- From: Arve Bersvendsen <arveb@opera.com>
- Date: Fri, 22 May 2009 15:41:09 +0200
- To: "Mark Baker" <distobj@acm.org>, marcosc@opera.com
- Cc: public-webapps <public-webapps@w3.org>
On Fri, 22 May 2009 15:25:40 +0200, Mark Baker <distobj@acm.org> wrote: > I'm curious to learn where the requirement that "Must not allow > addressing resources outside a widget" came from? Can you point to a > precedent for such a restriction in any other protocol? I remember > TimBL writing something to the effect of "Anywhere you can use a URI, > you can use any URI", possibly in his design issues, but I can't find > a reference right now. The point here is that the widget URI scheme is only supposed to be used to synthesise an origin so nodes in the DOM can be sensibly resolved for resources inside the package. The reason for choosing a synthetic scheme are: 1. A web (http(s?)) origin will not work, because a widget MAY be distributed over other channels than the web (such as bluetooth, pre-bundled on devices, installed through third-party package managment systems (debian packages/repositories)). 2. Further, (some) widgets might not provide an authorative means of determining the web origin of the widget, if any such origin existed in the first place. 3. A well-behaved widget runtime should provide complete isolation from the underlying operating system, including the layout of the file system 4. It must not be possible for a widget to resolve and reference resources in other widget packages on the same system (The underlying assumption here is that it should not be possible for a widget running on a user agent to determine which other widgets are running or installed on the same system. Points 1/2 pretty much invalidate http as a valid origin, while 3/4 invalidates the use of file: (which also has an entirely different set of compatibility issues between web ua's that I doubt will be resolved anytime soon.) -- Arve Bersvendsen Opera Software ASA, http://www.opera.com/
Received on Friday, 22 May 2009 13:41:56 UTC