
Re: Web Wishes (was: Blog post for review)

From: François REMY <francois.remy.dev@outlook.com>
Date: Mon, 1 Jul 2013 11:54:45 +0200
Message-ID: <DUB120-DS7B0B1731BF85C3D405648A5710@phx.gbl>
To: "Robin Berjon" <robin@w3.org>, "Marcos Caceres" <w3c@marcosc.com>
Cc: <public-nextweb@w3.org>
> var wish = new Wish({ action: "EDIT", type: "image/jpeg" });
>
> What you get back is an object that has a field which is a magic opaque 
> URL (like Blob URLs) that you can assign anywhere that makes sense in your 
> UI:
>
>    • iframe.src = wish.src
>    • window.open(wish.src)
>    • navigator.lauchURL(wish.src) (see 
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=20799)
>    • ...
>
> Loading that URL can display a service picker for the user (the calling 
> page gets no event from that), and only once the service is picked and 
> loaded do you get a load event. Then you just communicate with 
> postMessage().
>
> This of course still leaves clickjacking attacks open. But no more than 
> what is possible using existing services. We could possibly think of ways 
> of mitigating that, too.
>
> Thoughts?

The problem is that you make the assumption the image editor is an HTML 
page. Most modern operating systems will probably want to hook native apps 
into this system, which you probably can't embed in an IFRAME nor 
communicate with using postMessage.

Clickjacking is also an issue but in my opinion not the worst.
Received on Monday, 1 July 2013 09:55:13 UTC
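The quoted proposal has the calling page load an opaque URL into an iframe, wait for the load event, and then talk to the picked service over postMessage(). The following is an added example, not code from this thread or from any Wish implementation (no such API exists): it models that page-to-service exchange with the checks a defender wants on both ends, namely pinning targetOrigin on every send, and verifying event.origin, event.source and the message shape on every receive. The origins, the "wish:request"/"wish:result" message shapes and the FakeWindow stand-in for window.postMessage are all constructed so the exchange runs in Node.

```javascript
// Added example, not from the thread. The Wish API in the quoted proposal does
// not exist; origins and message shapes below are constructed placeholders.

const PAGE_ORIGIN = "https://app.example";        // constructed calling page
const SERVICE_ORIGIN = "https://editor.example";  // constructed picked service
const ATTACKER_ORIGIN = "https://evil.example";   // constructed third-party frame

// Minimal stand-in for a window's postMessage plumbing so this runs outside a browser.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.handlers = []; }
  addEventListener(type, fn) { if (type === "message") this.handlers.push(fn); }
  // Receiver-side view of sender.postMessage(data, targetOrigin): `from` is the
  // sending window. As in browsers, a non-matching targetOrigin drops the message.
  postMessage(data, targetOrigin, from) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return [];
    return this.handlers.map((fn) => fn({ data, origin: from.origin, source: from }));
  }
}

// Calling page: trust only messages from the service frame's window AND origin,
// and only with the agreed shape. Any other frame on the page can also postMessage us.
function makePageHandler(serviceWindow, serviceOrigin, results) {
  return (event) => {
    if (event.origin !== serviceOrigin) return "page:rejected-origin";
    if (event.source !== serviceWindow) return "page:rejected-source";
    if (!event.data || event.data.type !== "wish:result") return "page:rejected-shape";
    results.push(event.data.payload);
    return "page:accepted";
  };
}

// Service: act only on requests from the origin that opened the wish, and only for
// the MIME type this service advertises. Reply to the requester with its origin pinned.
function makeServiceHandler(allowedOrigin, supportedType, serviceWindow) {
  return (event) => {
    if (event.origin !== allowedOrigin) return "service:rejected-origin";
    const req = event.data;
    if (!req || req.type !== "wish:request" || req.mime !== supportedType) {
      return "service:rejected-shape";
    }
    const payload = { edited: true, bytes: req.blobSize };  // constructed result
    const delivered = event.source.postMessage(
      { type: "wish:result", payload }, event.origin, serviceWindow);
    return delivered[0] ?? "service:reply-undelivered";
  };
}

// Runs the exchange once, plus three failure cases, and returns what happened.
function runExchange() {
  const page = new FakeWindow(PAGE_ORIGIN);
  const service = new FakeWindow(SERVICE_ORIGIN);  // stands in for iframe.contentWindow after load
  const attacker = new FakeWindow(ATTACKER_ORIGIN);
  const results = [];
  page.addEventListener("message", makePageHandler(service, SERVICE_ORIGIN, results));
  service.addEventListener("message", makeServiceHandler(PAGE_ORIGIN, "image/jpeg", service));

  const request = { type: "wish:request", mime: "image/jpeg", blobSize: 1024 };
  const log = {};
  // 1. Legitimate request with targetOrigin pinned to the picked service.
  log.request = service.postMessage(request, SERVICE_ORIGIN, page);
  // 2. A forged "result" from another frame is rejected by the page's origin check.
  log.forged = page.postMessage({ type: "wish:result", payload: { edited: false } }, "*", attacker);
  // 3. A request from an unexpected origin is rejected by the service.
  log.foreign = service.postMessage(request, "*", attacker);
  // 4. A request sent with the wrong targetOrigin is never delivered at all.
  log.misaddressed = service.postMessage(request, ATTACKER_ORIGIN, page);
  return { log, results };
}

module.exports = { FakeWindow, makePageHandler, makeServiceHandler, runExchange };
```

The origin and source checks close off message spoofing between frames; they do nothing for the clickjacking concern raised in the thread, which is about what the user sees when the service picker is framed and has to be handled separately.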
