- From: Mounir Lamouri <mounir@lamouri.fr>
- Date: Mon, 12 Aug 2013 14:48:28 +0100
- To: "public-sysapps@w3.org" <public-sysapps@w3.org>
- CC: SUWIRYA Darmawan <Darmawan.SUWIRYA@gemalto.com>
On 03/07/13 16:39, SUWIRYA Darmawan wrote: > Hi, > > We would like to seek for clarification regarding chapter 7 of the > runtime spec. > > Use case example : > > 1. App-1 is a hosted app, with origin from www.myapp.com > <http://www.myapp.com>. > > 2. In its manifest, it declares for permission to access Messaging and > Raw Socket APIs. > > 3.. In its manifest, it also declares to allow-navigation to > www.myapp-service.com <http://www.myapp-service.com>. > > 4. Messaging API is used in : www.myapp.com/run1.html > <http://www.myapp.com/run1.html>. > > 5. Raw Socket API is used in : www.myapp-service.com/run2.html > <http://www.myapp-service.com/run2.html>. > > 6. User installed this App-1. > > 7. User executes this App-1. > > 8. User hits www.myapp.com/run1.html <http://www.myapp.com/run1.html> > page, and messaging API access works fine. > > 9. User then hits www.myapp-service.com/run2.html > <http://www.myapp-service.com/run2..html> page. Will Raw Socket API > access works fine also here ? No. myapp-service.com isn't part of the application origin even if the navigation there is allowed. > 10. Then finally, how if the App-1 above is actually a packaged-app ? > Will the behavior be exactly the same ? Yes. The idea of allow-navigation is to allow the user to leave the application origin to go to a third party website. For example, you might want your user to be able to navigate to a-payment-provider.com so he/she can complete the payment of an item. It's worth mentioning that this feature is an idea that has been thrown in this specification. I am not aware of any implementation. This said, you question seems more related to the origin and security model related to permissions. Cheers, -- Mounir
Received on Monday, 12 August 2013 13:49:01 UTC