About the proposed single vs plural calls in the tag list that's mentioned:
- RESTful call equivalents:
Why do we chose to give PersonAppData (which is a single form, so for a single user?) a user + group id (@owner + @friends = plural, no?), while the person request has 2 calls, and the plural form with @viewer, @self would give a singular response? That's how it's working for people data in the REST spec anyhow.
- <os:PersonRequest> - request to get a single person's profile
- <os:PeopleRequest> - request to get profile information for a group or list of people
- <os:ActivitiesRequest> - request to get activities
- <os:PersonAppDataRequest>. A request for app data
With activities it's the same kind of 0deal, if you parse it a single ID in the @activitiesIds you get a straight activity record, if you specifiy a collection (either by giving multiple activity id's or specifying a @owner/@self type request, you get a collection back).
Something I think might confuse developers down the road
This works:
<Content type="osml">
<os:PersonRequest key="vf" userid="@viewer" groupid="@friends"/>
This doesn't:
<Content type="html">
<os:PersonRequest key="vf" userid="@viewer" groupid="@friends"/>
But this does (but behaves differently):
<Content href="http://foo/bar">
<os:PersonRequest key="vf" userid="@viewer" groupid="@friends"/>
I would almost be inclined to suggest that type="osml" becomes type="html", and on gadget parsing we do a quick gadgetContent.indexOf('<os'): to see if we need to do any dynamic parsing? I think that would make things a good bit easy to use for dev's. Or if people see some huge problems with this, how about adding a new 'osml="true"' to the type="html" statement (I would prefer not having to add any tags though to prevent any possible confusion)
Likewise i'm also not 100% clear yet on what something like this should do:
<Content href="http://foo/bar">
<os:PersonRequest key="vf" userid="@viewer" groupid="@friends"/>
<b>Hello {$vf.Name}</b>
Would the parsed html content be posted to the url, the unparsed html be posted, or would it raise an error or be ignored?
Can we eliminate the need for OSML to function correctly outside of a container?
<Content href="http://foo/bar">
<os:PersonRequest key="vf" userid="@viewer" groupid="@friends"/>
<b>Hello {$vf.Name}</b>
Would the parsed html content be posted to the url, the unparsed html be posted, or would it raise an error or be ignored?
Given our lax parsing requirements for "unknown" tags in other XML contexts, it should be ignored, since that HTML tag isn't a part of the data pipelining subset of OSML.
chabotc wrote: I would almost be inclined to suggest that type="osml" becomes type="html", and on gadget parsing we do a quick gadgetContent.indexOf('<os'): to see if we need to do any dynamic parsing? I think that would make things a good bit easy to use for dev's. Or if people see some huge problems with this, how about adding a new 'osml="true"' to the type="html" statement (I would prefer not having to add any tags though to prevent any possible confusion)
The argument for type="osml" (and yes, this could just be a new attribute, but I don't see the point) is that it's the only safe way to seamlessly move from client side to server side processing without requiring additional script tags.
In discussions about this, Evan has voiced a strong opinion that OSML should be able to work in a standalone HTML document. I disagree with this requirement (you need a container anyway for lots of other things), but that's the main argument. Without that requirement, the difference is irrelevant. This distinction should probably be explained better in the proposal
On Thu, Nov 6, 2008 at 5:32 PM, Kevin Brown <et...@google.com> wrote:chabotc wrote: I would almost be inclined to suggest that type="osml" becomes type="html", and on gadget parsing we do a quick gadgetContent.indexOf('<os'): to see if we need to do any dynamic parsing? I think that would make things a good bit easy to use for dev's. Or if people see some huge problems with this, how about adding a new 'osml="true"' to the type="html" statement (I would prefer not having to add any tags though to prevent any possible confusion)
The argument for type="osml" (and yes, this could just be a new attribute, but I don't see the point) is that it's the only safe way to seamlessly move from client side to server side processing without requiring additional script tags.
In discussions about this, Evan has voiced a strong opinion that OSML should be able to work in a standalone HTML document. I disagree with this requirement (you need a container anyway for lots of other things), but that's the main argument. Without that requirement, the difference is irrelevant. This distinction should probably be explained better in the proposal
I presume we expect the opensocial javascript API to function inside of a social gadget at any time right, even if a good part of it's content is parsed on the server? Also things like preloading require modifications of the html document by the container, so the container modifications will remain a hard requirement i would imagine.
Or is type="osml" going to be lacking in other functionalities, current and future? I would think that's a horrible direction to go in!
Nevermind—shouldn’t have hit send…
Just to be clear, the only difference between type="osml" and type="html" is that in type="html" OSML isn't natively supported -- you have to add <script type="text/os-template"> around the OSML parts.
I agree that they shouldn't -- I'd prefer to not have type="osml" and also not require the script tags. Evan is the only person I know of so far who has voiced support for the need for the script tags (in order to allow OSML to work outside of a gadget context), but others may feel the same way.
My take is that if you're writing a gadget, it's assumed that you need a container to process it, period.
I want to throw out another suggestion, if you include a <Require feature="osml"/> push both the Content bodies or the proxied response through the Data Pipeline interpreter. Then eliminate the @type attribute.
On type="html" vs type="osml"...
The biggest benefit of allowing OSML to work in standalone HTML content is that it works on all containers, including those that only support 0.7 or 0.8, and those who might not want to implement or support content rewriting.
We have a JS feature in Shindig that works today on almost all containers by using <script src="">. It took me about 20 minutes to get the Super Lame Game (my simple template app) working on Ning, which is an 0.7 container.
On Fri, Nov 7, 2008 at 5:18 PM, Evan Gilbert <uid...@google.com> wrote:On type="html" vs type="osml"...
