WebAPI/WidgetAPI
< WebAPI
Jump to navigation
Jump to search
Goals
The widget API allows privileged APPs have ability to embed APPs in their own iframe, i.e. homescreen, lockscreen ....etc.
Use case
Proposal
embed-widgets bug 1005818
In order to expose to privileged APPs and consider security issue.
- "embed-widgets" is a new permission for "mozapp" attribute, it comes from 'embed-apps' but is more restricted.Disallow some of Browser API that embedder can not receive events and use those.
- Set manifest entry in "widget" attribute.
<iframe mozapp="manifesturl" widget="mywidget1">
extend manifest.webapp
Declare details of widget in mainfest.
{
name: "MyApp2000",
...
widgets: {
"mywidget1": {
href: "widget.html"
positions: ["homescreen", "lockscreen"]
description: "This is my cool widget"
},
"myotherwidget": { ... }
}
}
Restriction
Issues under discussion
Browser API
Need to clarify which methods/Events are safe or unsafe.
Safe
- Performance methods
- setVisible()
- getVisible()
- purgeHistory()
- Navigation methods
- reload()
- stop()
- Event methods
- sendMouseEvent()
- sendTouchEvent()
- addNextPaintListener()
- removeNextPaintListener()
- Events
- mozbrowserasyncscroll
- mozbrowserclose
- mozbrowsererror
- mozbrowsericonchange
- mozbrowserloadend
- mozbrowserloadstart
- mozbrowserlocationchange
- mozbrowsertitlechange
- mozbrowseropensearch
Unsafe
- getScreenshot()
- Navigation methods
- getCanGoBack()
- goBack()
- getCanGoForward()
- goForward()
- Events
- mozbrowserusernameandpasswordrequired
- mozbrowseropenwindow (i.e. window.open)
- mozbrowsershowmodalprompt (i.e. alert(), confirm(), prompt())
- mozbrowsercontextmenu
- mozbrowsersecuritychange