W3C

Widget Updates

W3C Working Draft 28 September 2010

This version:
http://www.w3.org/TR/2010/WD-widgets-updates-20100928/
Latest published version:
http://www.w3.org/TR/widgets-updates/
Latest editor's draft:
http://dev.w3.org/2006/waf/widgets-updates/
Previous version:
http://www.w3.org/TR/2010/WD-widgets-updates-20100413/
Editors:
Marcos Cáceres, Opera Software
Richard Tibbett, Opera Software
Robin Berjon, Vodafone

Copyright © 2010 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.

Abstract

This specification defines a process and a document format to allow a user agent to update an installed widget package with a different version of a widget package. A widget cannot update itself; instead, a widget relies on the user agent to manage the update process. A user agent can perform an update over HTTP and from non-HTTP sources (e.g., directly from a device's memory card or hard disk).

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

Implementers should be aware that this document is not stable and should not be implemented. Implementers who are not taking part in the discussions are likely to find the specification changing out from under them in incompatible ways. Vendors interested in implementing this document before it eventually reaches the Candidate Recommendation stage should join the group's public mailing list and take part in the discussions.

User agents that wish to extend this specification in any way are encouraged to discuss their extensions on a public forum, such as public-webapps so their extensions can be considered for standardization.

This specification is part of the Widgets Family of Specifications.

This Specification takes into account the recommendations from the Widget Updates Patent Advisory Group and considering the large set of prior art the PAG found.

This document was published by the Web Applications WG as a Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-webapps@w3.org (subscribe, archives). All feedback is welcome.

Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1. Introduction

This section is non-normative.

There are a multitude of reasons why authors might want to update a widget including addressing security vulnerabilities, making performance enhancements, and adding new features. Sometimes authors may even want to revert back to a previous version of a widget, if it is found that a newly deployed version of a widget contains issues or vulnerabilities.

To facilitate the process of updating widgets, this specification introduces an XML element, called update-description, that is included into a configuration document of a widget. This specificaiton also introduces a new XML vocabulary, called an update description document. The update-description element provides an author with a means to point to an update description document. An update description document is metadata about an widget update including:

If a user agent determines, via the strategies defined in this specification, that two widget packages are not the same version, and if the user consents, the user agent will attempt to replace the currently installed widget package with a potential update. Updates are designed to retain any locally stored data, so to protect end-users from losing data that a widget may have stored at runtime.

This specification also defines the rules that govern the interactions between the user agent, the update description document, and the updated widget.

2. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words must, must not, required, should, should not, recommended, may, and optional in this specification are to be interpreted as described in [RFC2119].

This specification defines conformance requirements for a single class of product: user agents.

3. Definitions

The concepts of a widget package and a configuration document are defined in the [WIDGETS] specification.

A user agent is an implementation of this specification that also implements the [WIDGETS] specification and its dependencies.

An installed widget is a widget package that has been correctly installed on a user agent.

An update description source is the URI referenced by the href attribute of an update-description element of an installed widget's configuration document.

An update description document is an [XML10] document that has a update-info element at its root.

An update source is the URI referenced by the src attribute of an update-info element of an update description document.

A potential update is a resource acquired via HTTP from an update source or from local media.

The widget update process is a multi-step process whereby a user agent acquires a potential update, performs the rule for verifying a widget update, and then proceeds to install the widget package.

The identity of a widget package is determined by the id attribute of the widget element declared by an author in the configuration document of a widget package.

The version of a widget package is determined by the version attribute of the widget element declared by an author in the configuration document of a widget package.

An incumbent widget is an installed widget that is determined to have the same identity as the potential update.

An installed widget is said to be up-to-date if a user agent determins that an incumbent widget does not need updating.

A failure notification is an optional message emitted by the user agent to indicate to the user that a widget update has failed.

Note: This specification does not define the means or format of a failure notification, which is left up to implementers.

3.1 Value types

The space characters, valid URI, and valid version-tag are defined in the Widget Packaging and Configuration specification [WIDGETS].

4. Extensions to Configuration Document

As stated above, this specification introduces a new element to the configuration document defined in [WIDGETS]. This new element is defined below.

4.1 The update-description Element

The update-description element points, via the href attribute, to an update description document.

The update-description element is in the http://www.w3.org/ns/widgets namespace as defined in [WIDGETS].

Context in which this element is used:
As a child of the widget element defined in the [WIDGETS] specification.
Content model:
Empty.
Occurrences:
Zero or one.
Expected children:
None.
Localizable via xml:lang:
No.

4.1.1 Attributes

href
A URI attribute that points to the location of an update description document.

4.1.2 Usage example

This example shows the expected usage of the update-description element. 

<widget xmlns  ="http://www.w3.org/ns/widgets" 
        id     ="http://example.com/my-widget" 
        version="1.0">

<update-description 
   href="http//example.com/update?widget=my-widget&amp;version=1.0"/>

</widget>

4.2 Processing update-description elements in the Configuration Document

This section describes the algorithm for processing the update-description element.

