On Tue, 30 Sep 2008, Robert O'Callahan wrote:
We can easily offer these developers the following options: a) developers of privileged gadgets can whitelist domains that they trust to not subvert the UI
How is this achieved? If I have a chat ("talk to site owner using your $foo chat account") or calendar overlay ("see scheduled events overlaid on your calendar") gadget that is to be embedded freely by third-parties, and offers a "privileged" UI - even if I require sites to pre-register or otherwise build a whitelist of these untrusted domains, I have no assurance they would play nice.
b) privileged gadgets can be offered to the world as long as the IFRAME's own UI is not trusted. For example, gadgets whose purpose is to offer a postMessage API to untrusted container pages would be just fine.
Sure, but then it makes the model drastically different, and suitable for different uses (many privileged gadgets may specifically not want to disclose any presented information to the top level page).
c) spawn new windows/tabs to perform or confirm privileged operations
That's a terrible user experience, by most accounts, and goes against the concept of a gadget; I believe it is often avoided at all costs except when absolutely necessary (e.g., login, where the user needs the opportunity to verify URL, SSL status, etc).
Cheers, /mz
