W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] Please include a statement of purpose and user interaction expectations for <feature>

From: Robin Berjon <robin@berjon.com>
Date: Tue, 2 Jun 2009 15:02:57 +0200
Cc: public-webapps <public-webapps@w3.org>
Message-Id: <95D1813B-4813-4E1E-B824-DF8A62E67792@berjon.com>
To: Henri Sivonen <hsivonen@iki.fi>
On Jun 2, 2009, at 14:57 , Henri Sivonen wrote:
> Please include a corresponding UA requirement to obtain  
> authorization from the user for the features imported with  
> <feature>. (It seems that the security aspect requires an  
> authorization and doesn't make sense if the dangerous feature are  
> simply imported silently.) As far as I can tell, the spec doesn't  
> currently explain what the UA is supposed to do with the 'feature  
> list' once built.

I don't think that that is a good idea. The purpose of <feature> is to  
provide a hook through which a widget may communicate with a security  
policy. What's in the security policy really isn't up to P+C to define  
(though it certainly should be defined somewhere else). Maybe it could  
ask the user, as you state, but maybe it could see that the widget was  
signed by a trusted party, or know that the device doesn't have any  
sensitive data for a given API, or maybe anything goes on the full moon.

Robin Berjon - http://berjon.com/
     Feel like hiring me? Go to http://robineko.com/
Received on Tuesday, 2 June 2009 13:03:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC