Extend widget privacy information before accepting it

[HarHarLinks]

Your use case

What would you like to do?

With element-hq/element-web#11262 (comment) we got the information about what data might get transmitted to a widget.

I would like to see this extended for privacy concerns:

1. It would be good if this warning could determine in advance not what data could, but actually will be transmitted to the widget.
2. The warning says "might transmit data to XY", and store cookies. In above screenshot I tried adding several different widgets using a self hosted dimension integration manager. It will always say dimension, even if you embed a totally different page. With dev tools we can see that e.g. "data.url": "https://framadate.org/somehashhere". I would like to be able to preview what actually is embedded based on the actual content that's loaded. (I'm not sure however, some of this might be specific to how dimension works.)

Why would you like to do it?

1. More fine grained control/expectation about what data you're willing to expose
2. Can decide if I want to share above info to that specific site. This is important because I might trust things hosted by my homeserver or reputable organizations, but not others. Further, this doesn't depend on the widget title being set and trusted to tell me what this is.

How would you like to achieve it?

1. Think similar to installing an app on android: This widget requires the following: mxid, roomid, etc. This might eventually need some spec about how to define those requirements.
2. Maybe just display said url field?

Have you considered any alternatives?

No response

Additional context

No response

[t3chguy]

The warning says "might transmit data to XY", and store cookies. In above screenshot I tried adding several different widgets using a self hosted dimension integration manager. It will always say dimension, even if you embed a totally different page. With dev tools we can see that e.g. "data.url": "https://framadate.org/somehashhere". I would like to be able to preview what actually is embedded based on the actual content that's loaded. (I'm not sure however, some of this might be specific to how dimension works.)

This sounds like Dimension is wrapping the framedate iframe in its own iframe, so Element can only see the outermost Dimension iframe. Scalar does similar things. Element has no way of knowing what the outer iframe will do so has to be more generic.

[HarHarLinks]

I learned the other day that apparently widgets are barely specced if at all? The info about what is wrapped is clearly there in my case. So it would need to be properly specced to get that info in a standardized way for clients to display?

What element can do right now, is offer a way to inspect the actual URL instead of displaying just the domain of what it embeds (outside of dev tools). Often the embed seems to be tacked on to that, at least with dimension.
"url": "https://dimension.example.org/widgets/generic?url=https%3A%2F%2Fdimension.example.org%2Fetherpad%2Fp%2F!thismaymatchtheroomid_SomeFunnyWords%3FshowChat%3Dfalse"

It appears to me that additional info like mxid would be tacked on as GET arguments to that as well, so it could parse for that and display a definitive list.

But again, to have all that info properly in the event sounds like a spec issue in its core. Right now, this is an im.vector.modular.widgets event, which smells like a new vector (= element) custom event to me - that would be completely in your hands.

According to half-shot's fosdem talk, widgets have a "capacity negotiation system" that sounds like it covers that access management (~8:47) contrary to what element's current UI suggests.