On Tue, 26 May 2009 17:38:48 +0200, Jean-Claude Dufourd
<jean-claude.dufo...@telecom-paristech.fr> wrote:
> 2- the browser will have to resolve the relative URI to an absolute URI
> because of the DOM spec, hence a possible vulnerability by divulging
> private information (e.g. actual name of current user in file: URI
> example of Apple Dashboard widgets) to scripts running in the widget.
> ...
> Marcos mentions the widget V2 spec and extensibility as one reason for
> adopting the proposed URI scheme. I would like to understand how V2 and
> extensibility could make the URI scheme either seen by the author or
> exchanged between implementations, or make its absence otherwise imperil
> implementations.
> Thanks.

The main issue here, I think, is one of being proactive on this front.
Given that absolute URIs are required for resolution, and that UA vendors
will, unless specified, have to pick a URI scheme of their own, the
situation may well arise where they have specified something that would
either be insecure (e.g. file:), incompatible (again, file:) or
inappropriate (all schemes that fail to make query strings and fragment
identifiers useful).
--
Arve Bersvendsen
Opera Software ASA, http://www.opera.com/