Be able to use a LocalServer on one domain to store static resources, with subdomains able to use this without having to popup Gears permission prompts over and over

[GoogleCodeExporter]

This request comes from WordPress.

In the WordPress + Gears integration of using LocalServer to speed up
commonly accessed static resources, WordPress likes to store all of their
static resources on a single domain, such as s.wordpress.com. Then, a
user's blogs are on subdomains, such as myblog1.wordpress.com and
myblog2.wordpress.com.

Many users have multiple blogs. They would like to indicate on one blog
that they want to speed things up, such as on myblog1.wordpress.com, and
then have that speedup work on their other blogs, such as
myblog2.wordpress.com. However, right now a user has to work through the
Gears permission prompt on every one of their blogs that are on separate
sub-domains.

Brad explained that this is due to security:

"This might not be possible from a security standpoint. Imagine I have a
hosting service like Google Sites, with sites.google.com being the main
domain, and alice.sites.google.com being a subdomain created by a
third-party user. Just because a user gives permission to
sites.google.comdoesn't mean they want to give permission to
alice.sites.google.com"

Brad suggested using a cross-domain worker hosted on s.wordpress.com, but
that still shows security prompts. This RFE is opened to see if anyone has
a creative solution to this problem that doesn't sacrifice security.

Andrew at WordPress suggested that one possible solution is to be able to
specify multiple subdomains or a subdomain pattern or wildcard in the
manifest file.

Original issue reported on code.google.com by bradneub...@gmail.com on 23 Jul 2008 at 11:25

[GoogleCodeExporter]

What are the security concerns beyond what's normally raised by allowing 
Javascript
or embeds like Flash? Are there special things which Gears enables that are 
dangerous?

There might be good examples to follow here in the way that cookies are set, 
with
optional sub-domain availability which should solve security concerns.

Flash also has a cross-domain model.

It's a separate discussion, but imagine the boost to web-wide performance that 
could
be gained if widgets, stats JS, adsense, and such could be served from 
LocalServer
even if the linking website wasn't Gears-enabled.

Original comment by mmm...@gmail.com on 24 Jul 2008 at 2:32

[GoogleCodeExporter]

Brad, there's a lot of discussion up there, can you help pin down the exact 
feature
request?

I think the hope is to grant permission to a.com, and then not need a security 
dialog
for b.com.  However, since a.com and b.com are different security origins, 
there is
no way for Gears to do that automatically.

The way to achieve this is for a.com to grant permission to b.com.  That is 
already
possible, using cross-origin workers.

One other solution I've seen: if foo.wp.com/admin redirected to 
admin.wp.com/foo/,
then only admin.wp.com would need permissions.

Original comment by gears.te...@gmail.com on 24 Jul 2008 at 8:00

• Added labels: Type-Enhancement
• Removed labels: Priority-Medium, Type-Defect

[GoogleCodeExporter]

Hi Chris, here is the request boiled down:

I have all my static resources on static.wordpress.com. On 
myblog1.wordpress.com I
indicate that I want to store things in the LocalServer for 
static.wordpress.com, get
the permission prompt, and say OK. Then, on my second blog at 
myblog2.wordpress.com I
would like to have the _same_ performance improvements in LocalServer for
static.wordpress.com without another Gears permission dialog. I suggested
cross-domain workers but they don't solve the problem -- you still get the 
permission
dialog on both myblog1 and myblog2.

Original comment by bradneub...@gmail.com on 1 Aug 2008 at 5:43

[GoogleCodeExporter]

I'm afraid I don't see any good way to do that.  It would require breaking the
same-origin security model.

* WARNING: Granting permission via cross-origin workers may not work as you're
expecting.  Let's say myblog1 grants permission to static, and static captures 
its
resources.  From there, _all_ requests to captured pages on 
static.wordpress.com will
come from LocalServer -- even when requested by myblog2, which hasn't granted
permission yet!

In other words, myblog2 needs permission to call Gears APIs, but static already 
has
permission and has captured (and is serving) resources.

* NOTE: The 'HTML5 Offline Apps' spec will let you capture resources in another
domain without a security prompt.  In that case, the resources are only served 
when
requested _from_ the page that captured them.  However, I don't know if the 
spec says
whether an implementation can re-use already captured files, or if it must 
capture
them again from each origin.

Original comment by gears.te...@gmail.com on 1 Aug 2008 at 6:05

• Changed state: WontFix

[GoogleCodeExporter]

Hi Chris, it sounds like what you suggest is actually the workaround: once
static.wordpress.com has been captured, even if I'm on myblog2.wordpress.com it 
is
still 'accelerated'. The one issue is that there is no way to detect from 
myblog2
that everything is already captured without giving a security prompt, is that 
correct? 

Original comment by bradneub...@gmail.com on 1 Aug 2008 at 6:34

[GoogleCodeExporter]

> The one issue is that there is no way to detect from myblog2
> that everything is already captured without giving a security prompt,
> is that correct?

That is correct.  However...

If you only want to cache content on static.wordpress.com, I'd suggest not even
asking for Gears permission on myblog1 or myblog2.  You should be able to load a
resource static.wordpress.com in an iframe, right?  That's the "right" approach 
to
this problem.

Original comment by gears.te...@gmail.com on 1 Aug 2008 at 11:32

[GoogleCodeExporter]

I'm not sure if an iframe is the right approach. WordPress uses a LocalServer to
cache all of the admin UI, which can't really be served from an iframe on
myblog1.wordpress.com and myblog2.wordpress.com. An iframe would be akward.

Original comment by bradneub...@gmail.com on 1 Aug 2008 at 11:39

[GoogleCodeExporter]

I'm only saying to use it for requesting permission for static.wordpress.com, 
and
then calling into LocalServer.

Original comment by gears.te...@gmail.com on 1 Aug 2008 at 11:58

[GoogleCodeExporter]

That would work well if the browser sees the content as coming from one main 
server.
However on WordPress.com (and probably other large sites) the browser sees the
content as coming from blog1.wordpress.com, blog2.wordpress.com, etc.

What we were trying to accomplish was to have Gears ask for permission for the 
main
domain, then use the captured files on the sub-domains too without needing 
second
permission. 

This is similar to giving permission to site.com and then using the captured 
content
on site.com/user1/, site.com/user2/, etc. (the current behavior). So giving
permission to site.com would use the captured content on user1.site.com,
user2.site.com, etc. without asking for new permission on each sub-domain.

Of course user1.site.com can have a different store and capture different 
content
that will only be used on that sub-domain.

Original comment by aozem...@gmail.com on 2 Aug 2008 at 7:26