I suspect that that's a discrepancy between what the spec says, and
what it's meant to say.

However, there is indeed a choice to be made between having a single
"origin" for all widgets signed with the same key (with corresponding
mutual access rights), having a boundary between different widgets
signed with the same key, and having a boundary between widget
instances.

While I really like the "public-key-as-origin" idea, I wonder whether
the most conservative path for the current round of widget
specifications isn't to just stick to the random per-instance (!)
origin, and relax later.

Cheers,
--
Thomas Roessler, W3C <[email protected]>

On 27 May 2009, at 18:23, Adam Barth wrote:

> On Wed, May 27, 2009 at 9:05 AM, Henri Sivonen <[email protected]> wrote:
>> On May 27, 2009, at 18:32, Adam Barth wrote:
>>> 3) A developer can write two widgets that occupy the same origin
>>> (again, but re-using the public key). These widgets will be able to
>>> interact more freely, for example by sharing the same localStorage,
>>> etc.
>>
>> I thought the point of the UUID was to isolate even different
>> instances of the same widget.
>
> The spec says the UUID is picked at install-time, so two instances of
> the widget will get the same UUID.
>
> Adam