Re: question on 4.1 explicit intents

From: Greg Billock <gbillock@google.com>
Date: Tue, 12 Jun 2012 22:38:10 -0700
Message-ID: <CAAxVY9cZ_W7UdpuoE5Ny8dF++T67QGSts5QSM=H1v=6H1VK=fw@mail.gmail.com>
To: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
Cc: "public-web-intents@w3.org" <public-web-intents@w3.org>

Can you elaborate? The risk the language about intent delivery is
addressed to is not a security concern, but to maintain a specific
model of registration within the UA -- that it not silently register
services and then dispatch to them without user involvement. For
explicit intents, though, the client is specifically directing the
user to a particular service -- there's no registration involved.

Do you think the same thinking ought to apply here, though? That is,
any dispatch, even explicit, to a particular service ought to be
approved by the user?

On Tue, Jun 12, 2012 at 4:09 AM, Jean-Claude Dufourd
<jean-claude.dufourd@telecom-paristech.fr> wrote:
> Dear all,
> In section 4.1, the first paragraph is:
> When handling an Intent marked as explicit (that is, constructed with the
> object literal constructor with a non-empty service field), the expected
> User Agent behavior is that if this "service" attribute is present,
> it should not display a service selection mechanism to the user. Instead,
> the service url should be loaded directly to handle the intent. (This is not
> a hard restriction. The User Agent may provide a way for the user to
> intercept even an explicit invocation.)
> This is a security risk.
> Why is security more relaxed here than in the previous section?
> Why does "The User Agent must not deliver an intent to a Service discovered
> in this way before the user has made a specific action allowing it." not
> apply here too?
> Best regards
> JC
> --
> JC Dufourd
> Directeur d'Etudes/Professor
> Groupe Multimedia/Multimedia Group
> Traitement du Signal et Images/Signal and Image Processing
> Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
> Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144
Received on Wednesday, 13 June 2012 05:38:39 UTC