[cap-talk] solve CSRF by making references unforgeable, not unshareable

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Mar 26 22:00:50 EDT 2009


Mark Miller wrote:
> On Wed, Mar 25, 2009 at 10:49 AM, Kevin Reid <kpreid at mac.com> wrote:
>> Indeed. My E-on-JavaScript implementation suffers from the lack of AST
>> libraries for HTML and JavaScript (though I built a half-baked output-
>> only system for JS).
>>
>> Are there existing ones that it would be good to borrow design or tame
>> implementation of? (DOM need not apply as it uses mutable nodes tied
>> to a specific Document.)
> 
> For HTML / XML / DOM, see http://jsonml.org/

This is the kind of specification I like: essentially the whole spec [the
Usage Recommendations, XML Namespaces, DOM Quirks, and Grammar subheadings]
fits on a single screen. A welcome change from 50 screenfuls to do something
that should be trivial in a typical W3C spec (I'm not exaggerating,
unfortunately).

Notice that, apart from having a (pretty reasonable and straightforward)
way of encoding attributes, this is essentially the same as the
S-expressions-as-JSON approach suggested in my reply. It also handles
namespaces just as a convention, without the nonsense that XML 1.1 added
to complexify them. So it gets my wholehearted approval.

-- 
David-Sarah Hopwood ⚥
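
The "S-expressions with attributes" shape discussed above, as an added example that is not part of the original message or of jsonml.org: an output-only serializer from a JsonML tree to HTML that escapes every text and attribute value at the point of output. The function names, the name pattern, the void-element list and the refusal of script/style are assumptions of this sketch.

```javascript
// Added example, not from the original message or from jsonml.org.
// Assumed node shape: a string (text), or [tagName, attributes?, ...children]
// where attributes, when present, is a plain object in position 1.
const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'link', 'meta']);
const RAW_TEXT_TAGS = new Set(['script', 'style']); // need different escaping
const NAME_RE = /^[A-Za-z][A-Za-z0-9:_-]*$/;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

function isAttributes(x) {
  return x !== null && typeof x === 'object' && !Array.isArray(x);
}

// Serialize a JsonML tree without mutating it; data is escaped on output.
function jsonmlToHtml(node) {
  if (typeof node === 'string') return escapeText(node);
  if (!Array.isArray(node) || typeof node[0] !== 'string' || !NAME_RE.test(node[0])) {
    throw new TypeError('not a JsonML node: ' + JSON.stringify(node));
  }
  const [tag, ...rest] = node;
  const lower = tag.toLowerCase();
  if (RAW_TEXT_TAGS.has(lower)) throw new TypeError('unsupported element: ' + tag);
  const attrs = isAttributes(rest[0]) ? rest.shift() : {};
  let out = '<' + tag;
  for (const [name, value] of Object.entries(attrs)) {
    if (!NAME_RE.test(name)) throw new TypeError('bad attribute name: ' + name);
    out += ' ' + name + '="' + escapeAttr(String(value)) + '"';
  }
  if (VOID_TAGS.has(lower)) {
    if (rest.length) throw new TypeError('void element with children: ' + tag);
    return out + '>';
  }
  return out + '>' + rest.map(jsonmlToHtml).join('') + '</' + tag + '>';
}

// Constructed sample: the text and attribute values contain markup characters.
const sample = ['ul', { class: 'links' },
  ['li', ['a', { href: '/a?x=1&y="2"' }, 'first <b>item</b>']],
  ['li', 'second', ['br'], 'line']];

console.log(jsonmlToHtml(sample));
```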
