Widget Updates

Table of Contents

• 1. Introduction
• 2. Conformance
• 3. Definitions
• 4. Update Extensions to Widget Configuration Documents
  • 4.1 The update-description Element
    • 4.1.1 Attributes
    • 4.1.2 Usage example
  • 4.2 Processing update-description elements in the Configuration Document
• 5. The Update Description Document
  • 5.1 Example Update Description Document
  • 5.2 Namespace
  • 5.3 The update-info Element
    • 5.3.1 Attributes
    • 5.3.2 Usage example
  • 5.4 The details Element
    • 5.4.1 Usage example
• 6. Acquiring an Update Description Document
• 7. Processing an Update Description Document
• 8. Verifying and Installing an Update
• 9. Security Considerations
• A. Design Goals and Requirements
• B. Acknowledgements
• C. References
  • C.1 Normative references
  • C.2 Informative references

2. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words must, must not, required, should, should not, recommended, may, and optional in this specification are to be interpreted as described in [RFC2119].

This specification defines conformance requirements for a single class of product: user agents.

3. Definitions

The concepts of a widget package, a configuration document, a valid IRI, a version attribute, user agent locales, global attributes and the definition that one element is allowed per language are defined in the [WIDGETS] specification.

A user agent is an implementation of this specification that also implements the [WIDGETS] specification and its dependencies.

An installed widget is a widget package [WIDGETS] that has been correctly installed and currently resides on or within a user agent.

An update description source is the URI pointing to the location of an update description document.

An update description document is an [XML10] document that has a update-info element at its root.

An update source is the URI referenced by the src attribute of an update-info element within an update description document.

A potential update is a resource acquired via HTTP (from an update source) or from local media.

The widget update process is a multi-step process whereby a user agent acquires a potential update, performs the rule for verifying a widget update, and then proceeds to install the widget package.

The identity of a widget package [WIDGETS] is determined by the id attribute of the widget element declared by an author in the configuration document [WIDGETS] of a widget package [WIDGETS].

The version of a widget package [WIDGETS] is determined by the version attribute of the widget element declared by an author in the configuration document [WIDGETS] of a widget package [WIDGETS].

An incumbent widget is an installed widget that is determined to have the same identity as the potential update.

An installed widget is said to be up-to-date if a user agent determines that an incumbent widget does not need updating.

A failure notification is an optional message emitted by the user agent to indicate to the user that a widget update has failed.

Note: This specification does not define the means or format of a failure notification, which is left up to implementers.

4. Update Extensions to Widget Configuration Documents

<widget xmlns  ="http://www.w3.org/ns/widgets" 
        id     ="http://example.com/my-widget" 
        version="1.0">

<update-description 
   href="http//example.com/update?widget=my-widget&amp;version=1.0"/>

</widget>

5. The Update Description Document

Within an update description document an author declares, amongst other things, what's new or different in the potential update, the version that the widget will be updated to, and the update source from where the user agent can retrieve the potential update.

The purpose of the update description document is to provide the details about a potential update, including a pointer to a HTTP resource that will act as the potential update.

In order for a user agent to retrieve and process an update description document, an author will initially declare a valid IRI [WIDGETS] for the update-description element in the installed configuration document (e.g. <update-description href="https://example.com/myWidget/updates"/>), as defined in the Update Extensions to Widget Configuration Documents section.

<update-info xmlns   = "http://www.w3.org/ns/widgets"
             src     = "https://w.example.com/2.1/RC/app.wgt"
             version = "RC2.1">
  <details xml:lang="en-us">
    Now supporting X, Y and Z features!
  </details>
  <details xml:lang="ar" dir="rtl">
    دعم الآن سين وصاد وعين ملامح
  </details>
  <details xml:lang="pt">
    Agora com suporte a X, Y e Z recursos!
  </details>
</update-info>

<update-info xmlns="http://www.w3.org/ns/widgets"
             src="http://sometld/somewidget_0_3_BETA.wgt"
             version="BETA 0.3">
           
</update-info>

<update-info xmlns="http://www.w3.org/ns/widgets"
             src="http://foo.com/widget.wgt"
             version="1.3.1">
  <details>
    This update tries to make 2010 a little bit less like 1984.
  </details>
  <details xml:lang="pt">
    Esta atualização tenta fazer de 2010 um pouco menos parecido com 1984.
  </details>
  <details xml:lang="ar" dir="rtl">
    يحاول هذا التحديث لجعل 2010 أقل قليلا مثل 1984.
  </details>
</update-info>

6. Acquiring an Update Description Document

It is expected that user agents will perform a widget update process asynchronously and periodically check for any available updates. The timing of any widget update process is an implementation detail left to the discretion of the implementer (e.g. once a day or once a week).

To check for updates to a widget, the user agent issues a HTTP request towards the update description source.

The user agent must send the last known ETag response value, if available, in an If-None-Match header.

The user agent must send an If-Modified-Since header indicating the time of the last check for an update from the user agent.

The user agent must send an Accept-Language header representing the widget's locale.

As data is received, the user agent will then act as follows.

The user agent must ignore any Cache-Control or Pragma header with a value of no-cache.

The user agent must honor the value of any Expires header when scheduling the next widget update process for the current installed widget.

The user agent must process HTTP 200 OK responses, with a Content-Type header specifying the type application/xml, according to the rules defined in Processing an Update Description Document.

The user agent must terminate the widget update on HTTP 200 OK responses that have a Content-Type other than application/xml.

On receiving HTTP 204 No Content, 205 Reset Content, and 304 Not Modified responses, the user agent must terminate the widget update.

On receiving HTTP response codes in the 2xx range, other than HTTP 200 OK, the user agent must terminate the widget update. They are, however, likely to indicate an error has occurred somewhere and may cause the user agent to emit a warning.

On receiving HTTP 301 Moved Permanently, 302 Found, 303 See Other, and 307 Temporary Redirect responses, the user agent must reconnect using the new server specified URL instead of the previously specified URL.

The user agent should treated HTTP 305 Use Proxy, 401 Unauthorized, and 407 Proxy Authentication Required responses transparently as for any other subresource.

On receiving an HTTP 410 Gone response, the user agent must terminate the widget update and remove the installed widget.

Any other HTTP response code not listed here, and any network error that prevents the HTTP connection from being established in the first place (e.g. DNS errors), must cause the user agent to terminate the widget update.

7. Processing an Update Description Document

A user agent must assume the following defaults prior to processing an update description document:

A user agent must process an update description document according to the rule for processing an update description document.

The following processing model is written with more concern for clarity over efficiency. As such, a user agent can optimize the processing model so long as the end result is indistinguishable from the result that would be obtained by following the specification.

The term in error, typically used on an element or attribute, means that the element, attribute, or other construct does not conform to the rules of this specification. Rules for exactly how a user agent needs to treat the erroneous construct are always given when the term is used.

When an invalid update description document is determined then the user agent must terminate the widget update.

The rule for processing an update description document is defined as follows:

1. Let doc be the result of parsing the acquired update description document as a [DOM-LEVEL-3-CORE] Document using a [XML-NAMES]-aware parser. If the document is not well-formed [XML10], then treat this as an invalid update description document.
2. Let root element be the documentElement of doc.
3. If the root element is not a update-info element in the widget namespace, then treat this update description document as an invalid update description document.
4. If the root element is a update-info element:
   1. If the version attribute was used, and it is a valid version attribute [WIDGETS], then let version-tag be the value of version.
   2. If no version attribute was used, or the value was in error, treat this as an invalid update description document.
   3. If the src attribute was used, and it is a relative URL, then let update-source be the absolute valid IRI [WIDGETS] value of src relative to the current update description document's IRI.
   4. If the src attribute was used, and it is an absolute valid IRI [WIDGETS], then let update-source be the value of src.
   5. If no src attribute was used, or the value was in error, treat this as an invalid update description document.
5. For any child element of the root element:
6. 1. If the child element is a details element:
      1. If this is not the first details element, in document order, that matches a language range in the user agent locales; or, if no details element in the document matches the user agent locales and this is not the first element; then the element is in error and must be ignored.
      2. Let details be the result of applying the rule for getting text content [WIDGETS] to this element.
   2. Otherwise it must be ignored.

8. Verifying and Installing an Update

When a user agent is to install the widget package it is to remove the installed widget and then add the potential update as an installed widget.

When a user agent is to remove the installed widget it is to disable the current incumbent widget, if it exists. The user agent may also physically remove the incumbent widget from the device. The user agent may emit a notification warning that the incumbent widget is being removed.

When a user agent is to terminate the widget update it is to terminate the current widget update process. The user agent may emit a failure notification warning that the widget update has been terminated.

To verify and install a potential update the user agent must apply the rule for verifying a widget update.

The rule for verifying a widget update enables a user agent to match and verify a potential update - acquired via HTTP or from local media - with an installed widget package [WIDGETS] and is defined as follows:

1. Apply the steps for processing a widget package [WIDGETS] to the obtained potential update.
   • If an invalid widget package [WIDGETS] is detected, the user agent must terminate the widget update.
2. If an incumbent widget could not be found then skip the rest of this rule and install the widget package.
3. If the incumbent widget has the same version as the potential update then the installed widget is up-to-date and the user agent must terminate the widget update.
4. If the potential update is determined to be a digitally-signed widget package when applying the rules for signature validation [WIDGETS-DIGSIG] then the user agent will act as follows:
   • If the incumbent widget is also determined to be a digitally-signed widget package when applying the rules for signature validation [WIDGETS-DIGSIG] then the user agent will act as follows:
     1. Let update_digsigs be an enumerated list of all the digital signatures contained within the potential update obtained according to the rule to locate signature files in a widget package [WIDGETS-DIGSIG].
     2. If any of the elements within update_digsigs were determined to be in error then terminate the widget update.
     3. Let incumbent_digsigs be an enumerated list of all the digital signatures contained within the incumbent widget obtained according to the rule to locate signature files in a widget package [WIDGETS-DIGSIG].
     4. If any of the elements within incumbent_digsigs were determined to be in error then terminate the widget update. This is, however, likely to indicate an error has occurred somewhere in the installed widget package processing and may cause the user agent to emit a warning.

     Note: The decision of which (if any) distributor signatures are to be validated and whether the author signature is to be validated is out of scope [WIDGETS-DIGSIG].

     5. For each update_signature to be validated in update_digsigs:
        1. Let digSigsMatch be the result of comparing the dsp:Identifier value [WIDGETS-DIGSIG] from update_signature with the same value obtained from the associated incumbent_signature within incumbent_digsigs.
        2. If digSigsMatch is false then terminate the widget update.
5. If the potential update is determined not to be a digitally-signed widget package when applying the rules for signature validation [WIDGETS-DIGSIG] then the user agent will act as follows:
   • If the incumbent widget is determined to be a digitally-signed widget package when applying the rules for signature validation [WIDGETS-DIGSIG] then the user agent then terminate the widget update.
6. The user agent must install the widget package.

9. Security Considerations

Because an update description document is not self-contained, it is conceivable that the update model could be subject to a man-in-the-middle attack, as with any unencrypted requests performed over [HTTP11]. For this reason, it is recommended that, for widgets that have not been digitally signed, updates are always performed over [HTTP-TLS].

Another means of protection is for authors to always digitally sign their widget resources. During an update, the user agent will then validate the signature before installation, ensuring that a widget resource's identity and integrity was maintained over the network.

An authoritative update URI is an update description source referenced in the href attribute of an update-description element within an installed widget's configuration document [WIDGETS].

Without the availability of a digitally signed installed widget, it is extremely easy to overwrite a widget resource with another (potentially malicious) widget resource. Therefore it is recommended that a user agent only allow updates to a signed installed widget or to a non-signed installed widget only from a potential update obtained via its authoritative update URI.