Re: [widgets] API - openURL security considerations

On Thu, 18 Feb 2010 22:09:00 +0100, Scott Wilson  
<scott.bradley.wilson@gmail.com> wrote:

> Hi both,
>
> Apache Wookie (incubating) currently implements the widget.openURL
> method by directly calling the browser's window.open() function - in
> this example is there anything particularly special about the fact it's
> being called by a widget? Should our implementation do anything extra,
> or is it better just leaving it to the browser to handle any problems?

The way I view this is roughly as follows:

1. window.open() opens a URL within the context of the widget, for  
instance for the purpose of authenticating a widget using something like  
OAuth.

2. widget.openURL() is used to pass a URL from a widget to the default  
protocol handler on a system for any given protocol, for instance to pass  
a URL from the widget to the web browser on the system, to place a phone  
call or pass a magnet link to a BitTorrent client.

The underlying difference here is that window.open would retain a  
reference to the widget, usually through window.opener, while  
widget.openURL is fire and forget.
-- 
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/

Received on Thursday, 18 February 2010 21:52:56 UTC
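
The distinction drawn in the message above, as an added example that is not part of the original thread and is not Apache Wookie's code: a browser-hosted runtime that builds openURL on window.open() can keep it fire and forget by making sure no window.opener reference survives and no window handle is returned. The names `openURL(win, url)`, `makeFakeWindow` and `demo` are hypothetical, and `win` is injected so the sketch also runs outside a browser.

```javascript
// Added sketch: fire-and-forget openURL for a browser-hosted widget runtime.
// `win` is the browser's window object (assumption: passed in by the runtime).
function openURL(win, url) {
  let target;
  try {
    target = new URL(url);          // reject unparseable input up front
  } catch (e) {
    return undefined;
  }
  // "noopener" asks the browser not to set window.opener in the new context;
  // a browser that honours it returns null from window.open().
  const handle = win.open(target.href, "_blank", "noopener");
  if (handle) {
    // The feature was ignored: sever the back-reference ourselves.
    handle.opener = null;
  }
  return undefined;                 // never hand a window handle to the widget
}

// Constructed stand-in for a browser window, for demonstration only.
function makeFakeWindow(honoursNoopener) {
  const self = { opened: [] };
  self.open = (href, name, features) => {
    const child = { href, opener: self };
    self.opened.push(child);
    if (honoursNoopener && /noopener/.test(features || "")) {
      child.opener = null;
      return null;
    }
    return child;
  };
  return self;
}

// Compare plain window.open() with openURL() on a window that ignores "noopener".
function demo() {
  const legacy = makeFakeWindow(false);
  const plain = legacy.open("https://example.org/", "_blank");
  const ret = openURL(legacy, "https://example.org/");
  return {
    plainKeepsOpener: plain.opener === legacy,
    openURLReturn: ret,
    openURLChildOpener: legacy.opened[1].opener,
  };
}
```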