
Re: Widget access request policy

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Mon, 20 Aug 2012 14:07:10 +0100
Message-ID: <CAL1nonLJxXtU==crkdaxjkrgOdnWCtV1jCPwRr8_nnuwS9xpKA@mail.gmail.com>
To: steve paesani <spaesani@gmail.com>
Cc: public-webapps@w3.org

>The access request policy says to address security concerns.
>This raises a few questions.

>One is what are the security concerns.

That widgets will be able to access resources from anywhere over HTTP
because they are not bound to the HTML same origin policy (because
HTML does really define what to do when an HTML document's origin is,
for example, file://)

>Two is what of the previous DOM related security models does not address
>them.

As above. Same origin would be nice, but widgets have an arbitrary
unique origin (e.g., widget://random-string/).

>Three is unless all scripts are authored and packaged as widgets in
>accordance to/with the entire widget specification set it would seem that
>those security issues would remain.

The default policy denies all network access. Access to origins must
be explicitly requested. So, it mitigates some attacks.

>Can someone clarify?

Hopefully the above helps. There are lots of ways of overcoming the
security issues with widgets. See, for example, the security section
description for Chrome Packaged apps, which use CSP to restrict common
Web functionality, explicit sandboxing, and a <browser> tag to
overcome some of the potential security concerns with Widgets:

http://developer.chrome.com/trunk/apps/app_architecture.html

-- 
Marcos Caceres
http://datadriven.com.au
Received on Monday, 20 August 2012 13:08:03 GMT
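
The default-deny behaviour described in the reply above, as an added sketch that is not part of the original message or of any specification text. The `ACCESS_REQUESTS` entries, the `subdomains` flag as modelled here, and the function names are assumptions made for illustration, and the matching rules are simplified.

```javascript
// Added sketch: default-deny network policy for a packaged widget.
// ACCESS_REQUESTS is constructed sample data standing in for the origins
// that a widget's configuration explicitly requests.
const ACCESS_REQUESTS = [
  { origin: "https://api.example.org", subdomains: false },
  { origin: "https://example.net", subdomains: true },
];

// Reduce a URL to scheme/host/port; return null for anything unusable.
function originParts(url) {
  try {
    const u = new URL(url);
    const defaults = { "http:": "80", "https:": "443" };
    // Only http(s) counts as network access in this sketch.
    if (!(u.protocol in defaults)) return null;
    return {
      scheme: u.protocol,
      host: u.hostname, // already lower-cased, userinfo stripped
      port: u.port || defaults[u.protocol],
    };
  } catch (e) {
    return null;
  }
}

// True only if requestUrl falls under an explicitly requested origin.
function isRequestAllowed(requestUrl, accessRequests) {
  const req = originParts(requestUrl);
  if (req === null) return false;
  for (const entry of accessRequests) {
    const allowed = originParts(entry.origin);
    if (allowed === null) continue; // malformed entries grant nothing
    if (allowed.scheme !== req.scheme || allowed.port !== req.port) continue;
    if (allowed.host === req.host) return true;
    // Subdomain match only on a label boundary, so "evilexample.net"
    // does not pass for "example.net".
    if (entry.subdomains && req.host.endsWith("." + allowed.host)) return true;
  }
  return false; // nothing matched: deny by default
}
```
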
