This specification defines a process and a document format to allow a user agent to update an installed widget package with a different version of a widget package. A widget cannot automatically update itself; instead, a widget relies on the user agent to manage the update process.

User agents that wish to extend this specification in any way are encouraged to discuss their extensions on a public forum, such as public-webapps so their extensions can be considered for standardization.

This specification is part of the Widgets Family of Specifications.

This specification takes into account the recommendations from the Widget Updates Patent Advisory Group and considering the set of prior art the Patent Advisory Group found.

To exit the Candidate Recommendation (CR) stage, the following criteria must have been met:

Introduction

There are a multitude of reasons why an author of might want to update an application including:

Sometimes an author may even want to revert back to a previous version of an application, if it is found that a newly deployed version of a application contains issues or vulnerabilities.

To facilitate the process of updating widgets, this specification introduces an XML element, called an update description source, that is included as an Extension to the Configuration Document of a widget package. This specification also introduces a new XML vocabulary, called an update description document. The update description source provides an author with a means to point to an update description document.

An update description document is metadata about a widget update including:

If a user agent determines, after Acquiring an Update Description Document and during Processing an Update Description Document, that two widget packages are not the same version, and if the user consents, the user agent will attempt to replace the currently installed widget with the potential update. Updates are designed to retain any locally stored data, so to protect end-users from losing data that a widget may have stored at runtime.

A user agent must support the capability to acquire an update description document over HTTP protocols. For non-HTTP protocols, UAs should act in equivalent ways.

This specification also discusses the Security Considerations that are left up to the discretion of implementers.

This specification defines conformance requirements for a single class of product: user agents.

Definitions

The concepts of a widget package, a configuration document, a valid IRI, a version attribute, user agent locales, global attributes and the definition that one element is allowed per language are defined in the [[!WIDGETS]] specification.

A user agent is an implementation of this specification that also implements the [[!WIDGETS]] specification and its dependencies.

An installed widget is a widget package [[!WIDGETS]] that has been correctly installed and currently resides on or within a user agent.

An update description source is the URI pointing to the location of an update description document.

An update description document is an [[!XML10]] document that has a update-info element at its root.

An update source is the URI referenced by the src attribute of an update-info element within an update description document.

A potential update is a resource acquired via HTTP (from an update source) or from local media.

The widget update process is a multi-step process whereby a user agent acquires a potential update, performs the rule for verifying a widget update, and then proceeds to install the widget package.

The identity of a widget package [[!WIDGETS]] is determined by the id attribute of the widget element declared by an author in the configuration document [[!WIDGETS]] of a widget package [[!WIDGETS]].

The version of a widget package [[!WIDGETS]] is determined by the version attribute of the widget element declared by an author in the configuration document [[!WIDGETS]] of a widget package [[!WIDGETS]].

An incumbent widget is an installed widget that is determined to have the same identity as the potential update.

An installed widget is said to be up-to-date if a user agent determines that an incumbent widget does not need updating.

A failure notification is an optional message emitted by the user agent to indicate to the user that a widget update has failed.

Note: This specification does not define the means or format of a failure notification, which is left up to implementers.

Update Extensions to Widget Configuration Documents

This specification introduces a new element, called the update-description element, for inclusion in a widget's configuration document [[!WIDGETS]].

The update-description Element

The update-description element points, via the href attribute, to an update description document.

The update-description element is in the http://www.w3.org/ns/widgets namespace as defined in [[!WIDGETS]].

Context in which this element is used:
As a child of the widget element defined in the [[!WIDGETS]] specification.
Content model:
Empty.
Occurrences:
Zero or one.
Expected children:
None.
Localizable via xml:lang:
No.

Attributes

href
A valid IRI [[!WIDGETS]] that points to the location of an update description document.

Usage example

This example shows the expected usage of the update-description element.

<widget xmlns  ="http://www.w3.org/ns/widgets" 
        id     ="http://example.com/my-widget" 
        version="1.0">

<update-description 
   href="http//example.com/update?widget=my-widget&amp;version=1.0"/>

</widget>

Processing update-description elements in the Configuration Document

The user agent MUST process a configuration document [[!WIDGETS]] containing an update-description element according to the rule for processing the update-description element.

The rule for processing the update-description element is defined as follows.

  1. A user agent MUST add the following to the Table of Configuration Defaults [[!WIDGETS]] during Step 3 - Set the Configuration defaults.
Table of Configuration Defaults (addendum)
Variable Type Default Value Overridden in Description
update href URI null Processing update-description elements in the Configuration Document The URI for where the widget's update description document can be downloaded, corresponding to the update-description element's href attribute.

 

  1. During Step 7 - Process the Configuration Document, if this is not the first update-description element, then the user agent MUST ignore this element and its descendants.
  2. If this is the first update-description element and the href attribute is used, and it is a valid IRI [[!WIDGETS]], then let update href be the value of the href attribute. Otherwise, this element is in error and the user agent MUST ignore this element.

