W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [WARP] Comments to WARP spec

From: Marcos Caceres <marcosc@opera.com>
Date: Sat, 14 Nov 2009 04:37:51 +0100
Message-ID: <b21a10670911131937u4c7e4d50h2256748a4e9eb783@mail.gmail.com>
To: "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>
Cc: WebApps WG <public-webapps@w3.org>
On Fri, Nov 13, 2009 at 6:39 AM, SULLIVAN, BRYAN L (ATTCINW)
<BS3131@att.com> wrote:
> Hi Marcos,
> Opera 9.5 running on Windows Mobile 6.1 and Opera 10 running on PC both allow access to scripts and images from different domains than a widget was obtained from. I have tested this and can provide a working example (see below for the index.html - package it yourself and see).

Touché  :)

> Thus the same-origin restriction does not apply in current Opera implementations for externally referenced scripts and images. The processing of the <access> element as defined in WARP is not consistent with the current Opera implementation.
> So what do you mean by "We've had a similar model in place for a long time in our proprietary implementation"?
> <!DOCTYPE html>
> <html>
>        <head>
>                <meta charset="utf-8" />
>                <link rel="stylesheet" type="text/css" href="style.css" />
>                <script src="http://www.json.org/json2.js"></script>
>                <script>
>                function bodyLoad() {
>                        var str = "boohoo!";
>                        try { str = JSON.stringify(['e', {pluribus: 'unum'}]); str = "hooray!";}
>                        catch (e) { }
>                        document.getElementById("test1").innerHTML = str;
>                }
>                </script>
>        </head>
> <body onload="javascript:bodyLoad();">
>        <p>Not Same-Origin Resource Access Test: a test of the same-origin rule for resources
>        accessed from domains other than where the widget was obtained.</p>
>        <hr/>
>        <p>Test 1: If the widget engine does not allow external script references, no you will
>        see "boohoo!" below:</p>
>        <div id=test1></div>
>        <hr/>
>        <p>Test 2: If the widget engine does not allow external image references, no image will
>        be shown below:</p>
>        <img src="http://dev.opera.com/img/logo-beta.gif"/>
>        </body>
> </html>
> Best regards,
> Bryan Sullivan | AT&T
> -----Original Message-----
> From: Marcos Caceres [mailto:marcosc@opera.com]
> Sent: Tuesday, November 10, 2009 1:02 PM
> Cc: WebApps WG
> Subject: Re: [WARP] Comments to WARP spec
>> Placing broad restrictions on widget-context webapp access to network resources (substantially different from browser-context webapps) is not an effective approach to creating a useful widget-context webapp platform. That would create a significant barrier to market acceptance of the W3C widget standards.
> Opera does not agree. We've had a similar model in place for a long time
> in our proprietary implementation and we have not faced any issues in
> the marketplace.
> The WARP spec solves many problems that arise from not actually having a
> network established origin, and may even avoid the confused deputy
> problem CORS is currently facing (which locally running widgets won't be
> able to use anyway).
> I think that technically we are in agreement; but we are just in
> disagreement about the level of granularity that the WARP spec affords
> to authors. For the record, I like the way WARP is currently specified:
> it's easy to use, and essentially works in much the same way as the same
> origin policy does for Web documents... but with the added bonus of
> being able to do cross origin - but with the restriction of not being
> unrestricted, like it's the case for web documents.

Marcos Caceres
Received on Saturday, 14 November 2009 03:38:44 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC