On Mon, Feb 8, 2010 at 6:36 PM, Marcos Caceres <marc...@opera.com> wrote: > At Opera we've been discussing some of the security implications around the > openURL method in the widgets API spec. We think the spec might benefit if > we were to add a non-normative security consideration section for openURL.
> The following text, which I did not write, can serve as a basis for the note > - we are presenting it here for discussion, and you'll note it uses > different terminology than the one found in the spec. In other words, please > don't consider the following to be spec text, it needs a fair amount of > editing but tries to get to the heart of the problem: Personally, I'd rather suggest that openURL not be treated as "openURL" but "add url to suggested links". I have a blog draft that tries to explain it, but basically, an application has no reason to ask another application to open urls. Instead it should have the ability to give the user a series of urls which the user can treat as a bookmark list. If the user chooses to open one or more of those bookmarks, fine, however, if the user closes the application, having decided that the bookmarks aren't interesting, then they're gone. http://viper.haque.net/~timeless/blog/2/popups/ is the write-up, it's actually the oldest thing in my blog :). Note that my opinion has nothing specifically to do with widgets, I don't approve of random applications on my computer launching my web browser and ordering it to go somewhere. I'd rather my web browser just collect those suggestions and enable me to decide whether *I* want to go to some of them, and if so, which, and of course, at the time of my choosing. Note that in the case where a user actually trusts another application on their system, the user is free to use drag and drop to pull a url into the web browser, that would bypass the suggestion behavior. In the case of widgets, I don't think that such a feature should be supported because there's too much risk that the user is tricked into dragging something dangerous and changing the security principals of the source.
