W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [Widgets] URI Scheme revisited.... again

From: Mark Baker <distobj@acm.org>
Date: Mon, 13 Oct 2008 00:08:20 -0400
Message-ID: <e9dffd640810122108x6ad915ffya1ddee2bb425221d@mail.gmail.com>
To: "Marcos Caceres" <marcosscaceres@gmail.com>
Cc: public-webapps <public-webapps@w3.org>

On Fri, Oct 10, 2008 at 4:00 PM, Marcos Caceres
<marcosscaceres@gmail.com> wrote:
> Ok, In one of my previous emails I said that this was a potential
> privacy/security issue:
> "The reason we don't
> want to allow vendors to mint their own is that there are potential
> security and privacy issues related to URI schemes such as file:. For
> instance, because Dashboard uses "file:" it is very easy for me to
> work out what the username and home directory of a user on MacOsX by
> simply picking up any DOM node that contains a dereferenced URI (eg.
> by examining an img's src, I get something like
> "file:///Users/marcos/Library/widget/Default.png")."
> I'm no security/privacy expert, but this seems like an easy way to at
> least get someone's username (from which I may be able to  derive who
> they are, etc).  Also, if the implementation is crap and does not
> restrict file:// to the scope of the widget package (thankfully Apple
> does), then widgets could basically read any files on the hard drive.

Sure, but standardizing on a URI scheme won't fix this, because one
can guess URIs in any scheme.  Less opaque schemes like hierarchical
ones are a little more susceptible of course, but it's a problem for
all schemes.

I suspect implementors are familiar with this issue already, but if
you like, you could point out that implementations should ensure that
widgets can't access local resources that the implementation doesn't
want them to access.

Received on Monday, 13 October 2008 04:09:02 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:12 UTC