What is a Capability URL
(and why do I care?)
Dan Appelquist (@torgo)

Open Web Advocate, Telefónica Digital
Telefónica Digital
http://blog.digital.telefonica.com - @tefdigital
Firefox OS
http://firefoxos.com
W3C Technical Architecture Group
“The TAG” http://w3.org/tag - @w3ctag
Jeni Tennison
Technical Director of the ODI
http://theodi.org
@jenit
Capability URLs
“Cool URIs Don’t Change”
- Tim Berners-Lee
http://www.w3.org/Provider/Style/URI.html
Footnote: What’s the difference between a URI and a URL?
• In theory: URLs are a subset of URIs
• In practice: they are used interchangeably
• In reality: anyone who uses the term URI probably spends too much time around Web Standards wonks
Cool URLs Don’t Change
…but…
Not all URLs are cool
Some URLs are hot!
Sorry.
So what’s a hot URL?
• Something that provides a set of unique capabilities
• Access control - a key
• Ephemeral resources
Examples, please?
• Password resets: “Your password has expired. Click here to reset it.”
• Video chats: “The video conference is on https://opentokrtc.com/xyz...”
• Polls: “Send this link to anyone you wish to invite: http://doodle.com/xyz....”
• Github GISTs
• Google Calendar private URLs
• iCloud sharing
Reasons to Use
• No login required
• Easy to pass on

Reasons to Be Careful
• No login required
• Easy to pass on
URLs Aren’t Designed to be Secret
• It appears in the address bar (usually)
• It appears in log files - e.g. proxy logs
• If it’s passed on once it can be passed on again
Also, Web Architecture Says “No”
• Using multiple URLs for the same resource runs contrary to documented good practice:
  “Good practice: Avoiding URI aliases: A URI owner should not associate arbitrarily different URIs with the same resource.”
  (Source: Architecture of the World Wide Web, Volume One: http://www.w3.org/TR/webarch/)
• However, the rationale for this is based on sharing: it’s better for everyone linking to, or talking about, the same resource to use the same URL.
• Capability URLs are oriented around limited sharing. In these circumstances, having multiple aliases is not an issue.
Recommendations for Use
• Only use:
  • to avoid the need for users to log in to perform an action
  • to make it easy for those with whom you share URLs to share them with others
  • to avoid authentication overheads in APIs.
• Capability URLs should be https URLs - lowers possibility of exposure
• Pages that inform users of capability URLs should also be https
• Capability URLs should expire
• Pages accessed through a capability URL should not include links to third-party websites, or to third-party scripts
  • If they do, they should include rel="noreferrer"
• Capability URLs should be revokable - e.g. by the user who created them
• Capability URLs must be unique and should be unguessable
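The recommendations above in working code, as an added example that is not part of the original slides or of the TAG's own work: a small Python service that issues unique, unguessable https capability URLs, expires them, lets the creator revoke them, stores only a hash of the token, and redacts the token before it reaches a log line. The origin example.invalid, the class and function names, and the sample actions are all assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Hypothetical origin for issued URLs; https only, as the slides recommend.
BASE = "https://example.invalid/cap/"


@dataclass
class Capability:
    action: str          # the one action this URL grants, e.g. "password-reset"
    subject: str         # what it applies to, e.g. a user id or a poll id
    expires_at: float    # unix time; capability URLs should expire
    single_use: bool     # a password reset is consumed on first use
    revoked: bool = False
    used: bool = False


class CapabilityUrlService:
    """Issues, redeems and revokes capability URLs (constructed in-memory store)."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        # Keyed by SHA-256 of the token, so a copy of the store yields no live URLs.
        self._caps: Dict[str, Capability] = {}

    @staticmethod
    def _token_of(url: str) -> str:
        # The secret is the last path segment of the URL.
        return urlsplit(url).path.rsplit("/", 1)[-1]

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, action: str, subject: str, single_use: bool = False,
              now: Optional[float] = None) -> str:
        """Mint a unique, unguessable URL: 32 CSPRNG bytes (256 bits) per token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._caps[self._hash(token)] = Capability(
            action, subject, now + self.ttl, single_use)
        return BASE + token

    def redeem(self, url: str, action: str,
               now: Optional[float] = None) -> Tuple[bool, str, Optional[str]]:
        """Return (ok, reason, subject); each refusal has a distinct reason to log."""
        now = time.time() if now is None else now
        cap = self._caps.get(self._hash(self._token_of(url)))
        if cap is None:
            return False, "unknown", None
        if cap.revoked:
            return False, "revoked", None
        if now >= cap.expires_at:
            return False, "expired", None
        if cap.action != action:
            return False, "wrong-action", None   # the key opens one door only
        if cap.single_use and cap.used:
            return False, "already-used", None
        cap.used = True
        return True, "ok", cap.subject

    def revoke(self, url: str) -> bool:
        """Let the creator invalidate a URL that has already been passed on."""
        cap = self._caps.get(self._hash(self._token_of(url)))
        if cap is None:
            return False
        cap.revoked = True
        return True


def redact(url: str) -> str:
    """Strip the secret segment before a capability URL reaches a log or proxy line."""
    parts = urlsplit(url)
    head, _, _ = parts.path.rpartition("/")
    return urlunsplit((parts.scheme, parts.netloc, head + "/[redacted]", "", ""))


if __name__ == "__main__":
    svc = CapabilityUrlService(ttl_seconds=600)
    t0 = 1_700_000_000.0                       # constructed clock value
    reset = svc.issue("password-reset", "user-42", single_use=True, now=t0)
    print("issued", redact(reset))             # the token itself is never printed
    print(svc.redeem(reset, "password-reset", now=t0 + 60))   # (True, 'ok', 'user-42')
    print(svc.redeem(reset, "password-reset", now=t0 + 61))   # (False, 'already-used', None)
    invite = svc.issue("poll-invite", "poll-7", now=t0)
    print(svc.redeem(invite, "poll-invite", now=t0 + 601))    # (False, 'expired', None)
```

The constructed clock values make expiry deterministic; a real deployment would also bind the issued URL to a TLS-only origin and set rel="noreferrer" on any outbound link from the page it unlocks.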
Be aware of when you are using this pattern.
Employ best practices.
Remember: URLs are the fundamental architectural
building block of the web. Use with care.
Capability URLs
Many care
Such powerful

Very not break Web

Wow.
Thanks!
Keep up with our ongoing work in this space:

http://w3ctag.github.io/capability-urls/
Formal feedback round coming soon, but feel free to
weigh in on GitHub (github.com/w3ctag) or on our
mailing list www-tag@w3.org (also holds true for
anything else the TAG is working on).
Dan Appelquist @torgo

W3C TAG @w3ctag
