Re: question on 4.1 explicit intents

Can you elaborate? The risk the language about intent delivery is
addressed to is not a security concern, but to maintain a specific
model of registration within the UA -- that it not silently register
services and then dispatch to them without user involvement. For
explicit intents, though, the client is specifically directing the
user to a particular service -- there's no registration involved.

Do you think the same thinking ought to apply here, though? That is,
any dispatch, even explicit, to a particular service ought to be
approved by the user?


On Tue, Jun 12, 2012 at 4:09 AM, Jean-Claude Dufourd
<jean-claude.dufourd@telecom-paristech.fr> wrote:
> Dear all,
>
> In section 4.1, the first paragraph is:
>
> When handling an Intent marked as explicit (that is, constructed with the
> object literal constructor with a non-empty service field), the expected
> User Agent behavior is that if this "service" attribute is present,
> it should not display a service selection mechanism to the user. Instead,
> the service url should be loaded directly to handle the intent. (This is not
> a hard restriction. The User Agent may provide a way for the user to
> intercept even an explicit invocation.)
>
> This is a security risk.
> Why is security more relaxed here than in the previous section ?
> Why does " The User Agent must not deliver an intent to a Service discovered
> in this way before the user has made a specific action allowing it." not
> apply here too ?
> Best regards
> JC
>
> --
> JC Dufourd
> Directeur d'Etudes/Professor
> Groupe Multimedia/Multimedia Group
> Traitement du Signal et Images/Signal and Image Processing
> Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
> Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144

Received on Wednesday, 13 June 2012 05:38:39 UTC