<br><br><div class="gmail_quote">On Fri, Apr 11, 2008 at 1:37 PM, Eben Eliason <<a href="mailto:eben.eliason@gmail.com">eben.eliason@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="Ih2E3d">On Fri, Apr 11, 2008 at 11:15 AM, Bert Freudenberg <<a href="mailto:bert@freudenbergs.de">bert@freudenbergs.de</a>> wrote:<br> ><br> >  On 11.04.2008, at 07:12, Eben Eliason wrote:<br> >  > On Fri, Apr 11, 2008 at 10:03 AM, Jameson Chema Quinn<br> >  > <<a href="mailto:jquinn@cs.oberlin.edu">jquinn@cs.oberlin.edu</a>> wrote:<br> >  >> I'm assuming that the data would only go one way. In that case, the<br> >  >> permission would be, an app without P_NETWORK would not be able to<br> >  >> request<br> >  >> opening of apps with P_NETWORK. No new permissions needed, just<br> >  >> careful<br> >  >> attention to the ones we have.<br> >  ><br> >  > Sorry, I'm not sure I understand this particular requirement.  The<br> >  > activity launched will be completely isolated from that which<br> >  > requested it.  Why would we need to make this statement hold?  If I<br> >  > have, for instance, chosen to trust my web browser to use P_NETWORK,<br> >  > then why should it matter that it was asked to launch by something<br> >  > that didn't?<br> ><br> ><br> >  Because a malicious activity could encode a private document as URL<br> >  and have the browser go to that URL, which would send it to any server<br> >  on the internet.<br> <br> </div>Well, isn't that interesting.  You have a point, there, and I don't<br> see any good way around it.<br> <div class="Ih2E3d"></div></blockquote><div><br>One way would be to launch an instance of Browse without P_NETWORK (and, of course, with a virgin configuration, which was deleted after running). You could view your document locally, and P_NETWORK would not be violated.<br> <br>If, in fact, this use case is considered important enough to be worth the effort. I'd say that watching P_NETWORK as I suggested originally would be a good enough first-pass solution that probably we'd never get a second pass.<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br> </div>Well, perhaps a permission is in fact needed then.  Of course, I still<br> see that there could be worth in a service which allows activities to<br> launch others.  Perhaps the Develop activity eventually wants to<br> launch an SVG editor for its icon.  Perhaps Write wants to be able to<br> embed links to other projects (as was initially mentioned as the use<br> case) for writing tutorials.  I'm not sure how to accomplish this.<br> <font color="#888888"><br> - Eben</font></blockquote><div><br>Note that these use-cases can be done with the P_NETWORK scheme - assuming that, instead of writing your tutorials in Write, you do it in Blog (which may indeed by a special case of Browse), which makes more sense anyway. (Yes, I am proposing a url format for activity launching - this is safe, since the originating app would have P_NETWORK.)<br> <br>Jameson<br></div></div><br>