Re: XBL2

2010-09-03 Thread Jon Ferraiolo 

Ian,
It's good news that you have re-opened the XBL2 effort. We still don't have
a reasonable component model for HTML, and XBL1 has proven its value for 10
+ years in the Mozilla world.

My first question is how to deal with the chicken-and-egg problem where
developers won't touch it until 95% of deployed browser support this
feature, and browser teams won't touch it until developers show strong
interest. Is the idea that if the features goes into the HTML5 spec and one
or two browsers implement it right away, then maybe the other browsers will
follow? One other option for dealing with the chicken-and-egg problem is to
make sure that the XBL2 spec is implementable in JavaScript. If a good
JavaScript library existed and the browser teams agreed that native support
for XBL2 will be offered as a native feature for HTML5 in the future, then
developers could use XBL2 right away in current browsers and then find
improved performance in future browsers.

Jon

PS - I still have a nervous tick from our efforts on sXBL



   
  From:   Ian Hickson i...@hixie.ch   
   
  To: public-webapps@w3.org
   
  Cc: hy...@apple.com  
   
  Date:   09/02/2010 06:24 PM  
   
  Subject:XBL2 
   
  Sent by:public-webapps-requ...@w3.org
   






Since XBL2 wasn't getting much traction, I've taken an axe to the spec and
made a number of changes to the spec based on some discussions with some
browser vendors:

   http://dev.w3.org/2006/xbl2/Overview.html

The main changes are simplification: I've dropped namespace support, made
it part of HTML rather than its own language, dropped style and script
in favour of HTML equivalents, dropped all the handler syntactic sugar
(and redirected event forwarding to internal object instead), dropped
preload, dropped mentions of XForms and XML Events, and so on. I've
updated all the examples to use the new syntax, so if you're curious about
the differences, comparing the examples in the spec above to those in the
TR version is probably a good way to get an idea of what I did.

If this ends up being more successful than the previous work on this
specification, I'll have to merge it with the HTML spec to more properly
define how it works. Right now it leaves a lot of the detail a bit vague
(e.g. integration with the event loop, the parser, authoring conformance
definitions, etc). If this happens, I don't yet know how much this will
lend itself to being extracted back out into a separate module (for
publication by this working group), versus being just published as a core
part of the HTML spec, but I will be happy to update the group on this
matter as it becomes clearer.

I don't think the draft above would be suitable for publication as a TR/
draft, because of the aforementioned rough edges. I mostly just wanted to
provide this for discussion, to see whether people considered this a move
in a good direction or a significant step backwards.

--
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


inline: graycol.gifinline: ecblank.gif

Re: [cors] unaddressed security concerns

2009-10-26 Thread Jon Ferraiolo 

Hi Jonathan,
I was one of the people who complained a long time ago about the dangers of
sending cookies with cross-site requests, but the WG responded to my
concerns and now I'm satisfied with the spec as it stands today.

CORS requires servers to explicitly add a new HTTP header
(Access-Control-Allow-Credentials:true) to the response before credentials
(cookies) to be sent from browser to a (cross-site) server. If this header
is not included, then CORS-conformant browsers will not send cookies. This
approach helps to minimize the chance that unsophisticated server
developers (who are uninformed about CSRF protection) might introduce new
vulnerabilities as they open up their sites to cross-site requests because
the default is that credentials are not sent.

While the Access-Control-Allow-Credential header helps to minimize CSRF
vulnerabilities in the face of CORS, it doesn't represent a complete
solution to CSRF problems. Servers that enable cross-site requests with
credentials around sensitive information should include appropriate CSRF
bulletproofing, such as using random session-specific tokens (not stored in
cookies) to ensure that cross-site requests are coming from properly
authenticated users who are involved in properly managed sessions.

While it is impossible to be certain about the security implications of
CORS, which represents a major enhancement to the Web communications, it
looks to me that the potential CSRF problems have been addressed in an
adequate manner, at least to the same level as existing same-site XHR
requests. Servers have to opt-in for credentials to be sent. Once they
opt-in, then the same CSRF bulletproofing techniques that are required for
same-site XHR requests could be used to safeguard cross-site XHR requests.

