Re: [sysapps/runtime] cross origin XHR in packaged apps

On Wed, Apr 3, 2013 at 1:16 AM, Janusz Majnert <j.majnert@samsung.com> wrote:
>
>
> On 2013-04-03 08:21, Jonas Sicking wrote:
>>
>> On Tue, Apr 2, 2013 at 12:49 AM, Janusz Majnert <j.majnert@samsung.com>
>> wrote:
>>>
>>> Hi Jonas,
>>> On 2013-04-01 15:26, Jonas Sicking wrote:
>>>>
>>>>
>>>> First off I think we should enable some way for packaged apps to be
>>>> same-origin with their "home site". I.e. if a developer is running a
>>>> website on http://www.example.com it should be possible for this
>>>> developer to somehow distribute a packaged app that is same-origin
>>>> with http://www.example.com.
>>>
>>>
>>> Why do you think it should be possible? Are there any use cases that this
>>> would enable?
>>
>>
>> It makes it dramatically easier to create a packaged app which
>> interacts with a server component. While it is possible to interact
>> with a cross-origin server using several technologies (CORS,
>> postMessage, WebSockets, TCPSocket, JSONP), all have significant
>> disadvantages.
>
>
> There are several ideas in this thread that make using cross-origin
> communication easier. I just don't see the advantage of a packaged web app
> sharing origin with some arbitrary site, for example when compared to using
> WARP.

Something like a WARP based solution requires signing by a trusted
party. This has at least the following downsides:
* You can't distribute your app without going through a set of
gate-keepers. And we're trying to avoid building a platform with
gate-keepers.
* Whoever does the signing can make mistakes. I.e. it's very hard
to find a cleverly written program that looks harmless, but that
actually steals the user's information.

This doesn't mean that we should never rely on signing. It just means
that we should always try to find options that don't.

/ Jonas

Received on Wednesday, 3 April 2013 20:33:43 UTC