On 2014-07-21, 7:55 PM, Garner Lee wrote:
>
>
>
> On Mon, Jul 21, 2014 at 11:54 AM, Ehsan Akhgari <
ehsan....@gmail.com
> <mailto:
ehsan....@gmail.com>> wrote:
>
> On 2014-07-18, 8:52 PM, Garner Lee wrote:
>
>
> On Fri, Jul 18, 2014 at 2:45 PM, Ehsan Akhgari
> <
ehsan....@gmail.com <mailto:
ehsan....@gmail.com>
> <mailto:
ehsan.akhgari@gmail.__com
> 1) Is "window.navigator.____mozSetMessageHandler" going
> to be a
>
> web standard,
> or just intended to be a Mozilla WebApp feature only?
> This does
> start the
> application, and deliver information.
> -- How hard/sane is it to create a filter for system
> messages like it is
> done for MozActivities?
>
>
> I don't think our system messages are something that we can
> standardize as an API exposed to web pages. The Web
> equivalent way
> of delivering notifications to apps that may or may not be
> running
> is going to be dispatching an event to the app's service
> worker.
>
>
>
> If I'm not mistaken, web pages can't send system messages, but
> they can
> sure receive them (mozSetMessageHandler('__activity', func);)
>
http://www.w3.org/2012/nfc/__web-api/#widl-NFCManager-__ontagfound
tag is a property of the event object, which is a "platform object"
(meaning that it is a JS reflection of an object provided by the UA).
This is a very normal concept across all Web APIs. I'm not sure what
the issue with this is exactly.
> It's Activites that don't accept them (we currently use a
> "getNFCPeer(sessionToken)" as a workaround .. objects with
> interfaces
> are sent as empty objects the last I checked).
> Ex of current implementation in FirefoxOS:
>
https://wiki.mozilla.org/__WebAPI/WebNFC#NDEF_P2P_Send___Example
> <
https://wiki.mozilla.org/WebAPI/WebNFC#NDEF_P2P_Send_Example>
>
>
> So you want to pass a DOM object to an activity? Yes, that's not
> really supported. The way we "send" DOM objects around in other
> parts of the platform (for example postMessage) is by doing a
> structured clone on the DOM object in order to serialize its content
> alongside with all of the information required to reconstruct it
> from scratch later on, send the serialized representation to the
> other side, and create a completely new object from that serialized
> info which looks and acts like the original object. So in a sense,
> sending the same DOM object to somewhere else may not mean exactly
> what you are thinking.
>
> Passing a DOM object might be important later in an activity.
>
> Whether it's the same object or not is less important than being able to
> get an object, and call APIs on it immediately without a
> "getNFCTag(sessionToken) call.
>
> It is actually not hard to do that extra step, but it is an extra step.
> The object is intended to be part of an object hierarchy eventually in
> the case of NFC.
>
> Events apparently can pass a working API object, but events don't start
> applications.
If you are asking for a generic event dispatch mechanism that can wake
up an application and transmit arbitrary information to it in form of
platform objects, then neither web activities or system messages are
what you want. I'm not aware of any existing mechanism to do that.
Oops, my bad.
> To quote a recent discussion (Paul Theriault, Hi!):
>
> -------
> Do we need support a user choosing from a list of qualified applications
> (e.g. like web activities, but from a list of web apps which satisfy
> certain security properties).
> -------
>
> As we know, activities are quite public.
Yes, they can be triggered and handled by arbitrary apps.
> System messages (and perhaps
> the event that gets triggered somehow), is supposed to be relatively
> "trusted" as it is supposedly originated from the system.
Yes, they are initiated by the system.
> The is that
> the nature of the data can be private, can be intercepted or mistakenly
> sent to the wrong application by the user, or worse, a somehow malicious
> app asking a high value app, like the wallet, for example, to do
> something unexpected for it.
I'm not sure if I understand this part...
> Bug 979767 <
https://bugzilla.mozilla.org/show_bug.cgi?id=979767>
> (HCI_EVENT_TRANSACTION message) references a security mechanism that is
> an over the air managed white list to help secure the target end: which
> webapp is allowed to handle things at the target level, as determined by
> say, Mastercard.
>
> The "Access Control Enforcer" on the gecko side will check web
> application certificates against a whitelist, but it doesn't actually
> cover the source of the message if it were from a WebActivity (which is
> available to all apps to send --> untrusted data).
Yes, it seems that web activities are not the right tool for this job.
> A system message (with filters), will potentially allow the system can
> do some security checks first before delivering the message (or event
> with sensitive data attached if that's decided) to the application.
> <
https://bugzilla.mozilla.org/show_bug.cgi?id=979767>
I did read that bug. I think you're referring to comment 8 there.
Unfortunately I'm not as familiar with these concepts as you are, and I
didn't manage to understand the problem better from that bug. So far
all I know is that you have some data that you want to generate from
code inside Gecko and you want to launch an app and pass it that data
somehow. I don't understand how the app selection works, and what needs
to be protected, and how, etc. I'm going on with my extremely limited
understanding of this issue.
> I'm looking at service worker. Can it be described as an application
> service model? Application, Mime-type, Filtering/Routing, and "message
> data origin" type security issues is of interest.
Service workers provide us with the ability to launch a worker
associated with a web application and dispatch an event to it. The User
Agent will remain in control of when to dispatch the event and to which
service workers to dispatch it to. As I said before, I don't really
know anything about the specific requirements you're mentioning so I
can't provide any comment on whether they are the right tool for this job.
But please note that the spec and implementation of Service Workers is
still work in progress, and they are also currently being designed for
Web apps, so we may need to do some additional work to make it possible
to make them work in Firefox OS app.
Cheers,
Ehsan
> In every case, we would want to start the user intended app
> first, rather
> than blind fire events to every possible interested NFC,
> Couponing, or
> Payment application. We're still working out some UX
> details.
>
> For now, we want only to notify one application, though
> there's
> some talk
> still of expanding it to allow more than one to be a
> target, but
> not all
> apps.
>
>
>
> ------------------------------____----------------------------__--__--
>
> Some further reading for a bit more background:
>
> ------------------------------____----------------------------__--__--
>
>
> In the case of NFC (and Wallet Applications, for
> example), we
> want to send
> payment "received" transaction messages to a designated
> application (Some
> more information here:
>
https://bugzilla.mozilla.org/____show_bug.cgi?id=979767
> <
https://bugzilla.mozilla.org/__show_bug.cgi?id=979767>
>
https://bugzilla.mozilla.org/____show_bug.cgi?id=1037380
> <
https://bugzilla.mozilla.org/__show_bug.cgi?id=1037380>
>
https://bugzilla.mozilla.org/__show_bug.cgi?id=979767
> <
https://bugzilla.mozilla.org/show_bug.cgi?id=979767>. The payment
> "HCI_EVENT_TRANSACTION" message itself is simple: "you have
> submitted
> payment for that thing!" with some transaction data specific to that
> app, like, the vendor and amount pending/transacted. The applet
> on the
> SIM/embedded secure element does all the actual work for now.
>
> We're still in discussion on whether it's a 1-1 pairing between the
> application (running on the host processor, ie, the CPU running
> FirefoxOS), and the secure element running Java cardlets on the
> baseband
> processor (i.e., the mobile radio), and if it expands to more
> than one
> web application application, how we're going to securely route those
> transaction messages.
>
> The second bug
>
https://bugzilla.mozilla.org/__show_bug.cgi?id=1037380