  1. A user agent must add the following to the Table of Configuration Defaults [WIDGETS] during Step 3 - Set the Configuration defaults.
Table of Configuration Defaults (addendum)
Variable Type Default Value Overridden in Description
update href URI null Processing update-description elements in the Configuration Document The URI for where an update description can be downloaded, corresponding to the update-description element's href attribute.

  1. During Step 7 - Process the Configuration Document, if this is not the first update-description element, then the user agent must ignore this element and its descendants.
  2. If this is the first update-description element and the href attribute is used, and it is a valid uri, then let update href be the value of the href attribute. Otherwise, this elements is in error and the user agent must ignore this element.

5. Update Description Document

Within an update description document an author declares, amongst other things, what's new or different in the potential update, the version that the widget will be updated to, and the URI from where the user agent can retrieve the potential update (the update source).

The purpose of the update description document is to provide the details about a potential update, including a pointer to a HTTP resource that will act as the potential update.

In order for a user agent to retrieve and process an update description document, an author must initially declare a valid URI for the update-description element in the installed configuration document (e.g. <update-description href="https://example.com/myWidget/updates"/>).

5.1 Example Update Description Document

Below is an example of a typical update description document. 

<update-info xmlns   = "http://www.w3.org/ns/widgets"
             src     = "https://w.example.com/2.1/RC/app.wgt"
             version = "RC2.1">

  <details>
    Now supporting X, Y and Z features!
  </details>
</update-info>

5.2 Namespace

All elements defined to be used in an update description document are in the http://www.w3.org/ns/widgets namespace as defined in [WIDGETS].

5.3 The update-info Element

The update-info element is intended to provide metadata about the potential update. In addition, it serves as a container for the other elements; as such, it must be used.

Context in which this element may be used:
The root element of an update description document.
Content model:
Zero or more details elements.
Occurrences:
Exactly one, at the root element of the document.
Expected children:
details.
Localizable via xml:lang:
No.

5.3.1 Attributes

version
A valid version tag that denotes the version number of the potential update.
src
A valid URI that references a potential update. Over the wire, the potential update must be labeled with a correct widget media type (i.e. application/widget).

5.3.2 Usage example

The example below shows how the update-info element can be used. 

<update-info xmlns="http://www.w3.org/ns/widgets"
             src="http://sometld/somewidget_0_3_BETA.wgt"
             version="BETA 0.3">
           
</update-info>

5.4 The details Element

The details element represents a human-readable description of what differentiates this potential update from other versions.

Context in which this element can be used:
Inside a update-info element.
Content model:
Anything.
Occurrences:
Zero or more.
Expected children:
Anything.
Localizable via xml:lang:
Yes.

5.4.1 Usage example

The example below shows how the details element can be used. 


<update-info xmlns="http://www.w3.org/ns/widgets"
             src="http://foo.com/widget.wgt"
             version="1.3.1">
  <details>
    This update tries to make 2010 a little bit less like "1984".
  </details>
</update-info>

6. Acquiring an Update Description Document

The authoritative update URI is the update source of an installed widget's configuration document.

A user agent must support the capability to acquire an update description document over HTTP protocols. For non-HTTP protocols, UAs should act in equivalent ways.

It is expected that user agents will perform a widget update process asynchronously and periodically check for any available updates. The timing of any widget update process is an implementation detail left to the discretion of the implementer (e.g. once a day or once a week).

To check for updates to a widget, the user agent issues a HTTP request towards the authoritative update URI.

The user agent should send the last known ETag response value, if available, in an If-None-Match header.

The user agent should send an If-Modified-Since header indicating the time of the last check for an update from the user agent.

If the widget is displaying localized content, the user agent should send an Accept-Encoding header representing the widget's locale.

As data is received, the user agent will then act as follows.

The user agent should ignore any Cache-Control or Pragma header with a value of no-cache.

The user agent should honor the value of any Expires header when scheduling the next widget update process for the current installed widget.

HTTP 200 OK responses with a Content-Type header specifying the type application/xml must be processed according to the rules defined in Processing an Update Description Document.

HTTP 200 OK responses that have a Content-Type other than application/xml must cause the user agent to terminate the widget update.

HTTP 204 No Content, 205 Reset Content, and 304 Not Modified responses are equivalent to 200 OK responses with a Content-Type other than application/xml.

Other HTTP response codes in the 2xx range must terminate the widget update. They are, however, likely to indicate an error has occurred somewhere and may cause the user agent to emit a warning.

HTTP 301 Moved Permanently, 302 Found, 303 See Other, and 307 Temporary Redirect responses must cause the user agent to reconnect using the new server specified URL instead of the previously specified URL.

HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required should be treated transparently as for any other subresource.

Any other HTTP response code not listed here, and any network error that prevents the HTTP connection from being established in the first place (e.g. DNS errors), must cause the user agent to terminate the widget update.

7. Processing an Update Description Document

A user agent must assume the following defaults prior to processing an update description document:

Update Defaults
Variable Type Default value Description
update-source URI null
version-tag DOMString null
details DOMString null

A user agent must process an update description document according to the rule for processing an update description document.

The following processing model is written with more concern for clarity over efficiency. As such, a user agent can optimize the processing model so long as the end result is indistinguishable from the result that would be obtained by the following the specification.

