[whatwg] Suggestion for a Specification: XUL Basic

Jose Dinuncio jdinunci at uc.edu.ve
Thu Jun 10 11:24:10 PDT 2004

On Thu, 10-06-2004 at 11:32, Ian Hickson wrote:
> On Thu, 10 Jun 2004, Jose Dinuncio wrote:
> >>>
> >>> *) There is a need for WAOB: In intranets, security of the web app
> >>> downloaded is not a concern. In client-server applications, it would be
> >>> nice to download an always-up-to-date thin client every time you need
> >>> it.
> >>
> >> How can you tell if the intranet content is trusted or not?
> >
> > I don't see which is the difference on security concerns between using an
> > intranet inside the browser vs. outside the browser.
> There are several problems. First, how do you know it's an intranet page?
> Second, why are you assuming everyone in the intranet is trusted? There
> are many scenarios -- for example, school networks -- where the intranet
> is even more hostile than the internet.

I think I've understood the reason for our divergences. If I interpret
you rightly, the problem is that an intranet user is visiting an insecure
site inside the intranet and a web app pops up and he is fooled into using
this app. The scenario I have in mind is another one: you need to do
your job using several well known web apps in your intranet. You know
that the CRM app is at http://mydoamin.com/crm. That's it: navigation
vs. app delivery.

I don't see web apps just as an improved www, but also as a
replacement in several circumstances.

And again, there is no hostile environment that affects in a special way web
apps outside the browser.

> >>> *) The cost of adding this feature in the SPEC is not so big: It is Web
> >>> forms outside html. Subtract CSS and add the window and layout tags,
> >>> and that's all.
> >>
> >> I don't see why you have to subtract CSS, but sure, actually doing a
> >> chromeless Web page is easy.
> >
> > What I mean is, since web forms are not inside an html doc (in my wildest
> > dreams at least) there's no <table> or <p> or CSS to help you in the
> > components layout. So the layout is determined by <hlayout>, <vlayout>
> > and friends.
> Presentational markup is very bad for accessibility. Whatever language you
> use, you would want it to be semantic. And luckily we have this semantic
> language right here and already supported in several browsers... HTML. :-)

Ok. But if web apps outside the browser are to be implemented, a way to
attach info to the window would be necessary (again, menu bar,
control bar, status bar, close button...)

> >> The biggest problem is simply: How can you tell that the content you
> >> have is trusted enough that it should be run without any of the browser
> >> chrome?
> >
> > This is a problem that goes beyond any SPEC. The browser chrome won't
> > help you to determine what the app is doing behind scenes, anyway.
> No but it will tell you whether the application is from www.paypal.com or
> hostile.intranet.example.com, even if the actual content looks identical
> in both.

Security by browser chrome doesn't seem the way to go.

> > Security concerns are orthogonal to the web app being executed inside or
> > outside the browser.
> Security, yes, but we're talking about spoofing, and trust, and that is
> not at all unrelated. It is in fact the major issue.

Yes, but again, this applies both to web apps inside and outside the
browser. A complete answer, if possible, stands on several technologies
and is applicable in both cases.

I'm trying to keep open a path to WAOB. I think this feature can play an
important role in the future of this project.

Jose Dinuncio <jdinunci at uc.edu.ve>
Universidad de Carabobo
