- From: Greg Billock <gbillock@google.com>
- Date: Tue, 12 Jun 2012 22:38:10 -0700
- To: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
- Cc: "public-web-intents@w3.org" <public-web-intents@w3.org>
Can you elaborate? The risk the language about intent delivery is addressed to is not a security concern, but to maintain a specific model of registration within the UA -- that it not silently register services and then dispatch to them without user involvement. For explicit intents, though, the client is specifically directing the user to a particular service -- there's no registration involved. Do you think the same thinking ought to apply here, though? That is, any dispatch, even explicit, to a particular service ought to be approved by the user?

On Tue, Jun 12, 2012 at 4:09 AM, Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr> wrote:
> Dear all,
>
> In section 4.1, the first paragraph is:
>
> When handling an Intent marked as explicit (that is, constructed with the
> object literal constructor with a non-empty service field), the expected
> User Agent behavior is that if this "service" attribute is present,
> it should not display a service selection mechanism to the user. Instead,
> the service url should be loaded directly to handle the intent. (This is not
> a hard restriction. The User Agent may provide a way for the user to
> intercept even an explicit invocation.)
>
> This is a security risk.
> Why is security more relaxed here than in the previous section ?
> Why does " The User Agent must not deliver an intent to a Service discovered
> in this way before the user has made a specific action allowing it." not
> apply here too ?
> Best regards
> JC
>
> --
> JC Dufourd
> Directeur d'Etudes/Professor
> Groupe Multimedia/Multimedia Group
> Traitement du Signal et Images/Signal and Image Processing
> Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
> Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144

Received on Wednesday, 13 June 2012 05:38:39 UTC