W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [widgets] API - openURL security considerations

From: Arve Bersvendsen <arveb@opera.com>
Date: Thu, 18 Feb 2010 22:52:19 +0100
To: "Scott Wilson" <scott.bradley.wilson@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <op.u8ce1exlbyn2jm@galactica>
On Thu, 18 Feb 2010 22:09:00 +0100, Scott Wilson  
<scott.bradley.wilson@gmail.com> wrote:

> Hi both,
> Apache Wookie (incubating) currently implements the widget.openURL
> method by directly calling the browser's window.open() function - in
> this example is there anything particularly special about the fact its
> being called by a widget? Should our implementation do anything extra,
> or is it better just leaving it to the browser to handle any problems?

The way I view this is roughly as follows:

1. window.open() opens a URL within the context of the widget, for  
instance for the purpose of authenticating a widget using something like  

2. widget.openURL() is used to pass a URL from a widget to the default  
protocol handler on a system for any given protocol, for instance to pass  
a URL from the widget to the web browser on the system, to place a phone  
call or pass a magnet link to a bittorrent client

The underlying difference here is that window.open would retain a  
reference to the widget, usually through window.opener, while  
widget.openURL is fire and forget.
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/
Received on Thursday, 18 February 2010 21:52:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:05 UTC