Jon




|
| From:  |
|
  
-|
  |Jonathan Rees j...@creativecommons.org 
 |
  
-|
|
| To:|
|
  
-|
  |Doug Schepers schep...@w3.org  
|
  
-|
|
| Cc:|
|
  
-|
  |Maciej Stachowiak m...@apple.com, Mark S. Miller erig...@google.com, 
Adam Barth w...@adambarth.com, Anne van Kesteren  |
  |ann...@opera.com, Henry S. Thompson h...@inf.ed.ac.uk, Jonas Sicking 
jo...@sicking.cc, Arthur Barstow art.bars...@nokia.com, |
  |public-webapps public-webapps@w3.org   
|
  
-|
|
| Date:  |
|
  
-|
  |10/23/2009 02:06 PM  
|
  
-|
|
| Subject:   |
|
  
-|
  |Re: [cors] unaddressed security concerns 
|
  
-|
|
| Sent by:   |
|
  
-|
  |public-webapps-requ...@w3.org
|
  
-|





Comments below

On Thu, Oct 22, 2009 at 6:12 PM, Doug Schepers schep...@w3.org wrote:

 Let's take it a step further, and

Re: [Widgets] Widget Gallery RSS like sharing format

2009-03-13 Thread Jon Ferraiolo 

(A little slow on my response)

Hi Robin,
I was pointing to the *response* part of OpenSearch. The URL below shows
the RSS and Atom formats that they use to reflect the list of things found
from the search query.

Over in OpenAjax Alliance, we are working with various players in the
industry to establish widget repositories. We have been using OpenSearch
for both the search query and the response. If you go to:

http://www.openajax.org/2008_InteropFest/mashupapp/gadgets/samples/newmashup.php

and click at the top left on the hour glass icon, a list of widgets will
appear. That list of widgets is built from an OpenSearch response. We find
it works quite well.

Jon




   
 Robin Berjon  
 ro...@berjon.com 
   To
   Jon Ferraiolo/Menlo Park/i...@ibmus
 03/11/2009 10:16   cc
 AMSUZANNE Benoit RD-SIRP-ISS  
   benoit.suza...@orange-ftgroup.com
   , public-webapps@w3.org,
   public-webapps-requ...@w3.org   
   Subject
   Re: [Widgets] Widget Gallery RSS
   like sharing format 
   
   
   
   
   
   




On Mar 11, 2009, at 16:44 , Jon Ferraiolo wrote:
 How about adopting OpenSearch response?


http://www.opensearch.org/Specifications/OpenSearch/1.1#OpenSearch_response_elements


 In fact, how about simply adopting OpenSearch in its entirety?


Well my understanding of the use case is that it's about sharing the
content of a widget gallery, which isn't really a search, but if the
idea is to support discoverable repositories or that sort of stuff, it
might be something worth looking at.

--
Robin Berjon - http://berjon.com/
 Feel like hiring me? Go to http://robineko.com/





inline: graycol.gifinline: pic14041.gifinline: ecblank.gif

Re: ACTION-315: Widget URI scheme thoughts

2009-02-26 Thread Jon Ferraiolo 

My opinion is that having a widget URI scheme is not worth all of this
complexity. I propose that the W3C ship Widgets 1.0 as quickly as possible
with less flexibility on URI addressing. I think it is acceptable for a 1.0
release if all assets in the ZIP can only be addressed by relative
addressing without allowing / at the front of the relative URL. In my
experience a few years ago at Adobe which used ZIP packaging for its
Digital Editions products (based on IDPF standards) and its Mars technology
(PDF in XML/ZIP), people were able to deal with the restriction that
relative addressed could not start with /. I definitely know that
OpenAjax Widgets get by without a widget URI scheme, and I'll 99% sure that
Google/OpenSocial Gadgets doesn't have such a mechanism.

