Re: [widgets] Please include a statement of purpose and user interaction expectations for <feature>

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 16 Jun 2009 14:42:30 +0200
Message-ID: <b21a10670906160542q36a48b71g31e0bc3d6ef744ba@mail.gmail.com>
To: Henri Sivonen <hsivonen@iki.fi>
Cc: public-webapps <public-webapps@w3.org>, Arve Bersvendsen <arveb@opera.com>

Hi Henri,

On Tue, Jun 2, 2009 at 3:19 PM, Arve Bersvendsen<arveb@opera.com> wrote:
> On Tue, 02 Jun 2009 14:57:46 +0200, Henri Sivonen <hsivonen@iki.fi> wrote:
>> Please state the purpose of <feature>. (That it's for authorizing features
>> that don't participate in the Web-oriented browser security model.)
>> Please include a corresponding UA requirement to obtain authorization from
>> the user for the features imported with <feature>. (It seems that the
>> security aspect requires an authorization and doesn't make sense if the
>> dangerous features are simply imported silently.) As far as I can tell, the
>> spec doesn't currently explain what the UA is supposed to do with the
>> 'feature list' once built.
> Such authorization may be made in a number of other ways than 'from the
> user'.  A user agent distributor may for instance use signatures on
> applications to determine that the feature is safe[1] to access.
> [1] «Safe»: here meaning that an application signed with a particular
> signature is in compliance with criteria regarding both security and
> privacy-related concerns.

Based on Arve and Robin's additional feedback, I've added the
following to the spec as part of "The Feature Element" section:

"How a user agent makes use of features depends on the user agent's
security policy, hence activation and authorization requirements for
features are beyond the scope of this specification."

Is that satisfactory?

Marcos Caceres
Received on Tuesday, 16 June 2009 12:43:24 UTC
