- From: James Hawkins <jhawkins@google.com>
- Date: Wed, 30 May 2012 09:58:50 -0700
- To: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
- Cc: Greg Billock <gbillock@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
Thanks for your comments, Jean-Claude.

On Wed, May 30, 2012 at 9:12 AM, Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr> wrote:
> On 30/5/12 17:21 , Greg Billock wrote:
>>
>> That's a good question, but I don't know if we need to restrict
>> behavior there. Here's two scenarios where user interaction is
>> required, but have different implications:
>>
>> 1. The UA collects service registrations silently, but no intent is
>> dispatched to them until the user selects one after invocation.
>
> JCD: This sounds like "lazy" authorization. Yes, this is meaningful.
> But there is a danger of a (sort of) DOS attack by flooding the UA with
> registrations, then the user gets an unmanageable choice menu.
>

Correct. For Chrome at least, we've taken the stance that we can solve this issue in a few ways:

* Limiting the number of services displayed in the picker.
* Displaying the services the user is most likely to use, based on an as-yet-undetermined heuristic:
  - Most-recently used.
  - Usage histogram.
  - Malware detection (e.g., Safe Browsing DB).

We should probably add more non-normative text to back up this point for UAs. What do you think?

>
>>
>> 2. The UA prompts for user acceptance of the registration when the
>> service page is visited.
>
> JCD: Here authorization happens even later, but it is not different from the
> user point of view.
> Why not...
>
>
>>
>> How about this language:
>>
>> "The User Agent MUST NOT deliver an intent to a service discovered in
>> this way before the user has made a specific action allowing it."
>>
>> Would that cover both these possible implementations (and others as
>> well), and also express the reliance on user action that we want to
>> make necessary?
>
> JCD: I believe this addresses my concern. Thanks.
> Best regards
> JC
>
>
>
>>
>>
>> On Wed, May 30, 2012 at 5:58 AM, Jean-Claude Dufourd
>> <jean-claude.dufourd@telecom-paristech.fr> wrote:
>>>
>>> Dear all,
>>>
>>> The section 4 of the current draft begins with:
>>>
>>> "When the User Agent loads a page with registration markup, it should
>>> allow
>>> the user to configure that page as a web intents service. The details of
>>> this process is left up to the User Agent. The model is that the page
>>> advises of the ability to handle intents, and the User Agent may remember
>>> that."
>>>
>>> It does not imply that user action is required for the intent to be
>>> registered.
>>> I think it should be made explicit whether silent registration is allowed
>>> or
>>> not.
>>> Best regards
>>> JC
>>>
>>> --
>>> JC Dufourd
>>> Directeur d'Etudes/Professor
>>> Groupe Multimedia/Multimedia Group
>>> Traitement du Signal et Images/Signal and Image Processing
>>> Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
>>> Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144
>
>
>
> --
> JC Dufourd
> Directeur d'Etudes/Professor
> Groupe Multimedia/Multimedia Group
> Traitement du Signal et Images/Signal and Image Processing
> Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
> Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144
>
>
Received on Wednesday, 30 May 2012 16:59:51 UTC
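
The flooding mitigations listed in the reply above (a capped picker, ranking by usage and recency, malware filtering), combined with the proposed "MUST NOT deliver" rule, as an added JavaScript sketch that is not part of the thread and is not Chrome's or the draft's code. The class and method names, the cap of 3, the ranking order and the `isFlagged` lookup are all assumptions.

```javascript
// Added illustration: all names and constants are hypothetical.
const MAX_PICKER_ENTRIES = 3; // assumed display cap
class IntentRegistry {
  constructor(isFlagged) {
    this.services = new Map(); // url -> { url, action, useCount, lastUsed }
    this.isFlagged = isFlagged; // stand-in for a malware-list lookup
  }

  // Scenario 1: registration is recorded silently; nothing is delivered here.
  register(url, action) {
    if (!this.services.has(url)) {
      this.services.set(url, { url, action, useCount: 0, lastUsed: 0 });
    }
  }

  // Picker: drop flagged services, rank by use count then recency, cap the list.
  pickerFor(action) {
    return [...this.services.values()]
      .filter((s) => s.action === action && !this.isFlagged(s.url))
      .sort((a, b) => b.useCount - a.useCount || b.lastUsed - a.lastUsed)
      .slice(0, MAX_PICKER_ENTRIES)
      .map((s) => s.url);
  }

  // Delivery requires an explicit user choice of a known, unflagged service.
  dispatch(action, payload, userChoice, now) {
    const s = userChoice ? this.services.get(userChoice) : undefined;
    if (!s || s.action !== action || this.isFlagged(s.url)) {
      throw new Error("intent not delivered: no valid user selection");
    }
    s.useCount += 1;
    s.lastUsed = now;
    return { deliveredTo: s.url, action, payload };
  }
}

// Constructed sample: two services the user has used, one flagged, 200 flood entries.
function demo() {
  const reg = new IntentRegistry((url) => url.startsWith("https://flagged.example/"));
  reg.register("https://photos.example/share", "share");
  reg.register("https://mail.example/share", "share");
  reg.register("https://flagged.example/share", "share");
  for (let i = 0; i < 200; i++) reg.register(`https://flood${i}.example/share`, "share");
  reg.dispatch("share", "doc", "https://mail.example/share", 1);
  reg.dispatch("share", "doc", "https://mail.example/share", 2);
  reg.dispatch("share", "doc", "https://photos.example/share", 3);
  return reg;
}
console.log(demo().pickerFor("share"));
```

With 203 registrations stored, the picker still shows three entries, led by the services the user has actually chosen before, and the flagged one never appears.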