Jon




   
 Thomas Roessler   
 t...@w3.org  
 Sent by:   To
 public-webapps-re Thomas Roessler t...@w3.org
 qu...@w3.org   cc
   public-webapps@w3.org WG  
   public-webapps@w3.org,
 02/26/2009 04:54  public-pkg-uri-sch...@w3.org
 AMSubject
   Re: ACTION-315: Widget URI scheme
   thoughts
   
   
   
   
   
   




As a follow-up from trashing this through with Josh, the one open issue is
navigation of iframes:  Assume a widget frames a resource that is retrieved
from the Web.  Would navigation of that iframe have to go through the
manifest based indirection or not?


The sense in our conversation was that it should *not* go through that
indirection, but that that would probably have the potential to cause some
surprises.

The basic behavior would be that the manifest is only used for resolution
of URI references that have the widget instance's unique origin; anything
else would bypass the manifest mechanism.


The other point would be HTTP POST (from forms): The manifest mechanism is
right now scoped to the *retrieval* of resources.

Form posts, XMLHttpRequest and other mechanisms are out of scope,
therefore, standard HTML behavior (e.g., going out on the network) would
apply.  The synthetic origin approach seems to lead to the intended results
in terms of security policy as far as the discussion between Josh and
myself was concerned; I understand that Josh has some ideas about writing
POST-like handlers in JavaScript, but that would be another extension.

--
Thomas Roessler, W3C  t...@w3.org:







On 26 Feb 2009, at 13:23, Thomas Roessler wrote:

  Getting back to the URI scheme discussion, here's a strawman proposal
  that's inspired by the Widget case, where scripting and navigation
  add a few more complexities.  I'll be interested in seeing Marcos,
  Arve and Josh shoot this one down. :)

  Specifically, we need to say:

  - how to dereference a URI reference that occurs within a widget
  resource, and for which the identified resource is included within
  the widget package

  - what the base URI property is for any DOM created from a resource
  within a widget package

  - what the origin is for any DOM created by the Widget. (e.g., for
  cross-frame scripting)

  The critically important point here is that we separate the Origin
  consideration from the identification and retrieval of resources in
  the package.

  Design assumptions:

  - we can synthesize origins to be globally unique identifiers (as
  HTML5 does)
  - we have unique identifiers resources within the package. Typically,
  these will look filesystem path like, but for the purposes of this
  proposal, they're opaque identifiers, and totally depend on the
  package format.

  Proposal:

  1. The manifest is turned into a generic indirection tool that can
  aim inside the widget.  For each resource (identified by absolute
  URI), the following properties are defined:

   - Content-Type
   - Parameters for said Content-Type
   - identifier for the packaged file that includes a representation of
  this resource

  E.g.:

Resource Identifier=http://www.w3.org/;

Re: [widgets] OAuth and openID

2009-02-22 Thread Jon Ferraiolo 

Hi Marcos,
I'll take a crack at this.

OpenID is a technology that authenticates your identity. The cool thing
about OpenID is that multiple web sites can share the same identity system,
which makes it so that there can be a single mar...@myopenidwhatever.com
instead of dozens of separate IDs for you (mar...@google.com,
mar...@yahoo.com, etc.). A competitor to OpenID is a login/password
screen served by a single web site. With W3C Widgets, you might use OpenID
if you have to establish an identity before a widget can be installed; for
example, you might have to login to the Apple AppStore (or some other
store) before you downloaded a widget from there, and maybe the store
supports OpenID. After installation, while a widget runs, the widget (or
its server) might periodically need to ask you to enter a login/password to
confirm who you are. The login/password software might use OpenID. This
might be where Dan sees a problem - OpenID requires browser redirects to do
its magic. You might need a list of allowed domains (i.e., at least 2) to
support OpenID for this sort of repeated server login.

OAuth is a technology that authorizes someone to do something. For example,
an OAuth server might authorize you to cast a vote in an election.
Regarding authorization, in the most common case of W3C Widgets, you would
most likely use something like an OMTP/BONDI policy file or some sort of
platform-specific (maybe implicit) policy to control authorization instead
of OAuth. My thinking is that you can ignore OAuth for now.

If I were on the committee, I would push to finish Widgets 1.0 as quickly
as possible, and then put OpenID and OAuth on the list for things to
consider for Widgets 1.1.