The biggest benefit of allowing OSML to work in standalone HTML content is that it works on all containers, including those that only support 0.7 or 0.8, and those who might not want to implement or support content rewriting.
We have a JS feature in Shindig that works today on almost all containers by using <script src="">. It took me about 20 minutes to get the Super Lame Game (my simple template app) working on Ning, which is an 0.7 container.
Ok please let interject here... Your saying we should cater to containers who do not want to upgrade to the latest spec revision, or choose not to support a MUST part of the OpenSocial specification?
I had a longer response all typed up, but really there is nothing to add to this question ...
To the first point, we always presume containers will upgrade, we presume gadget devs will write gadges that <Require feature="opensocial-0.8"/> and use all the new goodies we put into each new spec.. and we also assume people will use REST right? All these things won't work on 0.5 (yes those are around still too) and 0.7 based containers, however that never stopped us from moving forward and trying to improve with each spec revision.
Yes there will always be a period of time in which some containers support an older version, and some apps won't work everywhere if they use the latest spec revision, but the goal here is not to develop a solution that will work on all older specs, but to develop a new spec revision, right?
To the second point, we have protection build in that you can't call your self 'OpenSocial' if you do not support MUST part of the spec, so to assume and expect that containers 'chose not to support server sided rewriting' sounds absurd to me; I've had plenty of conversations with containers here in the EMEA region who would love to support ONLY server side templating and not do javascript (it scares them from a security POV), but I always explained best I could to them that to call your self an OpenSocial container you have to support all parts of it ... otherwise the spec looses all meaning if people get to pick only the parts their interested in, and we'd end up with opensocial apps that would never run on more then just one container since each supports a different part of the 'spec'
"By providing a JS library, developers can use templates in content that is visible both on their gadget and on their own web site."Isn't one of the goals of OSML to allow for things like:
<os:hasApp> foo <os:else> bar </os:hasApp>
or constructions like
<os:profilePic uid="12345" linked="true" />
<os:if-is-friends-with-viewer uid="12345">
Hey your already friends, cool!
</os:if-is-friends-with-viewer>
These kind of tools would make the life of a web-1.0 type developer a lot easier, require no client side parsing or extra requests, and even have the potential of solving some consistency in UI problems too.
Now that seems pretty impossible if your argumentation is that the template should work on a stand alone website (without any social context from the container) too, unless you expect them to implement something like shindig, in which case server side rendering is possible too :)
I have a hard time imagining how you can test a social app, without a social context ... what exactly would you show in the friends selector? What profile pictures? What media album entries? What owner and viewer information would you build on?
"Can be tested without a gadget container"
You could build 'an web application' without a container, sure... but not a social app, and that's kind of the point of Open*Social* isn't it, and given the name of this list, i thought that was everyone's priority here :)in my opinion this should be a non-argument out of principle, as i outlined in my earlier response
"Can be used on all containers, today."I find these assumptions very hard to support without any data or references to back this up, so far from my talks with containers here in europe, their all very excited about server sided rendering and templating, and there are also a lot of posts indicating excitement about lower latency on initial render that this could bring.
"Does not require containers to parse HTML body content.
- Although there are parts of the OpenSocial spec (hangman substitution is one) that need containers to go through the entire content of the page, I believe that many non-Shindig implementations do not support this.
- Also, OSML would require a more complex parser than just a string replacer. This is more work to implement and more CPU cycles on the server.
- Because of these, I'm not sure if OSML would ever be universally supported across OpenSocial containers if it required server side processing."
Also the question if it will be universally supported, if we make it a 'MUST' in the spec, I would assume so; Besides from the containers on this list I've gotten the impression they seem ok with the proposal of server sided processing (anyone from myspace, yahoo, hi5, etc want to weigh in on this discussion?)
Lastly the pressure is quite high to support smart tags like <os:addAppLink> <os:hasApp> <os:profilePicture link="true"> and all such type of constructions, people are used to these kind of tags "on that other social platform" and they add a lot of value to app developers, plus they offer a method for better UI consistency with the container.
It seems we have agreement on much of this spec. This is goodness. Items where we have contention may need more time or be separated out and postponed to the next milestone.
We have contention on a few points:
1. Processing returned/proxied content as OSML. If we drop this, devs will have to return fully expanded HTML. Is this OK in a world where we can send the JSON/XML objects on the POST to the dev server?
2. The script tags: I haven’t seen any discussion for how drop the tag and still allow one to build custom templates. Please see http://wiki.opensocial-templates.org/index.php?title=OpenSocial_Templating#Calling_Templates. In previous discussions, custom/named templates are the one item that let the script tag live. Dropping the script tag would mean dropping named templates from the OSML spec for this rev. Is this a feature we can live without?
3. Content type=html|osml: It seems like this can be mitigated by using type=html and requiring the OSML feature. For cross container compatibility, the dev would states that the OSML feature is optional. In the optional use case, the inclusion of the <script type="text/osml"> tags enclosing the OSML type plus the OSML client side JS will work. This requires <script> tags to be included and allows for the use of named templates too.
If I missed another point of contention, I apologize. The thread is getting hard to follow. Please add the point.
Please don’t read my suggestions as ‘we should never do the feature’. My larger concern is getting this out quickly and recognizing that we will iterate and ship again. Our pattern is every 3-4 months.
From:
opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Evan
Gilbert
Sent: Friday, November 07, 2008 1:32 PM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Proposal] Data Pipelining
On Fri, Nov 7, 2008 at 10:13 AM, Chris Chabot <cha...@google.com> wrote:
We have contention on a few points:1. Processing returned/proxied content as OSML. If we drop this, devs will have to return fully expanded HTML. Is this OK in a world where we can send the JSON/XML objects on the POST to the dev server?
