W3C home > Mailing lists > Public > public-appformats@w3.org > December 2007

Re: [fwd] [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets (from: tlr@w3.org)

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 4 Dec 2007 08:57:07 +0100
To: Marcos Caceres <marcosscaceres@gmail.com>
Cc: public-appformats@w3.org
Message-ID: <20071204075707.GR12626@iCoaster.does-not-exist.org>

On 2007-12-04 14:17:01 +1000, Marcos Caceres wrote:

> I guess one thing we don't need to worry about at the moment is
> concerning ourselves with the widget.system() API, as we
> currently don't spec it ( should we?:) ).... 

I have no particular desire for that; however, if there was work on
a capability-based security model for widgets, then that kind of API
would need to be covered.

> And I'm not sure what we can do with regards to eval() as I
> gather that is a problem for the web at large....

One question (and I'm going out on a limb here) is whether there
should be standardized JSON parsing and request APIs some time soon
-- that's, in fact, a generic question around Web APIs.

Until these exists (and are deployed), I'm pretty sure we'll
continue to see (a) JSON, and (b) eval used to parse it.  With
Widgets that aren't sandboxed, the problem becomes just much more
pressing.

The other observation is that capability-like security models for
widgets are nice, but will inevitably make those who program them
exercise the "get functionality, fast" card.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 4 December 2007 07:57:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:24 GMT