This specification defines a process and a document format to allow a user agent to update an installed widget package with a different version of a widget package. A widget cannot automatically update itself; instead, a widget relies on the user agent to manage the update process.
User agents that wish to extend this specification in any way are encouraged to discuss their extensions on a public forum, such as public-webapps so their extensions can be considered for standardization.
This specification is part of the Widgets Family of Specifications.
This specification takes into account the recommendations from the Widget Updates Patent Advisory Group and considering the set of prior art the Patent Advisory Group found.
To exit the Candidate Recommendation (CR) stage, the following criteria must have been met:
There will be at least two interoperable implementations passing all approved test cases in the test suite for this specification. An implementation is to be available (i.e. for download), shipping (i.e. not private), and not experimental (i.e. intended for a wide audience). The working group will decide when the test suite is of sufficient quality to test interoperability and will produce an implementation report (hosted together with the test suite).
A minimum of three months of the CR stage will have elapsed (i.e. not until after 24 August 2012). This is to ensure that enough time is given for any remaining major errors to be caught. The CR period will be extended if implementations are slow to appear.
There are a multitude of reasons why an author of might want to update an application including:
Sometimes an author may even want to revert back to a previous version of an application, if it is found that a newly deployed version of a application contains issues or vulnerabilities.
To facilitate the process of updating widgets, this specification introduces an XML element, called an update description source, that is included as an Extension to the Configuration Document of a widget package. This specification also introduces a new XML vocabulary, called an update description document. The update description source provides an author with a means to point to an update description document.
An update description document is metadata about a widget update including:
a means to describe the purpose of the update.
a means to indicate the version identifier for the potential update.
a link to where the potential update widget package can be retrieved from.
If a user agent determines, after Acquiring an Update Description Document and during Processing an Update Description Document, that two widget packages are not the same version, and if the user consents, the user agent will attempt to replace the currently installed widget with the potential update. Updates are designed to retain any locally stored data, so to protect end-users from losing data that a widget may have stored at runtime.
A user agent must support the capability to acquire an update description document over HTTP protocols. For non-HTTP protocols, UAs should act in equivalent ways.
This specification also discusses the Security Considerations that are left up to the discretion of implementers.
This specification defines conformance requirements for a single class of product: user agents.
The concepts of a widget package, a configuration document, a valid IRI, a version attribute, user agent locales, global attributes and the definition that one element is allowed per language are defined in the [[!WIDGETS]] specification.
A user agent is an implementation of this specification that also implements the [[!WIDGETS]] specification and its dependencies.
An installed widget is a widget package [[!WIDGETS]] that has been correctly installed and currently resides on or within a user agent.
An update description source is the URI pointing to the location of an update description document.
An update description document is an [[!XML10]] document that has a update-info
element at its root.
An update source is the URI referenced by the src attribute of an update-info
element within an
update description document.
A potential update is a resource acquired via HTTP (from an update source) or from local media.
The widget update process is a multi-step process whereby a user agent acquires a potential update, performs the rule for verifying a widget update, and then proceeds to install the widget package.
The identity of a widget package [[!WIDGETS]] is determined by the id attribute of the widget
element declared by an author in the configuration document [[!WIDGETS]] of a widget package [[!WIDGETS]].
The version of a widget package [[!WIDGETS]] is determined by the version attribute of the widget
element declared by an author in the configuration document [[!WIDGETS]] of a widget package [[!WIDGETS]].
An incumbent widget is an installed widget that is determined to have the same identity as the potential update.
An installed widget is said to be up-to-date if a user agent determines that an incumbent widget does not need updating.
A failure notification is an optional message emitted by the user agent to indicate to the user that a widget update has failed.
Note: This specification does not define the means or format of a failure notification, which is left up to implementers.
update-description
Element
The update-description
element points, via the href attribute, to an update description
document.
The update-description
element is in the http://www.w3.org/ns/widgets
namespace as defined in
[[!WIDGETS]].
widget
element defined in the [[!WIDGETS]] specification.
xml:lang
:
href
This example shows the expected usage of the update-description
element.
<widget xmlns ="http://www.w3.org/ns/widgets"
id ="http://example.com/my-widget"
version="1.0">
<update-description
href="http//example.com/update?widget=my-widget&version=1.0"/>
</widget>
update-description
elements in the Configuration Document
The user agent MUST process a configuration document [[!WIDGETS]] containing an update-description
element according
to the rule for processing the update-description element.
The rule for processing the update-description element is defined as follows.
Variable | Type | Default Value | Overridden in | Description |
---|---|---|---|---|
update href | URI |
null
|
Processing update-description elements in the Configuration Document
|
The URI for where the widget's update description document can be downloaded, corresponding to the update-description element's
href attribute.
|
update-description
element, then the user agent MUST ignore this
element and its descendants.update-description
element and the href attribute is used, and it is a
valid IRI [[!WIDGETS]], then let update href be the value of the href attribute.
Otherwise, this element is in error and the user agent MUST ignore this element. Within an update description document an author declares, amongst other things, what's new or different in the potential update, the version that the widget will be updated to, and the update source from where the user agent can retrieve the potential update.
The purpose of the update description document is to provide the details about a potential update, including a pointer to a HTTP resource that will act as the potential update.
In order for a user agent to retrieve and process an update description document, an author will initially declare a
valid IRI [[!WIDGETS]] for the update-description
element in the installed configuration document (e.g.
<update-description href="https://example.com/myWidget/updates"/>
), as defined in the Update Extensions to Widget Configuration Documents section.
Below is an example of a typical update description document.
<update-info xmlns = "http://www.w3.org/ns/widgets"
src = "https://w.example.com/2.1/RC/app.wgt"
version = "RC2.1">
<details xml:lang="en-us">
Now supporting X, Y and Z features!
</details>
<details xml:lang="ar" dir="rtl">
دعم الآن سين وصاد وعين ملامح
</details>
<details xml:lang="pt">
Agora com suporte a X, Y e Z recursos!
</details>
</update-info>
All elements defined to be used in an update description document are in the http://www.w3.org/ns/widgets
namespace as defined in [[!WIDGETS]].
update-info
Element
The update-info
element is intended to provide metadata about the potential update. In addition, it serves as
a container for the other elements.
details
elements.
details
.
xml:lang
:
version
src
application/widget
).
The example below shows how the update-info
element can be used.
<update-info xmlns="http://www.w3.org/ns/widgets" src="http://sometld/somewidget_0_3_BETA.wgt" version="BETA 0.3"> </update-info>
details
Element
The details
element represents a human-readable description of what differentiates this potential update from
other versions.
update-info
element.
xml:lang
:
All global attributes [[!WIDGETS]], in particular xml:lang and dir attributes, can be applied to this element.
The example below shows how the details
element can be used.
<update-info xmlns="http://www.w3.org/ns/widgets"
src="http://foo.com/widget.wgt"
version="1.3.1">
<details>
This update tries to make 2010 a little bit less like 1984.
</details>
<details xml:lang="pt">
Esta atualização tenta fazer de 2010 um pouco menos parecido com 1984.
</details>
<details xml:lang="ar" dir="rtl">
يحاول هذا التحديث لجعل 2010 أقل قليلا مثل 1984.
</details>
</update-info>
It is expected that user agents will perform a widget update process asynchronously and periodically check for any available updates. The timing of any widget update process is an implementation detail left to the discretion of the implementer (e.g. once a day or once a week).
To check for updates to a widget, the user agent issues a HTTP request towards the update description source.
The user agent MUST send the last known ETag response value, if available, in an If-None-Match header.
The user agent MUST send an If-Modified-Since header indicating the time of the last check for an update from the user agent.
The user agent MUST send an Accept-Language header representing the widget's locale.
As data is received, the user agent will then act as follows.
The user agent MUST ignore any Cache-Control or Pragma header with a value of no-cache
.
The user agent MUST honor the value of any Expires header when scheduling the next widget update process for the current installed widget.
The user agent MUST process HTTP 200 OK responses, with a Content-Type header specifying the type application/xml
,
according to the rules defined in Processing an Update Description Document.
The user agent MUST terminate the widget update on HTTP 200 OK responses that have a Content-Type other than application/xml
.
On receiving HTTP 204 No Content, 205 Reset Content, and 304 Not Modified responses, the user agent MUST terminate the widget update.
On receiving HTTP response codes in the 2xx range, other than HTTP 200 OK, the user agent MUST terminate the widget update. They are, however, likely to indicate an error has occurred somewhere and may cause the user agent to emit a warning.
