- From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
- Date: Wed, 13 Jan 2010 14:48:32 -0500
- To: ext John Kemp <john@jkemp.net>
- Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, "ext Mark S. Miller" <erights@google.com>, ext Robin Berjon <robin@robineko.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>
is localhost "free" or is there an efficiency penalty - I believe I've heard it said that there is a real performance cost, but could be mistaken. regards, Frederick Frederick Hirsch Nokia On Jan 13, 2010, at 2:31 PM, ext John Kemp wrote: > Hi Frederick, > > On Jan 13, 2010, at 2:05 PM, Frederick Hirsch wrote: > >> Mark, my concern was that these (e.g. OAuth others noted) all seem >> to imply network connectivity, yet there might be a requirement to >> have contact book access (to give an example) without network access. > > If you imagine that you have a local Web server running, and > providing the contacts API, then if a remote site were to access > that service (from off-device), it might send an HTTP request to do. > This would be a standard Web scenario, and the remote requester > would have to know the DNS name or IP address of the device if it > wished to make an HTTP request. > > However, imagine if that same Web server, running on the device, is > accessed from some other piece of software (like a browser ;), > running on the same device. It might still be secured by OAuth, > CORS, UMP or something else. The method of access, however, will not > be over a network as such - it will be a "localhost" connection > essentially (either to a local Web server, or a cached copy of a > document acquired from somewhere else). I believe that is the case > you are thinking of? > > The difference in the use of device Javascript APIs is that the > requester in these cases is the one who has written some Javascript > using the Device API specifications. That requester won't need to > know the IP address of the device in order to use that device's > services, because the device requested a page that contains the > Javascript calls, and makes a response containing the API calls > (which are essentially then a request whose results don't have to > leave the device). > > In all of these cases, though, I am not sure that any extra network > connection is needed in order to use OAuth tokens, or any of the > other mechanisms suggested to secure the APIs. The requester should > be authorized to access the API of course. In the "offline" case, if > you were to use OAuth tokens, then the device would ask the user > whether the cached page could access her contacts, and give the > cached/localhost page an OAuth token to use in accessing that API. > > Regards, > > - johnk > >> >> regards, Frederick >> >> Frederick Hirsch >> Nokia >> >> >> >> On Jan 13, 2010, at 1:23 PM, ext Mark S. Miller wrote: >> >>> Still catching up. Answering out of order. >>> >>> >>> On Wed, Jan 13, 2010 at 7:26 AM, Frederick Hirsch <Frederick.Hirsch@nokia.com >>> > wrote: >>> use of OAuth. >>> >>> >>> That was just an example of one approach to the inter-site >>> authorization problem. Others are CORS and UMP. As I said in the >>> initial proposal, I don't think this WG should try to pick a >>> winner in this debate. They should just position device APIs so >>> that they can leverage whatever the winner is, by recasting >>> devices as RESTful GET/POST apis. By so doing, we reduce the >>> security issues to a previously unsolved problem ;). >>> >>> >>> >>> regards, Frederick >>> >>> Frederick Hirsch >>> Nokia >>> >>> >>> >>> On Jan 13, 2010, at 9:55 AM, ext Robin Berjon wrote: >>> >>> On Jan 13, 2010, at 15:50 , Frederick Hirsch wrote: >>> Is there a requirement to allow local access to contacts, for >>> example, even when disconnected from the network? How would this >>> work in this model, or is disconnected operation not a >>> requirement? It seems a mobile device should still operate as much >>> as possible when disconnected. >>> >>> That's entirely orthogonal. Either the web server is local, or >>> (perhaps more likely) it is emulated by the user agent. You never >>> go to the network, whether connected or not. >>> >>> I thought the proposal was to go to the network for authorization, >>> in which case it is not orthogonal. >>> >>> I don't read that in the original proposal, can you clarify which >>> part you're thinking of? >>> >>> -- >>> Robin Berjon >>> robineko — hired gun, higher standards >>> http://robineko.com/ >>> >>> >>> >>> >>> >>> >>> >>> >>> -- >>> Cheers, >>> --MarkM >> >> >
Received on Wednesday, 13 January 2010 19:49:24 UTC