Jon





   
 Marcos Caceres
 marc...@opera.co 
 m To
 Sent by:  public-webapps@w3.org 
 public-webapps-re public-webapps@w3.org 
 qu...@w3.org   cc
   Dan Brickley dan...@danbri.org
   Subject
 02/22/2009 07:11  [widgets] OAuth and openID  
 AM
   
   
 Please respond to 
 marc...@opera.com 
   
   




Hi,
I recently spoke to Dan Brickley who raised concerns wrt to using
OAuth authentication flows and support open ID. I've only had very
limited exposure to these technologies, so I am not the best to
comment about how they would work with widgets, but I'm starting this
thread so we can discuss ideas.

Dan, it would be great if you could outline the problem as you see it?

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au

inline: graycol.gifinline: pic14024.gifinline: ecblank.gif

Re: Required support for SVG in widgets

2009-02-04 Thread Jon Ferraiolo 

The Web Apps WG should create yet another (short) widget spec, which would
be an Open Web profile spec that simply provides a checklist for two
interoperability levels for conformance. In both profiles, the user agent
would be required to implement all of the various Widgets spec. One
interoperability profile would require support for the vague notion of
HTML (defacto standard HTML, not XHTML) and the other profile would
require support for SVG Tiny 1.2. Both profiles should mandate OMTP BONDI.

To me, such a spec would help promote open, interoperability technologies
in the widget space. This spec could be on a delayed timeline (i.e.
approved after the other widget specs), particularly to allow BONDI to
reach completion, but just having drafts out there would show the community
what the interoperability target is.

Jon



   
 Robin Berjon  
 ro...@berjon.com 
   To
 Sent by:  Marcos Caceres  
 public-webapps-re marcosscace...@gmail.com  
 qu...@w3.org   cc
   public-webapps@w3.org   
   Subject
 02/04/2009 03:29  Re: Required support for SVG in 
 AMwidgets 
   
   
   
   
   
   





On Feb 4, 2009, at 02:20 , Marcos Caceres wrote:
 On Tue, Feb 3, 2009 at 11:22 PM, Jonas Sicking jo...@sicking.cc
 wrote:
 Is there a reason to require any formats? In very few places we do
 this. For example the HTML and CSS specs don't require support for
 JPEG, GIF or PNG. Neither HTML or SVG require support for javascript.

 Is there a reason for the widget spec to be different?

 I guess it's not really about mandating that the widget user agent
 support SVG, just that it look for SVG as a default start file.

My request actually covered both. But apparently you've now removed
the requirement to support HTML, so maybe I can withdraw that part of
my objection. I would prefer if HTML and SVG were both required
because it makes widgets more useful when you know what you can rely
on, but I can live with nothing specific being required.

--
Robin Berjon - http://berjon.com/
 Feel like hiring me? Go to http://robineko.com/



inline: graycol.gifinline: pic04476.gifinline: ecblank.gif

Re: ISSUE-80: Runtime localization model for widgets [Widgets]

2009-02-04 Thread Jon Ferraiolo 

I am all in favor of *not* having to replicate many files in the widget
distribution just so you can create localized versions of a single image.

One more thing I'll add. One of the URL techniques in the Widgets spec,
using / as the first character in a relative address, works OK in widget
workflows where the content is always wrapped in a ZIP, but in various Web
Widget workflows, the widget contents are often exploded into a file system
where the root of the widget is not the root of the file system or the root
of the Web site. In those scenarios, you can't use / as the first
character in a relative address, which means the entire set of files would
have to be duplicated for each locale. Hardly ideal.

Jon




   
 Web Applications  
 Working Group 
 Issue Tracker  To
 sysbot   public-webapps@w3.org   
 +trac...@w3.org   cc
 Sent by:  
 public-webapps-re Subject
 qu...@w3.org  ISSUE-80: Runtime localization  
   model for widgets [Widgets] 
   
 02/02/2009 03:51  
 PM
   
   
 Please respond to 
 Web Applications  
 Working Group WG  
 public-weba...@w 
  3.org   
   
   






ISSUE-80: Runtime localization model for widgets [Widgets]

http://www.w3.org/2008/webapps/track/issues/80

Raised by: Josh Soref
On product: Widgets

Below is a discussion I had with Josh about the localization model for
widgets. Josh identifies an issue that may affect localization at
runtime that may be overcome by having the widget engines dynamically
change folders when it can't find resources.

