W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] Widgets URI scheme... it's baaaack!

From: Arve Bersvendsen <arveb@opera.com>
Date: Wed, 27 May 2009 09:34:50 +0200
To: "Jean-Claude Dufourd" <jean-claude.dufourd@telecom-paristech.fr>, public-webapps <public-webapps@w3.org>
Cc: public-pkg-uri-scheme <public-pkg-uri-scheme@w3.org>
Message-ID: <op.uukvcc1lbyn2jm@galactica>
On Tue, 26 May 2009 17:38:48 +0200, Jean-Claude Dufourd  
<jean-claude.dufourd@telecom-paristech.fr> wrote:

> 2- the browser will have to resolve the relative URI to an absolute URI  
> because of the DOM spec, hence a possible vulnerability by divulging  
> private information (e.g. actual name of current user in file: URI  
> example of Apple Dashboard widgets) to scripts running in the widget.
> Marcos mentions the widget V2 spec and extensibility as one reason for  
> adopting the proposed URI scheme. I would like to understand how V2 and  
> extensibility could make the URI scheme either seen by the author or  
> exchanged between implementations, or make its absence otherwise imperil  
> implementations.
> Thanks.

The main issue here, I think, is one of being proactive on this front.   
Given that absolute URIs are required for resolution, and that UA vendors  
will, unless specified, have to pick a URI scheme of their own, the  
situation may well arise where they have specified something that would  
either be insecure (eg. file:), incompatible ( again, file:) or  
inappropriate (all schemes that fail to make query strings and fragment  
identifiers useful)

Arve Bersvendsen

Opera Software ASA, http://www.opera.com/
Received on Wednesday, 27 May 2009 07:35:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC