
Re: [widget] Security model

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 25 May 2009 15:01:30 -0700
Message-ID: <7789133a0905251501i7d0f9f61k2f554c0754fb8788@mail.gmail.com>
To: marcosc@opera.com
Cc: timeless@gmail.com, public-webapps <public-webapps@w3.org>
On Mon, May 25, 2009 at 2:34 PM, Marcos Caceres <marcosc@opera.com> wrote:
> should the following inline resources load?
>
> <html>
> <script src="http://foo.com"></script>
> <img src="http://foo.com/image">
> <iframe src="http://bar.com">

I haven't studied the widgets use case in detail, but these sorts of
loads usually aren't restricted.  If it's fine for attacker.com to
load these resources, why would it be problematic for widgets to load
them?

> And what is the origin?

The origin is the scheme, host, and port of the document's URL.

> I'm not interested in getting bogged down in complex terminology,
> fancy pants RFCs, and things that are hard to understand, at this
> point. I just want to take the average widget developer (me) point of
> view in an effort to understand how it works (or not) in practice.

To what practice are you referring?  Are there deployed widgets that
have already made assumptions about these behaviors?

Adam
Received on Monday, 25 May 2009 22:02:30 GMT
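As an added example (not part of the thread or of any W3C deliverable), the snippet below derives the (scheme, host, port) origin tuple Adam describes and checks the three resources from the quoted markup against a document URL; the document URL and the `domAccess` label are assumptions made for the illustration.

```javascript
// Added example: origin = (scheme, host, port) of the document URL, applied
// to the script/img/iframe loads quoted in the thread.

// Default ports per scheme, so "http://foo.com" and "http://foo.com:80" agree.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple of a URL; path, query and fragment play no role.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs are same-origin only if all three components match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Classify each quoted load relative to the document URL. Embedding a
// script, image or frame is not blocked cross-origin (the point of the
// reply); scripted access to the embedded document's DOM is the part that
// the same-origin rule gates.
function classifyLoads(documentUrl, resources) {
  return resources.map(({ tag, src }) => {
    const same = sameOrigin(documentUrl, src);
    return {
      tag,
      src,
      crossOrigin: !same,
      embedAllowed: true,
      domAccess: tag === "iframe" ? same : null, // only frames expose a DOM
    };
  });
}

// Constructed sample: hypothetical widget document URL plus the quoted resources.
const SAMPLE_DOC = "http://foo.com:80/widget/index.html";
const SAMPLE_RESOURCES = [
  { tag: "script", src: "http://foo.com" },
  { tag: "img", src: "http://foo.com/image" },
  { tag: "iframe", src: "http://bar.com" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyLoads(SAMPLE_DOC, SAMPLE_RESOURCES));
}
```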
