Re: Application Launcher (was: Rechartering Device APIs & Policy Working Group) from Robin Berjon on 2011-02-09 (public-device-apis@w3.org from February 2011)

From: Robin Berjon <robin@berjon.com>
Date: Wed, 9 Feb 2011 14:48:27 +0100
To: Bryan Sullivan <blsaws@gmail.com>
Cc: "Dominique Hazael-Massieux" <dom@w3.org>, "public-device-apis" <public-device-apis@w3.org>
Message-Id: <E27F522B-3622-42E4-8FA9-C7BDF6E0D418@berjon.com>

Hi Bryan,

On Feb 9, 2011, at 09:01 , Bryan Sullivan wrote:
> I'm not sure why you say the ability to detect the registered registered/default for a purpose (e.g. music player) and launch it is "simply, deeply wrong".

This is a conversation that we need to get right, which requires making sure we're on the same page talking about the same thing. So since the above is not at all what I have said, I am going to ask you to please read my previous email in this thread more closely and either return with a rejoinder to what I actually did say, or a description of what you didn't find clear so that I may clarify (it may well be that I was unclear, but I need your help to figure out where).

> The only thing the requesting app could do is invoke that registered/default application, and possibly pass it some invocation parameters. This is essentially equivalent to launching any URI-handler with parameters as defined in the related RFCs.

If the goal of the API you are proposing is to be "essentially equivalent" to launching an application based on a URI scheme or media type, then we don't need an API at all. We already have everything that's needed.

If however the idea is that one could call arbitrary applications based on their paths (as exemplified in my original post) then we have a security death wish. In BONDI 1.1, you could do that:

// launch all the apps!
bondi.applauncher.getInstalledApplications(runAll);
function runAll (apps) {
  for (var i = 0, n = apps.length; i < n; i++)
    bondi.applauncher.launchApplication(null, null, "file://" + apps[i]);
}

That's just wrong. You can put all the policy you want on it, all it takes is a single, garden-variety XSS attack and you have full access to the platform of all the users who have widgets supporting the above code.

We have more elegant solutions for this that don't involve anywhere near as much risk. We should use those.

-- 
Robin Berjon - http://berjon.com/

Received on Wednesday, 9 February 2011 13:48:57 UTC