[whatwg] Web widgets

Benjamin Smedberg benjamin at smedbergs.us
Wed Jun 7 13:23:32 PDT 2006

A couple weeks ago I was at XTech and talked with some Opera developers 
about the possibility of standardizing a method of doing "web widgets" 
similar to the current Opera widgets (and somewhat similar to Dashboard 
widgets). I am planning on implementing a similar widget functionality for 
mozilla-based browsers and wanted to share a common API that web developers 
could count on for multiple browsers.

Currently, Opera widgets are packaged in an archive (ZIP format) and are 
identified to the browser using a special mimetype. Once installed, widgets 
have elevated privileges, including the ability to perform XMLHttpRequests 
from any domain. Dashboard widgets have even more power, basically granting 
them complete control over the computer.

I have a few issues with the current Opera widget API:

1) By default, widgets should have the permissions of the website they are 
downloaded from. This makes it safe and easy for users to try widgets 
without worrying that the widget might steal personal information. I see the 
use for granting a widget elevated privileges, but I'm not sure how to 
design a sufficiently scary warning that users won't just automatically accept.

e.g. I just installed the "Functions 2d" widget in Opera. There is no reason 
I can see for this widget to have any special privileges (I don't know or 
trust the author). It makes me nervous to install the widget, and I don't 
like feeling nervous.

2) Packaging and downloading widgets as a special archive may not be 
necessary or desirable in all cases. I'd like the mozilla widget 
implementation to use ordinary HTTP caching mechanisms to save the widget data:

window.open("http://example.org/widget.html", "_blank", 

This would open the specfied webpage as a widget; if the user decides to 
keep the widget on their desktop, the browser will pin that page in the HTTP 

For more advanced widgets that need multiple files pinned in the cache for 
offline use, authors should make use of the JAR protocol:

window.open("jar:http://examples.org/widget.jar!/index.svg", "_blank", 

This has the added advantage that in older browser which don't have special 
widget support, the widget is opened in a mostly-chromeless browser window 
and can function in basically the same way the widget would behave in a 
newer browser.

3) Widgets don't have any browser UI for showing security information.

Once you have widgets with the permissions of a website, users should be 
able to figure out which website the widget comes from. This is especially 
important in that case of widgets from secure websites that were given the 
privileges of a certificate. This could be as simple as a little system-menu 
button on one of the corners of the widget which gives access to the SSL 
security info.

If/when agreement about widget APIs is reached, should these be included in 
the Web Applications spec?


cross-posted to dev-apps-firefox and whatwg.

More information about the whatwg mailing list