<br><br><div class="gmail_quote">On Fri, Apr 11, 2008 at 1:37 PM, Eben Eliason <<a href="mailto:eben.eliason@gmail.com">eben.eliason@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Fri, Apr 11, 2008 at 11:15 AM, Bert Freudenberg <<a href="mailto:bert@freudenbergs.de">bert@freudenbergs.de</a>> wrote:<br>
><br>
> On 11.04.2008, at 07:12, Eben Eliason wrote:<br>
> > On Fri, Apr 11, 2008 at 10:03 AM, Jameson Chema Quinn<br>
> > <<a href="mailto:jquinn@cs.oberlin.edu">jquinn@cs.oberlin.edu</a>> wrote:<br>
> >> I'm assuming that the data would only go one way. In that case, the<br>
> >> permission would be, an app without P_NETWORK would not be able to<br>
> >> request<br>
> >> opening of apps with P_NETWORK. No new permissions needed, just<br>
> >> careful<br>
> >> attention to the ones we have.<br>
> ><br>
> > Sorry, I'm not sure I understand this particular requirement. The<br>
> > activity launched will be completely isolated from that which<br>
> > requested it. Why would we need to make this statement hold? If I<br>
> > have, for instance, chosen to trust my web browser to use P_NETWORK,<br>
> > then why should it matter that it was asked to launch by something<br>
> > that didn't?<br>
><br>
><br>
> Because a malicious activity could encode a private document as URL<br>
> and have the browser go to that URL, which would send it to any server<br>
> on the internet.<br>
<br>
</div>Well, isn't that interesting. You have a point, there, and I don't<br>
see any good way around it.<br>
<div class="Ih2E3d"></div></blockquote><div><br>One way would be to launch an instance of Browse without P_NETWORK (and, of course, with a virgin configuration, which was deleted after running). You could view your document locally, and P_NETWORK would not be violated.<br>
<br>If, in fact, this use case is considered important enough to be worth the effort. I'd say that watching P_NETWORK as I suggested originally would be a good enough first-pass solution that probably we'd never get a second pass.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
</div>Well, perhaps a permission is in fact needed then. Of course, I still<br>
see that there could be worth in a service which allows activities to<br>
launch others. Perhaps the Develop activity eventually wants to<br>
launch an SVG editor for its icon. Perhaps Write wants to be able to<br>
embed links to other projects (as was initially mentioned as the use<br>
case) for writing tutorials. I'm not sure how to accomplish this.<br>
<font color="#888888"><br>
- Eben</font></blockquote><div><br>Note that these use-cases can be done with the P_NETWORK scheme - assuming that, instead of writing your tutorials in Write, you do it in Blog (which may indeed be a special case of Browse), which makes more sense anyway. (Yes, I am proposing a url format for activity launching - this is safe, since the originating app would have P_NETWORK.)<br>
<br>Jameson<br></div></div><br>
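The launch rule discussed in this thread, as an added example that is not part of the original messages or of any Sugar code: a requester without P_NETWORK may not launch a target that holds it, unless the target can be started as a throwaway instance with P_NETWORK stripped and a fresh configuration. The `plan_launch` function, the `can_run_isolated` flag, the "Chat" activity and the permission sets given to each activity are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

P_NETWORK = "P_NETWORK"  # permission name used in the thread


class Decision(Enum):
    ALLOW = "allow"        # target runs with its normal permissions
    ISOLATED = "isolated"  # throwaway instance, P_NETWORK stripped
    DENY = "deny"


@dataclass(frozen=True)
class Activity:
    name: str
    permissions: frozenset = frozenset()
    # Assumption: the activity is still useful offline with a fresh config.
    can_run_isolated: bool = False


@dataclass(frozen=True)
class LaunchPlan:
    decision: Decision
    permissions: frozenset   # what the launched instance actually gets
    fresh_config: bool       # start from an empty profile, delete on exit


def plan_launch(requester: Activity, target: Activity) -> LaunchPlan:
    """Apply the rule from the thread to one launch request."""
    # Data flows requester -> target. The only leak path is a requester
    # that cannot reach the network handing data to a target that can.
    leak_path = (P_NETWORK in target.permissions
                 and P_NETWORK not in requester.permissions)
    if not leak_path:
        return LaunchPlan(Decision.ALLOW, target.permissions, False)
    if target.can_run_isolated:
        # No network, and no stored config for the data to persist in
        # until a later, networked session.
        return LaunchPlan(Decision.ISOLATED,
                          target.permissions - {P_NETWORK}, True)
    return LaunchPlan(Decision.DENY, frozenset(), False)


# Constructed sample activities; the permission sets are assumptions.
WRITE = Activity("Write")
DEVELOP = Activity("Develop")
SVG_EDITOR = Activity("SVG editor")
BROWSE = Activity("Browse", frozenset({P_NETWORK}), can_run_isolated=True)
CHAT = Activity("Chat", frozenset({P_NETWORK}))
```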