W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] Widgets URI scheme... it's baaaack!

From: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
Date: Tue, 26 May 2009 17:38:48 +0200
Message-ID: <4A1C0D08.1020005@telecom-paristech.fr>
To: public-webapps <public-webapps@w3.org>
CC: public-pkg-uri-scheme <public-pkg-uri-scheme@w3.org>
Marcos, Mark, all,

I am picking up the discussion where Cyril left it some months ago. I 
have read this thread, the Oct 08 one, the proposed URI scheme spec, 
even skimmed through the wam minutes. I still am leaning towards Mark's 
position. It seems to me that the URI scheme is not needed, or if 
needed, the reasons have not yet been "shown".
I am trying to reformulate the situation:

0- the author needs a way to point to resources within the widget package

1- the "URI scheme will never be used by the author" (written by 
Marcos), the author will use relative URIs for resources within the widget.

2- the browser will have to resolve the relative URI to an absolute URI 
because of the DOM spec, hence a possible vulnerability by divulging 
private information (e.g. actual name of current user in file: URI 
example of Apple Dashboard widgets) to scripts running in the widget.

3- Marcos seems to be deducing from 2- that a URI scheme must be defined 
for mandatory internal use in all widget UAs to guarantee that this 
vulnerability does not exist.

3- does not follow logically from 2-.
"Mandating the implementation in the widget UA of a URI resolution that 
does not divulge private information to the widget scripts" is 
sufficient to ensure that the vulnerability mentioned in 2- does not 
happen. The proposed URI scheme could be suggested as an option, but not 
more.

My understanding is that 3- mandates a particular URI scheme which will 
never be used by the author and will never be exchanged between two 
implementations.
My past standardization experience is that things which "will never be 
used by the author and will never be exchanged between two 
implementations" should not be standardized at all. Are there other 
predicates for the need for standardisation ?

Marcos mentions the widget V2 spec and extensibility as one reason for 
adopting the proposed URI scheme. I would like to understand how V2 and 
extensibility could make the URI scheme either seen by the author or 
exchanged between implementations, or make its absence otherwise imperil 
implementations.
Thanks.

Best regards
JC

-- 
JC Dufourd
Groupe Multimedia/Multimedia Group
Traitement du Signal et Images/Signal and Image Processing
TÚlÚcom ParisTech, 46 rue Barrault, 75 013 Paris, France 
Received on Tuesday, 26 May 2009 16:15:43 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT