Re: [widgets] MWBP WG Comments of Widgets Reqs LC WD, was Re: Request for Comments on Widgets 1.0 Requirements Last Call WD

[Marcos Caceres]

Hi Bryan,

On Thu, Sep 4, 2008 at 6:42 AM, Sullivan, Bryan [EMAIL PROTECTED] wrote:
 Hi Marcos,
 I was starting to respond and thank you for the inclusion in the previous 
 email when I saw this... having been out for vacation etc I did not get a 
 chance to respond earlier.


Yeah... as you know, I did include the requirements in the
Requirements doc, but I was overruled by the working group and the
consensus was reached to remove them.

 I would like the opportunity to discuss these in detail and support the 
 rationale on the Widgets call. I don't understand the justification for 
 rejection you have described. Overall the requirements represent the core (a 
 limited set) of some pragmatic considerations that will affect the success of 
 widget frameworks in real-world deployments, especially in the mobile device 
 context.

 As you stated: The main reason for rejecting the feedback was that the 
 proposed requirements were: (a) had limited impact on the actual specs (in 
 normative terms),  (b) were overly prescriptive and should really be left as 
 an implementation detail on which implementations can compete, (c) added 
 complexity on either the client side or the server side.

 (a) Is unclear (which specs are you talking about?). The Widget Requirements 
 spec is the one being commented on, and it is giving direction to conforming 
 specification writers (presumably in W3C and externally). Several of the 
 proposed additions were written in normative terms and meant to be so.


At the top of the Widget Requirements document, I list the specs that
make up the Widgets 1.0: Family of Specifications. Those are the
specifications that, possibly in conjunction with other W3C or
external standards, will collectively address the requirements.

During our August 14 teleconf [1], the Working Group reached consensus
that we could not address the requirements within the specs we are
producing or we disagreed with the requirement.  Please refer to the
teleconf minutes [1].

 (b) In which cases were they overly prescriptive. This seems to me to be a 
 value judgment based upon some criteria. The criteria I use is whether there 
 will be significant negative effects on usability, interoperability, or 
 efficiency if the requirements are not supported. Especially in the mobile 
 case, the normative requirements I proposed can be supported in one or more 
 of those terms.


Again, it's not that we disagree with the requirements. It's just that
some of them where prescriptive of technologies that the working group
did not believe actually addressed the requirement (eg. CC/PP, etc.)

 (c) Re complexity, little of value comes free. But overall I don't think any 
 of the proposed normative requirements could reasonably be called complex. I 
 am willing to explain why if given the opportunity.


We welcome all feedback and I'm personally happy to continue
discussing any issues further. However, please be mindful that the
working group is on a very tight deadline for these specifications
(October's TPAC) and we would like to get MWBP's working group's
approval or formal objections (if any) ASAP so we can move the
Requirements forward along the publication track. If possible, we
would really appriciate a formal response on behalf of MWBP by the end
of next week.

Kind regards,
Marcos

[1] http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0417.html
-- 
Marcos Caceres
http://datadriven.com.au

Re: XDomainRequest Integration with AC

[Jonas Sicking]

Anne van Kesteren wrote:


On Fri, 08 Aug 2008 20:44:04 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:
The big worry I have though is if there is any possibility to puny 
encode the same origin in multiple ways (other than with or without 
default port). This could lead to different UAs encoding the same 
origin in different ways, which could lead to interoperability issues 
if sites rather than echoing the 'Origin' header always send out a 
static value for the Access-Control-Allow-Origin header.


Is that possible? I don't think it is. Domain names follow a strict set 
of normalization rules. (That would also mean the Origin header could 
contain different values depending on the implementation, which is not 
the case.)


The only thing that i _know_ of is that:

http://foo.com
and
http://foo.com:80

are the same origin but have different string representations. I have 
also heard that some UAs are able to handle non-ascii characters in 
header values by somehow specifying an encoding. I don't really know how 
that works, but for those UAs the following to origins would be equivalent:


http://www.xn--jrnspikar-v2a.com
and
http://www.järnspikar.com

/ Jonas

Re: XDomainRequest Integration with AC

[Anne van Kesteren]

On Fri, 05 Sep 2008 09:43:29 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:

The only thing that i _know_ of is that:

http://foo.com
and
http://foo.com:80

are the same origin but have different string representations.


Yes, authors would have to use the former. (The former is also what Origin  
will tell them as well.)



I have also heard that some UAs are able to handle non-ascii characters  
in header values by somehow specifying an encoding. I don't really know  
how that works, but for those UAs the following to origins would be  
equivalent:


http://www.xn--jrnspikar-v2a.com
and
http://www.järnspikar.com


Using the latter is non-conforming for Origin and also non-conforming for  
Access-Control-Allow-Origin, which per its current definition either  
mathces Origin literally or is a wildcard. So currently RFC 2047  
extensions are simply not supported (and not needeD) by the specification.  
Given that interoperability on encoded-word is very poor I suggest we keep  
it that way.