The Update Description Document

Within an update description document an author declares, amongst other things, what's new or different in the potential update, the version that the widget will be updated to, and the update source from where the user agent can retrieve the potential update.

The purpose of the update description document is to provide the details about a potential update, including a pointer to a HTTP resource that will act as the potential update.

In order for a user agent to retrieve and process an update description document, an author will initially declare a valid IRI [[!WIDGETS]] for the update-description element in the installed configuration document (e.g. <update-description href="https://example.com/myWidget/updates"/>), as defined in the Update Extensions to Widget Configuration Documents section.

Example Update Description Document

Below is an example of a typical update description document.

<update-info xmlns   = "http://www.w3.org/ns/widgets"
             src     = "https://w.example.com/2.1/RC/app.wgt"
             version = "RC2.1">
  <details xml:lang="en-us">
    Now supporting X, Y and Z features!
  </details>
  <details xml:lang="ar" dir="rtl">
    دعم الآن سين وصاد وعين ملامح
  </details>
  <details xml:lang="pt">
    Agora com suporte a X, Y e Z recursos!
  </details>
</update-info>

Namespace

All elements defined to be used in an update description document are in the http://www.w3.org/ns/widgets namespace as defined in [[!WIDGETS]].

The update-info Element

The update-info element is intended to provide metadata about the potential update. In addition, it serves as a container for the other elements.

Context in which this element is to be used:
The root element of an update description document.
Content model:
Zero or more details elements.
Occurrences:
Exactly one, at the root element of the document.
Expected children:
details.
Localizable via xml:lang:
No.

Attributes

version
A valid version tag that denotes the version number of the potential update.
src
A valid IRI [[!WIDGETS]] that references a potential update. Over the wire, the potential update MUST be labeled with a correct widget media type (i.e. application/widget).

Usage example

The example below shows how the update-info element can be used.

<update-info xmlns="http://www.w3.org/ns/widgets"
             src="http://sometld/somewidget_0_3_BETA.wgt"
             version="BETA 0.3">
           
</update-info>

The details Element

The details element represents a human-readable description of what differentiates this potential update from other versions.

Context in which this element can be used:
Inside a update-info element.
Content model:
Anything.
Occurrences:
Zero or more.
Expected children:
Anything.
Localizable via xml:lang:
Yes (one element is allowed per language).

All global attributes [[!WIDGETS]], in particular xml:lang and dir attributes, can be applied to this element.

Usage example

The example below shows how the details element can be used.

<update-info xmlns="http://www.w3.org/ns/widgets"
             src="http://foo.com/widget.wgt"
             version="1.3.1">
  <details>
    This update tries to make 2010 a little bit less like 1984.
  </details>
  <details xml:lang="pt">
    Esta atualização tenta fazer de 2010 um pouco menos parecido com 1984.
  </details>
  <details xml:lang="ar" dir="rtl">
    يحاول هذا التحديث لجعل 2010 أقل قليلا مثل 1984.
  </details>
</update-info>
       

Acquiring an Update Description Document

It is expected that user agents will perform a widget update process asynchronously and periodically check for any available updates. The timing of any widget update process is an implementation detail left to the discretion of the implementer (e.g. once a day or once a week).

To check for updates to a widget, the user agent issues a HTTP request towards the update description source.

The user agent MUST send the last known ETag response value, if available, in an If-None-Match header.

The user agent MUST send an If-Modified-Since header indicating the time of the last check for an update from the user agent.

The user agent MUST send an Accept-Language header representing the widget's locale.

As data is received, the user agent will then act as follows.

The user agent MUST ignore any Cache-Control or Pragma header with a value of no-cache.

The user agent MUST honor the value of any Expires header when scheduling the next widget update process for the current installed widget.

The user agent MUST process HTTP 200 OK responses, with a Content-Type header specifying the type application/xml, according to the rules defined in Processing an Update Description Document.

The user agent MUST terminate the widget update on HTTP 200 OK responses that have a Content-Type other than application/xml.

On receiving HTTP 204 No Content, 205 Reset Content, and 304 Not Modified responses, the user agent MUST terminate the widget update.

On receiving HTTP response codes in the 2xx range, other than HTTP 200 OK, the user agent MUST terminate the widget update. They are, however, likely to indicate an error has occurred somewhere and may cause the user agent to emit a warning.

On receiving HTTP 301 Moved Permanently, 302 Found, 303 See Other, and 307 Temporary Redirect responses, the user agent MUST reconnect using the new server specified URL instead of the previously specified URL.

The user agent SHOULD treated HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required responses transparently as for any other subresource.

On receiving an HTTP 410 Gone response, the user agent must terminate the widget update and remove the installed widget.

Any other HTTP response code not listed here, and any network error that prevents the HTTP connection from being established in the first place (e.g. DNS errors), must cause the user agent to terminate the widget update.

