Re: [WARP] Comments to WARP spec

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 09 Nov 2009 11:01:24 +0100
Message-ID: <4AF7E874.1050900@opera.com>
To: "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>
CC: WebApps WG <public-webapps@w3.org>


SULLIVAN, BRYAN L (ATTCINW) wrote:
> Hi Marcos,
>
> To be clear, your answer addresses point (2) only, and while I realize that the idea proposed may not apply to all valid start files, it nonetheless did address the point of the comment. It may not be the best solution but it is just a start on one, I hope.
>
> I still think we should recognize and somehow address the significant limitations of blanket handling of all external references à la "In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img)."
>
> I think this will have a significant impact on the functionality of web applications that should be able to access wide sources of media content, but want to be more selective on sources of scripts.

Although I understand the rationale, I'm personally not in favor of 
trying to deviate too much from the Web security model. This proposal 
seems to make more work for authors rather than providing security 
enhancements. It also makes more work for implementers in that they need 
to change the security model of the browsers on which widget engines run.

Kind regards,
Marcos
Received on Monday, 9 November 2009 10:26:23 GMT