timeless.b...@gmail.com:  how do localized folders work anyway?
 Sent at 12:01 AM on Sunday
 timeless.b...@gmail.com:  oh, it's hidden in base folder
 me:  you put folders that follow the lang-place pattern into a
folder called locale. The UA looks for a folder that matches the
user's locale prefs
 timeless.b...@gmail.com:  i'm not quite sure i understand or like that
imagine i have 100 images
and only want to localize 2
if base-folder means that i have to copy the whole set, i'm unhappy
 me:  no, just make all your refs absolute. it's no problem
 timeless.b...@gmail.com:  no, definitely bad
that means i have to know in advance if i need to localize a path
instead of just having 1 locale that needs to localize a file
 me:  yes. But it supports multiple models of localization. So the
model is quite flexible.
 timeless.b...@gmail.com:  supporting a virtual mapping would have
been better :(
 me:  we can always change it if you have a better proposal
 timeless.b...@gmail.com:  i guess the simplest question is would you
ever have a localized file foo.bar and want access to the original
unlocalized file
 timeless.b...@gmail.com:  i claim no
 me:  no, you wouldn't
the idea is that you only localize what you want.
 timeless.b...@gmail.com:  yeah
so, in my model, instead of 'base folder'
a localized file i18n/en-GB/index.html appears as /index.html if the
UA selects en-GB
 me:  I'm sure we are thinking of the same thing here, but now I'm
worried I've done this wrong.
 timeless.b...@gmail.com:  (so searches go first to i18n/en-GB/ and then
to /)
if index.html has img src=flag.png
 me:  flag.png gets resolved to  i18n/en-GB/flag.png
 timeless.b...@gmail.com:  then whether it's /index.html, or
/i18n/fr-FR/index.html if the UA locale is fr-FR, it first looks in
/i18n/fr-FR/flag.png and then /flag.png
yeah, but that's not what i want
it's a disaster
 me:  no, it only goes to one location
 timeless.b...@gmail.com:  yeah, that sucks.
you end up w/ millions of included files in dozens of locales
because only one needed an override
or you have to fork each html file just to make something happy
 me:  hmmm
I'm not convinced... I thought I had sorted this out
I need to do some tests
 timeless.b...@gmail.com:  we have a VFS, and our UA has a cache,
which

Re: Required support for SVG in widgets

2009-02-03 Thread Jon Ferraiolo 

Hi Marcos,
*IF* the WG decides to somehow promote SVG into a required format for some
features in the widgets spec, then either the spec or implementations have
to figure out how to deal with time-based behaviors (e.g., animations) and
interactive behaviors (e.g., hyperlinks, onload, onclick, other JavaScript)
for the scenarios where SVG is used.

One thing to remember about SVG is that there is well-defined rendering
behavior when time-based behaviors and interactive behaviors are turned
off, which is to render the SVG content as if the animation elements and
all interactive features were removed from the file. This is what we
sometimes call static SVG. It is pretty much the same as a PNG, except
the graphics are defined via vector graphic commands instead of colored
bits.

Jon




   
 Marcos Caceres
 marcosscace...@g 
 mail.com  To
 Sent by:  Robin Berjon ro...@berjon.com 
 public-webapps-re  cc
 qu...@w3.org  public-webapps@w3.org   
   Subject
   Re: Required support for SVG in 
 02/03/2009 11:54  widgets 
 AM
   
   
   
   
   





Hi Robin,
On Tue, Feb 3, 2009 at 5:54 PM, Robin Berjon ro...@berjon.com wrote:

 Hi,

 I'm sorry if this was discussed earlier, but I have no recollection of it
 being brought up and I can't seem to dig up a reference to this issue
from
 the archives of the public lists of this WG or its previous incarnations.
 Then again, I have a pretty poor memory and am not so good with
computers.

