- From: Florian Rivoal <florian@rivoal.net>
- Date: Wed, 12 Oct 2016 22:03:11 +0900
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: public-browserext@w3.org
Hi,

Thanks for the feedback.

For the use cases, I think we need to simplify a lot for the initial message. If we get interested responses, we can elaborate on the details later, but for now we're only trying to grab attention, and the simpler the message, the easier that will be.

As for security considerations, I would put it in a different way. Since security is a very subtle affair, I'd try to stay away for now from making statements about what is and isn't safe, otherwise we might get pushback on that specific point instead of opening up a conversation on the merits of the broader idea. Instead, we could say that given that security is an important consideration, we would welcome a broader review, to determine whether the current approaches being explored are up to the expectations of the web platform.

How does that sound?

- Florian

> On Oct 6, 2016, at 15:35, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
> On 2016-10-06 06:58, Florian Rivoal wrote:
>
> Thanx, I'm sorry I couldn't participate this time.
>
> I read the native messaging rationale document with interest.
> I guess we still have a little bit of a hassle with the architectural
> vision but we can leave that to the TAG to think about...
>
>
> There should probably be another section in this document:
>
>
> Security Considerations
>
> Currently most browsers permit invocation of specific native applications from the
> Web through a URI protocol scheme.
>
> It is not obvious that the ability to "talk back" to an invoking page or extension
> would introduce additional vulnerabilities; misbehaving native applications can usually
> already send data to any server without (locally implied) restrictions.
>
>
> Use Cases
>
> When it comes to use-cases I believe the list specified on the first page in
> https://cyberphone.github.io/doc/web/web2native-bridge.pdf
> is fairly exhaustive. There's no need using localhost schemes if you
> have a working native messaging solution since it (properly designed)
> gives better control both to the platform and the application.
>
> WDYT?
>
> Best regards,
> Anders
>
>> Minutes of the 2016-10-06 teleconf are available here:
>>
>> http://browserext.github.io/minutes/2016-10-06.html
>>
>> If you wish to correct the minutes, please submit a pull request on the CG's github repository: https://github.com/browserext/browserext.github.io
>>
>> Resolutions taken during teleconfs or face to face meeting are tentative, and have a github issue associated with them. You can find these issues by following the links from the minutes. Comments in these issues are welcome. Resolutions will be considered to be the consensus of the Community Group unless dissenting opinions are expressed within 10 days.
>>
>> Work based on tentative resolutions may begin before the 10 days are elapsed, but any such work will be rescinded if the eventual consensus disagrees with the tentative resolution.
>>
>> Best regards,
>> Florian

Received on Wednesday, 12 October 2016 13:03:41 UTC