W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

[widgets] Public keys in widgets URI scheme?

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 27 May 2009 08:32:14 -0700
Message-ID: <7789133a0905270832q22665c12y1d5de443cbabb4f7@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
I haven't read all the threads about the widget URI scheme, but I
wanted to contribute this thought:

Instead of using a UUID as the authority, you might consider using a
public key.  You could then require that the widget is signed by the
cooresponding private key.

Using a public key has several advantages:

1) The widget URI scheme is now actually capable of designating
identifying resources (because the UUID isn't generated separately for
each device).

2) A developer can provide an updated version of the widget with the
same origin as the original widget (by using the same public key).
This lets the developer update the widget without losing access to the
widget's localStorage, etc.

3) A developer can write two widgets that occupy the same origin
(again, but re-using the public key).  These widgets will be able to
interact more freely, for example by sharing the same localStorage,

4) When one widget uses postMessage to communicate with another
widget, the second widget actually gets some meaningful information
about where the message came from (e.g., it can have a whitelist of
approved public keys).


Received on Wednesday, 27 May 2009 15:33:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC