[whatwg] Suggestion for a Specification: XUL Basic

On Thu, 10 Jun 2004, Jose Dinuncio wrote:
>
> I think I've understood the reason for our divergences. If I interpret
> you rightly, the problem is that an intranet user is visiting an insecure
> site inside the intranet and a web app pops up and he is fooled into
> using this app.

Right. Where "insecure" doesn't mean it has any way of doing anything
actively hostile, it just fakes the user into entering his credit card
details, for example.


> The scenario I have in mind is another one: you need to do your job
> using several well known web apps in your intranet. You know that the
> CRM app is at http://mydoamin.com/crm. That's it: navigation vs. app
> delivery.

Oh, I totally understand the requirement.


>> Presentational markup is very bad for accessibility. Whatever language
>> you use, you would want it to be semantic. And luckily we have this
>> semantic language right here and already supported in several
>> browsers... HTML. :-)

> Ok. But if web apps outside the browser are to be implemented, a way
> would be necessary to attach info to the window (again, menu bar,
> control bar, status bar, close button...)

Yeah, those would just be extensions to HTML in web-apps 1.0.


>> No but it will tell you whether the application is from www.paypal.com
>> or hostile.intranet.example.com, even if the actual content looks
>> identical in both.
>
> Security by browser chrome doesn't seem the way to go.

How would you do it then?


> I'm trying to keep open a path to WAOB. I think this feature can play an
> important role in the future of this project.

I agree.

One possibility would be for the application to be able to "request" WAOB
status, maybe using an attribute or something:

   <html application="application">

...and this would pop up a dialog box saying:

   :: Security Warning :::::::::::::::::::::::::::::::::::
   |                                                     |
   | The Web page at this domain:                        |
   |                                                     |
   |    paypcl.com                                       |
   |                                                     |
   | ...wishes to launch an application in a separate    |
   | window. Do you trust this domain?                   |
   |                                                     |
   | [x] Remember this decision.                         |
   |                                                     |
   |     (( Trust paypcl.com ))  ( Display as Web page ) |
   |                                                     |
   '-----------------------------------------------------'

What do people think? Would this solve the problem?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 10 June 2004 12:18:23 UTC
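
Added example, not part of the original message and not any browser's implementation: a sketch of the decision logic behind the proposed dialog. Remembered choices are keyed by exact hostname, and the prompt is told when the requesting domain is within two edits of one the user already trusts, as paypcl.com is to paypal.com. The names AppTrustStore, evaluate, record and the edit-distance threshold are assumptions made for illustration.

```javascript
// Levenshtein edit distance between two hostnames (single-row DP).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];        // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Hypothetical store for "Remember this decision" answers.
class AppTrustStore {
  constructor() {
    this.decisions = new Map(); // hostname -> "trust" | "webpage"
  }

  // Called when a page asks for application status.
  // Returns the action to take and, for a prompt, any trusted lookalikes.
  evaluate(pageUrl) {
    const host = new URL(pageUrl).hostname.toLowerCase();
    const remembered = this.decisions.get(host);
    if (remembered === "trust") return { action: "launch", host };
    if (remembered === "webpage") return { action: "webpage", host };
    const lookalikes = [...this.decisions]
      .filter(([h, d]) => d === "trust" && editDistance(h, host) <= 2)
      .map(([h]) => h);
    return { action: "prompt", host, lookalikes };
  }

  // Store the user's answer only if the checkbox was ticked.
  record(host, decision, remember) {
    if (remember) this.decisions.set(host.toLowerCase(), decision);
  }
}

// Constructed sample: the user has already trusted paypal.com.
const store = new AppTrustStore();
store.record("paypal.com", "trust", true);
console.log(store.evaluate("https://paypcl.com/app"));
```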