-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use the 'scope' in the send() method #32
Comments
It uses ``scope` in step 6 of the algorithm. On the receiving side, the scope is used by the clients directly. Since any native client could forge a web tag content (and we don't have a good solution against it), filtering based on scope is syntactic sugar - we thought it's simpler to just expose the scope to clients. In turn, we can enforce policy on sending: at least web pages cannot write a scope which is not a subdomain match of their origin. Any suggestions on changing the receiving part behavior? |
Step 6 says "set scope to the DOMString describing the document base URL." That makes scope a local variable in the algorithm, but it's not used after that. Did you mean to set Is "the receiving side" the tag or peer in steps 10–12? What's a "client"? It looks like you may be talking about later web sites that read the tag/peer, but in #2, @sicking is worried about the effect of writing data to the NFC tag/peer, not just the effect on later websites. |
Indeed the algorithm changed so many time that now the description is inconsistent... I am working to fix it. By "receiving side" I meant both tag reading and incoming peer message. We just expose the writing/sending scope, without filtering by scope. Matching writer origin to tag scope happens before writes. Even that is challenged by some people, saying why not be able to override just any web tag from any page (once the user agrees). That would actually make scope purely informative. |
Thanks. Re
which step of which algorithm does that? I haven't been able to find it. (I'm also skeptical of the need to do it, but as long as we're claiming to satisfy the requests in #2, we should be sure to actually satisfy them.) |
For the record, the policies user agents (currently) should implement are:
This last one is challenged, because
So I think we could relax the last policy, making scope informative (which origin has written/sent the data). But let me fix the latest number of issues and return to this bit later. |
This has become obsolete. |
The send() method discusses setting scope, but then it never uses the scope. Presumably this is where you'd check the
id
field of the peer or tag before actually writing.The text was updated successfully, but these errors were encountered: