Re: [widgets] Widgets URI scheme... it's baaaack!

On Fri, 22 May 2009 15:25:40 +0200, Mark Baker <distobj@acm.org> wrote:

> I'm curious to learn where the requirement that "Must not allow
> addressing resources outside a widget" came from?  Can you point to a
> precedent for such a restriction in any other protocol?  I remember
> TimBL writing something to the effect of "Anywhere you can use a URI,
> you can use any URI", possibly in his design issues, but I can't find
> a reference right now.

The point here is that the widget URI scheme is only supposed to be used  
to synthesise an origin so nodes in the DOM can be sensibly resolved for  
resources inside the package.  The reason for choosing a synthetic scheme  
are:

1. A web (http(s?)) origin will not work, because a widget MAY be  
distributed over other channels than the web (such as bluetooth,  
pre-bundled on devices, installed through third-party package managment  
systems (debian packages/repositories)).
2. Further, (some) widgets might not provide an authorative means of  
determining the web origin of the widget, if any such origin existed in  
the first place.
3. A well-behaved widget runtime should provide complete isolation from  
the underlying operating system, including the layout of the file system
4. It must not be possible for a widget to resolve and reference resources  
in other widget packages on the same system (The underlying assumption  
here is that it should not be possible for a widget running on a user  
agent to determine which other widgets are running or installed on the  
same system.

Points 1/2 pretty much invalidate http as a valid origin, while 3/4  
invalidates the use of file: (which also has an entirely different set of  
compatibility issues between web ua's that I doubt will be resolved  
anytime soon.)


-- 
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/

Received on Friday, 22 May 2009 13:41:56 UTC