W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

RE: Transferring File* to WebApps - redux

From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
Date: Tue, 15 Jun 2010 15:11:43 -0700
Message-ID: <8080D5B5C113E940BA8A461A91BFFFCD127BF6A2@BD01MSXMB015.US.Cingular.Net>
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: <arun@mozilla.com>, "Robin Berjon" <robin@berjon.com>, <public-device-apis@w3.org>, "Ian Fette" <ifette@google.com>, "Web Applications Working Group WG" <public-webapps@w3.org>
Jonas,
I guess there might be a parting of the ways here, resulting from
differing (I guess some would say, incompatible) use cases and the APIs
that support them. 

If the current File APIs in DAP are expected to only serve the
user-centric browser paradigm then I agree they will not meet the DAP
requirements and could be finalized in Webapps. But in DAP we will still
need to define an API that *does* meet the use cases and requirements as
envisioned in BONDI (which are focused more on mobile use cases and
security models, as compared to a desktop browser focus) and that are
now being carried forward in the WAC. 

So to help move us forward with the use cases that matter most to us in
DAP, AT&T will draft a new API (filesystem) and provide that as input to
the upcoming DAP F2F.

Thanks, 
Bryan Sullivan | AT&T


-----Original Message-----
From: Jonas Sicking [mailto:jonas@sicking.cc] 
Sent: Tuesday, June 15, 2010 2:48 PM
To: SULLIVAN, BRYAN L (ATTCINW)
Cc: arun@mozilla.com; Robin Berjon; public-device-apis@w3.org; Ian
Fette; Web Applications Working Group WG
Subject: Re: Transferring File* to WebApps - redux

On Tue, Jun 15, 2010 at 2:24 PM, SULLIVAN, BRYAN L (ATTCINW)
<BS3131@att.com> wrote:
> Arun,
>
> The basic concern I have is with the notion of "browsers" as the only
> Web context and use-case that matters. The browser-based model for API
> integration view (as I understand your position) is that the user must
> be actively involved in every significant action, and choose
explicitly
> the actions that enable integration with browser-external resources
> (including local and remote). Step back and you will see the
> inconsistency in that (what would Ajax be if the user had to approved
> every HTTP API request via an <input> element?).
>
> Webapps are much more than just dynamic Web pages. They are
> applications, and with HTML5 will have the ability to rival desktop
> applications, as is clearly the vision of many in the industry. It
might
> even enable a return to a thin client world (e.g. browser as OS) in
> which most significant resources are cloud-based. I see the logic and
> value in that, but it's not the only valid (and valuable) model.
>
> W3C focuses on the Web, and the Web is bigger than the browser
use-case.
> HTML5 and the APIs that attach HTML-based applications to the world
can
> actually be the application platform for the next era of the Web, but
> only if we do not limit the options to the user-centric/control
> paradigms of the past.

Hi Sullivan,

I certainly agree that browsers aren't the only web context or
use-case. However I strongly feel that we should design APIs for
browsers separately from APIs where the security model is different
from that of browsers.

For example in a browser it is unacceptable for the web page to read
the users file system without the user first granting access to this.
And even then there are likely restrictions as to prevent users from
getting hacked just because they clicked "yes" on a dialog they didn't
understand and just wanted to go away (aka the "whatever dialog"
problem).

On the flip side, it might make a lot of sense for a widget running on
a mobile phone, which some authority has authorized, to have read
access to large parts of the phones file system. And possibly even
write access to parts of it.

However these differences in security model will likely lead to
differences in API. This is ok. Lessons from the past, with for
example the DOM-Core spec, show that if we try to create an API that
fit too many different audiences (in that case it was both server-side
environments, as well as web pages). I would really like to avoid
repeating similar mistakes.

So my suggestion is that we let the FileWriter and File System APIs be
ones that are designed for the browser security model. And let them be
designed in the webapps WG which is already working on several very
similar features (for example I would argue that IndexedDB should
supersede File system).

If you or anyone else wants to design similar file related
specifications, but that has different security model or otherwise
different requirements than what exists in the web browser context,
then this in no way should impact you. If this should happen in DAP,
BONDI, or even in WebApps is a separate question which I basically
don't have much of an opinion on at all.

/ Jonas
Received on Tuesday, 15 June 2010 22:12:30 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:39 GMT