--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/

[xmlhttprequest2] timeout and JSON

[Anne van Kesteren]

On Fri, 05 Sep 2008 02:36:58 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:

1. A timeout property like the one on microsofts XDR. I haven't looked
into the specifics of XDRs property, but I would think that an
'abort' event should fire as well as readystate transitioning to
something if the timeout is reached.


What's wrong with using setTimeout?



2. A .responseJSON property. This would return the same thing as the
following code:

if (xhr.readyState != 4) {
  return null;
}
return JSON.parse(xhr.responseText);

However there are a few details that can be quibbled about:
a) Should a partial result be returned during readystate 3
b) If the property is gotten multiple times, should that return the
   same or a new object every time.


What's wrong with using JSON.parse?


(I'm not necessarily opposed, but I'd like to only add features that are  
necessary.)



--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/

Re: XDomainRequest Integration with AC

[Julian Reschke]

Anne van Kesteren wrote:

...
Using the latter is non-conforming for Origin and also non-conforming 
for Access-Control-Allow-Origin, which per its current definition either 
mathces Origin literally or is a wildcard. So currently RFC 2047 
extensions are simply not supported (and not needeD) by the 
specification. Given that interoperability on encoded-word is very poor 
I suggest we keep it that way.

...


By all means, please do so. Maybe add a warning that RFC 2047 encoding 
is *not* allowed?


BR, Julian

Re: XDomainRequest Integration with AC

[Boris Zbarsky]

Anne van Kesteren wrote:

On Fri, 05 Sep 2008 09:43:29 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:

http://foo.com
and
http://foo.com:80

are the same origin but have different string representations.


Yes, authors would have to use the former. (The former is also what 
Origin will tell them as well.)


I might be missing some context here... but use the former where, 
exactly?  Would a page loaded from the latter not be able to do AC stuff?


In general, I think forcing authors to think about whether the port is 
included is really poor practice and sounds like it would break 
real-world systems (e.g. any system that wants to run HTTP servers on 
multiple ports and just always specifies ports everywhere instead of 
specifying 8080 but not 80).


Handling this in UAs is almost certainly reasonably straightforward 
(have to replace string compares with origin object compares, with the 
objects doing port normalization as needed).  It doesn't seem like it 
would be hard to deal with in the spec either, though obviously it's a 
bit more work than just not dealing.  So I'm not sure why we want to 
break the long-standing (and imo obvious per the relevant RFCs) 
convention that you get the same behavior for http:// no matter whether 
the port is explicitly listed as 80.


-Boris

Re: XDomainRequest Integration with AC

[Anne van Kesteren]

On Fri, 05 Sep 2008 14:42:45 +0200, Boris Zbarsky [EMAIL PROTECTED] wrote:

Anne van Kesteren wrote:
On Fri, 05 Sep 2008 09:43:29 +0200, Jonas Sicking [EMAIL PROTECTED]  
wrote:

http://foo.com
and
http://foo.com:80

are the same origin but have different string representations.
 Yes, authors would have to use the former. (The former is also what  
Origin will tell them as well.)


I might be missing some context here... but use the former where,  
exactly?


In the Access-Control-Allow-Origin header.



 Would a page loaded from the latter not be able to do AC stuff?


That wouldn't matter.


In general, I think forcing authors to think about whether the port is  
included is really poor practice and sounds like it would break  
real-world systems (e.g. any system that wants to run HTTP servers on  
multiple ports and just always specifies ports everywhere instead of  
specifying 8080 but not 80).


Handling this in UAs is almost certainly reasonably straightforward  
(have to replace string compares with origin object compares, with the  
objects doing port normalization as needed).  It doesn't seem like it  
would be hard to deal with in the spec either, though obviously it's a  
bit more work than just not dealing.  So I'm not sure why we want to  
break the long-standing (and imo obvious per the relevant RFCs)  
convention that you get the same behavior for http:// no matter whether  
the port is explicitly listed as 80.


That sounds reasonable. What's currently specified is equivalent to what  
HTML 5 specifies for the WebSocket protocol. It seemed reasonable to keep  
the two synchronized somewhat though maybe they should both change.


Though do note that the value authors get (through the Origin header) will  
be without the default port so authors will have to deal with this anyway.



--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/

Re: [widgets] OMTP input to W3C Widget Requirements (1 of 2)

[Marcos Caceres]

Hi All,
I've now integrated the OMTP requirements into the Req spec. OMTP
crew, I'm made lots of edits (and dropped some of your requirements
with Mark's permission) so please check to see that your intent is
still conveyed (and that I haven't introduced any new typos, etc.).

