RE: Mozilla security review of Access Control

On Thu, 21 Feb 2008, Close, Tyler J. wrote:
> >
> > If the command is something simple like adding an event to a calendar, 
> > the ideal UI doesn't involve the user doing anything in the way of 
> > giving credentials -- or indeed anything else -- to anyone. Just a 
> > click "add this event to my calendar" or some such. We still need to 
> > know who the user is.
> 
> I gather this means you're assuming the third party web page is coded to 
> only add events to calendars maintained by a single web site.

It's only an example, but yes, I am -- for example, it could be a widget 
specific to this calendar mechanism.

Or another example could be a button for Facebook that adds someone as 
your friend when you click it. Or a button for players of an MMORPG where 
it adds the person to the user's address book. Or any number of other 
things where the Web page is not being trusted by the service provider to 
do anything risky, where the user has already authenticated with the 
service provider, and where no additional UI is to be shown.


> I can see where this is an attractive design for a company that hosts 
> calendars, but may not be so appealing to others. In a better design, 
> the third party web page would accept a reference to the calendar to be 
> updated. This reference could then include the necessary authorization 
> token. From a UI perspective, the user might have a bookmark for their 
> calendar. To add an event to their calendar, the user would drag and 
> drop this bookmark onto the calendar update widget provided by the third 
> party web page. By supporting a common protocol, perhaps something like 
> AtomPub, multiple web sites could then offer calendar services 
> compatible with the third party web page.

Sure, but even in such a case, you STILL don't want to provide the site 
with additional credentials, whether one-time-use or not.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 21 February 2008 18:20:32 UTC