W3C home > Mailing lists > Public > public-web-intents@w3.org > August 2012

Re: Passing "origin" with intents

From: KOMATSU Kensaku <kensaku.komatsu@gmail.com>
Date: Tue, 28 Aug 2012 05:02:06 +0900
Message-ID: <CAKopxYyHAkJzRRtq3Yhbk5h3sxjuRYTcnCkb0hKs7OJOQ=A-rw@mail.gmail.com>
To: "SULLIVAN, BRYAN L" <bs3131@att.com>
Cc: James Hawkins <jhawkins@google.com>, Greg Billock <gbillock@google.com>, Conrad Irwin <conrad.irwin@gmail.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
Yep, most of modern browsers such as IE, chrome, safari and opera are
trusted and sends right origin to intent services. But there are other clients
their behavior is not trusted. So, I guess James pointed that origin info
from clients is not always trusted.

I agree that origin is convenient to keep generic security level, but
it is danger to
completely rely on it.

---
Ken
NTT Communications.


2012/8/28 SULLIVAN, BRYAN L <bs3131@att.com>:
> Why couldn’t the browser just send the client origin whenever it is
> different from the service origin, similar to how it decides to send the
> Origin header?
>
>
>
> Thanks,
>
> Bryan Sullivan
>
>
>
> From: James Hawkins [mailto:jhawkins@google.com]
> Sent: Monday, August 27, 2012 9:10 AM
> To: Greg Billock
> Cc: Conrad Irwin; public-web-intents@w3.org
> Subject: Re: Passing "origin" with intents
>
>
>
> The key thing to keep in mind is that exposing the client's origin is a
> decision that must be left to the client.
>
>
>
> We could say that the client must pass its origin through the payload, but
> the service can't trust that data; consequently, that means the browser must
> pass the origin to the service.  I think we're in agreement that there are
> compelling use cases for this addition, so now we must figure out how the
> client tells the browser to send its origin.  Any ideas?
>
>
>
> James
>
>
>
> On Sun, Aug 26, 2012 at 9:19 PM, Greg Billock <gbillock@google.com> wrote:
>
> We've discussed this, but there's no formal proposal yet. Do you want
> to draw one up? Certainly for explicit intents this seems like it'd be
> a good addition.
>
> With an origin to establish an out-of-band shared secret, you can do
> Oauth-style flows. Without it, you can do OpenId type flows where you
> basically get a warrant that the bearer controls some namespaced
> token.
>
>
>
>
> On Sun, Aug 26, 2012 at 7:32 PM, Conrad Irwin <conrad.irwin@gmail.com>
> wrote:
>> Hi all,
>>
>> I saw some earlier mention [1] of the inability for web-intents to
>> obtain the origin of the calling site.
>>
>> Is this something that will be added?
>>
>> I am also working on an authentication protocol; and without the
>> ability to verify the origin of a message, WebIntents are almost
>> useless. (I can work around it by making the call to the intent from a
>> content-script running in my chrome extension that shares a secret
>> with the intent; but that feels very fragile).
>>
>> A couple of other use-cases for including the origin could be:
>> • Content-filtering: If I am running an image sharing web-intent, I
>> might want to block content from http://*.xxx.
>> • UI enhancement: If I am running an editing web-intent, it would be
>> nice to be able to tell the user "return to <origin>"
>> • Authentication: If I am running an authentication web-intent, it's
>> essential to know which website is asking for the user's identity (I
>> don't want to give it to a malicious 3rd-party by accident).
>>
>> Conrad
>>
>> [1]
>> http://lists.w3.org/Archives/Public/public-web-intents/2012May/0012.html
>>
>
>
Received on Monday, 27 August 2012 20:02:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:14:47 UTC