- From: Doug Turner <w3c@dougt.org>
- Date: Thu, 7 Jan 2010 19:00:32 -0800
- To: Mark S. Miller <erights@google.com>
- Cc: public-device-apis@w3.org
i am trying to follow what you are suggesting, but I think I am making too many assumptions. Lets make this idea concrete, are you suggesting that something like PowerState be expressed in terms of some sort of url that the developer would use xhr to access? Doug On Jan 7, 2010, at 6:47 PM, Mark S. Miller wrote: > Hi, > > I'm new to this working group. I recently joined because a number of people had privately expressed alarm to me over the approaches to security being taken in this WG. Several of them made the same suggestion, I think independently. Of the others, they found this suggestion plausible, so I thought I'd pass it on. For most devices, why not treat each device as a virtual web service, exposing its API as a RESTful API in terms of GETs and POSTs. This would reduce the present security problems to a previously unsolved problem, of how one web site becomes authorized to use web services provided by another site. > > The case is clearest for contacts. Why should authorizing Facebook to access my local contacts be different than, for example, authorizing Facebook to access my gmail contacts? There are already several proposed solutions to this problem, including the debate between CORS and UMP at the public-webapps group. For current browsers, it is also the motivating problem behind OAuth. I am *not* suggesting that we at the public-device-apis WG attempt to pick a winner among these three. Rather, that we should merely provide device APIs as RESTful GET/POST APIs, so that we can make use of whatever comes to be the resolution of this debate. The scheme of device URLs might be something other than http: or https:, but they should still be accessible through XHR and its successors. > > For some devices, an objection that has been raised: receiving and reacting to notifications from RESTful web services is awkward. However, once again, the problem is a problem with web services in general. It should be solved for web services in general. Then, devices can again be made polymorphic with web services providing similar functionality. > > Let's please avoid introducing unnecessary cases into web standards. KISS. > > -- > Cheers, > --MarkM >
Received on Friday, 8 January 2010 03:01:04 UTC