W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

RE: [WARP] Comments to WARP spec

From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Date: Wed, 18 Nov 2009 14:37:23 +0100
To: Robin Berjon <robin@berjon.com>
CC: Marcos Caceres <marcosc@opera.com>, "SULLIVAN, BRYAN L (ATTCINW)" <BS3131@att.com>, WebApps WG <public-webapps@w3.org>
Message-ID: <FAA1D89C5BAF1142A74AF116630A9F2C28942D7548@OBEEX01.obe.access-company.com>
Hi Robin,

>>That doesn't work. Not only could some script just manipulate canvas stuff,
>>but some images can execute script.
Ok for the former, but not for the latter.

>>It would be trivial to create lossless
>>bitmaps that could encode script.
OK.

>>One could also use XHR to evaluate content
>>returned as text/plain (or as a bunch of other things).
Yes, this falls into the "api" category I proposed earlier.
Access to resources via API could by default fall into the later proposed "executable" category.

>>One could request an
>>image that is redirected to http://address/of/image?put+a+complete+script+here
>>and then evaluate the query.
Ok, but then it will still be processed as image and will result in an invalid image, I think.

Therefore I still assume that simple classification could help.

Thanks,
Marcin

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452  |  Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

-----Original Message-----
From: Robin Berjon [mailto:robin@berjon.com]
Sent: Wednesday, November 18, 2009 12:57 PM
To: Marcin Hanclik
Cc: Marcos Caceres; SULLIVAN, BRYAN L (ATTCINW); WebApps WG
Subject: Re: [WARP] Comments to WARP spec

On Nov 12, 2009, at 16:36 , Marcin Hanclik wrote:
> I understand that too many details may not work or be an obstacle in the adoption.
> However, I derive that from the security point of view we still would like to distinguish at least between executable and non-executable content.

That doesn't work. Not only could some script just manipulate canvas stuff, but some images can execute script. It would be trivial to create lossless bitmaps that could encode script. One could also use XHR to evaluate content returned as text/plain (or as a bunch of other things). One could request an image that is redirected to http://address/of/image?put+a+complete+script+here and then evaluate the query.

I think there are two threads in this discussion, one seems to concern the default behaviour of widget UAs as defined by WARP - I think that's a valuable discussion to have (is the request simply that WARP be open by default for the same things that are allowed in a browser?) that is being drowned in the other discussion, which is about a semi-sentient local filtering proxy firewall built using pieces of flint and some string. Can we focus on the first one?

--
Robin Berjon - http://berjon.com/




________________________________________

Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda

www.access-company.com

CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the
individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited.
If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.
Received on Wednesday, 18 November 2009 13:38:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT