Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
What is a Capability URL
(and why do I care?)
Dan Appelquist (@torgo)

Open Web Advocate, Telefónica Digital
Telefónica Digital
http://blog.digital.telefonica.com - @tefdigital
Firefox OS
http://firefoxos.com
W3C Technical Architecture Group
“The TAG” http://w3.org/tag - @w3ctag
Jeni Tennison
!
Technical Director of the ODI
http://theodi.org
@jenit
Capability URLs
“Cool URIs Don’t Change”
- Tim Berners-Lee
http://www.w3.org/Provider/Style/URI.html
Footnote: What’s the difference
between a URI and a URL?
•

In theory: URLs are a subset of URIs

•

In practice: they are ...
Cool URLs Don’t Change
…but…
Not all URLs are cool
Some URLs are hot!
Sorry.
So what’s a hot URL?

•

Something that provides a set of unique capabilities

•

Access control - a key

•

Ephemeral res...
Examples, please?
•

Password resets: “Your password has expired. Click here to
reset it.”

•

Video chats: “The video con...
Reasons to Use

•

No login required

•

Easy to pass on
Reasons to Be Careful

•

No login required

•

Easy to pass on
URLs Aren’t Designed to be Secret

•

It appears in the address bar (usually)

•

It appears in log files - e.g. proxy logs...
Also, Web Architecture Says “No”
•

Using multiple URLs for the same resource runs contrary to
documented good practice:
•...
Recommendations for Use
•

Only use:
•

to avoid the need for users to log in to perform an
action

•

to make it easy for...
•

Capability URLs should be https URLs - lowers
possibility of exposure

•

Pages that inform users of capability URLs sh...
•

Pages accessed through a capability URL should not
include links to third-party websites, or to third-party
scripts
•

...
Be aware of when you are using this pattern.
Employ best practices.
Remember: URLs are the fundamental architectural
build...
Capability URLs
Many care
Such powerful

Very not break Web

Wow.
Thanks!
Keep up with our ongoing work in this space:

http://w3ctag.github.io/capability-urls/
Formal feedback round comin...
Upcoming SlideShare
Loading in …5
×

What is a Capability URL (and why do I care?)

6,143 views

Published on

The W3C TAG is working on a set of best practices for capability URLs. What's a capability URL? Glad you asked. This presentation (give at "London Web Standards" on 20 Jan 2014) attempts to explain what a capability URL is and why Web developers should take care when using them. (NB: the first few slides are just speaker introduction.)

Published in: Technology, Design
  • Be the first to comment

What is a Capability URL (and why do I care?)

  1. 1. What is a Capability URL (and why do I care?) Dan Appelquist (@torgo)
 Open Web Advocate, Telefónica Digital
  2. 2. Telefónica Digital http://blog.digital.telefonica.com - @tefdigital
  3. 3. Firefox OS http://firefoxos.com
  4. 4. W3C Technical Architecture Group “The TAG” http://w3.org/tag - @w3ctag
  5. 5. Jeni Tennison ! Technical Director of the ODI http://theodi.org @jenit
  6. 6. Capability URLs
  7. 7. “Cool URIs Don’t Change” - Tim Berners-Lee http://www.w3.org/Provider/Style/URI.html
  8. 8. Footnote: What’s the difference between a URI and a URL? • In theory: URLs are a subset of URIs • In practice: they are used interchangeably • In reality: anyone who uses the term URI probably spends too much time around Web Standards wonks
  9. 9. Cool URLs Don’t Change
  10. 10. …but…
  11. 11. Not all URLs are cool
  12. 12. Some URLs are hot!
  13. 13. Sorry.
  14. 14. So what’s a hot URL? • Something that provides a set of unique capabilities • Access control - a key • Ephemeral resources
  15. 15. Examples, please? • Password resets: “Your password has expired. Click here to reset it.” • Video chats: “The video conference is on 
 https://opentokrtc.com/xyz...” • Polls: “Send this link to anyone you wish to invite: 
 http://doodle.com/xyz....” • Github GISTs • Google Calendar private URLs • iCloud sharing
  16. 16. Reasons to Use • No login required • Easy to pass on
  17. 17. Reasons to Be Careful • No login required • Easy to pass on
  18. 18. URLs Aren’t Designed to be Secret • It appears in the address bar (usually) • It appears in log files - e.g. proxy logs • If it’s passed on once it can be passed on again
  19. 19. Also, Web Architecture Says “No” • Using multiple URLs for the same resource runs contrary to documented good practice: • • However, the rationale for this is based on sharing: • • Good practice: Avoiding URI aliases : A URI owner should not associate arbitrarily different URIs with the same resource.
 (Source: Architecture of the World Wide Web, Volume One: http:// www.w3.org/TR/webarch/) It’s better for everyone linking to, or talking about, the same resource to use the same URL Capability URLs are oriented around limited sharing. In these circumstances, having multiple aliases is not an issue.
  20. 20. Recommendations for Use • Only use: • to avoid the need for users to log in to perform an action • to make it easy for those with whom you share URLs to share them with others • to avoid authentication overheads in APIs.
  21. 21. • Capability URLs should be https URLs - lowers possibility of exposure • Pages that inform users of capability URLs should also be https • Capability URLs should expire
  22. 22. • Pages accessed through a capability URL should not include links to third-party websites, or to third-party scripts • If they do, they should include rel="noreferrer" • Capability URLs should be revokable - e.g. by the user who created them • Capability URLs must be unique and should be unguessable
  23. 23. Be aware of when you are using this pattern. Employ best practices. Remember: URLs are the fundamental architectural building block of the web. Use with care.
  24. 24. Capability URLs Many care Such powerful Very not break Web Wow.
  25. 25. Thanks! Keep up with our ongoing work in this space:
 http://w3ctag.github.io/capability-urls/ Formal feedback round coming soon, but feel free to weigh in on GitHub (github.com/w3ctag) or on our mailing list www-tag@w3.org (also holds true for anything else the TAG is working on). Dan Appelquist @torgo
 W3C TAG @w3ctag

×