A revised version (but still a draft) of the Enough With Default Allow in Web Applications! paper is now available for download. (My previous post on this topic is here.) The major changes in this version include:
- Decided to use a flat model of resources, rather than a hierarchical one, after realising the nested approach would make models very difficult to read for any non-trivial application. Also, we wanted to support the virtual patching case, which doesn't work with nesting very well.
- Behaviours can now specify character encodings, which is very important in order to properly parse parameters.
- We've allowed for a per-model data dictionary, which would allow parameter types to be defined once and reused throughout the model.
- Many clarifications and small fixes throughout.
Update (4 Aug 2008): Updated links to point to the final version (spell-checked, reviewed and branded) of the paper.