Apologies to those who are still waiting for me to respond to your
comments, I'm going as fast as I can and will do my best to address
everyone's comments within the next week.

Kind regards,
Marcos
[1] http://dev.w3.org/2006/waf/widgets-reqs/
On Fri, Aug 1, 2008 at 12:30 PM, David Rogers [EMAIL PROTECTED] wrote:
 Dear Art, Marcos and all,



 Please find attached the OMTP BONDI input to the W3C Web Applications WG
 Widget Requirements last call. I've extracted the text of the input below.
 Please note this is the first of two sets of input. This first input
 contains comments to existing requirements and proposals for new
 requirements. The second document contains more general comments, applicable
 to the Widget Requirements and also the Packaging and Configuration work.



 Introduction



 OMTP is a forum backed by many of the largest mobile operators and has
 members from many hardware and software vendors across the value chain.

 It was set up with the aim of gathering and driving mobile terminal
 requirements to ensure consistent and secure implementations, thereby
 reducing fragmentation and simplifying the customer experience of mobile
 data services. OMTP recommendations benefit carriers, content providers,
 middleware vendors and handset manufacturers to develop open and compatible
 mobile devices.  OMTP have created their BONDI initiative to specifically
 address the problem of fragmentation in the evolution of the mobile web and
 to ensure the protection of the user from malicious web based services. The
 BONDI initiative will be delivering documentation throughout 2008 with the
 aim of driving activities in other appropriate standardisation and industry
 bodies such as W3C.

 Devices supporting some of the features of BONDI will become available in
 2009.

 This document forms the input from BONDI relating to the security aspects of
 the W3C Widgets: 1.0 Requirements found at
 http://www.w3.org/TR/2008/WD-widgets-reqs-20080625/.

 The document is divided into two parts; the first part details proposed
 changes to existing W3C requirements, the second part proposes new
 requirements that for inclusion.



 Part I - Changes to Existing Requirements Proposed By BONDI



 R11. Digital Signature

 We suggest the following re-wording of the existing requirement so that it
 reads:

 A conforming specification MUST specify a means to verify the authenticity
 and integrity of all resources in a widget resource, with the exception of
 any resources explicitly excluded by the specification. A conforming
 specification MUST provide this capability by specifying a processing model
 for generating and verifying a digital signature associated to a widget
 resource. The digital signature scheme MUST be compatible with existing
 Public Key Infrastructures (PKI), particularly X.509 digital certificates.
 In addition, the recommended digital signature format SHALL support the
 ability to include a certificate chain with a digital signature to enable
 the receiving device to build a certificate chain from the end entity
 certificate used to generate the signature to a locally stored root
 certificate. In addition, the recommended digital signature format SHOULD
 support the ability for a widget resource to be signed using multiple end
 entity keys (i.e. it SHOULD be possible to include multiple signatures and
 associated certificate chains).

 The proposed changes attempt to tighten and clarify the use of digital
 signatures and certificate chains. In addition we suggest that the following
 text should be added to the existing requirement:

 A conforming specification SHALL specify the expected behaviour when
 multiple signatures and certificate chains are provided. A conforming
 specification SHALL specify that if none of the signatures and certificate
 chains can be verified, e.g. because of missing root certificates or where
 any certificates in the chain have expired or are not yet valid, then the
 widget resource SHALL be treated as unsigned. A conforming specification
 SHALL specify that the widget environment SHALL not install or load a
 widget resource when it can determine that any certificate in the chain has
 been revoked.

 This addition is to ensure that there is a consistent behaviour when
 verifying signatures and certificate chains, especially in error cases in
 which the verification fails because of missing certificates and in which
 one of the certificates has been revoked.  We use the term load to cover the
 case in which a widget is not subject to an installation event.



 In addition, we suggest the following changes to the Rationale:



 To provide a means to verify authenticity, check data integrity, and
 

Re: Comments on Widgets 1.0: Requirements - Editor's Draft 15 August 2008

[Marcos Caceres]

Hi Josh,
Please approve the following corrections. Your comments did not
require any further clarification from my part.

