- From: timeless <timeless@gmail.com>
- Date: Mon, 23 Mar 2009 16:16:42 +0200
- To: David Rogers <david.rogers@omtp.org>
- Cc: WebApps WG <public-webapps@w3.org>
2009/3/18 David Rogers <david.rogers@omtp.org>: > I haven't heard anything back from you - do you have some comments to > submit? The deadline is the 23rd of March. sorry, i've been buried. BONDI_Architecture_Security_Task_CR10.pdf 2.1.1 WIDGET As described in Widgets 1.0: The Widget Landscape [2], a Widget is an interactive application for displaying and/or updating local data or data on the Web, packaged in a way to allow a single download and installation on a user's machine or mobile device. A Widget may run as a standalone application (meaning it can run outside of a web Browser) hosted in the Widget User Agent (see below). the spec no longer talks about "Widget User Agent", and this is a good example of why trying to drive other independent but dependent documents to finalization sooner is a bad idea. ? JavaScript extension: the mechanisms whereby JavaScript code executing within the Web engine is bound to, and therefore able to invoke, JavaScript APIs; That "extension" isn't capitalized and means something totally different from what it means in other areas are both unfortunate. ? Access Control: the system that enforces a Security Policy, responsible for determining whether, and under what circumstances, a Web Application is allowed to use a specific JavaScript API or associated underlying Device Capability. That "access control" sounds like a w3 spec but means something different is also unfortunate. it is not prescriptive about who should be the management authority of any particular aspect of terminal security policy. "terminal security policy" is not defined within this document and isn't a term with which I'm familiar. ("terminal Security Policy" is also used once later) Note that "Terminal" doesn't appear to be defined either. The established principles and experience of the deployment of the existing OMTP Application Security Framework [4]) I can't find an open parenthesis, I'm using Foxit Reader 3.0 build 1301 If the BONDI format version indicated in a <bondi> element is greater (later) than that supported a Web So far parsing hasn't defined numbers and greater than. xmlns:bondi=‘http://bondi.omtp.org/ns/widgets’ using fancy quotes in examples is poor form (something has removed the fancy quotes from my paste, but they were fancy) as iirc xml doesn't allow random quotes. where <version> is a version string of the form <major>.<minor>, where each of <major> and <minor> are numeric strings of at least one digit. May I use Arabic, Farsi or Indic numerals? if either the <presentation> or <resources> elements are [either] are => is :) ? background-operation ? hidden-operation I would strongly caution against using hyphens anywhere, as it's likely someone will use some random dash which isn't the one you want and complain. ? automatic ? indicates that the Widget may initiate access to the network as a result of an internal action not triggered by user interaction unattended sounds like a better name ? frequency ? indicates the typical frequency of attempted network connection for data transfer, measured as the number of network connection attempts made per hour is a very strange name for what it does. I'm not certain how the name will be misinterpreted, but I expect it to be :). ? min-volume ? indicates the typical minimum aggregate upload and download data transfer volume size per hour in kilobytes Volume is likely to be confused with audio. And again hyphens are a bad idea. Something that has the word 'data' or 'bandwidth' or something similar seems like a better choice. ? host ? indicates the internet domain or IP address of this target external site. Does this support ipv6 notation? does it support 32bit numbers? You haven't indicated any port restrictions which worries me. ? min-private ? indicates the typical minimum requirement of the Widget for local persistent storage of private data, expressed in Kbytes. Is a very strange name. I also see no reason to use kilobytes here. I'd recommend using Megabytes throughout. (ie APIs in addition to the standardised client- side DOM APIs supported in the browser environment). i.e. -- note that you spell e.g. with periods (as required...) and sometimes spell i.e. correctly..., sadly you're also missing a mandatory period from 'etc.', and often punctuation before/after them.... errorCallback Function Function object taking a single String argument. This is called at most once for each invocation of requestFeature(), possibly asynchronously, and signifies that the request has failed. Providing only one argument is bad. You need at least two. If I make two requestFeature calls and they're both processed asynchronously and they both fail, but can fail in either order, i will have to use distinct functions or closures to properly guess for which i'm being called. I shouldn't have to do this. root String String identifier of global variable to bind to the root object associated with the requested Feature, if the object(s) implementing the API are not bound to specific globals implicitly in the definition of the Feature. If I request that a feature be bound to an object that wasn't expecting it, are there security considerations that will be ignored? AS-0450 A Website shall indicate its requestFeature()may be Feature dependencies called at any time between initial programmatically by calling launch of the Website and the requestFeature(). attempt to invoke the associated JavaScript API. Website? I thought it was a bondi api for widgets.
Received on Monday, 23 March 2009 14:17:22 UTC