- From: Mark S. Miller <erights@google.com>
- Date: Thu, 7 Jan 2010 20:03:24 -0800
- To: Doug Turner <w3c@dougt.org>
- Cc: public-device-apis@w3.org
- Message-ID: <4d2fac901001072003l4a62642q5806ea362b4d866c@mail.gmail.com>

On Thu, Jan 7, 2010 at 7:00 PM, Doug Turner <w3c@dougt.org> wrote:

> I am trying to follow what you are suggesting, but I think I am making too many assumptions. Let's make this idea concrete, are you suggesting that something like PowerState be expressed in terms of some sort of url that the developer would use xhr to access?

Yes, exactly.

> Doug
>
> On Jan 7, 2010, at 6:47 PM, Mark S. Miller wrote:
>
> > Hi,
> >
> > I'm new to this working group. I recently joined because a number of people had privately expressed alarm to me over the approaches to security being taken in this WG. Several of them made the same suggestion, I think independently. Of the others, they found this suggestion plausible, so I thought I'd pass it on. For most devices, why not treat each device as a virtual web service, exposing its API as a RESTful API in terms of GETs and POSTs. This would reduce the present security problems to a previously unsolved problem, of how one web site becomes authorized to use web services provided by another site.
> >
> > The case is clearest for contacts. Why should authorizing Facebook to access my local contacts be different than, for example, authorizing Facebook to access my gmail contacts? There are already several proposed solutions to this problem, including the debate between CORS and UMP at the public-webapps group. For current browsers, it is also the motivating problem behind OAuth. I am *not* suggesting that we at the public-device-apis WG attempt to pick a winner among these three. Rather, that we should merely provide device APIs as RESTful GET/POST APIs, so that we can make use of whatever comes to be the resolution of this debate. The scheme of device URLs might be something other than http: or https:, but they should still be accessible through XHR and its successors.
> >
> > For some devices, an objection that has been raised: receiving and reacting to notifications from RESTful web services is awkward. However, once again, the problem is a problem with web services in general. It should be solved for web services in general. Then, devices can again be made polymorphic with web services providing similar functionality.
> >
> > Let's please avoid introducing unnecessary cases into web standards. KISS.
> >
> > --
> > Cheers,
> > --MarkM

--
Cheers,
--MarkM

Received on Friday, 8 January 2010 04:03:57 UTC