- From: Marcos Caceres <marcosc@opera.com>
- Date: Sat, 14 Nov 2009 04:37:51 +0100
- To: "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>
- Cc: WebApps WG <public-webapps@w3.org>

On Fri, Nov 13, 2009 at 6:39 AM, SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com> wrote:
> Hi Marcos,
> Opera 9.5 running on Windows Mobile 6.1 and Opera 10 running on PC both allow access to scripts and images from different domains than a widget was obtained from. I have tested this and can provide a working example (see below for the index.html - package it yourself and see).
>

Touché :)

> Thus the same-origin restriction does not apply in current Opera implementations for externally referenced scripts and images. The processing of the <access> element as defined in WARP is not consistent with the current Opera implementation.
>
> So what do you mean by "We've had a similar model in place for a long time in our proprietary implementation"?
>
> <!DOCTYPE html>
> <html>
> <head>
> <meta charset="utf-8" />
> <link rel="stylesheet" type="text/css" href="style.css" />
> <script src="http://www.json.org/json2.js"></script>
> <script>
> function bodyLoad() {
>   var str = "boohoo!";
>   try { str = JSON.stringify(['e', {pluribus: 'unum'}]); str = "hooray!";}
>   catch (e) { }
>   document.getElementById("test1").innerHTML = str;
> }
> </script>
> </head>
> <body onload="javascript:bodyLoad();">
> <p>Not Same-Origin Resource Access Test: a test of the same-origin rule for resources
> accessed from domains other than where the widget was obtained.</p>
> <hr/>
> <p>Test 1: If the widget engine does not allow external script references, you will
> see "boohoo!" below:</p>
> <div id=test1></div>
> <hr/>
> <p>Test 2: If the widget engine does not allow external image references, no image will
> be shown below:</p>
> <img src="http://dev.opera.com/img/logo-beta.gif"/>
> </body>
> </html>
>
> Best regards,
> Bryan Sullivan | AT&T
>
> -----Original Message-----
> From: Marcos Caceres [mailto:marcosc@opera.com]
> Sent: Tuesday, November 10, 2009 1:02 PM
> To: SULLIVAN, BRYAN L (ATTCINW)
> Cc: WebApps WG
> Subject: Re: [WARP] Comments to WARP spec
>
>
>
> SULLIVAN, BRYAN L (ATTCINW) wrote:
>> Placing broad restrictions on widget-context webapp access to network resources (substantially different from browser-context webapps) is not an effective approach to creating a useful widget-context webapp platform. That would create a significant barrier to market acceptance of the W3C widget standards.
>
> Opera does not agree. We've had a similar model in place for a long time
> in our proprietary implementation and we have not faced any issues in
> the marketplace.
>
> The WARP spec solves many problems that arise from not actually having a
> network established origin, and may even avoid the confused deputy
> problem CORS is currently facing (which locally running widgets won't be
> able to use anyway).
>
> I think that technically we are in agreement; but we are just in
> disagreement about the level of granularity that the WARP spec affords
> to authors. For the record, I like the way WARP is currently specified:
> it's easy to use, and essentially works in much the same way as the same
> origin policy does for Web documents... but with the added bonus of
> being able to do cross origin - but with the restriction of not being
> unrestricted, like it's the case for web documents.
>

--
Marcos Caceres
http://datadriven.com.au

Received on Saturday, 14 November 2009 03:38:44 UTC