
Re: [widgets] WARP default policy

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 4 May 2010 14:45:09 -0700
Message-ID: <h2x63df84f1005041445y4a01d91ek4964bf60dc19cc2d@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: Scott Wilson <scott.bradley.wilson@gmail.com>, public-webapps WG <public-webapps@w3.org>

On Tue, May 4, 2010 at 2:37 PM, Mark S. Miller <erights@google.com> wrote:
> On Tue, May 4, 2010 at 10:29 AM, Scott Wilson
> <scott.bradley.wilson@gmail.com> wrote:
>>
>> I've just been reading through the WARP spec again, and in particular this
>> stood out:
>> In the default policy, a user agent must deny access to network
>> resources external to the widget by default, whether this access is
>> requested through APIs (e.g. XMLHttpRequest) or through markup
>> (e.g. iframe, script, img).
>> I'm not sure if this statement is actually helpful here. While it makes
>> sense that WARP defines policies that widen access beyond whatever the UA's
>> default policy may be, is it strictly necessary to define the default
>> policy?
>> For example, this implies that a UA should actively block widgets using
>> JSONp, CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing
>> its company's icon off their website in an img tag.
>
> If these were limited to Uniform Messages, how much of a need would there
> still be to disallow them? What would the remaining threats be?

Would it allow reading resources behind corporate firewalls using a
browser running on a computer behind said firewall?

/ Jonas
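As an added illustration (not code from this thread or from the WARP spec itself), here is a small default-deny check in the shape the quoted spec text describes: `<access>` elements in config.xml widen access, and any request that no element covers is refused. The config.xml and URLs are constructed, and the origin-matching rules (scheme, host and port must match; `subdomains="true"` also admits subdomains; `origin="*"` admits everything) are my reading of WARP, not a verified implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config.xml: the widget asks to widen the
# deny-everything default for two origins.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets">
  <name>Demo</name>
  <access origin="https://api.example.com"/>
  <access origin="http://cdn.example.net" subdomains="true"/>
</widget>"""

NS = "{http://www.w3.org/ns/widgets}"
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(url):
    """Return (scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port


def parse_access_rules(config_xml):
    """Collect (origin, subdomains) pairs; an empty list means 'deny everything'."""
    rules = []
    for el in ET.fromstring(config_xml).iter(NS + "access"):
        origin = el.get("origin", "").strip()
        if not origin:
            continue
        subdomains = el.get("subdomains", "false").strip().lower() == "true"
        rules.append((origin, subdomains))
    return rules


def is_allowed(rules, request_url):
    """Default deny: the request passes only if some rule widens access to it."""
    scheme, host, port = _origin_parts(request_url)
    for origin, subdomains in rules:
        if origin == "*":          # wildcard grants every origin
            return True
        r_scheme, r_host, r_port = _origin_parts(origin)
        if scheme != r_scheme or port != r_port:
            continue               # scheme and port are part of the origin
        if host == r_host or (subdomains and host.endswith("." + r_host)):
            return True
    return False
```

The check only compares names, so a widened origin that resolves to a host inside the user's network is admitted just like any other; that gap is the point Jonas raises above.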
Received on Tuesday, 4 May 2010 21:46:01 GMT
