Outline of interfaces for Web Powerbox
Definitions
- Provider URL: this is an unguessable URL.
- This is never exposed to requesters.
- This can be guessable for a shared, public service provider, but we don't expect this to be the common case.
- Service token: a string.
- We leave it unspecified how this is interpreted; there are several options below.
DOM interfaces
Powerbox defines 2 DOM interfaces:
Request service, via <input> element. TODO.
- Offer provider. TODO.
HTTP interface
Powerbox defines only 1 HTTP message, get_service, to send to a provider using POST:
- Arguments (to be appended to provider URL):
requester_id: based on the identity of the requesting page
args_to_provider: from an attribute in the <input> element
- Response contains:
service: a service token
interaction_url: URL to open in a new tab, if the provider was registered as interactive
- We don't need to specify whether this HTTP message includes cookies.
If the provider was registered as interactive, a new tab is opened immediately, but it can only be navigated to interaction_url when the response is received.
- The service token is returned to the requesting page as soon as the response is received.
- Since the service token is returned before the interaction is complete, the requester can treat it as a promise reference.
UMP-based (web-key) services
requester_id is a description of the requester. This can be displayed but not otherwise interpreted by the provider.
- The service token is a URL (unguessable), to which the requester can send UMP messages.
- This can work on the client side or server-to-server.
CORS-based services
requester_id is a domain name.
- The provider can add this domain name to a CORS ACL.
- The service token is a URL (possibly guessable), to which the requester can send CORS requests.
Problems:
- This is vulnerable to confused deputy attacks if the service URL is guessable. The provider could supply a URL from the requester's host of origin, or from a third party host that the requester has rights to access.
- If the service requires cookies, this does not work server-to-server.
iframe-based messaging services
- The service token is a URL (possibly guessable) for an iframe.
- To send messages to the service, the requester creates a hidden iframe on the URL and sends messages to the iframe with postMessage().
- Impractical to use server-to-server. Could only be used this way if the server ran Javascript and a DOM implementation, and the iframe did not require cookies.
img/form-based services
- The service token is a URL (unguessable).
If the service is an image, the requester client can display the image by using the URL in an <img> element. (Normally it will not be possible to fetch the image contents, since the URL will be cross-origin.)
The requester can acquire the image data by asking for it to be sent in a POST to a server. It does this by sending a POST using a hidden <form>, specifying the URL to POST to in an argument.
Allowing multiple messaging types
- A service token could be a list of the above token types.