
Re: [WARP] "uri" attribute is confusing

From: Stephen Jolly <stephen.jolly@rd.bbc.co.uk>
Date: Wed, 07 Oct 2009 11:52:07 +0100
Message-ID: <4ACC72D7.1030900@rd.bbc.co.uk>
To: public-webapps WG <public-webapps@w3.org>
CC: Phil Archer <phila@w3.org>, Scott Wilson <scott.bradley.wilson@gmail.com>, Dominique Hazael-Massieux <dom@w3.org>, Marcin Hanclik <Marcin.Hanclik@access-company.com>

Phil Archer wrote:
> The problem is finding the right amount of flexibility without making it 
> too complicated or opening unwanted security holes.
...
> It depends on your use cases of course.

I guess the reason I've joined this discussion is that I'm concerned 
that most of the schemes out there (including the one proposed for WARP) 
don't allow the local network to be defined as a security domain, which 
precludes use cases I care about.

The Opera widget security model has the concept of "private" addresses 
(the RFC 1918 and 3927 ranges) - I presume that this group made the 
conscious decision not to include this concept in the WARP model?

Personally, I'm not sure even the Opera model[1] (which talks about 
these "private" addresses in the context of intranets) is as flexible as 
one might like: you could make a good case that 127.0.0.0/8 and the UA 
device's own IP address(es) masked by the appropriate subnet masks 
should be added to that list.

It does all come down to the use cases though, and I guess my 
fundamental question is still whether or not widget access to resources 
on the local network is seen as important by this group.  Answers 
welcome. :-)

S

[1] http://dev.opera.com/articles/view/opera-widgets-security-model/
Received on Wednesday, 7 October 2009 10:53:00 GMT
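
Added example, not part of the original message and not code from the Opera or WARP specifications: a sketch of the address classification the message discusses, with the "private" ranges (RFC 1918 and RFC 3927) as the base list and 127.0.0.0/8 plus the device's own masked addresses as the suggested extension. The function names, the `extended` switch and the sample interface address are assumptions made for illustration.

```python
import ipaddress

# "Private" ranges named in the message: RFC 1918 and RFC 3927.
PRIVATE_NETS = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # RFC 3927 (link-local)
)]
# Extension suggested in the message: the loopback block.
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def own_subnets(interfaces):
    """Mask each of the device's own addresses by its subnet mask.

    `interfaces` holds 'address/prefix' strings, e.g. '203.0.113.7/24'.
    """
    return [ipaddress.IPv4Interface(i).network for i in interfaces]


def classify(address, interfaces=()):
    """Label an IPv4 literal: 'loopback', 'private', 'own-subnet' or 'public'.

    Hostnames raise ValueError, so the decision is always made on a concrete
    address (the one actually connected to), never on a name.
    """
    ip = ipaddress.IPv4Address(address)
    if ip in LOOPBACK_NET:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if any(ip in net for net in own_subnets(interfaces)):
        return "own-subnet"
    return "public"


def in_local_domain(address, interfaces=(), extended=True):
    """True if the address falls in the local-network security domain.

    extended=False: only the RFC 1918 / RFC 3927 "private" ranges.
    extended=True: also loopback and the device's own subnets.
    """
    label = classify(address, interfaces)
    if label == "private":
        return True
    return extended and label in ("loopback", "own-subnet")


if __name__ == "__main__":
    # Constructed sample: a device with a documentation-range address.
    ifaces = ["203.0.113.7/24"]
    for addr in ("192.168.1.20", "127.0.0.1", "203.0.113.50", "198.51.100.9"):
        print(addr, classify(addr, ifaces), in_local_domain(addr, ifaces))
```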
