Re: current draft, beginning of section 4 from Jean-Claude Dufourd on 2012-05-30 (public-web-intents@w3.org from May 2012)

From: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
Date: Wed, 30 May 2012 18:12:44 +0200
To: Greg Billock <gbillock@google.com>
CC: "public-web-intents@w3.org" <public-web-intents@w3.org>
Message-ID: <4FC646FC.1080901@telecom-paristech.fr>

On 30/5/12 17:21 , Greg Billock wrote:
> That's a good question, but I don't know if we need to restrict
> behavior there. Here's two scenarios where user interaction is
> required, but have different implications:
>
> 1. The UA collects service registrations silently, but no intent is
> dispatched to them until the user selects one after invocation.
JCD: This sounds like "lazy" authorization. Yes, this is meaningful.
But there is a danger of a (sort of) DOS attack by flooding the UA with 
registrations, then the user gets an unmanageable choice menu.

>
> 2. The UA prompts for user acceptance of the registration when the
> service page is visited.
JCD: Here authorization happens even later, but it is not different from 
the user point of view.
Why not...

>
> How about this language:
>
> "The User Agent MUST NOT deliver an intent to a service discovered in
> this way before the user has made a specific action allowing it."
>
> Would that cover both these possible implementations (and others as
> well), and also express the reliance on user action that we want to
> make necessary?
JCD: I believe this addresses my concern. Thanks.
Best regards
JC


>
>
> On Wed, May 30, 2012 at 5:58 AM, Jean-Claude Dufourd
> <jean-claude.dufourd@telecom-paristech.fr>  wrote:
>> Dear all,
>>
>> The section 4 of the current draft begins with:
>>
>> "When the User Agent loads a page with registration markup, it should allow
>> the user to configure that page as a web intents service. The details of
>> this process is left up to the User Agent. The model is that the page
>> advises of the ability to handle intents, and the User Agent may remember
>> that."
>>
>> It does not imply that user action is required for the intent to be
>> registered.
>> I think it should be made explicit whether silent registration is allowed or
>> not.
>> Best regards
>> JC
>>
>> --
>> JC Dufourd
>> Directeur d'Etudes/Professor
>> Groupe Multimedia/Multimedia Group
>> Traitement du Signal et Images/Signal and Image Processing
>> Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
>> Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144


-- 
JC Dufourd
Directeur d'Etudes/Professor
Groupe Multimedia/Multimedia Group
Traitement du Signal et Images/Signal and Image Processing
Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144

Received on Wednesday, 30 May 2012 16:13:14 UTC