- From: Bjartur Thorlacius <svartman95@gmail.com>
- Date: Tue, 17 May 2011 00:20:01 +0000
On 5/16/11, Ian Hickson <ian at hixie.ch> wrote:
> On Mon, 16 May 2011, Adam Shannon wrote:
>> I'd rather see UA's implement better controls on their end than see an
>> API which could be largely abused. (Drag and drop browser controls over
>> tons of sites asking for permission to be the default.)
>
> I agree. Note that the spec doesn't say there should be a dialog box at
> all; it's left entirely up to the UAs.
>

Then why add an API when we've already got (IMO superior) declarative markup? The user has to consent. Even confirmation prompts may not be a usable authorization mechanism (as most users generally don't understand them).

Use case: User wants to add a search provider.

Requirements: A GET form from a site & user's consent

The chosen solution should be easily adaptable if not usable for publishing as well as searching. Creating a hyperlink to a POST form (without the "search" relation) should be suitable for microblogging.

Solutions:

A document advertises a form to the browser; if not installed: the browser advertises the form to the user; the user commands the browser to install the form.

document -> browser & browser <-> user -- the site is never informed

A document asks the browser if the user has installed the form; if not: begs the user to install it; the user asks the document to ask the browser to install the form; the document asks the browser; the browser asks the user whether it should proceed; the user consents. Or do you mean that a script is to ask the browser without user interaction?

document <-> browser & document <-> user & browser <-> user

Security considerations:

In the case of an API a script bundled with a document may at any point ask for form installation, irrespective of isSearchProviderInstalled, making isSearchProviderInstalled redundant, as if it's installed (or blacklisted as in explicit user refusal to install) the call would be ignored anyway.

Also, my UA would probably always act as if the form was installed, to protect against blackmailing à la Facebook scams and sites funded by getting money for endorsing (unwanted) forms.

Received on Monday, 16 May 2011 17:20:01 UTC