- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Tue, 30 Sep 2008 12:32:30 +1300
On Tue, Sep 30, 2008 at 12:09 PM, Michal Zalewski <lcamtuf at dione.cc> wrote:

> On Tue, 30 Sep 2008, Robert O'Callahan wrote:
>
>> If the chat gadget is configured to only talk to the site owner, how can it
>> be abused? I suppose the site owner can discover the chat nick of a visitor
>> who otherwise wouldn't want to disclose it. That's a risk that the chat
>> system developers might very well be willing to accept.
>
> Assume you are logged in with Facebook, Google, or any other "common" party
> that provides general chat / calendar services or anything of that kind; and
> let's say this party permits site operators embed a gadget that shows every
> visitor a schedule of events advertised on a page overlaid on top of
> visitor's schedule (with the option to add these to your calendar, or edit
> your calendar data - it does not have to be read-only);

I don't see what's so terrible about showing the user's calendar and the
overlaid events inline, and having the "Add to Calendar" button open a new
page for confirmation. Note that GMail's "add to Google Calendar"
functionality already takes me to a new tab for confirmation, even though
presumably Google could avoid that if they wanted to.

> or gives you the opportunity to chat, review and annotate documents, or
> otherwise collaborate with site owners using similar facilities provided by
> gadget operator in their third-party domain, in your capacity as the user
> logged in with said services.

If these services are limited to specific chat channels or documents that are
associated with the site owner (which can be ensured by the gadget operator),
then I don't see a problem; site owner "UI redress" would be pointless.

>>> That's a terrible user experience, by most accounts, and goes against the
>>> concept of a gadget; I believe it is often avoided at all costs except when
>>> absolutely necessary (e.g., login, where the user needs the opportunity to
>>> verify URL, SSL status, etc).
>>
>> Maybe we can make it a better user experience, for example, by allowing
>> the new window/tab to appear as a new pane at the top or bottom of the
>> existing tab. That would nicely handle your chat example, IMHO.
>
> Possibly.

Think it over :-)

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Monday, 29 September 2008 16:32:30 UTC