
Re: security model of Web Components, etc. - joint work with WebAppSec?

From: Arthur Barstow <art.barstow@nokia.com>
Date: Sat, 09 Mar 2013 07:36:28 -0500
Message-ID: <513B2CCC.7080204@nokia.com>
To: "ext Hill, Brad" <bhill@paypal-inc.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>
[ Apology for top-posting and continuing the cross-posting ]

Hi Brad,

Thanks, yes earlier security review and feedback would be good.

My preference is to use public-webapps (solely) for all discussions 
related to Web Components (WC).

Re discussing security and WC f2f, I added a joint meeting between these 
two groups as a potential agenda topic for WebApps' April 25-26 f2f 
meeting [1] but I did not allocate a specific day+time slot because it 
could be a bit premature right now. That said, if you, or Dimitri, or 
other WC people have a specific day+time you would prefer, please speak 
up and note we intend to meet all day on the 25th but only until noon on 
the 26th. (Of course we can cancel the joint meeting if it turns out 
there is no need to meet.)

-Thanks, ArtB

[1] <http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics>


On 3/8/13 6:56 PM, ext Hill, Brad wrote:
>
> WebApps WG,
>
> I have been following with interest (though with less time to give it 
> the attention I wish) the emergence of Web Components and related 
> specifications. (HTML Templates, Shadow DOM, etc.)
>
> I wonder if it would be a good time to start discussing the security 
> model jointly with the WebAppSec WG, both on list, and possibly at the 
> upcoming F2F in April?
>
> One of our goals in WebAppSec is that a mashup web of re-usable and 
> composable pieces be possible to do securely. An example anti-pattern 
> in this area is the widely deployed <script 
> src="someothersite.com/canOwnYou.js"> pattern for things like 
> analytics, social widgets and social login. This pattern makes the Web 
> more brittle, such as the “Facebook broke the Internet” bug recently 
> when a script error in Facebook Connect redirected a huge chunk of the 
> Web to a Facebook error page. We security folks that work in both the 
> web apps and PKI areas stay awake at night worrying about bad guys 
> getting a certificate for Google Analytics or Omniture and XSS-ing 90% 
> of the Web.
>
> I don’t see much in these specs or via a quick search of the list 
> archives on the security models for the new Web Component and Shadow 
> DOM type integration models when they involve foreign components. 
> There is some level of isolation implied, but I hope there is interest 
> in defining what, if any, the security guarantees of such are and how 
> we might make this kind of composition more pleasant and useful than a 
> sandboxed iframe, but still robust against errors or attacks such that 
> popular components don’t become single points of failure for the 
> entire Web.
>
> Thanks,
>
>
> Brad Hill
>
> Co-Chair, WebAppSec
>
Received on Saturday, 9 March 2013 12:37:11 GMT
