- From: David Rogers <david.rogers@omtp.org>
- Date: Mon, 23 Mar 2009 15:01:47 -0000
- To: <timeless@gmail.com>
- Cc: "WebApps WG" <public-webapps@w3.org>, "Nick Allott" <nick.allott@omtp.org>
Hi Josh,
Many thanks for your input, again I'll ensure your comments are
considered.
Thanks,
David.
-----Original Message-----
From: timeless.bmo1@gmail.com [mailto:timeless.bmo1@gmail.com] On Behalf
Of timeless
Sent: 23 March 2009 14:17
To: David Rogers
Cc: WebApps WG
Subject: Re: FW: problems using http://bondi.omtp.org/
2009/3/18 David Rogers <david.rogers@omtp.org>:
> I haven't heard anything back from you - do you have some comments to
> submit? The deadline is the 23rd of March.
sorry, i've been buried.
BONDI_Architecture_Security_Task_CR10.pdf
2.1.1 WIDGET
As described in Widgets 1.0: The Widget Landscape [2],
a Widget is an
interactive application for displaying and/or updating local data or
data on the
Web, packaged in a way to allow a single download
and installation on a
user's machine or mobile device. A Widget may
run as a standalone
application (meaning it can run outside of a web
Browser) hosted in the
Widget User Agent (see below).
the spec no longer talks about "Widget User Agent", and this is a good
example of why trying to drive other independent but dependent
documents to finalization sooner is a bad idea.
? JavaScript extension: the mechanisms whereby
JavaScript code
executing within the Web engine is bound to,
and therefore able to
invoke, JavaScript APIs;
That "extension" isn't capitalized and means something totally
different from what it means in other areas are both unfortunate.
? Access Control: the system that enforces
a Security Policy,
responsible for determining whether, and under what
circumstances, a
Web Application is allowed to use a specific
JavaScript API or
associated underlying Device Capability.
That "access control" sounds like a w3 spec but means something
different is also unfortunate.
it is not prescriptive about who should be the
management authority of any particular aspect of terminal security
policy.
"terminal security policy" is not defined within this document and
isn't a term with which I'm familiar.
("terminal Security Policy" is also used once later)
Note that "Terminal" doesn't appear to be defined either.
The established
principles and experience of the deployment of the existing OMTP
Application
Security Framework [4])
I can't find an open parenthesis, I'm using Foxit Reader 3.0 build 1301
If the BONDI format version
indicated in a <bondi>
element is greater (later)
than that supported a Web
So far parsing hasn't defined numbers and greater than.
xmlns:bondi='http://bondi.omtp.org/ns/widgets'
using fancy quotes in examples is poor form (something has removed the
fancy quotes from my paste, but they were fancy) as iirc xml doesn't
allow random quotes.
where <version> is a version string of the form <major>.<minor>,
where each of <major> and <minor> are numeric strings of at
least
one
digit.
May I use Arabic, Farsi or Indic numerals?
if either the <presentation> or <resources>
elements are
[either] are => is :)
? background-operation
? hidden-operation
I would strongly caution against using hyphens anywhere, as it's
likely someone will use some random dash which isn't the one you want
and complain.
? automatic
? indicates that the Widget may initiate access to
the network as a
result of an internal action not triggered by user
interaction
unattended sounds like a better name
? frequency
? indicates the typical frequency of attempted network
connection for
data transfer, measured as the number of
network connection
attempts made per hour
is a very strange name for what it does. I'm not certain how the name
will be misinterpreted, but I expect it to be :).
? min-volume
? indicates the typical minimum aggregate upload and download
data
transfer volume size per hour in kilobytes
Volume is likely to be confused with audio. And again hyphens are a
bad idea. Something that has the word 'data' or 'bandwidth' or
something similar seems like a better choice.
? host
? indicates the internet domain or IP address of this target
external
site.
Does this support ipv6 notation? does it support 32bit numbers?
You haven't indicated any port restrictions which worries me.
? min-private
? indicates the typical minimum requirement of the
Widget for local
persistent storage of private data, expressed in Kbytes.
Is a very strange name. I also see no reason to use kilobytes here.
I'd recommend using Megabytes throughout.
(ie APIs in addition to the standardised client-
side DOM APIs supported in the browser environment).
i.e.
-- note that you spell e.g. with periods (as required...) and
sometimes spell i.e. correctly..., sadly you're also missing a
mandatory period from 'etc.', and often punctuation before/after
them....
errorCallback Function Function object
taking a single String argument.
This is called at
most once for each invocation of
requestFeature(),
possibly asynchronously, and
signifies that the
request has failed.
Providing only one argument is bad. You need at least two.
If I make two requestFeature calls and they're both processed
asynchronously and they both fail, but can fail in either order, i
will have to use distinct functions or closures to properly guess for
which i'm being called. I shouldn't have to do this.
root String String identifier
of global variable to bind to the
root object
associated with the requested
Feature, if the
object(s) implementing the API are
not bound to
specific globals implicitly in the
definition of the
Feature.
If I request that a feature be bound to an object that wasn't
expecting it, are there security considerations that will be ignored?
AS-0450 A Website shall indicate its requestFeature()may be
Feature dependencies called at any time
between initial
programmatically by calling launch of the Website
and the
requestFeature(). attempt to invoke
the associated
JavaScript API.
Website? I thought it was a bondi api for widgets.
No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.238 / Virus Database: 270.11.23/2016 - Release Date:
03/22/09 17:51:00
Received on Monday, 23 March 2009 15:02:36 UTC