W3C home > Mailing lists > Public > public-web-intents@w3.org > August 2012

Re: Passing "origin" with intents

From: Greg Billock <gbillock@google.com>
Date: Wed, 29 Aug 2012 12:34:31 -0700
Message-ID: <CAAxVY9c08duufhd8whDVhAd3nwnVP4EgcdYLsFsbnVsR+Zdp1g@mail.gmail.com>
To: Josh Soref <jsoref@rim.com>
Cc: WebIntents <public-web-intents@w3.org>
A couple related notes:

Services can't rely on origin for security purposes -- it is trivial
for a malicious UA to load a service and pass an incorrect origin
parameter, so it is not a valid security token from the perspective of
the service. The most that can be guaranteed is that a malicious
client couldn't prepare an incorrect origin on a UA of the user's
choice. So services will need to rely on shared secrets anyway, passed
through the payload data as part of the protocol.

Talking separately to some people interested in using intents as an
IPC mechanism, having 'origin' on explicit intents (my suggestion 4
above) would satisfy their needs. Would this also satisfy the use case
of making Oauth-style authentication? If so, perhaps we should limit
'origin' to that for the time being -- it's seems fair that an
explicit intent carry the origin of the requester, since it is
directed at a specific service anyway.


On Wed, Aug 29, 2012 at 10:16 AM, Josh Soref <jsoref@rim.com> wrote:
> Conrad wrote:
>> A couple of other use-cases for including the origin could be:
>> * Content-filtering: If I am running an image sharing web-intent, I
>> might want to block content from http://*.xxx.
>
> I don't think this as described is a valid use case. If you want to block content, you'll need to block the content anyway. Just discriminating against its origin won't do the right thing. It'll be a case of whack-a-mole.
>
>> * UI enhancement: If I am running an editing web-intent, it would be
>> nice to be able to tell the user "return to <origin>"
>
> This is flawed. The UX we're designing handles this automatically. You're in a tab/subframe, the user closes you and is automatically returned.
>
>> * Authentication: If I am running an authentication web-intent, it's
>> essential to know which website is asking for the user's identity (I
>> don't want to give it to a malicious 3rd-party by accident).
>
> I think this is also flawed. If you're an identity provider, then it's your job to do what your client, which is the user, asks you to do, not to do what you think is right. If I, the user, ask you to identify me to Cops in Cuba or Iran, and you feel opposed to that, tough, the fact that you're an American organization doesn't magically entitle you to refuse partial service to me (I'm picking on the hypothetical American, I'm an American too).
>
> There's nothing *accidental* about the user selecting your provider. The user is consciously choosing you, if the UA fails to get this part right, then WebIntents have totally failed (in that UA) -- and that needs to be fixed.
>
> ---------------------------------------------------------------------
> This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
>
Received on Wednesday, 29 August 2012 19:34:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:14:47 UTC