W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

RE: [widgets] Making config.xml mandatory

From: Hillebrand, Rainer <Rainer.Hillebrand@t-mobile.net>
Date: Tue, 10 Mar 2009 11:16:11 +0100
Message-ID: <41C7C0F2BC2713438D933052463E9259024A88BC@DEMSWBMXSC0104.sv.ad.tmo>
To: "Arve Bersvendsen" <arveb@opera.com>
Cc: <public-webapps@w3.org>
Dear Arve,

Good point regarding OMTP/BONDI. BONDI supports a security framework for widgets and "web pages" (or non-widgets).

On the other, if widgets in pre-existing implementations may use sensitive resources then I as an attacker would pack my rogue content in a widget resource, add the config.xml file and run my attack. In other words, the config.xml file does not prevent any attack.

I agree with you that the config.xml file already supports security relevant features, like <access network="true"/>. However, as long as we do not have any means to check whether a widget user agent could trust a widget and that it does not misuse the network access, then a widget user agent must always allow this network access.

If the config.xml file is the major means to identify a zip archive as widget resource then we will not need to define the file extension "wgt" and the MIME type application/widget.

IMHO, I do not see the config.xml as a security solution. I would agree with you that it might be required to define settings that do not have default values. Do we have such settings?

Best Regards,

Rainer

*************************************
T-Mobile International
Terminal Technology
Rainer Hillebrand
Head of Terminal Security
Landgrabenweg 151, D-53227 Bonn
Germany

+49 171 5211056 (My T-Mobile)
+49 228 936 13916 (Tel.)
+49 228 936 18406 (Fax)
E-Mail: rainer.hillebrand@t-mobile.net

http://www.t-mobile.net

This e-mail and any attachment are confidential and may be privileged. If you are not the intended recipient, notify the sender immediately, destroy all copies from your system and do not disclose or use the information for any purpose. 

Diese E-Mail inklusive aller Anhänge ist vertraulich und könnte bevorrechtigtem Schutz unterliegen. Wenn Sie nicht der beabsichtigte Adressat sind, informieren Sie bitte den Absender unverzüglich, löschen Sie alle Kopien von Ihrem System und veröffentlichen Sie oder nutzen Sie die Information keinesfalls, gleich zu welchem Zweck.


T-Mobile International AG
Aufsichtsrat/ Supervisory Board: René Obermann (Vorsitzender/ Chairman)
Vorstand/ Board of Management: Hamid Akhavan (Vorsitzender/ Chairman), Michael Günther, Lothar A. Harings, Katharina Hollender
Handelsregister/Commercial Register Entry: Amtsgericht Bonn, HRB 12276
Steuer-Nr./Tax No.: 205 / 5777/ 0518
USt.-ID./VAT Reg.No.: DE189669124
Sitz der Gesellschaft/ Corporate Headquarters: Bonn
Received on Tuesday, 10 March 2009 10:16:53 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT