W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

RE: [Widgets] Security Considerations

From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Date: Tue, 27 Oct 2009 17:27:22 +0100
To: "marcosc@opera.com" <marcosc@opera.com>
CC: public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>
Message-ID: <FAA1D89C5BAF1142A74AF116630A9F2C2890D48E0F@OBEEX01.obe.access-company.com>
Hi Marcos,

Fine for me.


Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452  |  Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

-----Original Message-----
From: marcosscaceres@gmail.com [mailto:marcosscaceres@gmail.com] On Behalf Of Marcos Caceres
Sent: Tuesday, October 27, 2009 5:23 PM
To: Marcin Hanclik
Cc: public-webapps; Thomas Roessler
Subject: Re: [Widgets] Security Considerations

On Tue, Oct 27, 2009 at 5:38 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Marcos,
> I think the section below is ok.
> 1. As in [1] we could add more detailed statements about HTML tags.

I could, but this might be mostly outdated because of HTML5.

> 2. Also together with the term "security" we could add "privacy".


> So e.g. we may have another paragraph like this (the below text may need more details):
> "Widget packages may contain content that is able to interact both with the remote host and local device.
> Therefore, implementers need to take into account the privacy-related implications resulting from the potential exposure of private information to the remote host given the relevant programming interface / model is defined."

I tried to shorten it and included it... details below...

> 3. [2] has a more thorough list of considerations that seem to be related to widgets, but more in the context of DAP. Anyway some of them could be reflected in the registration of application/widget.
> [1] http://tools.ietf.org/html/rfc4287#section-8

> [2] http://dev.w3.org/geo/api/spec-source.html#security


Ok, I took from [2] and got:

"As widget packages can contain content that is able to simultaneously
interact with the local device and a remote host, implementers need to
consider the privacy implications resulting from exposing private
information to a remote host. Mitigation and in-depth defensive
measures are an implementation responsibility and not prescribed by
this specification. However, in designing these measures, implementers
are advised to enable user awareness of information sharing, and to
provide easy access to interfaces that enable revocation of
permissions. "

Marcos Caceres


Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda


This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the
individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited.
If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.
Received on Tuesday, 27 October 2009 16:28:17 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC