- From: Greg Billock <gbillock@google.com>
- Date: Sun, 26 Aug 2012 21:19:01 -0700
- To: Conrad Irwin <conrad.irwin@gmail.com>
- Cc: public-web-intents@w3.org
We've discussed this, but there's no formal proposal yet. Do you want to draw one up? Certainly for explicit intents this seems like it'd be a good addition. With an origin to establish an out-of-band shared secret, you can do Oauth-style flows. Without it, you can do OpenId type flows where you basically get a warrant that the bearer controls some namespaced token. On Sun, Aug 26, 2012 at 7:32 PM, Conrad Irwin <conrad.irwin@gmail.com> wrote: > Hi all, > > I saw some earlier mention [1] of the inability for web-intents to > obtain the origin of the calling site. > > Is this something that will be added? > > I am also working on an authentication protocol; and without the > ability to verify the origin of a message, WebIntents are almost > useless. (I can work around it by making the call to the intent from a > content-script running in my chrome extension that shares a secret > with the intent; but that feels very fragile). > > A couple of other use-cases for including the origin could be: > • Content-filtering: If I am running an image sharing web-intent, I > might want to block content from http://*.xxx. > • UI enhancement: If I am running an editing web-intent, it would be > nice to be able to tell the user "return to <origin>" > • Authentication: If I am running an authentication web-intent, it's > essential to know which website is asking for the user's identity (I > don't want to give it to a malicious 3rd-party by accident). > > Conrad > > [1] http://lists.w3.org/Archives/Public/public-web-intents/2012May/0012.html >
Received on Monday, 27 August 2012 04:19:29 UTC