2. The script tags: I haven't seen any discussion for how drop the tag and still allow one to build custom templates. Please see http://wiki.opensocial-templates.org/index.php?title=OpenSocial_Templating#Calling_Templates. In previous discussions, custom/named templates are the one item that let the script tag live. Dropping the script tag would mean dropping named templates from the OSML spec for this rev. Is this a feature we can live without?
3. Content type=html|osml: It seems like this can be mitigated by using type=html and requiring the OSML feature. For cross container compatibility, the dev would states that the OSML feature is optional. In the optional use case, the inclusion of the <script type="text/osml"> tags enclosing the OSML type plus the OSML client side JS will work. This requires <script> tags to be included and allows for the use of named templates too.
I think testability is a serious limitation of Shindig currently - I'd be curious to hear how many gadget developers download a local copy of Shindig in order to be able to see how their gadget works with different user imnput. My guess is that the answer is very few.
As I mentioned, I'm going to post an example gadget to clarify how this would work.
I'm also very worried about issues that we would find on implementation or rollout. I could easily see a container wanting to turn *off* this feature if needed if their CPUs were spiking because of increased traffic, or because a developer wrote an infinite template loop. Even if we like this as an abstract direction it seems a useful charateristic to not require this.
The use case for repeaters in the OSML is pretty strong—we really want it if at all possible. Table output, selection lists, etc. all benefit in the presence of some form of repeater. My experience with the repeat as attribute vs. control tag argument is that it is a time waster—the two constructs are isomorphic (I have an XSLT laying around that handles the attributeàtag transformation).
From the start, we’ve felt pretty strongly that OSML should be agnostic about client or server. MySpace is building a server implementation at this time, so I don’t suspect that we would argue against some of the client side capabilities being dropped if ShinDig thought this was acceptable. However, I know that the ShinDig prototype has done some excellent work along these lines purely on the client.
If I understand you correctly, the suggestion here is to require the OSML feature and use the <script type="text/osml" name="myTemplate"> block only for named templates. All other OSML uses would then be in the open.\
This leaves the path to back compat as little more than a curiosity from the proof of concept implementation.
From: opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Chris
Chabot
Sent: Friday, November 07, 2008 2:44 PM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Proposal] Data Pipelining
Thanks for a great summary Scott
The use case for repeaters in the OSML is pretty strong—we really want it if at all possible. Table output, selection lists, etc. all benefit in the presence of some form of repeater. My experience with the repeat as attribute vs. control tag argument is that it is a time waster—the two constructs are isomorphic (I have an XSLT laying around that handles the attributeàtag transformation).
From the start, we've felt pretty strongly that OSML should be agnostic about client or server. MySpace is building a server implementation at this time, so I don't suspect that we would argue against some of the client side capabilities being dropped if ShinDig thought this was acceptable. However, I know that the ShinDig prototype has done some excellent work along these lines purely on the client.
If I understand you correctly, the suggestion here is to require the OSML feature and use the <script type="text/osml" name="myTemplate"> block only for named templates. All other OSML uses would then be in the open.\
This leaves the path to back compat as little more than a curiosity from the proof of concept implementation.
On Sat, Nov 8, 2008 at 12:08 AM, Scott Seely <sSe...@myspace.com> wrote:The use case for repeaters in the OSML is pretty strong—we really want it if at all possible. Table output, selection lists, etc. all benefit in the presence of some form of repeater. My experience with the repeat as attribute vs. control tag argument is that it is a time waster—the two constructs are isomorphic (I have an XSLT laying around that handles the attributeàtag transformation).
There are other ways of preventing recursive cycles, either through detection in code ("5000 loops means your killed and the recursive cops will be dispatched!"), or through language definition, not allowing template inclusions in repeat statements is a very simple way of preventing this from ever happening.
Either way I was trying to address Evan's concerns, but I agree it doesn't have to go, there are perfectly valid solutions to this problem.
From the start, we've felt pretty strongly that OSML should be agnostic about client or server. MySpace is building a server implementation at this time, so I don't suspect that we would argue against some of the client side capabilities being dropped if ShinDig thought this was acceptable. However, I know that the ShinDig prototype has done some excellent work along these lines purely on the client.
(ps, it really is 'Shindig', no capital D required before someone would suspect a htdig or digg.com relationship :P)
Neither me nor kevin have any objections to coding a server sided solution, which covers both the php and java versions of Shindig, so that shouldn't have to be a blocker at all..
3. Content type=html|osml: It seems like this can be mitigated by using type=html and requiring the OSML feature. For cross container compatibility, the dev would states that the OSML feature is optional. In the optional use case, the inclusion of the <script type="text/osml"> tags enclosing the OSML type plus the OSML client side JS will work. This requires <script> tags to be included and allows for the use of named templates too.
Putting HTML though an OSML processor should work just fine,
and it's important that html, osml and proxied aren't conflated. What is really present is a choice between two transfer modes: inline and external; and a flag for whether OSML processing should proceed.
Just one comment—I’m not too sure what is going on with the comment about recursive cycles and preventing them and recursive cycles. I mean I get what you are saying, I just don’t see what sparked it. I was simply stating that I like the idea of having a mechanism to define that, with a collection of friends, I want each friend’s data in a row in a table. Obviously, an implementation will need to detect recursive cycles or typical errors during development will consume CPU and blow stack on the container dev servers.
All that said, we should probably standardize how deep any recursion will be allowed so that devs will know that if they use < n levels of recursion, they are OK.
The isomorphic comment means that I can do a lossless transformation from attributeàtag based, making the comment about which one is ‘bad’ moot. I proved this to myself by writing a XSLT that seems to do the job.
From:
opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Chris
Chabot
Sent: Friday, November 07, 2008 3:23 PM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Proposal] Data Pipelining
On Sat, Nov 8, 2008 at 12:08 AM, Scott Seely <sSe...@myspace.com> wrote:
When proxying content, there's really no good reason to need to specify the type at all. That's what the Content-Type header is for.
