Missing bits from Widget side
On the widget side, technically, we need to finish the widget URI scheme spec. It currently lacks a proper dereferencing model, which means it does not work well as a protocol. What it needs is to work like blob:// so that it can be used with XMLHttpRequest (i.e., fake HTTP responses). This will allow things like jQuery Mobile to work better… or we need to look at switching to blob://. Also, Widget Updates needs to be finished.
We also need to continue investigating how to get widgets to work better with OAuth. This is a general problem with native applications, and the OAuth 2 spec does not provide too much guidance :(
Politically/Business-wise, we need to get Moz, Google, or somehow get this supported in WebKit… otherwise, this is not going anywhere.
I agree with your characterization of what’s missing from widgets.
I think in general, it will be useful to take a step back and look at the overall landscape of “native Web apps” (including with projects such as PhoneGap), and also define what we expect this group to do (discuss? experiment? specs?).
A more random comment: I remember discussing cases where widgets having HTTP origins would be useful; an idea was that by binding together Widgets Signature & DNSSEC or HTTPS, one could reliably associate a widget with an HTTP origin.
We are still trying to work out what to do with the group. Despite having about 20 members, people have been a bit reluctant to commit to working on anything… maybe we just haven’t found the right thing to work on. I’ve made a few proposals (e.g., an API to allow widgets to be booted from a URI, and passing initialization parameters through a query string).
I’ve not looked at DNSSEC, but it seems like signing a widget with an SSL certificate associated with a website might do the trick. I’m a bit worried, however, that mixing HTTP/HTTPS and content from a widget file might make a mess.
I think it would be a good idea to explore how Widgets Signature & DNSSEC or HTTPS could be used (it does begin to solve some of the origin problems… though I don’t like the idea of faking an origin).
All native apps suffer from the origin problem, so we should look at how that is being addressed (a particular use case is OAuth).