
Re: [widgets] WARP default policy

From: Mark S. Miller <erights@google.com>
Date: Tue, 4 May 2010 14:37:03 -0700
Message-ID: <AANLkTil-tqCQuCR1PAbl-SNzgnZ672bqqw9a_B3B3Ahz@mail.gmail.com>
To: Scott Wilson <scott.bradley.wilson@gmail.com>
Cc: public-webapps WG <public-webapps@w3.org>
On Tue, May 4, 2010 at 10:29 AM, Scott Wilson <scott.bradley.wilson@gmail.com> wrote:

> I've just been reading through the WARP spec again, and in particular this
> stood out:
>
> In the default policy, a user agent <http://www.w3.org/TR/widgets-access/#dfn-user-agent>
> *must* deny access <http://www.w3.org/TR/widgets-access/#dfn-deny-access>
> to network resources <http://www.w3.org/TR/widgets-access/#dfn-network-resource>
> external to the widget by default, whether this access is requested through APIs
> (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img).
>
> I'm not sure if this statement is actually helpful here. While it makes
> sense that WARP defines policies that widen access beyond whatever the UA's
> default policy may be, is it strictly necessary to define the default
> policy?
>
> For example, this implies that a UA should actively block widgets using
> JSONp, CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing
> its company's icon off their website in an img tag.

If these were limited to Uniform Messages, how much of a need would there
still be to disallow them? What would the remaining threats be?

> Now there may be UAs who have a default policy that is this strict, but
> requiring this to be the default policy as a conformance requirement for any
> WARP implementation seems OTT.
> S

Received on Tuesday, 4 May 2010 21:37:32 UTC
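As an added illustration, not part of this thread or of the WARP spec's own text, the following Python checker shows the default-deny policy Scott quotes together with the widening that `<access>` elements provide: every network resource is refused unless an `<access origin>` grant matches its scheme, host and port, with `subdomains="true"` matching only on a dot boundary. The config.xml namespace, the `<access origin subdomains>` syntax and the rule that malformed origins are ignored are assumptions taken from the spec under discussion; the sample config is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config.xml; the namespace and <access> syntax are
# assumed from the widgets-access spec the thread discusses.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="https://api.example.com"/>
  <access origin="http://cdn.example.net" subdomains="true"/>
</widget>"""

NS = "{http://www.w3.org/ns/widgets}"
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_access_list(config_xml):
    """Collect grants as (scheme, host, port, subdomains) tuples."""
    grants = []
    for el in ET.fromstring(config_xml).iter(NS + "access"):
        origin = el.get("origin", "")
        subdomains = el.get("subdomains", "false") == "true"
        if origin == "*":                      # grants every network resource
            grants.append(("*", "*", None, True))
            continue
        p = urlsplit(origin)
        # Assumption: an origin is scheme + host (+ port) only; an element
        # carrying a path, query, fragment or user-info is ignored, so a
        # malformed grant never widens the default-deny policy.
        if (not p.scheme or not p.hostname or p.username
                or p.path not in ("", "/") or p.query or p.fragment):
            continue
        grants.append((p.scheme.lower(), p.hostname.lower(),
                       p.port or DEFAULT_PORTS.get(p.scheme.lower()),
                       subdomains))
    return grants

def is_allowed(grants, request_uri):
    """Default policy: deny unless some <access> grant matches exactly."""
    p = urlsplit(request_uri)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    port = p.port or DEFAULT_PORTS.get(scheme)
    for g_scheme, g_host, g_port, subdomains in grants:
        if g_scheme == "*":
            return True
        if scheme != g_scheme or port != g_port:
            continue
        # subdomains="true" matches only on a dot boundary, so
        # notcdn.example.net does not inherit cdn.example.net's grant.
        if host == g_host or (subdomains and host.endswith("." + g_host)):
            return True
    return False
```

With the sample config, a widget loading its icon from any host other than the two granted origins is refused, which is exactly the behaviour Scott's message questions for the conformance default.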
