W3C home > Mailing lists > Public > public-web-intents@w3.org > August 2012

Re: Passing "origin" with intents

From: Greg Billock <gbillock@google.com>
Date: Sun, 26 Aug 2012 21:19:01 -0700
Message-ID: <CAAxVY9f-xsSBVMF0Ux18yRmLq-MT-XVhOJTgyzTTDz_YMNVaqQ@mail.gmail.com>
To: Conrad Irwin <conrad.irwin@gmail.com>
Cc: public-web-intents@w3.org
We've discussed this, but there's no formal proposal yet. Do you want
to draw one up? Certainly for explicit intents this seems like it'd be
a good addition.

With an origin to establish an out-of-band shared secret, you can do
Oauth-style flows. Without it, you can do OpenId type flows where you
basically get a warrant that the bearer controls some namespaced
token.



On Sun, Aug 26, 2012 at 7:32 PM, ConradIrwin <conrad.irwin@gmail.com> wrote:
> Hi all,
>
> I saw some earlier mention [1] of the inability for web-intents to
> obtain the origin of the calling site.
>
> Is this something that will be added?
>
> I am also working on an authentication protocol; and without the
> ability to verify the origin of a message, WebIntents are almost
> useless. (I can work around it by making the call to the intent from a
> content-script running in my chrome extension that shares a secret
> with the intent; but that feels very fragile).
>
> A couple of other use-cases for including the origin could be:
>  Content-filtering: If I am running an image sharing web-intent, I
> might want to block content from http://*.xxx.
>  UI enhancement: If I am running an editing web-intent, it would be
> nice to be able to tell the user "return to <origin>"
>  Authentication: If I am running an authentication web-intent, it's
> essential to know which website is asking for the user's identity (I
> don't want to give it to a malicious 3rd-party by accident).
>
> Conrad
>
> [1] http://lists.w3.org/Archives/Public/public-web-intents/2012May/0012.html
>
Received on Monday, 27 August 2012 04:19:29 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:14:47 UTC