Kevin, if you think this is a sufficiently user-friendly mechanism for specifying how proxied content is to be handled, we can simplify the <Content> tag markup to three scenarios:When proxying content, there's really no good reason to need to specify the type at all. That's what the Content-Type header is for.
<Content type="html">
<Content type="osml">
<Content type="proxied" src="http://example.com/app"> - in this case the mime type is interpreted to determine whether the returned output is to be treated as OSML or not.
This seems like it leverages existing standards more (mime type), though is a little less easy to use (I'd imagine some of the developers may not have a good understanding of mime types, though they can be easily educated).
Are you going to use the Wiki page that was already created: http://wiki.opensocial.org/index.php?title=Data_Pipelining? Just thinking that Lane’s good work should be used J
From:
opensocial-an...@googlegroups.com [mailto:opensocial-an...@googlegroups.com]
On Behalf Of Evan Gilbert
Sent: Monday, November 10, 2008 10:11 AM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Proposal] Data Pipelining
Thanks again to everyone for all of the feedback on the thread - it's definitely been helpful.
Evan—great work.
I would like to see us remove the text/os-data script tag if possible. I’m not aware of any use cases that make it necessary. It seems to be an artifact of us trying to separate out templates and pipelining. This means that the embedding in @type="html" content looks like this:
<Content type="html">
<script type="text/os-template">
<os:PeopleRequest key="vf" userid="@viewer" groupid="@friends"/>
<div repeat="${vf}">${Name} is a friend.</div>
</script>
</Content>
Other Comments inline.
From: opensocial-an...@googlegroups.com [mailto:opensocial-an...@googlegroups.com] On Behalf Of Louis Ryan
Sent: Monday, November 17, 2008 11:24 PM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Updated Proposal] Data Pipelining
Some notes:
- Spec does not say for non-proxied non-OSML gadgets how the contents of the preload are made accessible in JS. Something along the lines of opensocial.getPreloaded() which returns DataResponse seems appropriate. A more concise equivalent is also needed in oslite.
[[sseely]] http://docs.google.com/View?docid=dc5qrdst_19fbb8fpd3 has a section, “Updates to OpenSocial JavaScript API”. If nothing else, the getDataSet/putDataSet functions should move along with the proposal OR the proposal should reference the simplified JS API doc if that functionality is migrating elsewhere.
- Probably best to explicitly state that the attribute names match 1:1 with REST & JSON-RPC parameter names and makeRequest parameter names where a mapping exists
- Spec does not state what format the content POSTed for a proxied render is in other than as "POSTed JSON data" I believe the JSON-RPC batch response format is the appropriate one and we should state that.
[[sseely]] JSON-RPC batch is currently an optional item. Perhaps we want to pull that description to a standard description of ‘batched data’ and then update the JSON-RPC doc and the Data Pipelining docs reference that standard description.
- I think filter attribute should be extended to match the REST spec definition of filterBy, filterOp & filterValue. Most of the predefined filters I believe map to filterOp=<predefined name> e.g. filterOp=@hasApp. Filter operations apply to activites and other types too.
[[sseely]] +1
Evan—great work.
I would like to see us remove the text/os-data script tag if possible. I'm not aware of any use cases that make it necessary. It seems to be an artifact of us trying to separate out templates and pipelining. This means that the embedding in @type="html" content looks like this:
The XML Namespace should just match the XMLNS we use in the REST spec: http://ns.opensocial.org/2008/opensocial. Is there any reason why this shouldn’t be true?
From:
opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Adam
Winer
Sent: Tuesday, November 18, 2008 3:02 PM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Updated Proposal] Data
Pipelining
Comments:
The XML Namespace should just match the XMLNS we use in the REST spec: http://ns.opensocial.org/2008/opensocial. Is there any reason
why this shouldn't be true?
Some notes:- Spec does not say for non-proxied non-OSML gadgets how the contents of the preload are made accessible in JS. Something along the lines of opensocial.getPreloaded() which returns DataResponse seems appropriate. A more concise equivalent is also needed in oslite.
- Probably best to explicitly state that the attribute names match 1:1 with REST & JSON-RPC parameter names and makeRequest parameter names where a mapping exists
- Spec does not state what format the content POSTed for a proxied render is in other than as "POSTed JSON data" I believe the JSON-RPC batch response format is the appropriate one and we should state that.
- I think filter attribute should be extended to match the REST spec definition of filterBy, filterOp & filterValue. Most of the predefined filters I believe map to filterOp=<predefined name> e.g. filterOp=@hasApp. Filter operations apply to activites and other types too.
- For <os:DataRequest> I don't think the permutations of method and href work as described. If href is empty and method is "people.get" what are the parameters to the RPC method? I think it would be fine to use the URL encoded form of JSON-RPC parameters in the href and have the method be "<service>.<operation>" as described in the JSON-RPC spec. Then detection of the special cased RPC call is simply if the method attribute is anything other than the standard HTTP methods. E.g.<os:DataRequest href="userId=@me&groupId=@self" method="people.get" key="akey" />I have to admit that this also seems a bit clunky. It may just be cleaner to support <os:RestRequest ...> and <os:RpcRequest> for arbitrary but container resolveable calls and leave DataRequest to just HTTP
- I think there's a larger list of relevant makeRequest params that should be documented for DataRequest HTTP use. e.g. OAUTH_SERVICE_NAME. We should state whether the intent is to have full 1:1 functionality with makeRequest and if not list the exceptions
- Needs to be a description of how containers are allowed to vary behavior and still remain spec compliant. E.g. a container suppressing viewer information in proxied renders of profile views because it wants to enforce a high degree of cacheability for the proxied content.