 Is there any specific reason not to require SVG support in widgets? The
 draft has everything defined in terms of how it would work, but has it
 optional both for icons and for the start page. Given the implementations
 that we're likely to see, I doubt that there would be any problem getting
 out of CR with SVG being required, even on mobile devices. Making it
 required has all the usual advantages of reassuring authors that they can
 indeed use it.

 If there is no overarching concern with requiring SVG (or if there was
when
 the spec was started, but it's now gone) I would kindly urge the working
 group to require SVG and add an index.svg default start file.

Ok, I've added SVG as a default start file type to the editor's draft
(I'll commit it to CVS later today). However, as this is a significant
addition, the Working Group will have to reach a resolution on this
(or raise objections here, ASAP).

If WebApps agrees (which I'm confident sure they will), could we ask
in return that someone from the SVG WG do a review of the Widget PC
spec to make sure that all the right bits are in place to make SVG
work. We are currently in the middle of responding to LC comments, so
we would ask that the SVG review is done in the Second Last Call
period (one month from now).

Kind regards,
Marcos

--
Marcos Caceres
http://datadriven.com.au,

inline: graycol.gifinline: pic21269.gifinline: ecblank.gif

Re: [widgets] Version string

2008-10-27 Thread Jon Ferraiolo 

We came up with an approach at OpenAjax Alliance for version strings where
the string must begin with N.N (or N.N.N or N.N.N.N) but can contain
arbitrary alpha text after the number value. Then we defined how to do
numeric comparisons between the leading numeric parts of two different
version strings.

*
http://www.openajax.org/member/wiki/OpenAjax_Hub_1.0_Specification_Libraries

Jon




   
 Thomas Roessler   
 [EMAIL PROTECTED]  
 Sent by:   To
 public-webapps-re Marcos Caceres  
 [EMAIL PROTECTED]  [EMAIL PROTECTED]  
cc
   public-webapps  
 10/27/2008 11:13  public-webapps@w3.org 
 AMSubject
   Re: [widgets] Version string
   
   
   
   
   
   





You'll want to define what it means for one version string to be
greater than another one.
--
Thomas Roessler, W3C  [EMAIL PROTECTED]







On 27 Oct 2008, at 17:27, Marcos Caceres wrote:


 Hi All,
 I would like to relax a valid version string to be any string. The
 reason I want to do this is to make it easier to parse a version
 string without requiring any special processing (any string will do).
 We will still recommend the  MIDlet Suite Versioning where Version
 numbers have the format Major.Minor[.Micro] (X.X[.X]).

 This affects the widget element's version attribute and parts of the
 Updates spec in a minor way.

 Kind regards,
 Marcos

 --
 Marcos Caceres
 http://datadriven.com.au



inline: graycol.gifinline: pic20792.gifinline: ecblank.gif

Re: Opting in to cookies - proposal

2008-06-19 Thread Jon Ferraiolo 




 Maciej Stachowiak wrote:
 
 
  On Jun 14, 2008, at 4:23 AM, Jonas Sicking wrote:

...snip...


  I mean, I guess
  it's possible people will do this, but people could add
  Access-Control-Allow-Credentials site-wide too. And if we add
  Access-Control-Allow-Credentials-I-Really-Mean-It, they'll add even
more.

 Yes, this is certainly a possibility. But my hope is that this will
 happen to a smaller extent.


I share the hope smaller extent hope with Jonas, and his latest proposals
look good to me.

My assumption is that 99% of all cross-site XHR usage will not require
credentials/cookies. Therefore, what makes sense is a simple way that
server developers can opt-in to credential-free cross-site XHR which tells
the browser to allow cross-site credential-free XHR to their site. Then, in
an advanced section of the AC spec, talk about how some workflows might
want credentials to be sent, and here is the extra header to enable
credentials (Access-Control-Allow-Credentials), but this section of the
spec should include SHOUTING TEXT about potential dangers and instruct the
developer that he should not enable transmission of credentials unless he
is sure that he needs it and he is sure that he knows what he is doing
(such as understanding what a CSRF attack is). I realize that some
developers won't read the spec carefully or notice the shouting text, but I
expect most tutorials and examples on the Web will follow the lead from the
spec and help to teach people steer clear of the
Access-Control-Allow-Credentials header unless they know what they are
doing.

Jon