
Re: [widgets] Please include a statement of purpose and user interaction expectations for <feature>

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 16 Jun 2009 14:42:30 +0200
Message-ID: <b21a10670906160542q36a48b71g31e0bc3d6ef744ba@mail.gmail.com>
To: Henri Sivonen <hsivonen@iki.fi>
Cc: public-webapps <public-webapps@w3.org>, Arve Bersvendsen <arveb@opera.com>

Hi Henri,

On Tue, Jun 2, 2009 at 3:19 PM, Arve Bersvendsen <arveb@opera.com> wrote:
> On Tue, 02 Jun 2009 14:57:46 +0200, Henri Sivonen <hsivonen@iki.fi> wrote:
>
>> Please state the purpose of <feature>. (That it's for authorizing features
>> that don't participate in the Web-oriented browser security model.)
>>
>> Please include a corresponding UA requirement to obtain authorization from
>> the user for the features imported with <feature>. (It seems that the
>> security aspect requires an authorization and doesn't make sense if the
>> dangerous features are simply imported silently.) As far as I can tell, the
>> spec doesn't currently explain what the UA is supposed to do with the
>> 'feature list' once built.
>
> Such authorization may be made in a number of other ways than 'from the
> user'.  A user agent distributor may for instance use signatures on
> applications to determine that the feature is safe[1] to access.
>
>
> [1] «Safe»: here meaning that an application signed with a particular
> signature is in compliance with criteria regarding both security and
> privacy-related concerns.

Based on Arve and Robin's additional feedback, I've added the
following to the spec as part of "The Feature Element" section:

"How a user agent makes use of features depends on the user agent's
security policy, hence activation and authorization requirements for
features are beyond the scope of this specification."

Is that satisfactory?


-- 
Marcos Caceres
http://datadriven.com.au
Received on Tuesday, 16 June 2009 12:43:24 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT