- From: Matthew Gaba <mgaba@google.com>
- Date: Wed, 29 Aug 2012 09:47:15 -0700
- To: Greg Billock <gbillock@google.com>
- Cc: Josh Soref <jsoref@rim.com>, WebIntents <public-web-intents@w3.org>
- Message-ID: <CAPJTx--Xw2pLTLLrar9GcO5=BUBHh3_=aEjkKUX1j8S0XVg86Q@mail.gmail.com>
IMHO, we don't want the user making a choice to disclose origin or not. It will be difficult to communicate the concept of "origin" to a user. I think that most users would not be able to understand the implications of disclosing the origin, so giving them this choice seems like it wouldn't really accomplish anything other than force an uncomfortable choice on the user. I think that option 4 is a clever way of solving this problem. Would always attaching the origin for explicit intents address all of the proposed use cases for needing to know the origin? On Wed, Aug 29, 2012 at 9:15 AM, Greg Billock <gbillock@google.com> wrote: > > Many use cases don't require that origin be disclosed, so I think > making a MUST requirement on origin disclosure isn't as good as making > the disclosure optional. It may be that for some intents, origin > disclosure is mandatory to make them work, but at the API level, it > ought to be optional. > > I think having the origin disclosed as an 'origin' property on the > intent object, the way Conrad proposed, is a good idea. How shall the > client cause the UA to attach that field? Some options: > > 1. a "useOrigin: true" member of the constructor literal. > 2. an "origin: xyz" member of the constructor literal. > 3. Set up out-of-band by the user as a property of the registered > service. (i.e. "always disclose origin to this service" registration > option) > 4. Possible exception: for explicit intents, always attach the origin. > > Does (3) (and possibly 4) solve all the use cases we know about? If > so, that's the least intrusive modification to the API. > > > On Wed, Aug 29, 2012 at 7:05 AM, Josh Soref <jsoref@rim.com> wrote: > > Paul wrote: > >> If the client is receiving data back from a service, it too should be > aware of the > >> origin. > > > > I object to this. > > > > If a service is sending back data, it should be able to say whether it > wants its origin to be shared with the client. And the user should be able > to have the UA strip the origin. > > > > If I'm using an internal secret service, my service's existence > shouldn't be leaked to the world just because I'm using it with external > sites. > > > > The design of intents should be such that I could hand fill in all the > values requested by the client and the client would accept it without > discriminating against me doing that. > > > > --------------------------------------------------------------------- > > This transmission (including any attachments) may contain confidential > information, privileged material (including material protected by the > solicitor-client or other applicable privileges), or constitute non-public > information. Any use of this information by anyone other than the intended > recipient is prohibited. If you have received this transmission in error, > please immediately reply to the sender and delete this information from > your system. Use, dissemination, distribution, or reproduction of this > transmission by unintended recipients is not authorized and may be unlawful. > > -- Matthew | Gaba | mgaba@google.com | 214-709-4720
Received on Saturday, 1 September 2012 11:43:16 UTC