Kind regards,
Marcos

On Thu, Aug 21, 2008 at 2:57 PM, timeless [EMAIL PROTECTED] wrote:

 http://dev.w3.org/2006/waf/widgets-reqs/ - Editor's Draft  15 August 2008

 I'm very sorry about the delay, other things came up, most of my
 comments below are really English grammar notes and aren't
 particularly important (some are spelling which are just embarrassing)

I put them in on purpose to keep you on your toes:)

 I believe my only major comment, which I didn't learn until last week
 (i.e. I wouldn't have known to comment about before the expiry period)
 is this point on 4-R12:

 I ran across a problem here (in 4-R12); we're internally discussing
 proxies (for mobile devices) that want to recompress data on the fly,
 they'd *love* to compress the files in a zip (thereby reducing the
 download size to the device), but in order for that to work, we'd need
 to make sure it doesn't break the signing. In general, keeping the
 radio on for larger downloads is a significant drain on device use
 time, and as such anything that can enable devices to leave it on for
 shorter periods is seen as a significant win (note this isn't asking
 that people use BZ2 or some extremely expensive to decompress
 algorithm, although I'm not actually sure if even that would be more
 expensive than the radio, but simple compression algorithms are
 definitely cheaper).

(This now refers to R11). The spec is designed in such a way that
recompressing will not break the signature.

 And yes, I'm aware that some people may download archives which have
 external pgp signatures. I don't expect mobile devices behind such
 proxies to have any interest in doing that, whereas I do expect them
 to want to access widgets. Given some of the things that the proxies
 have considered doing, I'm fairly certain they're not particularly
 worried about breaking a pgp signature (they don't seem to mind lossy
 image compression) .

 3-Web and offline distribution:
 It must be possible to perform updates from either an online or offline 
 source.

 but not both?

True. Changed to It must be possible to perform updates from online
and offline sources

 * Already a de facto standard on market-leading widget user agents on both 
 desktops and mobile devices.

 this sounds wrong w/o included or supported, but i don't know how to fix 
 it.

Changed to already the supported de facto standard on market-leading
widget user agents 

 4-R7-Rationale:
 ...variation in character encoding ...may render a widget ...inoperable 
 ...unless a comment character encoding is used.

 'comment'?

Fixed.

 4-R12

 authorities (i.e., multiple signatures).

 drop the comma here - only use it for lists - see (e.g. 100 years from
 date of the a specification reaching Recommendation Status W3C
 Process)

fixed.

 4-R16-Copyright Notice and License Metadata

 A conforming specification MUST specify the structure and semantics of 
 fields that explicitly reference, or otherwise include, a software license 
 agreement or notice, and declare who holds the copyright for the widget, as 
 well as a model for how this data must be processed by a widget user agent.

 the English here seems wrong 'and' again seems to be in the wrong
 place  actually the sentence is just too long and complicated. :)

Broke it up into two sentences.

 R17. Visual Rendering Dimensions

 or any dimensional values implicitly computed by the widget user agent.

 should we make sure there's a way to let user specified styles
 override application styles?

 ...

 4-R18-Rationale:
 ... (e.g., '/ui/clock.svg').

 drop , (see earlier)

fixed

 Alternatively, the bootstrap might be a Web page that when combined with the 
 visual rendering dimensions requirement displays at the appropriate size.

 the bootstrap _process|file|?_

Changed to resource might be a HTML document that when..

 4-R25-Rationale:
NOT A RATIONALE!!

 this doesn't look like something that should be published :(

Sorry, that was note to myself. Removed.

 R33. Cross-Widget Communication
 (pairing and unparring).

 unpairing.

fixed.

 R34. Icon API
To allow widget to

 widgets (please check globally)


Fixed. Checked.

 R36. Open Default System Web Browser
 To allow author to open a URL in the default system web browser.

 authors (please check this globally)

Fixed. Checked.

 R38. Additional Digital Certificates
 A conforming specification SHOULD NOT recommend that,
 aside from including standard root certificates,
 widget user agent allow end-users to install digital certificates
 from other trusted sources.

 Rationale:
 To allow authors and publisher to sign widgets.

 the requirement and the rationale don't seem to match.

Good point. This was a SHOULD and got changed to a SHOULD NOT...
this is now an open issue AFAIK.

 R40. Automatic Updates

 what happens if i have 3 instances of a widget? do they all get 

FileUpload Editor | Re: File Upload Status ?

[Arun Ranganathan]

All,

On behalf of Mozilla, I'd like to take over as editor of the FileUpload 
spec., which was actually once assigned to me quite some time ago :)


Of course, I think that

form.getDataAsString();
  
form serialization is out of scope of this particular specification, but 
I think other things like Blobs (as per the Google Gears proposal -- 
maybe a File interface can have a getBlobs on it) are probably in, as 
well as some other interface proposals by Opera, etc.  Security makes or 
breaks all of this, so I'll start with the restrictions we've put on 
this as a strawperson.  After talking to Jonas, I also think File 
Download should be in scope, again modulo security which, following a 
straw person, is a welcome group discussion.


I've gotten CVS access from Mike.  I'd like till the end of the week 
(next week) to turn around a a first revision.


-- A*