Evan, this seems to omit a lot of client-side interoperability details that were present in the proposal here: http://wiki.opensocial-templates.org/index.php?title=OpenSocial_Data_Pipelining
Some missing points:
- How does client code access the data in non-proxied scenario (there was a proposal for this in the other spec - via opensocial.data.DataContext[key] )
- At what point is the data available to non-proxied content? Is it guaranteed to be there when the gadget renders (unlikely), when the onLoad callback is made (possible) or do you need to register a listener to be called back (optimal in my view)
- Can proxied responses include more data markup (for example, a PeopleRequest for specific IDs), and how will the pipelined data be available to merge against this content? (this is a new one)
Good feedback from all. Batching up the remaning responses...I agree that complex use cases will need to have one, separate data block at the start of the page. However, it would be nice for simple use cases (like Scott's example) to not have to include 2 script blocks, and in general the distinction between type="text/os-data" and "text/os-template" may not be as clear to developers as it is to us.
<script type="text/os-data">
I'd be happy moving forward with the proposal as it stands, but I also want to outline an alternative for discussion:
- Only have <script type="text/os-template">
- Only top-level data pipelining tags in the first <script type="text/os-template"> block are processed. All other data pipelining tags are ignored
This seems to accomplish both scenarios cleanly and is easy to code. I'm just not clear whether this will be simpler or more complex for developers.
JSON-RPC batch in a separate document
Scott - I can take the action on this... how soon do you think this is needed? It seems like it's not blocking now, but we should have it in place well before we finalize 0.9
unknown data pipelining tags
Agreed that containers should ignore these - added to proposal
<script> tags omitted in Detailed Proposal
oversight - added
Places where we're not 1:1 with JSON-RPC
- @startPage does not exist; paging is easy enough without it. Did this to match the JSON-RPC doc- @filterBy, @filterOp, and @filterValue are all missing - added- os:ActivitiesRequest has a typo (userid -should be userId) fixed- @activityIds should be @activityId. Did this to match the JSON-RPC doc
For the two places where the proposal matched the JSON-RPC doc - if is incorrect, let's update both. I'm not sure of the source of truth.
CDATA missing from example
Added
Default @userId value
Comment was "if @userId defaults to @viewer on os:ActivitiesRequest, it should default to @viewer everywhere; or, it shouldn't default anywhere".
Agreed in this case that we shouldn't have a default, and updated the proposal. It's not clear whether @owner or @viewer would be the right default.
I'm not sure I agree with the blanket statement that all defaults should be the same - I'd like to provide intellegent defaults when they make sense.
Namespace
We're going to be sharing the same namespace for OSML, OpenSocial templating, and Data Pipelining. I have no idea what to call this. First person to update the proposal with a reasonable option gets my support.
For JSON-RPC batch being moved to a separate doc—I’ll need that by Dec 1 in order to incorporate it by the 12/4 deadline to create the OS 0.9 draft.
From:
opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Adam
Winer
Sent: Tuesday, November 18, 2008 11:24 PM
To: opensocial-an...@googlegroups.com
Subject: [opensocial-and-gadgets-spec] Re: [Updated Proposal] Data
Pipelining
On Tue, Nov 18, 2008 at 10:14 PM, Evan Gilbert <uid...@google.com> wrote:
Some days, my head isn’t screwed on properly.
It seems that we are using the http://ns.opensocial.org/2008/ as a base URL for the REST spec. I suggest http://ns.opensocial.org/2008/template as the URI for os: in the templates spec.
On Tue, Nov 18, 2008 at 10:14 PM, Evan Gilbert <uid...@google.com> wrote:Good feedback from all. Batching up the remaning responses...I agree that complex use cases will need to have one, separate data block at the start of the page. However, it would be nice for simple use cases (like Scott's example) to not have to include 2 script blocks, and in general the distinction between type="text/os-data" and "text/os-template" may not be as clear to developers as it is to us.
<script type="text/os-data">
I'd be happy moving forward with the proposal as it stands, but I also want to outline an alternative for discussion:
- Only have <script type="text/os-template">
- Only top-level data pipelining tags in the first <script type="text/os-template"> block are processed. All other data pipelining tags are ignored
This seems to accomplish both scenarios cleanly and is easy to code. I'm just not clear whether this will be simpler or more complex for developers.
JSON-RPC batch in a separate document
Scott - I can take the action on this... how soon do you think this is needed? It seems like it's not blocking now, but we should have it in place well before we finalize 0.9
unknown data pipelining tags
Agreed that containers should ignore these - added to proposalI disagree - an error response with notImplemented would be more appropriate and useful. We need machinery to report errors in any event.
<script> tags omitted in Detailed Proposal
oversight - added
Places where we're not 1:1 with JSON-RPC
- @startPage does not exist; paging is easy enough without it. Did this to match the JSON-RPC doc- @filterBy, @filterOp, and @filterValue are all missing - added- os:ActivitiesRequest has a typo (userid -should be userId) fixed- @activityIds should be @activityId. Did this to match the JSON-RPC doc
For the two places where the proposal matched the JSON-RPC doc - if is incorrect, let's update both. I'm not sure of the source of truth.In both cases, I was going off of the existing Shindig implementation, not the JSON RPC doc. I believe Shindig has a bug with activityId - activityIds is better, and is what the spec says. But I'm confused where startPage came from in the JSON RPC doc, as AFAIK it's not mentioned in the Restful Protocol doc, exposed in the Javascript API, or implemented in Shindig. I didn't follow the discussions closely when it was proposed - Louis?
CDATA missing from example
Added
Default @userId value
Comment was "if @userId defaults to @viewer on os:ActivitiesRequest, it should default to @viewer everywhere; or, it shouldn't default anywhere".
