- From: Arve Bersvendsen <arveb@opera.com>
- Date: Fri, 20 Jun 2008 10:08:32 +0200
- To: "Marcos Caceres" <marcosscaceres@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Fri, 20 Jun 2008 09:11:42 +0200, Marcos Caceres <marcosscaceres@gmail.com> wrote: > On Fri, Jun 20, 2008 at 5:04 PM, Marcos Caceres > <marcosscaceres@gmail.com> wrote: >> To which Timeless replied... >>> >>> Yes, that is possible (using XHR to load the config from within the >>> package), but then you have to walk an XML tree which sucks. The other >>> way is to use the properties that we have bound to the Widget object. >>> Check out http://dev.w3.org/2006/waf/widgets-api/Overview.src.html >> >> yeah, i'm sure such things are possible in some theoretical sense, but >> i want to make sure that the API you're asking for doesn't >> specifically do/enable this. >> > > Arve? What does the proposed security policy say about this? Can XHR > be used to GET resources inside the package? The security policy proposed by Opera (and mostly implemented already) allows you to XHR any content stored within the package archive itself, just as it would allow you to include the contents of a package through <script src>, <img src> et al. This happens through treating a widget: protocol URI where the identifier-portion matches the instance ID of the widget as being same-origin. Thus, allowing XHR is an (intended) side-effect, so you can read other content from the widget (configuration data stored in an XML file or template snippets used throughout the application, for instance), and I don't think a specification will need to mention or reference XHR specifically, except perhaps informatively. -- Arve Bersvendsen Developer, Opera Software ASA, http://www.opera.com/
Received on Friday, 20 June 2008 08:10:09 UTC