The term in error, typically used on an element or attribute, means that the element, attribute, or other construct does not conform to the rules of this specification. Rules for exactly how a user agent needs to treat the erroneous construct are always given when the term is used.

When an invalid update description document is determined, the user agent must terminate the current widget update process.

The rule for processing an update description document is defined as follows:

  1. Let doc be the result of parsing the acquired update description document as a [DOM-LEVEL-3-CORE] Document using a [XML-NAMES]-aware parser. If the document is not well-formed [XML10], then treat this as an invalid update description document.
  2. Let root element be the documentElement of doc.
  3. If the root element is not a update-info element in the widget namespace, then treat this update description document as an invalid update description document.
  4. If the root element is a update-info element:
    1. If the version attribute was used, and it is a valid version-tag, then let version-tag be the value of version.
    2. If no version attribute was used, or the value was in error, treat this as an invalid update description document.
    3. If the src attribute was used, and it is a valid URI, then let update-source be the value of src.
    4. If no src attribute was used, or the value was in error, treat this as an invalid update description document.
  5. For any child element of the root element:
    1. If the child element is a details element:
      1. If this is not the first details element, then the element is in error and must be ignored.
      2. Let details be the result of applying the rule for getting text content [WIDGETS] to this element.
    2. Otherwise it must be ignored.

8. Verifying and Installing an Update

When a user agent is to install the widget package it must remove any incumbent widget and add the potential update as an installed widget.

When a user agent is to terminate the widget update the user agent must terminate the current widget update process. The user agent may emit a failure notification warning that the widget update has been terminated.

To verify and install a potential update the user agent must apply the rule for verifying a widget update.

The rule for verifying a widget update enables a user agent to match and verify a potential update - acquired via HTTP or from local media - with an installed widget package and is defined as follows:

  1. Apply the steps for processing a widget package [WIDGETS] to the obtained potential update.
  2. If an incumbent widget could not be found then skip the rest of this rule and install the widget package.
  3. If the incumbent widget has the same version as the potential update then the installed widget is up-to-date and the user agent must terminate the widget update.
  4. If the potential update is determined to be a digitally-signed widget package when applying the rules for signature validation [WIDGETS-DIGSIG] then the user agent will act as follows:
  5. The user agent must install the widget package.

9. Security Considerations

Because an update description document is not self-contained, it is conceivable that the update model could be subject to a man-in-the-middle attack, as with any unencrypted requests performed over [HTTP11]. For this reason, it is recommended that, for widgets that have not been digitally signed, updates are always performed over [HTTP-TLS].

Another means of protection is for authors to always digitally sign their widget resources. During an update, the user agent will then validate the signature before installation, ensuring that a widget resource's identity and integrity was maintained over the network.

Without the availability of a digitally signed installed widget, it is extremely easy to overwrite a widget resource with another (potentially malicious) widget resource. Therefore it is recommended that a user agent only allow updates to a signed installed widget or to a non-signed installed widget only from a potential update obtained via its authoritative update URI.

A. Design Goals and Requirements

This section is non-normative.

This document addresses the Remote and Local Updates the requirement of the 30 April 2009 Working Draft of the Widgets 1.0: Requirements Document (see [WIDGETS-REQS]).

B. Acknowledgements

The editors would like to thank the following contributors (in no particular order): Raine Hillebrand.

C. References

C.1 Normative references

[DOM-LEVEL-3-CORE]
Gavin Nicol; et al. Document Object Model (DOM) Level 3 Core Specification. 7 April 2004. W3C Recommendation. URL: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Internet RFC 2119. URL: http://www.ietf.org/rfc/rfc2119.txt
[WIDGETS]
Marcos Caceres. Widget Packaging and Configuration. 01 December 2009. W3C Candidate Recommendation. (Work in progress.) URL: http://www.w3.org/TR/2009/CR-widgets-20091201/
[WIDGETS-DIGSIG]
Marcos Caceres. Widgets 1.0: Digital Signature. 14 April 2008. W3C Working Draft. (Work in progress.) URL: http://www.w3.org/TR/2008/WD-widgets-digsig-20080414
[XML-NAMES]
Richard Tobin; et al. Namespaces in XML 1.0 (Third Edition). 8 December 2009. W3C Recommendation. URL: http://www.w3.org/TR/2009/REC-xml-names-20091208/
[XML10]
C. M. Sperberg-McQueen; et al. Extensible Markup Language (XML) 1.0 (Fifth Edition). 26 November 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xml-20081126/

C.2 Informative references

[HTTP-TLS]
E. Rescorla. HTTP Over TLS. May 2000. Internet RFC 2818. URL: http://www.ietf.org/rfc/rfc2818.txt
[HTTP11]
R. Fielding; et al. Hypertext Transfer Protocol - HTTP/1.1. June 1999. Internet RFC 2616. URL: http://www.ietf.org/rfc/rfc2616.txt
[WIDGETS-REQS]
Marcos Caceres. Widgets 1.0: Requirements. 30 April 2009. W3C Working Draft. (Work in progress.) URL: http://www.w3.org/TR/2009/WD-widgets-reqs-20090430