Agreed in this case that we shouldn't have a default, and updated the proposal. It's not clear whether @owner or @viewer would be the right default.
I'm not sure I agree with the blanket statement that all defaults should be the same - I'd like to provide intellegent defaults when they make sense.Across all APIs, yes, that'd be an excessive blanket statement. Limited to @userId in this spec, I think it's reasonable.
Namespace
We're going to be sharing the same namespace for OSML, OpenSocial templating, and Data Pipelining. I have no idea what to call this. First person to update the proposal with a reasonable option gets my support.
-- Adam
Has this been addressed yet? "TBD - How to choose which container parameters (viewer, owner, relationship) to send to the 3rd party server. This has a big impact on cacheability. "
I'm also curious about how data gets posted to a third party server. The spec says "Proxied content requests. This data will be POSTed to the developer party server with requests for proxied content. " but doesn't define the format of the POSTed data. It would also be extremely useful to define a way for this data to be signed by the container, as there currently isn't a way to pass a list of friends in a verifiable manner from the app to the third party server.
On Sat, Nov 22, 2008 at 2:06 PM, Arne Roomann-Kurrik <kur...@google.com> wrote:Has this been addressed yet? "TBD - How to choose which container parameters (viewer, owner, relationship) to send to the 3rd party server. This has a big impact on cacheability. "
I haven't seen a discussion of this yet on the proxied content thread (and i think that's where the discussion should go).
I'm also curious about how data gets posted to a third party server. The spec says "Proxied content requests. This data will be POSTed to the developer party server with requests for proxied content. " but doesn't define the format of the POSTed data. It would also be extremely useful to define a way for this data to be signed by the container, as there currently isn't a way to pass a list of friends in a verifiable manner from the app to the third party server.
Think that's covered with: "The results of the data pipelining requests will be sent to the href of the <Content> section as POSTed JSON data. The structure will match the [JSON-RPC] format."
(http://wiki.opensocial.org/index.php?title=Data_Pipelining#Proxied_content)
--
~ArneOn Fri, Nov 21, 2008 at 6:06 PM, Evan Gilbert <uid...@google.com> wrote:
Only open issue I'm aware with Data Pipelining of is whether unhandled tags get 404 or can return null.
Are there other issues or concerns? This is a key feature for 0.9, so please vote if you like it or say why if you don't.
Evan
OpenSocial IRC - irc://irc.freenode.net/opensocial
Thanks Louis, good feedback.On Mon, Nov 17, 2008 at 11:23 PM, Louis Ryan <lr...@google.com> wrote:
Some notes:- Spec does not say for non-proxied non-OSML gadgets how the contents of the preload are made accessible in JS. Something along the lines of opensocial.getPreloaded() which returns DataResponse seems appropriate. A more concise equivalent is also needed in oslite.
I left out the JS APIs in transcription from the original doc. It's been added back in.
- Probably best to explicitly state that the attribute names match 1:1 with REST & JSON-RPC parameter names and makeRequest parameter names where a mapping exists
See http://wiki.opensocial.org/index.php?title=Data_Pipelining#Common_request_processing. Feel free to edit if this should be more prominent.
- Spec does not state what format the content POSTed for a proxied render is in other than as "POSTed JSON data" I believe the JSON-RPC batch response format is the appropriate one and we should state that.
Agreed, added.
- I think filter attribute should be extended to match the REST spec definition of filterBy, filterOp & filterValue. Most of the predefined filters I believe map to filterOp=<predefined name> e.g. filterOp=@hasApp. Filter operations apply to activites and other types too.
Agreed. I updated the text for people.get to state that these are strings that match the REST spec - however I couldn't actually find where we had defined them in the REST spec.
- For <os:DataRequest> I don't think the permutations of method and href work as described. If href is empty and method is "people.get" what are the parameters to the RPC method? I think it would be fine to use the URL encoded form of JSON-RPC parameters in the href and have the method be "<service>.<operation>" as described in the JSON-RPC spec. Then detection of the special cased RPC call is simply if the method attribute is anything other than the standard HTTP methods. E.g.<os:DataRequest href="userId=@me&groupId=@self" method="people.get" key="akey" />I have to admit that this also seems a bit clunky. It may just be cleaner to support <os:RestRequest ...> and <os:RpcRequest> for arbitrary but container resolveable calls and leave DataRequest to just HTTP
One alternative is @method + @params. I'm split between this and <os:RpcRequest> - any preference?
- I think there's a larger list of relevant makeRequest params that should be documented for DataRequest HTTP use. e.g. OAUTH_SERVICE_NAME. We should state whether the intent is to have full 1:1 functionality with makeRequest and if not list the exceptions
The general goal should be 1:1 functionality but I didn't want to blindly add the fields as I wasn't clear if all of them could be statically defined and if all were in current use (vs. legacy support). Also, a number of the parameters deal with feed retrieval, and I wasn't sure if we wanted / needed to support this with preload.
I'll defer to the experts on this one... Louis - if you or someone else has a clear idea what parameters should be exposed, please update the proposal.
- Needs to be a description of how containers are allowed to vary behavior and still remain spec compliant. E.g. a container suppressing viewer information in proxied renders of profile views because it wants to enforce a high degree of cacheability for the proxied content.
Good point. I think we have a few solved issues and one big unsolved issue:
- Containers can already not pass in viewer information (on a given view, or due to permissions). We can just match the results from calling REST APIs when the app is not allowed access to the data
- The proxied content proposal should cover how the data can be cached, based on sign_owner and sign_viewer parameters (or equivalents). The container will probably not send the opensocial_viewer parameter to the 3rd party server if not allowed for a given view. The URL for caching would only include the parameters actually sent to the 3rd party server.
