Re: Passing "origin" with intents

From: Paul Kinlan <paulkinlan@google.com>
Date: Mon, 27 Aug 2012 09:16:33 -0700
Message-ID: <CADGdg3BZCJaYDK+K3p8inQgskA5aqwBnHS-kOuM00R4WpWE3yQ@mail.gmail.com>
To: James Hawkins <jhawkins@google.com>
Cc: Conrad Irwin <conrad.irwin@gmail.com>, WebIntents <public-web-intents@w3.org>, Greg Billock <gbillock@google.com>

I was thinking an attribute on the constructor object along the lines of

new Intent({action:... , type: ... , data:..., useOrigin: true});

Would you want to restrict your list of services to those that don't
require origin when useOrigin is false?

P

On 27 Aug 2012 17:11, "James Hawkins" <jhawkins@google.com> wrote:

> The key thing to keep in mind is that exposing the client's origin is a
> decision that must be left to the client.
>
> We could say that the client must pass its origin through the payload, but
> the service can't trust that data; consequently, that means the browser
> must pass the origin to the service.  I think we're in agreement that there
> are compelling use cases for this addition, so now we must figure out how
> the client tells the browser to send its origin.  Any ideas?
>
> James
>
> On Sun, Aug 26, 2012 at 9:19 PM, Greg Billock <gbillock@google.com> wrote:
>
>> We've discussed this, but there's no formal proposal yet. Do you want
>> to draw one up? Certainly for explicit intents this seems like it'd be
>> a good addition.
>>
>> With an origin to establish an out-of-band shared secret, you can do
>> OAuth-style flows. Without it, you can do OpenID type flows where you
>> basically get a warrant that the bearer controls some namespaced
>> token.
>>
>>
>>
>> On Sun, Aug 26, 2012 at 7:32 PM, Conrad Irwin <conrad.irwin@gmail.com>
>> wrote:
>> > Hi all,
>> >
>> > I saw some earlier mention [1] of the inability for web-intents to
>> > obtain the origin of the calling site.
>> >
>> > Is this something that will be added?
>> >
>> > I am also working on an authentication protocol; and without the
>> > ability to verify the origin of a message, WebIntents are almost
>> > useless. (I can work around it by making the call to the intent from a
>> > content-script running in my chrome extension that shares a secret
>> > with the intent; but that feels very fragile).
>> >
>> > A couple of other use-cases for including the origin could be:
>> >  Content-filtering: If I am running an image sharing web-intent, I
>> > might want to block content from http://*.xxx.
>> >  UI enhancement: If I am running an editing web-intent, it would be
>> > nice to be able to tell the user "return to <origin>"
>> >  Authentication: If I am running an authentication web-intent, it's
>> > essential to know which website is asking for the user's identity (I
>> > don't want to give it to a malicious 3rd-party by accident).
>> >
>> > Conrad
>> >
>> > [1] http://lists.w3.org/Archives/Public/public-web-intents/2012May/0012.html
>> >
>>
>>
>
Received on Monday, 27 August 2012 16:17:01 UTC
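
The trust split discussed in this thread (an origin carried in the payload cannot be trusted, an origin supplied by the browser can), together with the authentication and content-filtering use cases, sketched from the service side. This is an added example, not code from the thread or from any Web Intents draft. The `delivery` object, its `origin` and `data.claimedOrigin` fields, and the registered origin are assumptions made for illustration.

```javascript
// Hypothetical model of what a service receives:
//   delivery.origin : set by the browser, null when the client did not opt in
//                     (the proposed useOrigin flag left false)
//   delivery.data   : payload, fully controlled by the client page
const REGISTERED_CLIENTS = new Map([
  // constructed sample registration: origin -> client id
  ["https://photos.example", "client-photos"],
]);

// Reduce a value to a canonical web origin, or null if it is not one.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin; // scheme + host + non-default port
}

// Content-filtering use case from the thread: refuse content from *.xxx hosts.
function isBlockedForContent(browserOrigin) {
  const origin = normalizeOrigin(browserOrigin);
  if (origin === null) return true; // no attested origin: cannot evaluate, refuse
  return new URL(origin).hostname.endsWith(".xxx");
}

// Authentication use case: decide only on the browser-supplied origin.
function handleAuthIntent(delivery) {
  const origin = normalizeOrigin(delivery.origin);
  if (origin === null) {
    // Client kept its origin private; an identity service has nothing to bind to.
    return { ok: false, reason: "no-browser-origin" };
  }
  const clientId = REGISTERED_CLIENTS.get(origin);
  if (clientId === undefined) {
    return { ok: false, reason: "unknown-origin" };
  }
  // The payload's own claim never influences the decision; a mismatch is
  // only surfaced so the service can log it.
  const claimed = normalizeOrigin(delivery.data && delivery.data.claimedOrigin);
  return {
    ok: true,
    clientId,
    returnTo: origin, // safe to show as "return to <origin>"
    payloadOriginMismatch: claimed !== null && claimed !== origin,
  };
}
```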