- From: Kenton Varda <kenton@google.com>
- Date: Wed, 16 Dec 2009 21:36:00 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps <public-webapps@w3.org>
- Message-ID: <4112ecad0912162136r67a9d8dbx4f90eb4d6646720d@mail.gmail.com>
On Wed, Dec 16, 2009 at 9:25 PM, Ian Hickson <ian@hixie.ch> wrote: > A concrete example of the example I was talking about is Google's Finance > GData API. There's a fixed URL on A (Google's site) that represents my > finance information. There's a site B (my portal page) that is hard-coded > to fetch that data and display it. I'm logged into A, I'm not logged into > B, and I've told A (Google) that it's ok to give B access to my financial > data. Today, this involves a complicated set of bouncing back and forth. > With CORS, it could be done with zero server-side scripting -- the file > could just be statically generated with an HTTP header that grants > permission to my portal to read the page. > > ... > > As a user, in both the finance case and XBL case, I don't want any UI. I > just want it to Work. > Yet you must go through a UI on site A to tell it that it's OK to give your data to B. Obviously this step cannot be altogether eliminated. What I am suggesting is a slightly different UI which I think would be no more difficult to use, but which would avoid the need to hard-code. In fact, I think my UI is easier for users, because in all likelihood, when you decide "I want site B to access my data from site A", you are probably already on site B at the time. In your UI, you have to navigate back to A in order to grant permission to B (and doesn't that also require copy-pasting the host name?). In my UI, you don't have to leave site B to make the connection, because the browser remembers that site A provided the desired capability and thus can present the option to you directly. The down side is that I don't know how to implement my UI in today's browsers.
Received on Thursday, 17 December 2009 05:36:58 UTC