A significant aspect of annotations is that they are managed independently from the document they are associated with. That is, the annotations may come from servers that are independent from the document server. Before or after retrieving a document from the document server, the browser should also retrieve associated annotations at other servers. The annotation servers must be given the identity of the document, as a URL, and therein lies the main challenge for retrieving annotations. A mechanism that tells the annotation servers which documents you are visiting could be considered a privacy violation unless it is done with your permission. This same mechanism could be abused by a snooper who watches what you read on the web.
In addition to merely accessing annotations associated with a document, and applying the annotations to the document, we would ideally want to manage some persistent state about the annotations and the annotation servers. For example, it may be useful to remember which annotations have already been viewed so we can simply request the new annotations not yet viewed. Also, for each annotation server, we may want to store information about the set of documents for which it has annotations so we can avoid asking for annotations that do not exist. These persistent storage capabilities are another area of security concern since they require that the annotation mechanism be able to read and write this data, probably to local disk.
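The sketch below is an added example, not code from the original page or from any browser. It shows how the persistent state described above can limit what annotation servers learn: a server is contacted only if the user has permitted it and its locally stored coverage list matches the document. The server record fields and the `url` and `since` query parameters are hypothetical.

```javascript
// Added example; every name and parameter here is hypothetical.

// Reduce a visited URL to the least revealing form before it is disclosed.
function disclosedForm(rawUrl) {
  const u = new URL(rawUrl);
  u.username = "";
  u.password = "";
  u.search = ""; // query strings often carry session ids or search terms
  u.hash = "";
  return u.toString();
}

// Decide which annotation servers learn about this visit, and what they learn.
function planLookups(rawUrl, servers) {
  const doc = disclosedForm(rawUrl);
  const plan = [];
  for (const s of servers) {
    // No user permission for this server: it is never told the URL.
    if (!s.permitted) continue;
    // Stored coverage says the server has nothing for this document: skip it.
    if (!s.coverage.some((prefix) => doc.startsWith(prefix))) continue;
    const q = new URLSearchParams({ url: doc });
    // Remembered date of the last viewed annotation: ask only for newer ones.
    const since = s.lastSeen[doc];
    if (since) q.set("since", since);
    plan.push(`${s.base}?${q}`);
  }
  return plan;
}

// Constructed sample state, as it might be kept in local persistent storage.
const SAMPLE_SERVERS = [
  { base: "http://notes.example/annotations", permitted: true,
    coverage: ["http://docs.example/papers/"],
    lastSeen: { "http://docs.example/papers/a.html": "1997-03-01" } },
  { base: "http://reviews.example/annotations", permitted: true,
    coverage: ["http://other.example/"], lastSeen: {} },
  { base: "http://tracker.example/annotations", permitted: false,
    coverage: ["http://docs.example/"], lastSeen: {} },
];

const SAMPLE_PLAN = planLookups(
  "http://docs.example/papers/a.html?session=abc123#sec2", SAMPLE_SERVERS);
console.log(SAMPLE_PLAN);
```

Only the first server is contacted; the coverage list and last-seen dates are exactly the data that must be readable and writable on local disk, which is the security concern raised above.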
Other security issues are the same as many current security issues for the web. Specifically, authentication and access control of annotation services can be done the same way as for existing services. Annotations are merely another kind of document from this perspective. [Client-Security]
The PICS [PICS] system is intended to support ratings of documents on the web. This is a specific kind of annotation with the semantics of filtering the appearance or availability of documents based on the rating values. Browser vendors are building in support for PICS [PICS clients], but due to the limited semantics, the same mechanism will not be available for use with other kinds of annotations without further extensions. One extension to PICS, called PICS-SE [PICS-SE], will support more general types of annotations and associated semantics.
The XML [XML] effort aims to define a cleaned-up HTML-like markup language that can be extended in a more uniform manner. In particular, the semantics of each tag can be defined in an extensible manner, such as with Java code. This will be useful to define the data transfer format for arbitrary types of annotations along with their associated semantics. What we need is the combination of the ability to fetch associated annotations as supported by the PICS-capable browsers with the extensible semantics of XML.
Plugins are in a similar situation to Java library code. They can do anything, but it is difficult to get users to install and trust the code. Furthermore, plugins tend to be browser specific rather than platform independent. ActiveX code is similar [Client-Security].
Signing the code, whether Java applets or ActiveX modules, will help with knowing who has violated your privacy once it has been violated, if you find out that it has been violated. This is little consolation and thus I expect it will not be satisfactory protection.
JavaScript code that is contained in one document may access aspects of the contents of another document viewed in another window, including the location, embedded links, form fields, etc. There are several restrictions on what the JavaScript program can do, however. First, and foremost, the JavaScript contained in document A from server-A cannot access any of the contents of document B from server-B unless the user has enabled tainting. In that case, all the data retrieved from B is "tainted" and the JavaScript execution environment will not let any such tainted data leave the browser without the user's permission. In other words, the URL of document B cannot be sent to an annotation server to retrieve associated annotations unless that server is the same as server-B. Document B could explicitly *allow* such exporting of data extracted from B by untainting its data, but this is not sufficient to support annotations of any document regardless of its origin or degree of cooperation.
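The following is an added example, not code from the original page and not Netscape's implementation. It is a simplified model of the tainting rule just described, assuming tainting is enabled, and shows why a script cannot hand the URL of document B to an independent annotation server. The class and function names and the sample hosts are hypothetical.

```javascript
// Added example: simplified model of data tainting; all names are hypothetical.

// A value together with the set of server origins whose data contributed to it.
class Tainted {
  constructor(value, origins) {
    this.value = value;
    this.origins = new Set(origins);
  }
}

// Reading a property of a document taints the result with that document's
// origin, unless the document has explicitly untainted its data.
function readFrom(doc, field) {
  const origins = doc.untainted ? [] : [new URL(doc.location).origin];
  return new Tainted(doc[field], origins);
}

// Values derived from tainted data carry the union of the inputs' taints.
function concat(a, b) {
  const ta = a instanceof Tainted ? a : new Tainted(a, []);
  const tb = b instanceof Tainted ? b : new Tainted(b, []);
  return new Tainted(String(ta.value) + String(tb.value),
                     [...ta.origins, ...tb.origins]);
}

// Export check: data may leave the browser only toward the origin that
// tainted it, unless the user grants permission for this transfer.
function maySend(data, destUrl, userPermits = false) {
  const dest = new URL(destUrl).origin;
  const foreign = [...data.origins].filter((o) => o !== dest);
  return foreign.length === 0 || userPermits;
}

// Constructed sample: document B, and a cooperating document that untaints.
const DOC_B = { location: "http://server-b.example/paper.html", untainted: false };
const DOC_C = { location: "http://server-c.example/open.html", untainted: true };
const ANNOT = "http://annot.example/lookup";

// The lookup request embeds B's URL, so it inherits B's taint.
const REQUEST_B = concat(ANNOT + "?url=", readFrom(DOC_B, "location"));
const REQUEST_C = concat(ANNOT + "?url=", readFrom(DOC_C, "location"));

console.log(maySend(REQUEST_B, ANNOT));        // blocked: foreign taint
console.log(maySend(REQUEST_B, ANNOT, true));  // allowed: user permission
console.log(maySend(REQUEST_C, ANNOT));        // allowed: document untainted
```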
One possible future workaround for JavaScript is that if the JavaScript code is in a document retrieved from the filesystem local to the user, then this could be considered to be safe, like the case of local Java libraries. Saving a document with embedded JavaScript to the local file system is considerably easier than installing a Java library, but perhaps it is too easy. If the JavaScript were found in a specially designated directory on the user's filesystem, then this might be sufficiently safe.
A proxy server can be used to fetch documents for you, fetch the associated annotations, and modify the returned document to append annotations or change the content (depending on the nature of the annotation). Proxies are therefore an excellent solution to the problem, except for some difficulties. First, users may not have the choice of installing a proxy, and even if they do, actually doing the installation and maintenance is extra work that seems to stop most people. If there is a proxy at all, it is probably used to get over a firewall or to do caching. And that is a second difficulty: multiple proxies do not play well together yet. A chain of proxies is possible, but it slows down the process and compounds the complexity of dealing with different versions of the HTTP protocol, etc.
HyperNews is currently usable as an annotation server. It provides a special script to which a browser may send requests over normal HTTP, used in a special way [Annotation-Protocol]. The request can be either a GET or a POST. In either case, parameters must be supplied that identify the URL of the document of interest, the date range of annotations, the desired format, etc.
The use of HyperNews as an annotation server depends on support in a browser for accessing the annotations. Such support was explicitly added to released versions of NCSA Mosaic for X and also to a non-public version of the HotJava browser.