W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

[widget] Security model

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 19 May 2009 11:18:36 +0200
Message-ID: <b21a10670905190218k2645cf5dh5506bdf7be243330@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
With my "editor" hat on, I would like to propose the following
security model for widgets:

1. If no <access> element is used, the application type (e.g., HTML,
Flash, whatever) is responsible for providing the security
context/rules under which the widget runs. For HTML this means that a
widget runs as if you had dragged a HTML file from your hard-drive
into the Web browser.

Then, it is up to the implementers if they allow such widgets to run
or have access to features (APIs). Distributors may not allow these
widgets to be distributed, but that is their prerogative.

This defers the security problem to HTML5 or whoever wants to make use
of widgets as a packaging format.  HTML5 already has to deal with
situation where HTML files are run locally or with a synthetic origin
(think email attachments).

2. If <access> is used, then this is an "op-in" to a "widget security
model" and all network activity is blocked by all means (like a
firewall), except those access requests made via <access> element that
have been granted by the UA. Access requests are granted via the UA
security policy, which is outside the scope of the Widgets spec.

I personally think <access> should be removed from Widgets 1.0 and
deferred to Widgets 2.0 once it is properly sorted out.

-- 
Marcos Caceres
http://datadriven.com.au
Received on Tuesday, 19 May 2009 09:19:36 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT