On 5/24/09 7:25 AM, timeless wrote:
> On Tue, May 19, 2009 at 12:18 PM, Marcos Caceres <[email protected]> wrote:
>> 1. If no <access> element is used, the application type (e.g., HTML,
>> Flash, whatever) is responsible for providing the security
>> context/rules under which the widget runs. For HTML this means that a
>> widget runs as if you had dragged an HTML file from your hard-drive
>> into the Web browser.
>
> this part is scary, since historically that meant a web page with full
> file system access even though this wasn't usually what users wanted,
> expected, or understood.

Of course, that is not what I meant.

> (it's true that browsers are evolving to a different model, but...)

I should have made myself more clear. I meant that the widget would
behave as if it had been dragged from the hard-drive with respect to
access to HTTP resources via inline content. The model I am proposing is
dependent on the widget:// URI scheme and the assumption that widget://
acts as a mounted drive for the widget. Access to the file system would be
forbidden. No way was I intending to imply otherwise.