRACK
(flagged in the text of the specification, but not called out in the
security section; 4.6.1).
What is the reason for duplicating this information?
It will be useful
On 9 Feb 2010, at 14:30, Anne van Kesteren wrote:
Again, please explain within the spec what the security reasons are for this
specific profile of HTTP. It'll help people understand the spec a few years
down the road.
I'm not an expert on the reasons so I'd prefer not to. I believe I
On 31 Jan 2010, at 14:23, Anne van Kesteren wrote:
On Tue, 19 Jan 2010 08:01:12 +0100, Thomas Roessler t...@w3.org wrote:
With apologies for the belated Last Call comment -- the XMLHttpRequest
specification
http://www.w3.org/TR/XMLHttpRequest/
... doesn't have meaningful security
On 3 Dec 2009, at 01:09, =JeffH wrote:
ThomasR pointed out...
FYI. The focus of this new mailing list is broader than the focus of the
current mailing list. If you're interested in joining, send an e-mail with
the subject subscribe to public-web-security-requ...@w3.org.
Does this imply
FYI. The focus of this new mailing list is broader than the focus of the
current mailing list. If you're interested in joining, send an e-mail with the
subject subscribe to public-web-security-requ...@w3.org.
--
Thomas Roessler, W3C t...@w3.org
Begin forwarded message:
From: Thomas
for
the user agent to abort all processing, full stop. (One could add
some wishy-washy language about appropriate error reporting, or
something, but I don't see how that adds much value here.)
Thanks,
--
Thomas Roessler, W3C t...@w3.org
On 1 Jul 2009, at 19:01, Marcos Caceres wrote
4. Every Signature Property required by this specification MUST be
incorporated into the signature as follows:
b. A widget signature MUST include a ds:Object element within the
ds:Signature element. This ds:Object element MUST have an Id attribute
that is referenced by a ds:Reference element
On 27 May 2009, at 09:34, Arve Bersvendsen wrote:
The main issue here, I think, is one of being proactive on this
front. Given that absolute URIs are required for resolution, and
that UA vendors will, unless specified, have to pick a URI scheme of
their own, the situation may well arise
On 27 May 2009, at 10:58, timeless wrote:
On Wed, May 27, 2009 at 10:44 AM, Thomas Roessler t...@w3.org wrote:
2. Where does the requirement for query strings suddenly come
from? I can't
find it in the current editor's draft, and (beyond a side
discussion with
timeless) don't recall
URI need to match within
widgets? Section 4.4 seems to indicate that URIs with scheme widget
don't ever leave the specific widget instance. So, why?)
Thanks,
--
Thomas Roessler, W3C t...@w3.org
On 22 May 2009, at 10:24, Marcos Caceres wrote:
Just a heads up that the widget URI scheme
On 21 May 2009, at 03:32, Arthur Barstow wrote:
One of the problems that at least Arve, Thomas and others have
raised, is the lack of clear use case(s) and requirements. I think
that information should be included in the FPWD. It would not only
help the group work through the details of
On 20 May 2009, at 11:34, Marcos Caceres wrote:
On Wed, May 20, 2009 at 10:28 AM, Robin Berjon ro...@berjon.com
wrote:
Hi all,
I'd like us to agree to a plan to get WAR to FPWD as soon as
possible. I
would suggest the following that we build on the document that
Marcos has
already put
?
--
Thomas Roessler, W3C t...@w3.org
On 19 May 2009, at 11:18, Marcos Caceres wrote:
With my editor hat on, I would like to propose the following
security model for widgets:
1. If no access element is used, the application type (e.g., HTML,
Flash, whatever) is responsible for providing
On 7 May 2009, at 13:47, Robin Berjon wrote:
Hi Thomas,
On May 2, 2009, at 13:31 , Thomas Roessler wrote:
1. What does access to network resources mean? Does this refer
to the use of inline resources, stylesheets, images,
XMLHttpRequest, form submissions, some of these, all
On 1 May 2009, at 12:49, Kai Hendry wrote:
http://dev.w3.org/2006/waf/widgets-digsig/#identifier-signature-property
I'm not sure what signature management is exactly, though can
someone please inform me what a UA is supposed to do with
dsp:Identifier?
The primary use case here is not the
On 4 May 2009, at 18:42, Marcos Caceres wrote:
On Mon, May 4, 2009 at 4:13 PM, Frederick Hirsch
frederick.hir...@nokia.com wrote:
The Identifier property is useful for audit and management in the
backend.
I believe this should remain in the specification and should
remain a
normative
?
*) http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/0204.html
Happy to talk more about this on next Thursday's call; I believe that
this discharges ACTION-337.
Regards,
--
Thomas Roessler, W3C t...@w3.org
Hi Frederick,
Some tiny editorial changes
I think we should add the following sub-section to the Status of
This Document:
[[
<h3 class="no-num no-toc">Note to Last Call Reviewers</h3>
<p><em>This section is non-normative.</em></p>
<p>The editors of this specification respond rapidly to all feedback
and
On 29 Apr 2009, at 13:55, Marcos Caceres wrote:
Well... Doesn't Last Call suggest that you're actually beyond the
phase of
rapid changes?
LOL! hell no, that's when most changes happen because it's the only
time people pay enough attention to do an actual review. That's why
Last Call should
the one around absolutizing URI references and generating origins. In
other words:
- How are relative URI references absolutized?
- How do widgets interact with the HTML5 security policy?
Thanks,
--
Thomas Roessler, W3C t...@w3.org
easily within the currently proposed framework.
I'm not sure whether the current requirements document actually
answers this question.
--
Thomas Roessler, W3C t...@w3.org
On 24 Apr 2009, at 18:02, Scott Wilson wrote:
In our system when a widget is instantiated we generate our own
instance
On 24 Apr 2009, at 10:54, Marcos Caceres wrote:
It would be really helpful if you could enumerate these
complexities, please?
What I'm proposing currently (and I think other proposals are having
the same effect) implies that there is a new and separate origin every
time a widget is newly
On 24 Apr 2009, at 13:19, Marcos Caceres wrote:
We need to figure out what the baseline policy is for access to
persistent
storage that is shared across several instances, or even several
widgets.
Agreed. We are unsure if that goes into our spec or into the
WebStorage spec.
I suspect
Guido Grassel is reminding me that the HTML5 storage API keys off
origin. This means another wrinkle for the URI scheme/origin discussion.
--
Thomas Roessler, W3C (mobile) t...@w3.org
On 19 Apr 2009, at 16:24, Robin Berjon wrote:
On Apr 16, 2009, at 17:23 , Thomas Roessler wrote:
1. How is the information in this access element going to be used
at installation time or distribution time? I'd like to see some
spec text that explains this.
My understanding
/MobileWidgetsCampW3CTrack
Please spread the word; also, if you're coming to the conference, I
hope to see you at the mobile widget camp.
Regards,
--
Thomas Roessler, W3C t...@w3.org
On 15 Apr 2009, at 21:00, Jonas Sicking wrote:
For example the fact that it relies on XSD means that
it's a non-starter for me.
The schema datatypes used in XML Signature are: ID, anyURI, string,
integer, base64Binary.
The signature properties document adds a dependency on xsd:dateTime.
On 14 Apr 2009, at 11:42, Henri Sivonen wrote:
I don't find the string anyURI in the spec, but anyURI is a great
example of why defining syntax in terms of XSD datatypes is a bad
idea:
http://hsivonen.iki.fi/thesis/html5-conformance-checker#iri
anyURI is used in XML Signature. I don't
Roessler, W3C t...@w3.org
On 8 Apr 2009, at 20:07, Jonas Sicking wrote:
On Wed, Apr 8, 2009 at 2:23 AM, Thomas Roessler t...@w3.org wrote:
Incidentally, just framing this as XHR vs XDR is a bit
simplistic: E.g.,
one could imagine a method enableCrossSiteRequests (or something
like
On 14 Apr 2009, at 10:27, Henri Sivonen wrote:
Wouldn't it be simpler to use jar signing instead of inventing a new
way of signing zip files with implementation dependencies on XML
signatures and spec dependencies on XSD? (Why does the spec have
dependencies on XSD?)
Which XSD dependency
FYI, the message below just went to the public-device-a...@w3.org
list. Please follow up there.
http://lists.w3.org/Archives/Public/public-device-apis/2009Apr/
Regards,
--
Thomas Roessler, W3C t...@w3.org
Begin forwarded message:
From: Thomas Roessler t...@w3.org
Date: 14 April
On 14 Apr 2009, at 16:19, Henri Sivonen wrote:
Instead of canonicalizing the manifest XML and using XML signature,
you could treat the manifest XML as a binary file and sign it the
traditional way leaving a detached binary signature in the format
customary for the signing cipher in the zip
On 8 Apr 2009, at 02:29, Jonas Sicking wrote:
But it's for a limited time. In a few years hopefully all browsers
supports cross site XHR. And if you can already today follow the
advice that you should not rely on XHR not honoring your request just
because it's a cross site URI.
You are
On 26 Mar 2009, at 14:44, Anne van Kesteren wrote:
On Thu, 26 Mar 2009 14:40:16 +0100, Thomas Roessler t...@w3.org
wrote:
1. I think it's a good thing to phrase this in terms of the BNF from
3986 and 3987. I don't think it's obvious that this piece of the
spec
needs to reuse the HTML URI
What the author certificate lets you verify is whether a single party
is taking responsibility for two widgets.
There is indeed no *proof* of authorship here, but a statement that
the signer is willing to assume the blame for being the widget's
author. Which is all we need, no?
--
Thomas
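The distinction drawn in the message above (an author signature links two widgets to one signer who accepts responsibility for both; it is not proof of who wrote them) as an added example. This is not code from the thread or from the widget DigSig spec: it stands in a plain Ed25519 key over a package digest for the spec's XML Signature, and the package names, seeds and the `SameAuthor` helper are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// AuthorSignature is a simplified stand-in for a widget's author signature:
// the signer's public key plus a signature over the package digest.
// Illustration only; the widget DigSig spec uses XML Signature, not this.
type AuthorSignature struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// authorKey derives a deterministic author key from a 32-byte seed so the
// example runs offline without a certificate store. Seeds are constructed.
func authorKey(seed []byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(seed)
}

// SignWidget signs the SHA-256 digest of a widget package with the author key.
func SignWidget(priv ed25519.PrivateKey, pkg []byte) AuthorSignature {
	digest := sha256.Sum256(pkg)
	return AuthorSignature{
		Pub: priv.Public().(ed25519.PublicKey),
		Sig: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyWidget checks that sig covers pkg under the key carried in sig.
// On its own this only shows the package is unmodified since signing; it
// says nothing about who the signer is.
func VerifyWidget(pkg []byte, sig AuthorSignature) bool {
	if len(sig.Pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; reject instead
	}
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(sig.Pub, digest[:], sig.Sig)
}

// SameAuthor answers the question the thread raises: is one party taking
// responsibility for both widgets? True only when both signatures verify
// and both were produced under the same author key.
func SameAuthor(pkgA []byte, a AuthorSignature, pkgB []byte, b AuthorSignature) bool {
	return VerifyWidget(pkgA, a) && VerifyWidget(pkgB, b) && bytes.Equal(a.Pub, b.Pub)
}

func main() {
	// Constructed sample packages and seeds (not real widgets).
	acme := authorKey(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	other := authorKey(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	w1, w2, w3 := []byte("widget-one.wgt"), []byte("widget-two.wgt"), []byte("widget-three.wgt")

	s1, s2 := SignWidget(acme, w1), SignWidget(acme, w2)
	s3 := SignWidget(other, w3)

	fmt.Println("w1 and w2 from same party:", SameAuthor(w1, s1, w2, s2))                // true
	fmt.Println("w1 and w3 from same party:", SameAuthor(w1, s1, w3, s3))                // false
	// A tampered package no longer verifies, so the link between the two is gone too.
	fmt.Println("tampered w2 linked to w1:", SameAuthor(w1, s1, append(w2, '!'), s2)) // false
}
```

The check is deliberately two-sided: a matching public key without a valid signature over the package proves nothing, and a valid signature under a different key does not link the widgets. Which real-world party stands behind the key is exactly the question the author certificate leaves to whoever issued it.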
On 20 Mar 2009, at 10:46, Marcos Caceres wrote:
To complement the new i18n model, I've added the following
restrictions on XML base:
[[
xml:base attribute
The xml:base attribute may be used in a configuration document to
specify a base URI other than the base URI of the document. For the
I wonder what the interaction between this and a manifest approach for
URI dereferencing would be. I could argue the case both ways, but
would be interested in your thoughts.
--
Thomas Roessler, W3C t...@w3.org
On Mar 18, 2009, at 20:53, Frederick Hirsch
frederick.hir...@nokia.com
? I'm having a hunch here that
having the JavaScript code setting that parameter is going to be a
source of gratuitous interoperability problems. Is that covered in
the XHR spec already, has it been considered at all, .?
Excuse my ignorance,
--
Thomas Roessler, W3C t...@w3.org
On 16
This thread seems to have died out without further follow-up. What
are the next steps?
--
Thomas Roessler, W3C t...@w3.org
On 26 Feb 2009, at 13:23, Thomas Roessler wrote:
Getting back to the URI scheme discussion, here's a strawman
proposal that's inspired by the Widget case, where
Regrets, in a meeting.
--
Thomas Roessler, W3C t...@w3.org
On 10 Mar 2009, at 19:09, Arthur Barstow wrote:
Below is the draft agenda for the March 12 Widgets Voice Conference
(VC).
Inputs and discussion before the meeting on all of the agenda topics
via public-webapps is encouraged
On 23 Feb 2009, at 15:31, Scott Wilson wrote:
Because many widgets are small local applications offered for remote
services that use different user accounts, oAuth is a very important
and relevant technology. Which is why, for example, it has been a
major task in the oAuth and
.
--
Thomas Roessler, W3C t...@w3.org
On 26 Feb 2009, at 13:23, Thomas Roessler wrote:
Getting back to the URI scheme discussion, here's a strawman
proposal that's inspired by the Widget case, where scripting and
navigation add a few more complexities. I'll be interested in
seeing
Jon,
I was proposing to *not* have a widget URI scheme, and outlining how to
make that work. Note that, since we're talking about DOM-based technology,
both the origin and the base URI are actually important properties to
consider.
Regards,
--
Thomas Roessler, W3C t...@w3.org
On 26 Feb 2009, at 15:52
a widget package.
Regards,
--
Thomas Roessler, W3C t...@w3.org
On 25 Feb 2009, at 13:50, Frederick Hirsch wrote:
- 5.2 and 5.3 have an issue about additional algorithms. I suggest
just being silent about them.
ok to remove the issues?
To the extent to which these are about unspecified additional
algorithms, that's what I'm proposing. The second
On 23 Feb 2009, at 05:15, Jon Ferraiolo wrote:
OAuth is a technology that authorizes someone to do something. For
example, an OAuth server might authorize you to cast a vote in an
election. Regarding authorization, in the most common case of W3C
Widgets, you would most likely use something
Hi Art,
regrets from me -- there is a conflict for me at the chosen time slot.
(Apologies for not having sent these earlier, but I only noticed the
new time slot now.)
Regards,
--
Thomas Roessler, W3C t...@w3.org
On 11 Feb 2009, at 14:10, Arthur Barstow wrote:
Below is the draft
On 9 Feb 2009, at 13:57, Anne van Kesteren wrote:
* There was a logic error in the cache processing model.
I wonder whether that part of the spec is actually being implemented
(or found useful by implementors).
If not, I'm all for dropping it.
--
Thomas Roessler, W3C t...@w3.org
On Mon, 09 Feb 2009 14:25:37 +0100, Thomas Roessler t...@w3.org
wrote:
On 9 Feb 2009, at 13:57, Anne van Kesteren wrote:
* There was a logic error in the cache processing model.
I wonder whether that part of the spec is actually being
implemented (or found useful by implementors
OCSP responders (and CRLs) as part of certificate
validation
I'd argue that the latter is more important than the former.
--
Thomas Roessler, W3C t...@w3.org
On 13 Jan 2009, at 09:58, Doug Schepers wrote:
Since it can be about more than just data, e.g. images, Cross-Origin
Resource Sharing might be more appropriate. Keeping the header names
the same seems fine, they're just opaque strings, but at least
making it
more clear what the specification
On 12 Jan 2009, at 16:31, Jonas Sicking wrote:
There are 3 possible solutions that I can see to this:
1. Change the name of the Origin header in Access-Control
2. Change the name of the Origin header used for CSRF protection
3. Change the behavior of one (or both) of the specs such that they
/
http://www.ietf.org/rfc/rfc4946.txt
I'd suggest that it's a good idea to enable this pattern for widgets;
the issue that you point out (licenses changing after the fact) is one
that's being dealt with on a social level.
--
Thomas Roessler, W3C [EMAIL PROTECTED]
You'll want to define what it means for one version string to be
greater than another one.
--
Thomas Roessler, W3C [EMAIL PROTECTED]
On 27 Oct 2008, at 17:27, Marcos Caceres wrote:
Hi All,
I would like to relax a valid version string to be any string. The
reason I want to do
Archiving, with permission of all those involved, and with apologies
for having let this turn into a technical discussion off-list.
Mark's message (the topmost one) includes a number of interesting
design points, that should be further pursued.
Regards,
--
Thomas Roessler, W3C [EMAIL
of the two groups.
Sorry, and regards,
--
Thomas Roessler, W3C [EMAIL PROTECTED]
My reaction is that this is local error handling and therefore out
of scope for the specification.
--
Thomas Roessler, W3C [EMAIL PROTECTED]
On 2008-07-04 03:29:37 +, Web Applications Working Group Issue Tracker
wrote:
From: Web Applications Working Group Issue Tracker [EMAIL
will work significantly better than
what's proposed above.
--
Thomas Roessler, W3C [EMAIL PROTECTED]
will be
clueless about the policies.
Hope this helps,
--
Thomas Roessler, W3C [EMAIL PROTECTED]
On 2008-06-11 15:30:22 -0700, Jonas Sicking wrote:
From: Jonas Sicking [EMAIL PROTECTED]
To: Jonas Sicking [EMAIL PROTECTED],
WAF WG (public) [EMAIL PROTECTED], public-webapps@w3.org
Date: Wed, 11