- The tricky issue is that we also need to prevent sending viewer / owner information in the data pipeline if the URL sent to the 3rd party server doesn't contain opensocial_viewer / opensocial_owner.
For this last point, I've made a small update to the proposal:
Elements in a data pipeline referencing the viewer (via @viewer, @me) will return a 403 (Forbidden) error response if the container is unable to also send the opensocial_viewer URL parameter to the 3rd party server. The same holds true for @owner and opensocial_owner URL parameter.
If anyone has better HTTP codes than 403, please update the proposal. On a quick scan I couldn't find a great match.
The PeopleRequest doesn't go to a third-party server, so signing isn't
On Mon, Nov 24, 2008 at 4:42 PM, Arne Roomann-Kurrik <kur...@google.com> wrote:
> Sorry, I only meant to ask whether the request itself would be signed (using
> the same algorithm as RPC), as opposed to not signed at all, not whether the
> body would be signed.
>
> I don't see an explicit way to specify that a PeopleRequest would be signed
> (whereas DataRequest has the authz parameter).
relevant. An implementation might use a security token internally,
but that's outside the scope of the spec.
What is important is whether a proxied render (type="html" w/@href)
needs to be signed when it requests viewer or owner data. IMO, yes.
2: DataRequest has no information explaining what happens for a POST. A
POST means that data is being passed somewhere. We need something that
can be formatted into a POST in order to actually have the POST be of
any value. Consider reducing the set of supported methods to GET if we
MUST have this tag supported for 0.9. We can figure out POST in v.NEXT
without breaking anyone. Another option: to pass data to a DataRequest
tag, only pass the set of tags nested within the <DataRequest>
</DataRequest> tags to the endpoint.
3: DataRequest needs some text explaining how we will pass things like
{Owner.ID} in a GET request. Alternatively, we can say that integration
with other data is not possible in 0.9 and leave this problem for later.
I doubt that this is useful. Suggestion-- move Dynamic Parameters into
the spec proper as opposed to an issue to resolve at implementation. If
we implement #2 as suggested, then we can punt on passing parameters in
a URL to v.NEXT.
Data pipelining will support a limited subset of the expression language used in OpenSocial templates (based on JSP EL):
Possible resolutions for the open items....
POSTing data in <os:DataRequest>
<os:DataRequest> has @method="post", which is confusing because there is no way to specify the content to POST.
The goal of this was to support key/value parameters that might extend beyond the URL length limits for GETs, and not to support arbitrary POST content. I think this is an important use case, especially with Dynamic Parameters, so I updated the spec to allow for a separate "@params" attribute. This has a bit of duplication with the @href (both can contain params), but the flexibility to specify POST is something that I'd like to keep and I couldn't see a cleaner way. The change:
Signing of the POSTed data for proxied content
- @params {string} Additional URL parameters, of format "a=b&c=d". Optional.
- @method {string} HTTP method to use, one of "get" or "post". Defaults to "get". Optional.
- If method is "post", than the "@params" parameters are sent as POST content. If method is "get", then the params are appended to the URL.
- Note that POSTing arbitrary content is not supported.
I think we need to make sure that a malicious party can't spoof a different set of friends to get access to data. I think the right soution to this may be to support a parameter that states whether the container generated this request vs. the JavaScript - the only reason way a malicious party can spoof a request is if they can generate an equivalent gadgets.io.make.request(). I'm going to start a separate thread on this.
TBD in DataRequest
This was addressed with Louis' edit to add the makeRequest parameters of @sign_owner and @sign_viewer.
Dynamic params
Seems that people feel this is required, so moved up to the proposal. Text is:
Data pipelining will support a limited subset of the expression language used in OpenSocial templates (based on JSP EL):
- Expressions of format ${A.B} will be supported, where "A" is the key and "B" is the property.
- The key "ViewParams" is reserved and refers to the parameters passed into the gadget rendering, equivalent to [gadgets.views.getParams()]
- Keys can also map to earlier items in the data pipeline. You can get a viewer and then pass the ID to successive requests.
- <os:PeopleRequest> has a special implicit property, "ids", which is used to send along a comma-delimited list of the IDs returned. This is required to enable passing of friends lists.
Note that we will likely still run into issues during implementation, but this at least gives us a starting point
Signing
There was a suggestion that we MUST require that proxied requests with viewer / owner are signed. I think this is already covered in http://wiki.opensocial.org/index.php?title=Data_Pipelining#Proxied_content
"Elements in a data pipeline referencing the viewer (via @viewer, @me) will return a 403 (Forbidden) error response if the container is unable to also send the opensocial_viewer URL parameter to the 3rd party server. The same holds true for @owner and opensocial_owner URL parameter. "
We've been tossing around a few different syntaxes for how to sign, so I had the text refer to the actual signed parameters that will be sent to the 3rd party server. Let me know if this makes sense
os:DataRequest vs os:RpcRequest
I agree with Adam's comments. How do people feel about splitting into:
- <os:MakeRequest> for makeRequest() equivalent calls
- <os:DataRequest> for RPC data request calls?
(note - "RpcRequest" felt a little off, as it expands to "remote procedure call request")
On Tue, Nov 25, 2008 at 10:51 AM, Evan Gilbert <uid...@google.com> wrote:Possible resolutions for the open items....
POSTing data in <os:DataRequest>
<os:DataRequest> has @method="post", which is confusing because there is no way to specify the content to POST.
The goal of this was to support key/value parameters that might extend beyond the URL length limits for GETs, and not to support arbitrary POST content. I think this is an important use case, especially with Dynamic Parameters, so I updated the spec to allow for a separate "@params" attribute. This has a bit of duplication with the @href (both can contain params), but the flexibility to specify POST is something that I'd like to keep and I couldn't see a cleaner way. The change:
Signing of the POSTed data for proxied content
- @params {string} Additional URL parameters, of format "a=b&c=d". Optional.
