On 02/02/07, Marcos Caceres <[EMAIL PROTECTED]> wrote:
I agree; the security API requirements are still fairly underspecified and maybe it should be a MUST that all widgets include a manifest (R11). My feeling is that we need to make a whole new requirements section just devoted to the security context at large (including APIs).
That would be great.
Is this kinda what you mean by "fully addressing"? Or are you also saying that it would be required that some kind of user intreface alert is presented to the user? Should this be part of the requirement's document or part of the Widgets 1.0 spec itself?
I don't think it would be useful to specify specific UI's or anything, implementors are best placed to know the best way to handle it for their situation. What I would like to be able to see is something that says provided APIs should be at more than just FULL TRUST, so I could have a widget on my phone that was allowed to make a web request, but not one that was allowed to make a phone call. I'm afraid I have nothing to help you though.
Nevertheless, I don't agree that widget should be able to change the update IRI as I see that as a security issue
I didn't say I agreed with it either, I just thought it was slightly pre-judging the future for a requirements doc. I'm happy either way though. Cheers, Jim.
