Re: XML and stateless protocols

[Mark Baker <distobj@xxxxxxx>]

On Tue, Jun 18, 2002 at 11:33:37AM +0100, Miles Sabin wrote:
> This is true, but it might be worth emphasizing, because XML provides 
> intrinsic mechanisms which allow a document instance to depend on non-
> local information.

Right.

> Not only that, those mechanisms might be abused in unexpected ways 
> (particularly if generic off-the-shelf XML parsers are used).
> 
> I mentioned a few cases a week or so ago on xml-dev,
> 
>   http://lists.xml.org/archives/xml-dev/200206/msg00240.html
>   http://lists.xml.org/archives/xml-dev/200206/msg00247.html

Well, I don't think those examples demonstrate what I'm getting at.
An example of what I'm talking about would be a HTTP message like
this;

POST /orders HTTP/1.1
Host: shop.example.org
Content-Length: 333
[blank line]
<purchase prod-id="23433"/>

If this "purchase order" was POSTed with the intent of purchasing a
single instance of product id #23433, but the document is validated
with a schema that fills in the default value for the absent
"quantity" attribute, then if the schema default changes after the
message is sent, the meaning of the message has been changed.  That's
bad for a number of reasons;

- it prevents the message from being meaningfully transferred with, say,
a store-and-forward system
- it reduces visibility to intermediaries like firewalls, who may want
to institute a policy that, for example, limits the number of items an
employee can purchase

MB
-- 
Mark Baker, CTO, Idokorro Mobile (formerly Planetfred)
Ottawa, Ontario, CANADA.               distobj@xxxxxxx
http://www.markbaker.ca        http://www.idokorro.com