
The Web, and security models Re: Reporting of CORS error in the XHR API callbacks

From: Charles McCathieNevile <chaals@opera.com>
Date: Fri, 27 Jan 2012 12:54:52 +0100
Cc: public-webapps@w3.org, "Thomas Roessler" <tlr@w3.org>, "Michael(tm) Smith" <mike@w3.org>
To: "Tim Berners-Lee" <timbl@w3.org>, "Ian Hickson" <ian@hixie.ch>
Message-ID: <op.v8qrdq14wxe0ny@widsith.eng.oslo.osa>
On Fri, 20 Jan 2012 20:32:33 +0100, Ian Hickson <ian@hixie.ch> wrote:

> On Fri, 20 Jan 2012, Tim Berners-Lee wrote:

>> There are of course places where XHR is used and there is no
>> cross-site scripting security needed
>>
>> 1)  in a browser extension
>> 2)  in node.js code trusted apps
>
> These aren't the Web, so they're probably out of scope of the CORS and
> XHR specs, but Anne can comment if he disagrees. :-)

I'm not Anne, but I disagree with both of you. These things are related to
the Web and have the potential to become part of it, and the idea that
they don't need to worry about security in the way the web does seems to
me ridiculous, for the reasons Ian outlines below...

>> 3)  in web apps when web apps can, in I hope the near future, be
>> installed, and flagged as trusted code
>
> Personally I think the idea of "installing" a Web app is anathema.

The range of options for web apps which go from using local storage
through appcache to full installability means that this horse seems to
have bolted. Personally I think that's a good thing - being able to work
with the Web even when there isn't a permanent and perfect connection is
still important (as I was reminded again this month when trying to use
normal infrastructure in Melbourne Australia...).

There are plenty of use cases for some kind of installability, just as
there is lots of use for bits of the Web behind a firewall (every time
someone tries to share something with me developed using Google's services
I am required to have a Google log-in - the fact that the firewall
includes zillions of people doesn't make it public, just as it doesn't
mean that it isn't "on the Web").

> The best thing about Web apps is that the browser can be trusted such
> that even the most hostile app can't do anything bad.

This is not true. One of the good things about the Web is that it has a
robust security model (compared to alternatives) which is designed to
protect users from hostile apps to a greater extent than other platforms.

IMHO (and I think this is simply a subjective assertion of values rather
than a question that can be objectively determined) the best thing about
web apps is that they are built with a very widespread, well understood
and relatively simple technology stack that is successfully implemented by
many providers, such that no provider cannot be replaced.

> If we start allowing users to install apps, we'll just change the
> security model of the Web from "you can't do anything bad without an
> implicit permission gesture from the user" to "all you have to do is
> convince the user to install you and then you can own them".

Only if we make the assumption Tim made above - which I think is based in
turn on the assumption that installable web apps come from one source.
Having to go through some particular app store for them leads to such an
assumption. It also breaks important use cases.

It should be straightforward for ACME co to produce a web app that is
useful for its employees, and distribute it internally from some trusted
point. They should also be able to distribute that to others, either
directly (based on other people trusting ACME) or through a third party
which people trust (widgets.opera.com or Google's app store or appsRus or
whoever...)

This requires a trust and security model where the decisions can be made
by a user, or further back in the distribution chain.

> Basically, moving us from the Web's security model today, a fantastic
> and successful security model that has withstood a decade or more of
> sustained attack, to the Windows security model.

I think you're overstating the success of the Web security model, and
missing the fact that it has caused us to have a web which until recently
was far less capable than installed applications. But yes, as I said above
in agreement with you, the model is designed to match reality better than
most of the alternatives, and we should think carefully before abandoning
it any time we are tempted to do so...

cheers

Chaals

-- 
Charles 'chaals' McCathieNevile  Opera Software, Standards Group
         je parle français -- hablo español -- jeg kan litt norsk
http://my.opera.com/chaals       Try Opera: http://www.opera.com
Received on Friday, 27 January 2012 11:55:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:50 GMT