
More prior art: Konfabulator 3.1 has a security manager

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Thu, 29 Sep 2011 17:46:06 +0200
To: public-widgets-pag@w3.org
Message-ID: <DF7DD043AFE84013A5B22552EC5EE2BB@gmail.com>

Web Archive, 27th of April, 2006
http://web.archive.org/web/20060419021533/http://widgets.yahoo.com/gallery/dl_item.php?item=WidgetEngineReference_3.1.1.pdf

"IMPORTANT: In version 3.1 and later, you must specify the exact Yahoo! APIs your  
Widget wants to connect to in a <security> block (see the section on the security block in  
the XML reference for more info). This list of APIs will be confirmed by the user before  
your Widget is allowed to access them with Yahoo! credentials, and only those APIs will  
receive the Yahoo! credentials. If you were using yahooLogin() before 3.1, your Widget  
will no longer be able to access those APIs until it is modified to include the security  
block.

….

The second type of window is a 'sandbox' window. Currently, the only sandboxed  
action is logging into a user's Yahoo! account (more actions will be sandboxed in future  
releases). The first time a Widget attempts to log into a user's Yahoo! account, a window  
will appear to alert the user of this fact and ask whether the Widget should be granted  
permission to use their Yahoo! data. Sandbox windows cannot be disabled

….  

<security>
specifies security properties for an object
Attributes
api
Description
The security block tells the engine what the Widget can and cannot do. It is used to  
enforce behaviors to protect the user from a Widget from stepping outside its bounds at  
times.
Availability
Available in version 3.1 or later.
api
a Yahoo! API this Widget wants to connect to.
Description
The api element identifies to the engine the APIs a Widget wants to access. This list is  
presented to the user the first time the Widget tries to log in to their Yahoo! account.  
Only the APIs listed in these <api> items will get the user's Yahoo! credentials passed to  
them.
Most of the APIs are known by the engine and so they will automatically get a human-readable name in the security dialog that's presented. If there's a new API added that  
the engine doesn't know about, you can specify a name attribute which tells us what to  
display in the dialog. If we use the name you specify, we also put the host you specify  
in the dialog as well so the user can see exactly what's being accessed. If no name is  
specified, the host is displayed.


Example
<security>
  <!-- the notepad API the engine knows -->
  <api>api.notepad.yahoo.com</api>
  <!-- some future API below -->
  <api name="Yahoo! Foozball">foozball.yahoo.com</api>
</security>
Availability
Available in version 3.1 or later.
"

As Steve Jobs says, "Booom!" the Security Patent is sooooo busted it is laughable :)
Received on Thursday, 29 September 2011 15:46:39 GMT
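
The behaviour the quoted manual describes (a declared `<api>` list, a consent dialog label per entry, and credentials sent only to listed hosts) can be sketched as follows; this is an added example, not code from the original post or from the Widget Engine. The names `KNOWN_APIS`, `parse_security` and `may_send_credentials`, the "Yahoo! Notepad" label, the bare-host validation and the rule that the engine's own name wins over a `name` attribute are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-in for the engine's built-in table of known APIs.
KNOWN_APIS = {"api.notepad.yahoo.com": "Yahoo! Notepad"}

# The <security> block from the quoted manual example.
SAMPLE = """<security>
  <!-- the notepad API the engine knows -->
  <api>api.notepad.yahoo.com</api>
  <!-- some future API below -->
  <api name="Yahoo! Foozball">foozball.yahoo.com</api>
</security>"""


def parse_security(xml_text):
    """Return {host: label shown in the consent dialog} for each <api>."""
    root = ET.fromstring(xml_text)
    if root.tag != "security":
        raise ValueError("expected a <security> root element")
    allowed = {}
    for api in root.findall("api"):
        host = (api.text or "").strip().lower()
        if not host or any(c in host for c in "/@:* \t"):
            raise ValueError(f"<api> must hold a bare host name: {host!r}")
        name = api.get("name")
        if host in KNOWN_APIS:
            label = KNOWN_APIS[host]        # engine's own name (assumed to win)
        elif name:
            label = f"{name} ({host})"      # author's name, shown with the host
        else:
            label = host                    # no name given: host only
        allowed[host] = label
    return allowed


def may_send_credentials(url, allowed, user_confirmed):
    """Credentials go only to an exactly listed host, after user consent."""
    host = (urlsplit(url).hostname or "").lower()
    return bool(user_confirmed) and host in allowed


if __name__ == "__main__":
    acl = parse_security(SAMPLE)
    for host, label in acl.items():
        print(f"dialog entry: {label}")
    print(may_send_credentials("https://foozball.yahoo.com/score", acl, True))
```

The host comparison is an exact match on the parsed URL host, so look-alike hosts that merely contain a listed name, and URLs that carry a listed name in the userinfo part, do not receive credentials.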
