> Dare Obasanjo wrote:
> > SECURITY/PRIVACY:
> > HLink requires you to fetch a mapping file from a specified remote location
> > while XLink does not. Any web page that can make your browser make HTTP
> > requests other than the ones directly specified by the user are potential
> > security and privacy issues. For instance, I can imagine WebBugs going upscale
> > and dressing themselves up to look legit by using HLink.
> Hm. I didn't think HLink was intended to work that way.
> I thought the intent was something like: someone developing
> a new XML vocabulary wants to include HLink semantics,
> so includes an HLink mapping along with the rest of
> the vocabulary specification (schema, documentation, etc.)
> Application developers who want to use the new vocabulary
> consult the HLink mapping when building their own application.
> Something like how WSDL works -- web service clients don't
> download WSDL at runtime, the _developer_ does when _building_
> the client.
> Of course with this approach generic web browsers can't
> automatically discover the HLink links in arbitrary XML files,
> but it's not clear that this is even a requirement.
> We don't expect browsers to automatically figure out how
> to process *any* random XML documents they happen to download,
> only the ones that use a supported vocabulary.
I really don't understand any of this. I'll just latch on to the one concrete
thing that struck me.
If HLink is like WSDL, then Dare is right about the security issues. These
same security issues obtain with WSDL. Tainting a WSDL can cause subtle
application failures (for instance, messing with the data type definitions in
the <types> section). This is a security issue.
If HLink is not like WSDL, i.e. apps do not use it to affect processing during
instance processing, then it seems entirely useless to me. Why not just spell
out the meaning of attributes right in the XHTML spec?
In either case, I don't remotely see how HLink is a potential replacement for
Uche Ogbuji Fourthought, Inc.
http://uche.ogbuji.net http://4Suite.org http://fourthought.com
Apache 2.0 API - http://www-106.ibm.com/developerworks/linux/library/l-apache/
Python&XML column: Tour of Python/XML - http://www.xml.com/pub/a/2002/09/18/py.
Python/Web Services column: xmlrpclib - http://www-106.ibm.com/developerworks/w