 

Processing an Update Description Document

A user agent MUST assume the following defaults prior to processing an update description document:

Update Defaults
Variable Type Default value Description
update-source URI null  
version-tag DOMString null  
details DOMString null  

A user agent MUST process an update description document according to the rule for processing an update description document.

The following processing model is written with more concern for clarity over efficiency. As such, a user agent can optimize the processing model so long as the end result is indistinguishable from the result that would be obtained by following the specification.

The term in error, typically used on an element or attribute, means that the element, attribute, or other construct does not conform to the rules of this specification. Rules for exactly how a user agent needs to treat the erroneous construct are always given when the term is used.

When an invalid update description document is determined then the user agent MUST terminate the widget update.

The rule for processing an update description document is defined as follows:

  1. Let doc be the result of parsing the acquired update description document as a [[!DOM-LEVEL-3-CORE]] Document using a [[!XML-NAMES]]-aware parser. If the document is not well-formed [[!XML10]], then treat this as an invalid update description document.
  2. Let root element be the documentElement of doc.
  3. If the root element is not a update-info element in the widget namespace, then treat this update description document as an invalid update description document.
  4. If the root element is a update-info element:
    1. If the version attribute was used, and it is a valid version attribute [[!WIDGETS]], then let version-tag be the value of version.
    2. If no version attribute was used, or the value was in error, treat this as an invalid update description document.
    3. If the src attribute was used, and it is a relative URL, then let update-source be the absolute valid IRI [[!WIDGETS]] value of src relative to the current update description document's IRI.
    4. If the src attribute was used, and it is an absolute valid IRI [[!WIDGETS]], then let update-source be the value of src.
    5. If no src attribute was used, or the value was in error, treat this as an invalid update description document.
  5. For any child element of the root element:
    1. If the child element is a details element:
      1. If this is not the first details element, in document order, that matches a language range in the user agent locales; or, if no details element in the document matches the user agent locales and this is not the first element; then the element is in error and MUST be ignored.
      2. Let details be the result of applying the rule for getting text content [[!WIDGETS]] to this element.
    2. Otherwise it MUST be ignored.

 

Verifying and Installing an Update

When a user agent is to install the widget package it is to remove the installed widget and then add the potential update as an installed widget.

When a user agent is to remove the installed widget it is to disable the current incumbent widget, if it exists. The user agent may also physically remove the incumbent widget from the device. The user agent may emit a notification warning that the incumbent widget is being removed.

When a user agent is to terminate the widget update it is to terminate the current widget update process. The user agent may emit a failure notification warning that the widget update has been terminated.

To verify and install a potential update the user agent must apply the rule for verifying a widget update.

The rule for verifying a widget update enables a user agent to match and verify a potential update - acquired via HTTP or from local media - with an installed widget package [[!WIDGETS]] and is defined as follows:

  1. Apply the steps for processing a widget package [[!WIDGETS]] to the obtained potential update.
  2. If an incumbent widget could not be found then skip the rest of this rule and install the widget package.
  3. If the incumbent widget has the same version as the potential update then the installed widget is up-to-date and the user agent MUST terminate the widget update.
  4. If the potential update is determined to be a digitally-signed widget package when applying the rules for signature validation [[!WIDGETS-DIGSIG]] then the user agent will act as follows:
  5. If the potential update is determined not to be a digitally-signed widget package when applying the rules for signature validation [[!WIDGETS-DIGSIG]] then the user agent will act as follows:
  6. The user agent MUST install the widget package.

Security Considerations

Because an update description document is not self-contained, it is conceivable that the update model could be subject to a man-in-the-middle attack, as with any unencrypted requests performed over [[HTTP11]]. For this reason, it is RECOMMENDED that, for widgets that have not been digitally signed, updates are always performed over [[HTTP-TLS]].

Another means of protection is for authors to always digitally sign their widget resources. During an update, the user agent will then validate the signature before installation, ensuring that a widget resource's identity and integrity was maintained over the network.

An authoritative update URI is an update description source referenced in the href attribute of an update-description element within an installed widget's configuration document [[!WIDGETS]].

Without the availability of a digitally signed installed widget, it is extremely easy to overwrite a widget resource with another (potentially malicious) widget resource. Therefore it is RECOMMENDED that a user agent only allow updates to a signed installed widget or to a non-signed installed widget only from a potential update obtained via its authoritative update URI.

Design Goals and Requirements

This document addresses the Remote and Local Updates the requirement of the 30 April 2009 Working Draft of the Widgets 1.0: Requirements Document (see [[WIDGETS-REQS]]).

Acknowledgements

The editors would like to thank the following contributors (in alphabetical order): Art Barstow, Raine Hillebrand, Hari G Kumar, Scott Wilson.

Special thanks to Robin Berjon for co-editing an early version of this specification.

Thanks to the W3C WebApps WG, and to participants on the public-webapps@w3.org listserv.