- From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
- Date: Thu, 12 Nov 2009 21:39:41 -0800
- To: "Marcos Caceres" <marcosc@opera.com>
- Cc: "WebApps WG" <public-webapps@w3.org>
Hi Marcos,

Opera 9.5 running on Windows Mobile 6.1 and Opera 10 running on PC both allow access to scripts and images from different domains than a widget was obtained from. I have tested this and can provide a working example (see below for the index.html - package it yourself and see).

Thus the same-origin restriction does not apply in current Opera implementations for externally referenced scripts and images. The processing of the <access> element as defined in WARP is not consistent with the current Opera implementation.

So what do you mean by "We've had a similar model in place for a long time in our proprietary implementation"?

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <link rel="stylesheet" type="text/css" href="style.css" />
  <!-- External script loaded from a domain other than the widget's own -->
  <script src="http://www.json.org/json2.js"></script>
  <script>
    function bodyLoad() {
      var str = "boohoo!";
      try {
        // Succeeds only if a JSON object is available
        str = JSON.stringify(['e', {pluribus: 'unum'}]);
        str = "hooray!";
      } catch (e) { }
      document.getElementById("test1").innerHTML = str;
    }
  </script>
</head>
<body onload="javascript:bodyLoad();">
  <p>Not Same-Origin Resource Access Test: a test of the same-origin rule for resources accessed from domains other than where the widget was obtained.</p>
  <hr/>
  <p>Test 1: If the widget engine does not allow external script references, you will see "boohoo!" below:</p>
  <div id="test1"></div>
  <hr/>
  <p>Test 2: If the widget engine does not allow external image references, no image will be shown below:</p>
  <img src="http://dev.opera.com/img/logo-beta.gif"/>
</body>
</html>
```

Best regards,
Bryan Sullivan | AT&T

-----Original Message-----
From: Marcos Caceres [mailto:marcosc@opera.com]
Sent: Tuesday, November 10, 2009 1:02 PM
To: SULLIVAN, BRYAN L (ATTCINW)
Cc: WebApps WG
Subject: Re: [WARP] Comments to WARP spec

SULLIVAN, BRYAN L (ATTCINW) wrote:
> Placing broad restrictions on widget-context webapp access to network resources (substantially different from browser-context webapps) is not an effective approach to creating a useful widget-context webapp platform. That would create a significant barrier to market acceptance of the W3C widget standards.

Opera does not agree. We've had a similar model in place for a long time in our proprietary implementation and we have not faced any issues in the marketplace. The WARP spec solves many problems that arise from not actually having a network established origin, and may even avoid the confused deputy problem CORS is currently facing (which locally running widgets won't be able to use anyway).

I think that technically we are in agreement; but we are just in disagreement about the level of granularity that the WARP spec affords to authors. For the record, I like the way WARP is currently specified: it's easy to use, and essentially works in much the same way as the same origin policy does for Web documents... but with the added bonus of being able to do cross origin - but with the restriction of not being unrestricted, like it's the case for web documents.
Received on Friday, 13 November 2009 05:40:26 UTC
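
An added example, not part of the original message and not code from Opera or the WARP specification: a simplified default-deny model of `<access>` matching, applied to the two external references in the test page above. The declaration list, the function names and the matching rules as written here (scheme, host, port, optional subdomains, `*` wildcard) are assumptions made for illustration.

```javascript
// Access declarations as they might be parsed from a widget's config.xml.
// Constructed sample values; the message itself declares none.
const accessList = [
  { origin: "http://www.json.org", subdomains: false },
  { origin: "http://opera.com", subdomains: true },
];

// Default port for a URL scheme, so "http://host" and "http://host:80" compare equal.
function defaultPort(scheme) {
  return scheme === "https:" ? "443" : scheme === "http:" ? "80" : "";
}

// Returns true when `resource` is covered by at least one declaration.
// With no matching declaration the answer is false (default deny).
function isAccessGranted(resource, declarations) {
  let target;
  try { target = new URL(resource); } catch (e) { return false; }
  const targetPort = target.port || defaultPort(target.protocol);
  return declarations.some((decl) => {
    if (decl.origin === "*") return true; // author requested unrestricted access
    let allowed;
    try { allowed = new URL(decl.origin); } catch (e) { return false; }
    if (allowed.protocol !== target.protocol) return false;
    if ((allowed.port || defaultPort(allowed.protocol)) !== targetPort) return false;
    if (allowed.hostname === target.hostname) return true;
    // Subdomain match requires a label boundary: "evilopera.com" must not match "opera.com".
    return decl.subdomains === true &&
      target.hostname.endsWith("." + allowed.hostname);
  });
}

// Evaluates the two external references used by the test page in the message.
function checkTestPage(declarations) {
  const refs = [
    "http://www.json.org/json2.js",
    "http://dev.opera.com/img/logo-beta.gif",
  ];
  return refs.map((url) => ({ url, granted: isAccessGranted(url, declarations) }));
}

console.log(checkTestPage([]));          // no declarations
console.log(checkTestPage(accessList));  // with the sample declarations
```

Under this model, the behaviour reported in the message (both resources loading with no declaration) corresponds to `granted: true` where the model returns `false`.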