W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [Widgets] Security Considerations

From: Marcos Caceres <marcosc@opera.com>
Date: Tue, 27 Oct 2009 18:22:41 +0200
Message-ID: <b21a10670910270922pc7cb005te2ec9e5a023987c8@mail.gmail.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Cc: public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>
On Tue, Oct 27, 2009 at 5:38 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Marcos,
>
> I think the section below is ok.
> FWIW:
> 1. As in [1] we could add more detailed statements about HTML tags.

I could, but this might be mostly outdated because of HTML5.

> 2. Also together with the term "security" we could add "privacy".

Added.

> So e.g. we may have another paragraph like this (the below text may need more details):
>
> "Widget packages may contain content that is able to interact both with the remote host and local device.
> Therefore, implementers need to take into account the privacy-related implications resulting from the potential exposure of private information to the remote host given the relevant programming interface / model is defined."
>


I tried to shorten it and included it... details below...

> 3. [2] has a more thorough list of considerations that seem to be related to widgets, but more in the context of DAP. Anyway some of them could be reflected in the registration of application/widget.
>
> [1] http://tools.ietf.org/html/rfc4287#section-8
> [2] http://dev.w3.org/geo/api/spec-source.html#security
>

Ok, I took from [2] and got:

"As widget packages can contain content that is able to simultaneously
interact with the local device and a remote host, implementers need to
consider the privacy implications resulting from exposing private
information to a remote host. Mitigation and in-depth defensive
measures are an implementation responsibility and not prescribed by
this specification. However, in designing these measures, implementers
are advised to enable user awareness of information sharing, and to
provide easy access to interfaces that enable revocation of
permissions. "


--
Marcos Caceres
http://datadriven.com.au
Received on Tuesday, 27 October 2009 16:23:36 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:34 GMT