Re: [widgets] Widgets URI scheme... it's baaaack!

On Tue, 26 May 2009 17:38:48 +0200, Jean-Claude Dufourd  
<jean-claude.dufourd@telecom-paristech.fr> wrote:

> 2- the browser will have to resolve the relative URI to an absolute URI  
> because of the DOM spec, hence a possible vulnerability by divulging  
> private information (e.g. actual name of current user in file: URI  
> example of Apple Dashboard widgets) to scripts running in the widget.
....
> Marcos mentions the widget V2 spec and extensibility as one reason for  
> adopting the proposed URI scheme. I would like to understand how V2 and  
> extensibility could make the URI scheme either seen by the author or  
> exchanged between implementations, or make its absence otherwise imperil  
> implementations.
> Thanks.

The main issue here, I think, is one of being proactive on this front.   
Given that absolute URIs are required for resolution, and that UA vendors  
will, unless specified, have to pick a URI scheme of their own, the  
situation may well arise where they have specified something that would  
either be insecure (e.g. file:), incompatible (again, file:) or
inappropriate (all schemes that fail to make query strings and fragment
identifiers useful).

-- 
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/

Received on Wednesday, 27 May 2009 07:39:00 UTC
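
The disclosure discussed in this thread, as an added example that is not part of the original messages: it resolves one relative reference against a file: base and against a package-rooted base, then reports what a widget script could read back from the absolute URI. The `widget://example-instance/` form, the paths and the account name are constructed sample values assumed for illustration, and `resolveAndAudit` is a hypothetical helper name.

```javascript
// Added example: what DOM-visible absolute URIs reveal, depending on the
// base URI the user agent picked for the widget package.

// Home-directory layouts that embed an account name in a file: path.
const HOME_PATTERNS = [
  /^\/Users\/([^/]+)\//,            // macOS
  /^\/home\/([^/]+)\//,             // Linux / Unix
  /^\/[A-Za-z]:\/Users\/([^/]+)\//, // Windows drive path inside a file: URI
];

// Constructed sample inputs (not taken from any real widget runtime).
const FILE_BASE = "file:///Users/alice/Library/Widgets/Clock.wdgt/index.html";
const PACKAGE_BASE = "widget://example-instance/index.html"; // assumed form
const SAMPLE_REF = "images/bg.png?theme=dark#top";

// Resolve a relative reference the way the DOM must, then audit the result.
function resolveAndAudit(relativeRef, baseUri) {
  const abs = new URL(relativeRef, baseUri);
  const isFile = abs.protocol === "file:";
  let accountName = null;
  if (isFile) {
    for (const re of HOME_PATTERNS) {
      const m = re.exec(abs.pathname);
      if (m) { accountName = m[1]; break; }
    }
  }
  return {
    absolute: abs.href,       // what script sees via e.g. img.src
    exposesLocalPath: isFile, // install location is visible to script
    accountName,              // null when no account name is recoverable
    query: abs.search,        // must survive resolution to be useful
    fragment: abs.hash,
  };
}

for (const base of [FILE_BASE, PACKAGE_BASE]) {
  console.log(resolveAndAudit(SAMPLE_REF, base));
}
```

Both bases keep the query string and fragment intact; only the file: base hands the script the install path and the account name.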