- @method {string} HTTP method to use, one of "get" or "post". Defaults to "get". Optional.
- If method is "post", than the "@params" parameters are sent as POST content. If method is "get", then the params are appended to the URL.
- Note that POSTing arbitrary content is not supported.
I think we need to make sure that a malicious party can't spoof a different set of friends to get access to data. I think the right soution to this may be to support a parameter that states whether the container generated this request vs. the JavaScript - the only reason way a malicious party can spoof a request is if they can generate an equivalent gadgets.io.make.request(). I'm going to start a separate thread on this.
TBD in DataRequest
This was addressed with Louis' edit to add the makeRequest parameters of @sign_owner and @sign_viewer.
Dynamic params
Seems that people feel this is required, so moved up to the proposal. Text is:
Data pipelining will support a limited subset of the expression language used in OpenSocial templates (based on JSP EL):
- Expressions of format ${A.B} will be supported, where "A" is the key and "B" is the property.
- The key "ViewParams" is reserved and refers to the parameters passed into the gadget rendering, equivalent to [gadgets.views.getParams()]
- Keys can also map to earlier items in the data pipeline. You can get a viewer and then pass the ID to successive requests.
-1 for this in 0.9. The specific example is not compelling - you can already sign by viewer (or explicitly request the viewer) for all elements. More generally, mapping to earlier items eliminates the possibility of concurrency, unless implementations define a dependency graph, which will get harder when have broader support for JSP EL.
- <os:PeopleRequest> has a special implicit property, "ids", which is used to send along a comma-delimited list of the IDs returned. This is required to enable passing of friends lists.
Don't see the need for this property. os:PeopleRequest has userIds. We need to define type coercion rules, which aren't hard - we have strings and integers, which are obvious, and arrays of strings, which should be coerced using comma-delimited lists.
I don't think this is addressed. makeRequest, Preload, and proxied
content support several parameters for OAuth that haven't been moved
into os:DataRequest.
Maybe we need a content fetching spec? There are multiple parts of
the opensocial spec that all independently describe behavior around
signing and caching of requests. We've got:
gadgets.io.makeRequest: javascript binding
Preload: one XML binding
proxied content: second XML binding
os:DataRequest: third XML binding
We could write a description of opensocial content fetching, then have
those other spots reference it instead of cut and paste.
Cheers,
brian
On Tue, Nov 25, 2008 at 11:06 AM, Adam Winer <awi...@gmail.com> wrote:On Tue, Nov 25, 2008 at 10:51 AM, Evan Gilbert <uid...@google.com> wrote:Possible resolutions for the open items....
POSTing data in <os:DataRequest>
<os:DataRequest> has @method="post", which is confusing because there is no way to specify the content to POST.
The goal of this was to support key/value parameters that might extend beyond the URL length limits for GETs, and not to support arbitrary POST content. I think this is an important use case, especially with Dynamic Parameters, so I updated the spec to allow for a separate "@params" attribute. This has a bit of duplication with the @href (both can contain params), but the flexibility to specify POST is something that I'd like to keep and I couldn't see a cleaner way. The change:
Signing of the POSTed data for proxied content
- @params {string} Additional URL parameters, of format "a=b&c=d". Optional.
- @method {string} HTTP method to use, one of "get" or "post". Defaults to "get". Optional.
- If method is "post", than the "@params" parameters are sent as POST content. If method is "get", then the params are appended to the URL.
- Note that POSTing arbitrary content is not supported.
I think we need to make sure that a malicious party can't spoof a different set of friends to get access to data. I think the right soution to this may be to support a parameter that states whether the container generated this request vs. the JavaScript - the only reason way a malicious party can spoof a request is if they can generate an equivalent gadgets.io.make.request(). I'm going to start a separate thread on this.
TBD in DataRequest
This was addressed with Louis' edit to add the makeRequest parameters of @sign_owner and @sign_viewer.
Dynamic params
Seems that people feel this is required, so moved up to the proposal. Text is:
Data pipelining will support a limited subset of the expression language used in OpenSocial templates (based on JSP EL):
- Expressions of format ${A.B} will be supported, where "A" is the key and "B" is the property.
- The key "ViewParams" is reserved and refers to the parameters passed into the gadget rendering, equivalent to [gadgets.views.getParams()]
- Keys can also map to earlier items in the data pipeline. You can get a viewer and then pass the ID to successive requests.
-1 for this in 0.9. The specific example is not compelling - you can already sign by viewer (or explicitly request the viewer) for all elements. More generally, mapping to earlier items eliminates the possibility of concurrency, unless implementations define a dependency graph, which will get harder when have broader support for JSP EL.
How do we pass along viewer/owner friends? I think this would be a common use case.
- <os:PeopleRequest> has a special implicit property, "ids", which is used to send along a comma-delimited list of the IDs returned. This is required to enable passing of friends lists.
Don't see the need for this property. os:PeopleRequest has userIds. We need to define type coercion rules, which aren't hard - we have strings and integers, which are obvious, and arrays of strings, which should be coerced using comma-delimited lists.
This is for the previous item - hard to pass a list of friends otherwise, as you only have person JSON objects.
Very open to alternate suggestions for this use case - this was my best guess at a solution.
@Evan - Can you give an example of "Keys can also map to earlier items in the data pipeline. You can get a viewer and then pass the ID to successive requests."?
@Adam - Can you expand on the "possibility of concurrency"? (sounds like an O'Bama book to me =P)
On Evan's behalf, I believe he was referring to something like this:<os:PersonRequest key="user" userid="@me"/>
<script type="text/os-data">
<os:DataRequest key="scores" href="http://developersite.com/getscores?user=${user}"/>
</script>