Re: FW: problems using http://bondi.omtp.org/

2009/3/18 David Rogers <david.rogers@omtp.org>:
> I haven't heard anything back from you - do you have some comments to
> submit? The deadline is the 23rd of March.

sorry, i've been buried.

BONDI_Architecture_Security_Task_CR10.pdf
   2.1.1    WIDGET

As   described   in   Widgets   1.0:   The   Widget   Landscape   [2],
  a  Widget   is   an
interactive application for displaying and/or updating local data or
data on the
Web,   packaged   in   a   way   to   allow   a   single   download
and   installation   on   a
user's    machine      or  mobile    device.    A Widget      may
run   as   a  standalone
application   (meaning   it   can   run   outside   of   a  web
Browser)   hosted   in   the
Widget   User   Agent  (see   below).

the spec no longer talks about "Widget User Agent", and this is a good
example of why trying to drive other independent but dependent
documents to finalization sooner is a bad idea.

? JavaScript        extension:     the   mechanisms      whereby
JavaScript     code
        executing   within   the   Web   engine   is   bound   to,
and   therefore   able   to
        invoke, JavaScript APIs;

That "extension" isn't capitalized and means something totally
different from what it means in other areas are both unfortunate.

    ? Access        Control:     the   system     that    enforces
a  Security    Policy,
        responsible for determining whether, and under what circumstances, a
        Web     Application    is   allowed    to  use   a   specific
JavaScript     API  or
        associated underlying Device Capability.

That "access control" sounds like a w3 spec but means something
different is also unfortunate.

it  is  not   prescriptive     about    who    should     be    the
management authority of any particular aspect of terminal security policy.

"terminal security policy" is not defined within this document and
isn't a term with which I'm familiar.
("terminal Security Policy" is also used once later)

Note that "Terminal" doesn't appear to be defined either.

The     established
principles and experience of the deployment of the existing OMTP Application
Security Framework [4])

I can't find an open parenthesis, I'm using Foxit Reader 3.0 build 1301

If the BONDI format version
                indicated in a <bondi>
                element is greater (later)
                than that supported a Web

So far parsing hasn't defined numbers and greater than.

        xmlns:bondi=‘http://bondi.omtp.org/ns/widgets’

using fancy quotes in examples is poor form (something has removed the
fancy quotes from my paste, but they were fancy) as iirc xml doesn't
allow random quotes.


        where <version> is a version string of the form <major>.<minor>,
        where each of <major> and <minor> are numeric strings of at least
        one
            digit.

May I use Arabic, Farsi or Indic numerals?

if  either  the <presentation> or            <resources>
elements are

[either] are => is :)

    ? background-operation
    ? hidden-operation

I would strongly caution against using hyphens anywhere, as it's
likely someone will use some random dash which isn't the one you want
and complain.

? automatic

        ? indicates   that   the Widget   may   initiate   access   to
  the   network as   a
            result of an internal action not triggered by user interaction

unattended sounds like a better name


    ? frequency

        ? indicates the typical frequency of attempted network connection for
            data   transfer,  measured     as  the number     of
network   connection
            attempts made per hour

is a very strange name for what it does. I'm not certain how the name
will be misinterpreted, but I expect it to be :).

    ? min-volume

        ? indicates the typical minimum aggregate upload and download data
            transfer volume size per hour in kilobytes

Volume is likely to be confused with audio. And again hyphens are a
bad idea. Something that has the word 'data' or 'bandwidth' or
something similar seems like a better choice.

    ? host

        ? indicates the internet domain  or IP address of this target external
            site.

Does this support ipv6 notation? does it support 32bit numbers?

You haven't indicated any port restrictions which worries me.

    ? min-private

         ? indicates the   typical minimum   requirement of   the
Widget for local
            persistent storage of private data, expressed in Kbytes.

Is a very strange name. I also see no reason to use kilobytes here.
I'd recommend using Megabytes throughout.

(ie APIs in addition to the standardised client-
side DOM APIs supported in the browser environment).

i.e.
-- note that you spell e.g. with periods (as required...) and
sometimes spell i.e. correctly..., sadly you're also missing a
mandatory period from 'etc.', and often punctuation before/after
them....


errorCallback              Function                Function object
taking a single String argument.
                                                   This is called at
most once for each invocation of
                                                   requestFeature(),
possibly asynchronously, and
                                                   signifies that the
request has failed.

Providing only one argument is bad. You need at least two.

If I make two requestFeature calls and they're both processed
asynchronously and they both fail, but can fail in either order, i
will have to use distinct functions or closures to properly guess for
which i'm being called. I shouldn't have to do this.

root                       String                  String identifier
of global variable to bind to the
                                                   root object
associated with the requested
                                                   Feature, if the
object(s) implementing the API are
                                                   not bound to
specific globals implicitly in the
                                                   definition of the Feature.

If I request that a feature be bound to an object that wasn't
expecting it, are there security considerations that will be ignored?



 AS-0450        A Website shall indicate its      requestFeature()may be
                Feature dependencies              called at any time
between initial
                programmatically by calling       launch of the Website and the
                requestFeature().                 attempt to invoke
the associated
                                                  JavaScript API.

Website? I thought it was a bondi api for widgets.

Received on Monday, 23 March 2009 14:17:22 UTC