On receiving HTTP 301 Moved Permanently, 302 Found, 303 See Other, and 307 Temporary Redirect responses, the user agent MUST reconnect using the new server specified URL instead of the previously specified URL.
The user agent SHOULD treated HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required responses transparently as for any other subresource.
On receiving an HTTP 410 Gone response, the user agent must terminate the widget update and remove the installed widget.
Any other HTTP response code not listed here, and any network error that prevents the HTTP connection from being established in the first place (e.g. DNS errors), must cause the user agent to terminate the widget update.
A user agent MUST assume the following defaults prior to processing an update description document:
Variable | Type | Default value | Description |
---|---|---|---|
update-source | URI |
null
|
|
version-tag | DOMString |
null
|
|
details | DOMString |
null
|
A user agent MUST process an update description document according to the rule for processing an update description document.
The following processing model is written with more concern for clarity over efficiency. As such, a user agent can optimize the processing model so long as the end result is indistinguishable from the result that would be obtained by following the specification.
The term in error, typically used on an element or attribute, means that the element, attribute, or other construct does not conform to the rules of this specification. Rules for exactly how a user agent needs to treat the erroneous construct are always given when the term is used.
When an invalid update description document is determined then the user agent MUST terminate the widget update.
The rule for processing an update description document is defined as follows:
Document
using a [[!XML-NAMES]]-aware parser. If the document is not well-formed [[!XML10]], then treat this as an
invalid update description document.
documentElement
of doc.
update-info
element in the widget namespace, then treat this update
description document as an invalid update description document.
update-info
element:
version
attribute was used, and it is a valid version attribute [[!WIDGETS]], then let version-tag
be the value of version
.
version
attribute was used, or the value was in error, treat this as an invalid update
description document.
details
element:
details
element, in document order, that
matches a language range in the user agent locales; or, if no details
element in the document matches the user agent locales and this is not the first element; then the element is in error and MUST be
ignored.
When a user agent is to install the widget package it is to remove the installed widget and then add the potential update as an installed widget.
When a user agent is to remove the installed widget it is to disable the current incumbent widget, if it exists. The user agent may also physically remove the incumbent widget from the device. The user agent may emit a notification warning that the incumbent widget is being removed.
When a user agent is to terminate the widget update it is to terminate the current widget update process. The user agent may emit a failure notification warning that the widget update has been terminated.
To verify and install a potential update the user agent must apply the rule for verifying a widget update.
The rule for verifying a widget update enables a user agent to match and verify a potential update - acquired via HTTP or from local media - with an installed widget package [[!WIDGETS]] and is defined as follows:
Note: The decision of which (if any) distributor signatures are to be validated and whether the author signature is to be validated is out of scope [[WIDGETS-DIGSIG]].
dsp:Identifier
value [[WIDGETS-DIGSIG]] from update_signature with the same
value obtained from the associated incumbent_signature within incumbent_digsigs.
Because an update description document is not self-contained, it is conceivable that the update model could be subject to a man-in-the-middle attack, as with any unencrypted requests performed over [[HTTP11]]. For this reason, it is RECOMMENDED that, for widgets that have not been digitally signed, updates are always performed over [[HTTP-TLS]].
Another means of protection is for authors to always digitally sign their widget resources. During an update, the user agent will then validate the signature before installation, ensuring that a widget resource's identity and integrity was maintained over the network.
An authoritative update URI is an update description source referenced in the href attribute of an
update-description
element within an installed widget's configuration document [[!WIDGETS]].
Without the availability of a digitally signed installed widget, it is extremely easy to overwrite a widget resource with another (potentially malicious) widget resource. Therefore it is RECOMMENDED that a user agent only allow updates to a signed installed widget or to a non-signed installed widget only from a potential update obtained via its authoritative update URI.
This document addresses the Remote and Local Updates the requirement of the 30 April 2009 Working Draft of the Widgets 1.0: Requirements Document (see [[WIDGETS-REQS]]).
The editors would like to thank the following contributors (in alphabetical order): Art Barstow, Raine Hillebrand, Hari G Kumar, Scott Wilson.
Special thanks to Robin Berjon for co-editing an early version of this specification.
Thanks to the W3C WebApps WG, and to participants on the public-webapps@w3.org listserv.