RE: [WARP] Comments to WARP spec

From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
Date: Mon, 9 Nov 2009 11:22:19 -0800
Message-ID: <8080D5B5C113E940BA8A461A91BFFFCD0FA82DC0@BD01MSXMB015.US.Cingular.Net>
To: "Marcos Caceres" <marcosc@opera.com>
Cc: "WebApps WG" <public-webapps@w3.org>

Marcos,

Re "I'm personally not in favor of trying to deviate too much from the Web security model.": I agree with you, and that is the point of the comments. The "web security model" (I think you mean the same-origin restriction) does not restrict access to image content from anywhere, like the <access> element would. The <access> element as currently in the WARP spec goes beyond the "web security model". 

My point is that the statement below in the WARP spec needs to change, because this is not compatible with the "web security model", and also "makes more work for implementers" because the security model for widget-context webapps would not be the same as for browser-context webapps: "In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img)."

So either:
(1) we need to be specific about which APIs / resource types are affected by inclusion (or exclusion) of domains in <access> (and keep this equivalent to HTML5)
(2) we must add a way for the developer to indicate which types of references should be allowed for the domain

My preference would be (1), but I proposed the use of "tag=" to illustrate how (2) might work.

Best regards,
Bryan Sullivan | AT&T

-----Original Message-----
From: Marcos Caceres [mailto:marcosc@opera.com] 
Sent: Monday, November 09, 2009 2:01 AM
To: SULLIVAN, BRYAN L (ATTCINW)
Cc: WebApps WG
Subject: Re: [WARP] Comments to WARP spec

SULLIVAN, BRYAN L (ATTCINW) wrote:
> Hi Marcos,
>
> To be clear, your answer addresses point (2) only, and while I realize that the idea proposed may not apply to all valid start files, it nonetheless did address the point of the comment. It may not be the best solution but it is just a start on one, I hope.
>
> I still think we should recognize and somehow address the significant limitations of blanket handling of all external references à la "In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img)."
>
> I think this will have a significant impact on the functionality of web applications that should be able to access wide sources of media content, but want to be more selective on sources of scripts.

Although I understand the rationale, I'm personally not in favor of 
trying to deviate too much from the Web security model. This proposal 
seems to make more work for authors rather than providing security 
enhancements. It also makes more work for implementers in that they need 
to change the security model of the browsers on which widget engines run.

Kind regards,
Marcos
Received on Monday, 9 November 2009 19:22:58 GMT
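
The two policies contrasted in this message, as an added example that is not part of the original thread, the WARP spec or any widget engine: the blanket default quoted above evaluated next to option (1). The sample origins and requests are constructed, and the set of request kinds gated under option (1) is an assumption, since the thread does not enumerate them.

```javascript
// Constructed sample: origins a widget would declare in config.xml,
// e.g. <access origin="https://api.example.com"/>.
const declaredOrigins = ["https://api.example.com"];

// Assumption (hypothetical): request kinds that option (1) would still
// gate behind <access>. Everything else behaves as in a browser context.
const GATED_UNDER_OPTION_1 = new Set(["xhr", "script", "iframe"]);

// True when the request URL's origin matches a declared <access> origin.
// "*" is the WARP special value granting access to any origin.
function isDeclared(url, origins) {
  return origins.includes("*") || origins.includes(new URL(url).origin);
}

// WARP default policy as quoted: every external network request, whether
// made through an API or through markup, needs a matching <access>.
function warpBlanket(req, origins) {
  return isDeclared(req.url, origins);
}

// Option (1): only the gated kinds consult <access>; media such as img
// loads from anywhere, as under the same-origin model in a browser.
function optionOne(req, origins) {
  if (!GATED_UNDER_OPTION_1.has(req.kind)) return true;
  return isDeclared(req.url, origins);
}

// Evaluate both policies for each request so the differences are visible.
function compare(requests, origins) {
  return requests.map((r) => ({
    kind: r.kind,
    url: r.url,
    blanket: warpBlanket(r, origins),
    option1: optionOne(r, origins),
  }));
}

// Constructed requests a widget start file might issue.
const sampleRequests = [
  { kind: "xhr", url: "https://api.example.com/feed" },
  { kind: "img", url: "https://media.example.org/a.png" },
  { kind: "script", url: "https://cdn.example.net/lib.js" },
];

console.table(compare(sampleRequests, declaredOrigins));
```

The undeclared image is the only row where the two policies disagree, which is the case the message is concerned with; the undeclared script is denied under both.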