This specification defines a mechanism for Web applications to register themselves as being able to handle certain specific types of services ("grant wishes") with a user agent. Once a service handler is registered, any Web application can then request its functionality from the user agent in order to compose the service into itself.

For instance, a Web application could register itself as an image editor. When another application needs image editing functionality (e.g. a meme generator) then it can instantiate the image editor as part of itself (typically in an iframe). The editor is selected based on user preference rather than by hardcoding it. This provides a simple yet powerful component model for Web applications.

This specification is a proposed extension specification to HTML and has no official standing whatsoever.





Wish Granter Registration

A wish granter is registered with a link element that uses the wish relationship.

<link rel='wish' href='image-editor.json'>

The href attribute points to a JSON document.

{
  "name":   "Wunderbar Image Editor"
, "action": "edit"
, "types":  ["image/*"]
, "href":   "editor-implementation.html"
}

There can be many links using the wish relationship pointing to different descriptions. How user agents handle the services they discover is implementation-specific, but they could simply remember them all and apply some heuristics (frequency of visit to the site) to sort them when needed, as well as allow for preferred granters.


Wishing is done with a very simple API.

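var url = navigator.wishFor("edit", "image/webp")
,   iframe = document.getElementById("embed-here");
iframe.src = url;
iframe.onload = function () {
    // the granter has been picked and loaded: send it the image to edit
    iframe.contentWindow.postMessage({ image: imageData });
};
window.onmessage = function (evt) {
    // ignore anything that is not the granter's reply ("type" is an assumed field name)
    if (!evt.data || evt.data.type !== "image-edited") return;
    // work with evt.data
};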

The URL returned by navigator.wishFor() has the same properties as Blob URLs. It can be used to load an iframe, but also to open a new tab or a new window if needed.

When loaded, if the UA knows of several possible granters that could respond and doesn't have any reason to just prefer one (this is UA specific) it renders a choice page for granter services. (This does not trigger the load event.)

When a granter is picked (either directly or through user interaction) it is loaded, and the load event is fired. Communication is then entirely carried out using the usual Web Messaging framework.
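
How a user agent might validate a granter description and select the candidates for a navigator.wishFor() call, as an added example that is not part of this specification. The function names, the validation rules (required non-empty fields, an href that must resolve to http(s) against the description's URL) and the wildcard matching of types are assumptions, and the sample registry is constructed.

```javascript
// Added example: names, validation rules and wildcard semantics are assumptions.
const TYPE_RE = /^[a-z0-9!#$&^_.+-]+\/(\*|[a-z0-9!#$&^_.+-]+)$/i;

// Parse one granter description fetched from descriptorUrl; throws on bad input.
function parseGranter(jsonText, descriptorUrl) {
  const d = JSON.parse(jsonText);
  if (d === null || typeof d !== "object" || Array.isArray(d)) {
    throw new TypeError("description must be a JSON object");
  }
  for (const key of ["name", "action", "href"]) {
    if (typeof d[key] !== "string" || d[key] === "") {
      throw new TypeError(key + " must be a non-empty string");
    }
  }
  if (!Array.isArray(d.types) || d.types.length === 0 ||
      !d.types.every((t) => typeof t === "string" && TYPE_RE.test(t))) {
    throw new TypeError("types must be a non-empty list of media types");
  }
  // Resolve href against the description's own URL and refuse anything that
  // is not http(s), so javascript: or data: can never reach an iframe src.
  const target = new URL(d.href, descriptorUrl);
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    throw new TypeError("href must resolve to an http(s) URL");
  }
  return { name: d.name, action: d.action,
           types: d.types.map((t) => t.toLowerCase()), href: target.href };
}

// "image/*" matches any image subtype; anything else must match exactly.
function typeMatches(pattern, type) {
  const [pMain, pSub] = pattern.split("/");
  const [tMain, tSub] = type.toLowerCase().split("/");
  return pMain === tMain && (pSub === "*" || pSub === tSub);
}

// Granters able to respond to navigator.wishFor(action, type).
function candidatesFor(granters, action, type) {
  return granters.filter((g) =>
    g.action === action && g.types.some((p) => typeMatches(p, type)));
}

// Constructed sample data.
const registry = [
  parseGranter('{"name":"Wunderbar Image Editor","action":"edit",' +
    '"types":["image/*"],"href":"editor-implementation.html"}',
    "https://editor.example/image-editor.json"),
  parseGranter('{"name":"Text Pad","action":"edit","types":["text/plain"],' +
    '"href":"/pad.html"}', "https://pad.example/wish.json"),
];
console.log(candidatesFor(registry, "edit", "image/webp").map((g) => g.href));
```

When candidatesFor() returns more than one entry, the user agent is in the situation described above where it renders a choice page.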

Security Considerations

Are the attack vectors any different from regular iframes?